[solved] WireGuard client configuration and DNS

Hello,
I have configured Stubby for DNS over TLS (DoT).
This is actually replacing unbound.

The output of dig dnssectest.sidn.nl +dnssec +multi @<OpenWrt-Gateway-IP-Address> confirms that DNSSEC validation works.

$ dig dnssectest.sidn.nl +dnssec +multi @172.21.1.2

; <<>> DiG 9.18.4 <<>> dnssectest.sidn.nl +dnssec +multi @172.21.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dnssectest.sidn.nl.	IN A

;; ANSWER SECTION:
dnssectest.sidn.nl.	3600 IN	A 212.114.120.64
dnssectest.sidn.nl.	3600 IN	RRSIG A 13 3 3600 (
				20220708232610 20220623230558 12678 sidn.nl.
				t3xPCw2bQIxNk2CLdWWkZFd+bUiMvKyxcFf/79U2E/EO
				tUzRWB4rQAjPvai+diXfWnpZebx6rSszWYcRXHjP5A== )
dnssectest.sidn.nl.	3600 IN	RRSIG A 13 3 3600 (
				20220708232610 20220623230558 43647 sidn.nl.
				gXXztFT5Q4PKd7PSRCVc/x7EJmKCxeU2S7DrYkgoWLN1
				kMHH0kwksAfWesjb4V3biLPPSdRng1cgTf/OURaA9w== )

;; Query time: 99 msec
;; SERVER: 172.21.1.2#53(172.21.1.2) (UDP)
;; WHEN: Sat Jun 25 16:34:58 CEST 2022
;; MSG SIZE  rcvd: 269

Now I have started setting up OpenWrt WireGuard for the provider IVPN based on this guide.
This VPN provider instructs you to
[...] uncheck the Use DNS servers advertised by peer and specify one of the following DNS servers in the Use custom DNS servers field:
172.16.0.1 = regular DNS with no blocking
10.0.254.2 = standard AntiTracker to block advertising and malware domains
10.0.254.3 = Hardcore Mode AntiTracker to also block Google and Facebook domains

My understanding is that this setting, using the VPN's DNS servers, should prevent DNS leaks.
However, I thought that my setup with Stubby would prevent DNS leaks, too.

Could you please comment which DNS setup is reasonable and recommended?

THX

hi,

DNS over X only means that DNS query/reply traffic uses an alternative method instead of traditional DNS over the well-known port 53, hence it can overcome DNS traffic hijacking or blocking.
DNSSEC is a security extension for regular DNS: it guarantees that query/reply traffic is not manipulated by a man in the middle, but it does not guarantee privacy. Whoever your upstream DNS provider is can still log your queries, for example.

Depending on your DNS upstream server, DNSSEC will not be enough for full privacy if that's your concern. Your VPN provider may provide a log-less, no-tracking DNS service, but you should check with them.
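As an added illustration (not from the thread), a small Python check that reads the kind of dig transcript shown in the first post and separates the two things being conflated: whether the resolver at the OpenWrt gateway validated the answer (AD flag, RRSIGs present) and whether the reply actually came from that gateway rather than some other resolver. The sample transcript is the one pasted above, trimmed to the relevant lines; the expected gateway address 172.21.1.2 is taken from it.

```python
import re

# dig output pasted from the post above (first query, trimmed to the relevant lines)
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44247
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
dnssectest.sidn.nl.\t3600 IN\tA 212.114.120.64
dnssectest.sidn.nl.\t3600 IN\tRRSIG A 13 3 3600 (
\t\t\t\t20220708232610 20220623230558 12678 sidn.nl.
\t\t\t\tt3xPCw2bQIxNk2CLdWWkZFd+bUiMvKyxcFf/79U2E/EO
\t\t\t\ttUzRWB4rQAjPvai+diXfWnpZebx6rSszWYcRXHjP5A== )
;; SERVER: 172.21.1.2#53(172.21.1.2) (UDP)
"""

def parse_dig(text):
    """Pull the header flags, EDNS flags, RRSIG count and answering server out of dig output."""
    info = {"flags": set(), "edns": set(), "server": None, "rrsig": 0}
    for line in text.splitlines():
        if m := re.match(r";; flags: ([^;]*);", line):
            info["flags"] = set(m.group(1).split())
        elif m := re.match(r"; EDNS: version: \d+, flags: ([^;]*);", line):
            info["edns"] = set(m.group(1).split())
        elif m := re.match(r";; SERVER: ([\d.]+)#\d+", line):
            info["server"] = m.group(1)
        elif re.search(r"\sIN\s+RRSIG\s", line):
            info["rrsig"] += 1
    return info

def assess(text, expected_server):
    """Map dig output to four checks; all must hold for 'my gateway validated this answer'."""
    info = parse_dig(text)
    return {
        "dnssec_requested": "do" in info["edns"],        # client set the DO bit
        "signatures_present": info["rrsig"] > 0,         # RRSIG records came back
        "validated": "ad" in info["flags"],              # resolver set Authenticated Data
        "answered_by_gateway": info["server"] == expected_server,
    }

if __name__ == "__main__":
    print(assess(DIG_OUTPUT, "172.21.1.2"))
```

All four checks passing means the gateway validated the signatures, which is the integrity property; it says nothing about who can observe the query on its way upstream (that is what the Stubby DoT hop addresses) or about which resolver a LAN client will use once the WireGuard interface's own DNS setting is applied.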

Does this imply that I should follow the recommendation and use IVPN's DNS server setup?

If you trust your VPN provider, the antitracker means what it suggests, and your concern is full privacy, then probably use your VPN provider.
