SurfShark DNS w/ WireGuard w/without Stubby

I've got a very lean system to install the toys. I started with my Mikrotik not knowing what would work/fit/stay. This was done not long ago (March 2022) on version openwrt-19.07.8-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel to stable. Back then I was an OpenVPN desktop client user and that is how I rolled.

Fast Forward:

Hostname	OpenWrt
Model	MikroTik RouterBOARD 951Ui-2nD (hAP)
Architecture	Qualcomm Atheros QCA9533 ver 2 rev 0
Target Platform	ath79/mikrotik
Firmware Version	OpenWrt 22.03.0-rc5 r19523-bfd070e7fa / LuCI openwrt-22.03 branch git-22.167.28394-8a4486a
Kernel Version	5.10.127

I've found some newer menus to work in DNS servers for my commercial VPN provider with SurfShark. This was in addition to the DNS Privacy stub resolver 'Stubby'.

Pic Hidden to keep your eyesight burn free.

These are the steps I took to get SurfShark's DNS servers working while the 'wg0' interface is running w/ my peer.

What I have experienced so far is that when I'm surfing with 'wg0' up (forced up)

ifup wg0

DNS checks on the popular leak sites see me running within the commercial VPN providers network. GOOD!

Otherwise; when the 'wg0' interface is down (forced down)

ifdown wg0

Stubby takes over and all the popular leak sites see me running the CloudFlare DNS servers. GOOD!

DNSSEC is not affected as I let "dnsmasq-full" handle that. So far, by the use of the tools provided by the Git Readme, my dig to the server still populates the 'ad' flag.

The key thing to note is the flags: qr rd ra ad part. The ad flag signifies that DNSSEC validation is working. If that flag is absent, DNSSEC validation is not working.

The reason for all this fiddling around was due mainly to seeing the options in the new OpenWrt rc, and also the continued support and use of the WireGuard desktop app.

My router is CPU limited and I find that running the desktop app w/ the keys I generate provides an extra few Mb of speed. The desktop app also allows for configuring the DNS servers of choice. Long story, but I hope the details will provide some feedback or intrigue into your own situation.


Stubby, the package for DNS Privacy stub resolver, has been uninstalled. About 12 ~ 14 hours in after posting the thread, my system sprang a leak into the CloudFlare DNS. Without circumvention, i.e. reboot, restarting network, etc., things would stop leaking.
That's not the aim I was hoping for or willing to let slide.

late evening 7/13/2022 Uninstalled

Running Stubby free with peer dns set on wan to use my ISP, and wg0 interface dns with SurfShark and all is holding water.

I was burning time between posts reading up on @psherman's topic, focusing on @vgaetera's statement.

Dnsmasq periodically queries all listed resolvers ignoring their priority and then uses the fastest one for a period of time, so you cannot set up split DNS with just interface settings.

So far... my weighted dns resolve file is not being polled as stated above, or the fastest dns remains the wg0 commercial dns servers assigned to the interface and the ISP is not leaking... fingers crossed.

I'd personally like to get Stubby back onto my router using CloudFlare; however, @lleachii pointed out a tool for hindsighted troubleshooting. I think I'll wait this one out till SurfShark gets the Manual Config for WireGuard in place before reinstating.

Keep in mind that a stress test is required to confirm that there are no DNS leaks, e.g. you can specify a wrong trusted resolver to simulate its failure and verify that the system does not fall back to untrusted resolvers.
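As an added example (not from the original thread or the OpenWrt project), here are two small POSIX sh checks that automate the two verifications discussed above: the 'ad' flag in `dig +dnssec` output for DNSSEC, and the "using nameserver" lines dnsmasq writes to `logread` to see which upstream resolvers it actually picked, so a fallback to an ISP resolver during the stress test shows up. The sample dig and log text is constructed for this example, and the resolver addresses in it are placeholders, not real SurfShark or ISP addresses.

```shell
#!/bin/sh
# Added example: offline-testable DNS leak / DNSSEC checks for an OpenWrt
# router running dnsmasq. Sample inputs below are constructed, not captures.

# Constructed `dig +dnssec` output for a validated answer (has the "ad" flag).
DIG_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

# Constructed output for an unvalidated answer (no "ad" flag).
DIG_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

# Constructed dnsmasq log excerpt: two tunnel resolvers plus one resolver
# learned from the WAN (placeholder addresses).
LOG_LEAK='daemon.info dnsmasq[1234]: using nameserver 10.8.0.1#53
daemon.info dnsmasq[1234]: using nameserver 10.8.0.2#53
daemon.info dnsmasq[1234]: using nameserver 192.0.2.53#53'

# dns_validated "<dig output>": returns 0 only if the flags line carries "ad",
# i.e. the resolver reported DNSSEC validation for the answer.
dns_validated() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# upstreams_allowed "<log lines>" "<allowed addrs, space separated>":
# prints every upstream dnsmasq reported that is outside the allowed set and
# returns 0 only when there is none, i.e. nothing leaked to another resolver.
upstreams_allowed() {
    leak=0
    for ns in $(printf '%s\n' "$1" | sed -n 's/.*using nameserver \([^#]*\)#.*/\1/p'); do
        case " $2 " in
            *" $ns "*) ;;
            *) echo "unexpected upstream: $ns"; leak=1 ;;
        esac
    done
    return $leak
}

# Live use on the router (dig comes from the bind-dig package):
#   dns_validated "$(dig +dnssec example.com @127.0.0.1)" && echo "DNSSEC ok"
#   upstreams_allowed "$(logread -e 'using nameserver')" "10.8.0.1 10.8.0.2"
```

Run the second check once with wg0 up and once with it down, and during the deliberately-broken-resolver stress test, to confirm dnsmasq never lists a resolver outside the set you expect.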