Wireguard DNS leaking due to DNSMasq

First, I will say, I have gone through many threads, and I have not found the solution to my problem. I am at my wits' end as to what to do.

Summary: Wireguard is set up with ONE device running through it, using PBR. Works fine. I am also using HTTPS DNS Proxy, with the option "let local devices use their own DNS servers" set.

Problem: DNSMasq is applying the HTTPS DNS Proxy server to the Wireguard interface, interfering with the DNS setting that Wireguard should be using.

Request: How do I solely make it so DNSMasq does not interfere with the DNS I have set in the Wireguard interface?

LAN & WAN custom DNS is empty. DNSMasq Forward is set to 127.0.0.1#5053.

Please note, I am only able to do things within the GUI itself, not command-line.

That is a known problem, OpenWRT does not use the DNS from the WG interface exclusively.

For some background reading : https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak

There are [scripts to use the DNS server](https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak/use-wireguard-dns) from the WG interface exclusively, however then all your LAN clients will use that DNS server and this interferes with the use of HTTPS DNS proxy.
If you want to use the WG DNS server only for that specific local device then that is not possible yet in the GUI but it is coming: Policy-Based-Routing (pbr) package discussion - #982 by stangri

In the meantime you can use Option 6 to let DNSMasq hand out a specific DNS server to the local device which is using the tunnel.

Alright. If I SSH into the router, and add "list dhcp_option 'tag,6,x.x.x.x'", and then tag the specific device, save it and reboot, there is no change, DNSMasq is still hijacking the DNS for the interface.

The dhcp option 6 sets a DNS server to use by your clients instead of the router's address (unless you are using DNS hijacking/interception).

The instructions are for changing /etc/config/dhcp with an editor, either the built-in vim or nano, but you can also use WinSCP from a Windows box.

This is an example of a part of my /etc/config/dhcp where I have added a tag with option 6 and let my phone use this tag.
If I check the settings of my phone it now has DNS servers 8.8.8.8 and 8.8.4.4 instead of the router's IP address. As my phone is set to use the VPN tunnel, the queries to DNS 8.8.8.8/8.8.4.4 will automatically go via the VPN tunnel.

config tag 'tag1'
	option dhcp_option '6,8.8.8.8,8.8.4.4'

config host
	option name 'Galaxy-S20-FE-van-E'
	option mac '98:B8:BC:XX:XX:XX'
	option ip '192.168.9.223'
	list tag 'tag1'

Thanks @egc! WebUI for DNS Policies should be working in the recent builds.


I am a bit confused about the "tag" part. For my interface, it says "config dhcp 'wg'". Do I need to create one that would say "config tag 'wg'"?

This is what I have set:

config host
        option name 'x'
        list mac 'xx:xx:xx:xx:xx'
        option ip 'x.x.x.x'
        option leasetime 'infinite'
        list dhcp 'wg'

config dhcp 'wg'
        option interface 'wg'
        option dhcp_option '6,x.x.x.x'

Yet with this setup, it still is not working for me, the DoH server I have set is still being enforced on it.

Will it be included in the next stable release?

No that is not going to work.

You can set individual option 6 per host with the tag option or set option 6 for all or per interface.

For your individual host it works like this: add to /etc/config/dhcp

config tag 'tag1'
	option dhcp_option '6,8.8.8.8,8.8.4.4'

The host section then should be:

config host
        option name 'x'
        list mac 'xx:xx:xx:xx:xx'
        option ip 'x.x.x.x'
        option leasetime 'infinite'
        list tag 'tag1'

Remove

Reboot your router and after that reboot your client.

Check on your client that it has 8.8.8.8 and 8.8.4.4 as DNS servers.

The DNS will follow the client, so if the client is routed via the VPN then its DNS queries to 8.8.8.8/8.8.4.4 will also be routed via the VPN.

It is possible that the DNS queries are rerouted if you enabled DNS hijacking or by a DoH package.
If so, disable this DNS hijacking. I do not use HTTPS DNS proxy (I use SmartDNS as upstream DoT resolver for DNSMasq).

But as already noted the PBR package will get similar functionality in its GUI but that will come when it comes :wink:
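As an added example (not code from the thread or from OpenWrt/dnsmasq), here is a small checker that parses an OpenWrt-style `/etc/config/dhcp` and reports which DNS servers dnsmasq will hand to a given MAC through the `config host` -> `list tag` -> `config tag` / `dhcp_option '6,...'` chain described above. It also flags the earlier attempt in the thread, where `list dhcp 'wg'` was put in the host section instead of `list tag`. The two sample configs are constructed from the snippets posted in this thread; the `x.x.x.x` / `xx:xx:xx:xx:xx` placeholders are kept as they appear there.

```python
"""Check which DNS servers (DHCP option 6) an OpenWrt host entry will receive.

Added example: parses UCI syntax for /etc/config/dhcp and follows
host -> tag -> dhcp_option '6,...'. Not part of OpenWrt or dnsmasq.
"""
import shlex
from typing import List, Optional

# Constructed sample: the working per-host tag layout from the thread.
WORKING_CONFIG = """\
config tag 'tag1'
	option dhcp_option '6,8.8.8.8,8.8.4.4'

config host
	option name 'Galaxy-S20-FE-van-E'
	option mac '98:B8:BC:XX:XX:XX'
	option ip '192.168.9.223'
	list tag 'tag1'
"""

# Constructed sample: the earlier attempt that does not work (dhcp pool
# referenced from the host section; option 6 never reaches the host).
BROKEN_CONFIG = """\
config host
	option name 'x'
	list mac 'xx:xx:xx:xx:xx'
	option ip 'x.x.x.x'
	option leasetime 'infinite'
	list dhcp 'wg'

config dhcp 'wg'
	option interface 'wg'
	option dhcp_option '6,x.x.x.x'
"""


def parse_uci(text: str) -> List[dict]:
    """Minimal UCI parser: 'config <type> [name]', 'option k v', 'list k v'."""
    sections: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        kw = parts[0]
        if kw == "config":
            sections.append({"type": parts[1],
                             "name": parts[2] if len(parts) > 2 else None,
                             "options": {}, "lists": {}})
        elif kw == "option" and sections:
            sections[-1]["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kw == "list" and sections:
            sections[-1]["lists"].setdefault(parts[1], []).append(
                parts[2] if len(parts) > 2 else "")
    return sections


def option6_servers(section: dict) -> List[str]:
    """Servers carried by dhcp_option entries of the form '6,srv1,srv2'.

    dnsmasq also accepts the symbolic form 'option:dns-server,srv1,...'."""
    values = list(section["lists"].get("dhcp_option", []))
    if "dhcp_option" in section["options"]:
        values.append(section["options"]["dhcp_option"])
    servers: List[str] = []
    for value in values:
        fields = [f.strip() for f in value.split(",")]
        if fields and fields[0] in ("6", "option:dns-server"):
            servers.extend(f for f in fields[1:] if f)
    return servers


def find_host(sections: List[dict], mac: str) -> Optional[dict]:
    """Locate the 'config host' section whose mac (option or list form) matches."""
    for section in sections:
        if section["type"] != "host":
            continue
        macs = [m.lower() for m in section["lists"].get("mac", [])]
        if "mac" in section["options"]:
            macs.append(section["options"]["mac"].lower())
        if mac.lower() in macs:
            return section
    return None


def dns_for_host(text: str, mac: str) -> List[str]:
    """DNS servers the host gets via its tags; [] means dnsmasq's default
    (the router's own address, i.e. the local resolver/DoH path)."""
    sections = parse_uci(text)
    host = find_host(sections, mac)
    if host is None:
        return []
    tags = list(host["lists"].get("tag", []))
    if "tag" in host["options"]:
        tags.append(host["options"]["tag"])
    servers: List[str] = []
    for section in sections:
        if section["type"] == "tag" and section["name"] in tags:
            servers.extend(option6_servers(section))
    return servers


def lint_host(text: str, mac: str) -> List[str]:
    """Human-readable problems with the per-host DNS setup for this MAC."""
    sections = parse_uci(text)
    host = find_host(sections, mac)
    if host is None:
        return [f"no 'config host' section with mac {mac}"]
    problems: List[str] = []
    tag_names = {s["name"] for s in sections if s["type"] == "tag"}
    for tag in host["lists"].get("tag", []):
        if tag not in tag_names:
            problems.append(f"host references tag '{tag}' but no 'config tag' named {tag!r} exists")
    if "dhcp" in host["lists"] or "dhcp" in host["options"]:
        problems.append("'dhcp' inside a host section does not attach it to a pool; "
                        "use 'list tag' with a matching 'config tag' carrying dhcp_option 6")
    if not dns_for_host(text, mac):
        problems.append("no option 6 reaches this host; it will be handed the router's address")
    return problems


if __name__ == "__main__":
    for label, cfg, mac in (("working", WORKING_CONFIG, "98:B8:BC:XX:XX:XX"),
                            ("broken", BROKEN_CONFIG, "xx:xx:xx:xx:xx")):
        print(label, "->", dns_for_host(cfg, mac) or "router address (default)")
        for problem in lint_host(cfg, mac):
            print("   !", problem)
```

Run it against a copy of your own `/etc/config/dhcp` (read the file into `dns_for_host` / `lint_host`) before rebooting; an empty result for the tunnelled client means the router's address, and therefore the local DoH forwarder, will still be handed out.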


Ah-HAH! So that was the issue. I thought "tag" was suggesting an option, and "tag1" was just a placeholder for the interface's true name. It is working now, the only downside is that if I want to bring the Wireguard tunnel down, I have to change the '6,x.x.x.x' address to my router's IP to get DoH to run through it again. But I suppose it is better than nothing.

As for SmartDNS, I was going to use that instead of HTTPS DNS Proxy, but with its vast amount of technical jargon and options, I didn't want to set it up just to misconfigure it. Not to mention the documentation is vague since it is translated from Mandarin too, so details can get lost in that process.

Thank you much for your help, egc. I hope stangri's GUI implementations come to stable soon. I know this is a GUI option on DD-WRT, so I am excited for it.


No, I don't think it will ever be included by default, you'd always have to add it to your router/image.
