RT-AC88U DNS Leaking On OpenVPN

freddyfinn

New Around Here
Hi all, I am unable to get DNS to work properly on my VPN tunnel.
I have one machine added under policy rules strict and Accept DNS Configuration is set to exclusive yet the DNS leak test on the machine shows my ISP's DNS server.
I have run ipconfig /flushdns and cleared the browser multiple times.
I have reset the router and reentered all details but no dice. Firmware: 380.66_6
Any help appreciated.
 

Attachments

  • Asus VPN log.txt
Hi all, I am unable to get DNS to work properly on my VPN tunnel.
I have one machine added under policy rules strict and Accept DNS Configuration is set to exclusive yet the DNS leak test on the machine shows my ISP's DNS server.

Can you post the output of these commands:

Code:
iptables --line -t nat -nvL DNSVPN2

iptables --line -t nat -nvL PREROUTING | grep DNSVPN

nvram get vpn_client2_adns
 
Can you post the output of these commands:

Code:
ASUSWRT-Merlin RT-AC88U 380.66-6 Wed Jun 21 19:07:32 UTC 2017

admin@RT-AC88U-5FF8:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.96         0.0.0.0/0            to:10.20.0.1

admin@RT-AC88U-5FF8:/tmp/home/root# iptables --line -t nat -nvL PREROUTING | grep DNSVPN
3       75  4970 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
4        0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

admin@RT-AC88U-5FF8:/tmp/home/root# nvram get vpn_client1_adns
3

When I reset, I configured on client 1.
 
When I reset, I configured on client 1.

I just love it when the OP requests help on an issue, yet decides to (subtly) alter the original environment when providing diagnostics :rolleyes: - this really keeps things interesting!...but since you kindly voluntarily disclosed this up-front, I will continue.... :D

Code:
iptables --line -t nat -nvL DNSVPN1

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.96         0.0.0.0/0            to:10.20.0.1

admin@RT-AC88U-5FF8:/tmp/home/root# iptables --line -t nat -nvL PREROUTING | grep DNSVPN
3       75  4970 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
4        0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

nvram get vpn_client1_adns
3

When I reset, I configured on client 1.

Well, the iptables appear OK (as does the nvram variable) as there have apparently been 75 hits on the PREROUTING rule to redirect traffic to traverse the custom VPN Client 1 DNS chain.

All I can suggest is that 192.168.1.96 is not the I/P of the device you are testing https://ipleak.net from? or you posted the output prior to re-testing?

EDIT: Probably no longer relevant given the VPN implementation, but the device isn't inadvertently (or by design) bypassing the router by having its DNS servers hard-coded as was possible in days gone by and exploited by hackers on Win platforms. :rolleyes:
(DNSFilter under Parental Controls can override the device and force it to use the router).
 
Something else you can do is specify alternate DNS services like google and/or open dns under wan from the main asus menu. Since not all my devices route through vpn, I have these dns services for them.

Those will be a fall back if your vpn isn't cooperating on dns

 
All I can suggest is that 192.168.1.96 is not the I/P of the device you are testing https://ipleak.net from? or you posted the output prior to re-testing?

I just love it when the OP requests help on an issue, yet decides to (subtly) alter the original environment when providing diagnostics :rolleyes: - this really keeps things interesting!...but since you kindly voluntarily disclosed this up-front, I will continue.... :D

Sorry Martineau, Yes I was going along collecting these bits and pieces as I was troubleshooting. I had to switch the tunnel to another machine as my wife needed to remote into work.

EDIT: Probably no longer relevant given the VPN implementation, but the device isn't inadvertently (or by design) bypassing the router by having its DNS servers hard-coded as was possible in days gone by and exploited by hackers on Win platforms. :rolleyes:
(DNSFilter under Parental Controls can override the device and force it to use the router).

No, the IPv4 is set to automatic and running Windows 10. Parental and DNS filtering are off.
On top of that, it's grabbing whatever the DNS address of the router is.
 
No, the IPv4 is set to automatic and running Windows 10. Parental and DNS filtering are off.
On top of that, it's grabbing whatever the DNS address of the router is.

Until you see hits in the DNSVPNx chain, then the VPN's DNS won't be used for the Policy rules 'EXCLUSIVE' setting.

If you can take a brief interruption on the Internet access, you could temporarily force ALL your network devices to traverse the chain and use the VPN's DNS.

So list the current DNSVPNx chain
Code:
iptables --line -t nat -nvL DNSVPN1

then substitute the to:xxx.xxx.xxx.xxx DNS I/P into the following command
Code:
iptables -t nat -I DNSVPN1 -j DNAT --to-destination xxx.xxx.xxx.xxx

Now test for VPN DNS 'leak' or create lookup activity for a couple of minutes then recheck the hits on the DNSVPNx chain
Code:
iptables --line -t nat -nvL DNSVPN1

Remove the temporary rule so issue:
Code:
iptables -t nat -D DNSVPN1 -j DNAT --to-destination xxx.xxx.xxx.xxx
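As an added example (not code from this thread or from ASUSWRT-Merlin), a small POSIX shell/awk checker that reads a `DNSVPNx` chain listing on stdin and applies the diagnosis described above: a chain with `(0 references)` means PREROUTING is not jumping to it at all, and a rule covering the client whose `pkts` counter stays at 0 means the client's port-53 traffic never traversed it. The sample listings are copied from the outputs posted in this thread; the verdict names are my own.

```shell
#!/bin/sh
# Added example: grade a DNSVPNx chain listing as printed by
#   iptables --line -t nat -nvL DNSVPN1
# Args: LAN IP of the client under test; listing on stdin. Verdicts:
#   NO_JUMP  "(0 references)": PREROUTING never sends port-53 traffic here
#   NO_RULE  no DNAT rule covers the client (its IP or 0.0.0.0/0)
#   NO_HITS  a rule covers the client but its pkts counter is still 0,
#            i.e. the client's queries are not traversing the chain (leak)
#   OK       the covering rule has matched traffic
# Output: "<verdict> <VPN DNS ip or ->"
dnsvpn_status() {
    awk -v client="$1" '
        BEGIN { refs = -1; found = 0; hits = 0; dns = "-" }
        /^Chain / {                       # "Chain DNSVPN1 (2 references)"
            if (match($0, /\([0-9]+ references\)/))
                refs = substr($0, RSTART + 1, RLENGTH - 2) + 0
            next
        }
        $1 == "num" { next }              # column header line
        # rule columns: num pkts bytes target prot opt in out source destination to:
        $4 == "DNAT" && ($9 == client || $9 == "0.0.0.0/0") {
            found = 1
            hits += $2 + 0                # "23K"-style counters still count as >0
            if (dns == "-") dns = substr($11, 4)   # strip the "to:" prefix
        }
        END {
            if (refs == 0)      print "NO_JUMP", dns
            else if (!found)    print "NO_RULE", dns
            else if (hits == 0) print "NO_HITS", dns
            else                print "OK", dns
        }'
}

# Sample listings copied from the posts in this thread.
SAMPLE_OP='Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       192.168.1.96         0.0.0.0/0            to:10.20.0.1'
SAMPLE_NOJUMP='Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194'
SAMPLE_WORKING='Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      248 23460 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194'

printf '%s\n' "$SAMPLE_OP" | dnsvpn_status 192.168.1.96        # NO_HITS 10.20.0.1
```

On the router itself, pipe the live listing in: `iptables --line -t nat -nvL DNSVPN1 | dnsvpn_status 192.168.1.96`.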
 
Until you see hits in the DNSVPNx chain, then the VPN's DNS won't be used for the Policy rules 'EXCLUSIVE' setting.

If you can take a brief interruption on the Internet access, you could temporarily force ALL your network devices to traverse the chain and use the VPN's DNS.

So list the current DNSVPNx chain
Code:
iptables --line -t nat -nvL DNSVPN1

then substitute the to:xxx.xxx.xxx.xxx DNS I/P into the following command
Code:
iptables -t nat -I DNSVPN1 -j DNAT --to-destination xxx.xxx.xxx.xxx

Now test for VPN DNS 'leak' or create lookup activity for a couple of minutes then recheck the hits on the DNSVPNx chain
Code:
iptables --line -t nat -nvL DNSVPN1

Remove the temporary rule so issue:
Code:
iptables -t nat -D DNSVPN1 -j DNAT --to-destination xxx.xxx.xxx.xxx

This was interesting! When I route all traffic over the VPN tunnel and set Accept DNS Configuration to Exclusive, I get no DNS leaks. However, with policy rules and when using AB-Solution, I found I need to set Accept DNS Configuration to Strict. If I don't, the AB-Solution ad blocking does not work on the VPN interface. But it does for the WAN. The downside is the DNS leaks on the VPN tunnel. Having the DNS leak does not cause any issues for my use case. I am only curious if something can be done to not have DNS leak.

So yesterday, I entered the iptables command on the command line:
Code:
iptables -t nat -I DNSVPN1 -j DNAT --to-destination 104.223.91.194
iptables -t nat -I DNSVPN1 -j DNAT --to-destination 104.223.91.210
These are the TorGuard DNS servers in USA. I then went to several DNS leak test sites and each one reported no leaks. I did a happy dance thinking I finally found the solution to this mystery. This morning, I went to several more DNS leaks test sites and all reported no leaks.

So, I entered the iptables command above in services-start after a line that calls a script to do some VPN policy routing. I then rebooted. I then see my DNS is leaking again. So, I removed the iptables command from services-start, entered it in firewall-start and rebooted. My DNS is leaking again. So, I removed the commands from firewall-start and rebooted. I then re-entered the iptables commands manually like I did the first time.

Gah, it did not work. My DNS is leaking again and I see no packets being passed.
Code:
iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194

I don't know why it worked for 24 hours the first time I entered the command, and now it does not. Strange.

EDIT: I have the DNS Leak issue fixed again! This time, I changed VPN Client 2 Redirect Internet Traffic from NO to Policy Rules (Strict). Accept DNS Configuration is set to Exclusive for this VPN client. This is the client I route certain streaming media traffic to via a script. Other clients use VPN Client 1. On VPN Client 2, I have no policy rules in the routing rules section. The @thelonelycoder Ad Blocking solution is working over the VPN tunnel. I will keep testing and monitoring.
 
I did a power down and restart of the router. The iptables rule remained in place and the DNS Leak issue remained fixed. However, no packets are appearing in the stats:
Code:
iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194

I did a reboot and it is broken again. I had to reissue the iptables commands. I tried restarting the VPN clients a few times and DNS is leaking again.
 
Sort of working again...Ad blocking over the VPN tunnel is now broken though.

I needed to also issue the iptables for DNSVPN2! Even though my policy rules clearly state to use VPN1 for the client I am testing, it likes to use VPN2 for DNS resolution.

Code:
admin@RT-AC88U:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194
admin@RT-AC88U:/tmp/home/root# iptables --line -t nat -nvL DNSVPN2
Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1      248 23460 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.210
2        0     0 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:104.223.91.194
 