VPN Dns Leak to Local ISP

yorgi

Very Senior Member
Hi
I have an issue and was wondering if there is a fix or if it's the way it is.

I have an 87u and PIA VPN with Merlin firmware.
When I use selective routing to a specific IP, the DNS and IP show PIA.
When I switch selective routing to Local ISP, the DNS of PIA leaks to my Local ISP.

If I put a preferred DNS like Norton in the Connect to DNS Server automatically area in WAN DNS SETTINGS
and turn off VPN connections, I get the right DNS, which in my case is Norton DNS, and my Local ISP IP is right.
As soon as I enable the VPN client, the DNS from PIA automatically takes over for my Local ISP.

So basically this is the way it works.
In Redirect Internet traffic to Policy Rules in the VPN client section, I have reserved
192.168.1.90 for VPN, which works fine. As soon as I log on to that IP I am on VPN: my DNS shows PIA and my IP shows PIA.

All my other traffic goes to the local ISP, so when I switch to DHCP or another static IP address that is not part of the policy, my IP address shows as my local ISP, which is good, but with PIA's DNS and not the router's DNS which I set in the WAN Connect to DNS Server automatically, which should use DNS from Norton and not PIA. Even if I didn't use a preferred DNS, isn't the router supposed to give me my Local ISP DNS?
I would think that it should, because I am not using the VPN; it's running in the background but only for a specific IP address. Why is the PIA DNS leaking over?

Is this a bug or is there a workaround?
The only way I can work around it is to manually enter the proper DNS values when I am on my local ISP,
and when I go on the VPN I manually enter the DNS to point to the router; this is done on the network adapter of the device.
Thankfully I made scripts on the PC that I use the VPN on, and it's not as painful.

I am thinking that with the original firmware from ASUS you can either have VPN on or off, so the DNS would resolve properly,
but with the Merlin firmware he has it so that you can use up to 5 VPN clients and they can all be on at the same time, and with selective routing one can go to whichever VPN they want or use the local ISP,
which works great, and there is firewall protection so that if the tunnel goes down the VPN traffic is automatically stopped. These are great features :)
But it's scary that the DNS of the VPN leaks over to the ISP.
Is it really something to be concerned about?

Any help or other alternatives would be greatly appreciated.

thanks
 
Check with your VPN provider, there was mention of DNS leakage across different providers a couple of weeks back...
 
I have the SAME exact problem. It leaked so bad my ISP told me I had a bot attack coming from my routers.

I have posted the issue again and some have recommended a reset of the router and clearing the VRAM. Apparently just making changes to check boxes will not provide the same level of security.

Right now I use this router exclusively for VPN only. I have it chained to my main router. I turn off NAT in the router in case the VPN goes down... with no NAT... then there is no internet.

When I do the above... no leakage at all. I am not taking any chances... and yes... you better be concerned about it. And I spent enough hours testing this to know this is a problem. Perhaps a reset of the router and a clean out of the VRAM might work... but it's not worth the risk if at some point it fails because I make a change in the router settings.

Note... I even turn off the router and turn it on again and still get the same problem.
 
Are you only routing some traffic through VPN? If so you will need to redirect DNS packets. Create an iptables rule on output on the WAN interface, set for destination port 25 for tcp and udp, and you could change the route it takes (or redirect through the vpn interface).
 
When I had posted this problem it was way back in February, and after later firmware all these issues were fixed.
If you are using the latest firmware, when you are connected to the VPN your IP and DNS are the same when using policy rules.
And whatever traffic is not on VPN has the proper IP and DNS of the Local ISP.
The only problem I had is that when on a VPN tunnel, if I wanted to route certain traffic to the local ISP, the DNS would show that from the VPN.
I thought that was a bug but it's not. When on a VPN tunnel the DNS is dictated by the VPN server, therefore any traffic that is routed to the Local ISP from the VPN tunnel will show the DNS of the VPN server, which is normal.
If that's what you are experiencing you cannot do anything about it. You can route FTP or SMTP, which don't use DNS.
 
You can route DNS through VPN, but the router cannot use any domains at first until it connects to VPN. That means if your VPN service uses domains rather than a server IP then the router won't be able to connect. I've routed DNS through VPN before on MikroTik, so it's definitely possible on ASUS with some iptables.

So if you have the case of another router being the VPN client, then simply set the VPN route as the default route/gateway and perhaps remove the default route for WAN? Consumer routers can't initiate VPN connections on the LAN port, so they have to connect to your LAN using the WAN port and treat it as WAN. Your main router needs VPN passthrough enabled.

The main problem with this setup is that if the tunnel goes down and you have it configured with a domain, then it will not go back up, or it could go back up with no DNS or with DNS leakage.
 
It's really easy to get caught with VPN leaks - depends on the configuration of the daemons, and the host OS config...

Remember this discussion? -- http://www.snbforums.com/threads/vpn-brain-teaser.33076/
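
The two mismatches discussed in this thread (a policy-routed client resolving outside the VPN's DNS, and a WAN-routed client ending up on the VPN's DNS) can be checked per client. The following is an added example, not code from any poster or from the firmware; apart from 192.168.1.90, the resolver addresses are documentation-range placeholders and the observation format is constructed for illustration.

```python
import ipaddress

# Assumed values (constructed for this example, not taken from the thread,
# apart from 192.168.1.90, the client the original poster routes via VPN).
VPN_CLIENTS = {ipaddress.ip_address("192.168.1.90")}
VPN_RESOLVERS = {ipaddress.ip_address("203.0.113.53")}   # placeholder VPN DNS
WAN_RESOLVERS = {ipaddress.ip_address("198.51.100.53")}  # placeholder WAN DNS

# Constructed observations: "<client> <resolver> <dst_port>/<proto>"
SAMPLE = """\
192.168.1.90 203.0.113.53 53/udp
192.168.1.90 198.51.100.53 53/udp
192.168.1.50 203.0.113.53 53/udp
192.168.1.50 198.51.100.53 53/tcp
192.168.1.50 198.51.100.53 443/tcp
192.168.1.51 192.0.2.8 53/udp
"""

def classify(line):
    """Return (client, resolver, verdict) for one observation, or None if not DNS."""
    client_s, resolver_s, port_proto = line.split()
    port, _, proto = port_proto.partition("/")
    if port != "53" or proto not in ("udp", "tcp"):
        return None  # only DNS (port 53 over UDP or TCP) matters here
    client = ipaddress.ip_address(client_s)
    resolver = ipaddress.ip_address(resolver_s)
    via_vpn = client in VPN_CLIENTS
    if via_vpn and resolver not in VPN_RESOLVERS:
        verdict = "LEAK: VPN client resolved outside the tunnel's DNS"
    elif not via_vpn and resolver in VPN_RESOLVERS:
        verdict = "MISMATCH: WAN client is using the VPN's DNS"
    elif not via_vpn and resolver not in WAN_RESOLVERS:
        verdict = "UNEXPECTED: resolver is not the configured WAN DNS"
    else:
        verdict = "ok"
    return str(client), str(resolver), verdict

def audit(text):
    """Classify every non-empty line and keep only the findings."""
    results = (classify(l) for l in text.splitlines() if l.strip())
    return [r for r in results if r and r[2] != "ok"]

if __name__ == "__main__":
    for client, resolver, verdict in audit(SAMPLE):
        print(f"{client} -> {resolver}: {verdict}")
```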
 
