Best config options for 384.11_2 for dns using vpn

Galaxysurfer

Regular Contributor
Okay, so I am a bit confused with the new options for DNS privacy. I am currently running 384.11_2 on an RT-AC68U with the additional amtm & YazFi scripts. I have VPN clients enabled through NordVPN, which provides its own DNS servers. I would also like to add the ad blocker and NTP server script options to the mix at some point in the future as well (for now I'm going with the simplest option that doesn't require Entware installed or an additional USB drive attached to the router).

How do I address the dns configuration so there are no ip leaks & things run correctly? I am also mindful of wanting additional privacy added where possible. What are my best options here?
 
see @Xentrk's blog entry DNS behaviour - Accept DNS Configuration explained for an in-depth guide on your options/choices.

FYI, @Xentrk recommends “Accept DNS Configuration=DISABLED” and using (Stubby) DNS over TLS (DoT).
 
My main concern is how to get the Roku devices that are currently routed to their own subnet via YazFi working properly with a DNS change. I think they require Google DNS currently; correct me if I am wrong.
 
I use the Strict configuration instead. For this I have WAN DNS set to No (under the WAN tab, with NordVPN's servers added there under DNS 1 and 2). To ensure that dnsmasq is not bypassed and Diversion works with this setup, I have Policy Rules set to “Strict” and have also added “dhcp-option DNS xxx.xxx.xx.xx” in the Custom Configuration options (where xxx.xxx.xx.xx are NordVPN’s servers). I have no DNS leaks.


Sent from my iPhone using Tapatalk
 
This depends on who you trust most to handle and see your DNS lookups.
Your ISP? Your VPN provider? Cloudflare? Google?

The settings will change slightly depending on whether you would like to use your VPN's DNS server or something different.
 
I'm not trying to cross-post, but there's a similar post; I guess I can ask here as well:
After reading the yorgis guide, it mentions setting Accept DNS Configuration to "Exclusive". However, after reading the x3mtek guide, it says to set this option to either Strict or Disabled so the Diversion script works correctly. From the site: "There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting “Accept DNS Configuration” to either “Strict” or “Disabled”." Also, my current setup is Redirect Internet Traffic set to Policy Rules (Strict) due to my setup, but I do have Accept DNS Configuration set to Exclusive. Do I need to update?
 
Dnsmasq is bypassed when using Policy Rules combined with Accept DNS Configuration = Exclusive. The Diversion ad blocker will not work. If you don't use Diversion ad blocker, then no need to change. But if you want to use Diversion ad blocker over the VPN tunnel when using Policy Rules, I recommend setting Accept DNS Configuration = Disabled and enabling DoT on the WAN page to encrypt DNS queries.
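The rule in the post above (Policy Rules + Exclusive bypasses dnsmasq; Disabled plus DoT keeps it in the path) and the Strict setup described earlier in the thread, turned into a small check script that can be run on the router. This is an added example, not code from the thread or from Asuswrt-Merlin; the nvram variable names and the numeric encodings of the two settings are assumptions, as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): classify the DNS
# path of a VPN client from the two settings discussed in the thread, then, only
# when running on the router, read those settings with nvram.
# ASSUMED encodings: "Redirect Internet traffic" 0=No 1=All 2=Policy Rules
# 3=Policy Rules (Strict); "Accept DNS Configuration" 0=Disabled 1=Relaxed
# 2=Strict 3=Exclusive; DoT flag 1=enabled. The nvram names vpn_clientN_rgw,
# vpn_clientN_adns and dnspriv_enable are assumptions as well.

# classify_dns_path RGW ADNS DOT -> prints one word:
#   bypass       Policy Rules + Exclusive: dnsmasq is skipped, Diversion cannot filter
#   dnsmasq-dot  dnsmasq answers LAN clients and forwards to Stubby over TLS
#   dnsmasq      dnsmasq answers LAN clients and forwards in plaintext
#   unspecified  a combination the thread does not cover (e.g. Exclusive with All)
classify_dns_path() {
    rgw=$1; adns=$2; dot=${3:-0}
    case "$adns" in
        3)  # Exclusive: the VPN-pushed DNS is forced; with policy routing dnsmasq is bypassed
            case "$rgw" in
                2|3) echo bypass ;;
                *)   echo unspecified ;;
            esac ;;
        0|2)  # Disabled or Strict: LAN clients keep resolving through dnsmasq
            if [ "$dot" = "1" ]; then echo dnsmasq-dot; else echo dnsmasq; fi ;;
        *)  echo unspecified ;;
    esac
}

# On the router: report the path for VPN clients 1-5. Does nothing where nvram is absent.
audit_vpn_clients() {
    command -v nvram >/dev/null 2>&1 || return 0
    dot_flag=$(nvram get dnspriv_enable)
    for n in 1 2 3 4 5; do
        printf 'vpn_client%s: %s\n' "$n" \
            "$(classify_dns_path "$(nvram get "vpn_client${n}_rgw")" \
                                 "$(nvram get "vpn_client${n}_adns")" "$dot_flag")"
    done
}

audit_vpn_clients
```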
 
How will the DNS choice affect VPN performance, if at all? What would be the difference between using the NordVPN-provided DNS vs. Stubby DNS? I am going with the presumption that Nord DNS is a SmartDNS, which also means I may be giving up privacy by using it.
https://support.nordvpn.com/Other/1047409702/What-are-your-DNS-server-addresses.htm


How does Stubby DNS work with the other DNS privacy options introduced in 284.11?
I know of one forum user that uses ExpressVPN. The ability to bypass Netflix breaks when he uses a DNS other than the one provided by the VPN provider. That tells me they are using a feature similar to SmartDNS to spoof location. So my workaround recommendation does not apply in this case. My provider, Torguard, uses private or dedicated IP addresses to get around the blocks. I can use whatever DNS I want and still stream without issues.
 
Copy... one last question: with this route, can I set Redirect Internet Traffic to Policy Rules (Strict)?
 
How does Stubby work in the mix? No one answered that part of my queries. Do I need to use a specific DNS to be able to use Stubby, or is Stubby the specific DNS offering the encryption? I'm not clear on that point.
 
If you're talking about the stubby script, that is no longer needed or should be used when using 384.11 or later. :)
 
I use ExpressVPN and never had the issue you attribute to it. No difference when I configure quad8 or quad1, and no issues, no (geo) blocking at all for the past years. ExpressVPN allows you to use Google or Cloudflare.
 
Yes... Policy Rules (Strict). This setting gives you the ability to create rules for LAN clients or destination IP addresses and gives you the option to block traffic if the VPN connection goes down.
 
That is good to know. That is also my experience from all of the testing I've done. DNS location doesn't matter. I'll tag @Skeptical.me so he knows too. ;)
 
Thank you!


Sent from my iPhone using Tapatalk Pro
 
As you probably remember and are aware of, I've been confused as to how ExpressVPN worked with their DNS. And I became very confused when I started using Diversion and found that if I set "Redirect Internet Traffic" to "Policy Rules (Strict)" I did receive a VPN warning on US Netflix and Hulu, and Diversion's ad blocking didn't seem to work on all devices, as well as seeing many DNS servers unrelated to ExpressVPN on DNS scans with these settings.

However, I've now discovered with your help, and others', that despite seeing 7 to 31 DNS servers appearing on ipleak.net DNS scans, the actual VPN tunnel is working and DNS queries are being sent through the ExpressVPN DNS servers. So there's no issue with geo-blocking or DNS leaks.

And now I've found I can return to "Redirect Internet Traffic" set to "Policy Rules (Strict)" and "Accept DNS Configuration" set to "Exclusive", and everything works; I receive no VPN warnings at all on US streaming sites. So everything is great. I can return to using separate VPN services on my QNAP box and some devices from what I'm using for all other devices, and Diversion works perfectly well.


Sent from my iPhone using Tapatalk Pro
 
I am confused how Diversion can be working, though. Diversion won't work over the VPN tunnel with the settings you have for ExpressVPN, as dnsmasq is bypassed when Accept DNS Configuration is set to Exclusive when using Policy Rules. Do you route your PC or other devices to another VPN client or tunnel and only the streaming device to the ExpressVPN tunnel?
 
My iPhone, Apple TV 4K, and some IoT devices are routed through ExpressVPN, and my iMac through the WAN. And I'm not using ad blockers on any devices, and ads are blocked. I have no idea how it's happening. Maybe it's related to something I'm not aware of. However, I'll reboot all devices and see if that makes a difference.

To be honest, even if I have to route all traffic through the VPN for Diversion to work, I'm cool with that.


Sent from my iPhone using Tapatalk Pro
 