Can't resolve DNS leak


TanyaC

I'm running an ASUS RT-AC88u Router with Merlin 384.15.
I have configured it on the WAN page not to get the DNS server automatically and have configured my VPN provider's DNS servers.
My ISP's DNS server appears to be 89.187.1620/24 (datacamp), which is apparently a skills company based in Singapore?
When I go to dnsleaktest.com or ipleak.com while connected to my VPN, I am still seeing the ISP DNS server.
So I configured my NIC with the VPN DNS servers.
Rebooted router, rebooted PC and tested for DNS leak again - still there.
I've tried flushing the DNS cache and followed instructions on a couple of other websites but no success.
How do I get rid of the ISP DNS server?
 

Have you tried to set "Accept DNS Configuration = Exclusive" in your VPN client settings?
This should force the VPN provider's DNS servers via the tunnel.
If not, you can add DNS servers in "Custom Configuration" (in the VPN client):

Code:
# change to VPN DNS server 1 IP
dhcp-option DNS 10.11.12.13
# change to VPN DNS server 2 IP
dhcp-option DNS 10.11.12.13
# change to VPN DNS server 1 IP
push "dhcp-option DNS 8.8.8.8"
# change to VPN DNS server 2 IP
push "dhcp-option DNS 8.8.8.8"
Hope this may help on devices that you use via your vpn.
 
Sorry, I'm not using the VPN Client. I have OpenVPN installed. Less bloat, less telemetry and fewer processes.
For OpenVPN one can add the directive block-outside-dns to the .ovpn config file (might this be what the exclusive setting you described is doing?)
Is there some setting in the firmware that might help off VPN?
Is DNS Masquerading a consideration?
 
I'm confused. Are you connecting to your home router via the OpenVPN server and hoping that it is going to use the VPN DNS settings you set on the WAN? If that's the case, it's always going to report your home IP address, as the traffic is still originating from your router and not through your VPN service provider.
 
Forgive the following explanation, I know it's long.

There are three ways to configure an adapter's DNS servers: (1) by configuring it directly on the NIC, (2) using the DNS servers as specified on the WAN page of the router configuration, and (3) configuring the DNS servers on the DHCP tab of the LAN page of the router configuration.

If the PC's (local) NIC is configured with known DNS servers belonging to a VPN provider I get a DNS leak off and on VPN. If I specify the block-outside-dns directive in the OpenVPN config file I plug the leak when connected to the VPN. The DNS server is shown as the VPN server. However, this does not resolve the leak when not connected to the VPN.

If I use a public DNS server on the NIC (configured via any of the three above methods), such as Cloudflare, Google, OpenDNS, or my ISP's DNS servers, I do not see the leak. ipleak.net reports the DNS servers are those of the public DNS (in some cases, as with Google, I get up to 32 DNS server addresses according to ipleak.net and dnsleaktest.com). This is true off VPN and on VPN without block-outside-dns. With a public DNS server and on VPN with block-outside-dns I see only the VPN server.

I guess technically there's a fourth method; Automatic config on the NIC and no router configuration at all. In this case I get the ISP DNS.

I see identical behavior on two different ISPs. The behavior is so identical (including the DNS Servers selected - 89.187.162.162 and 89.187.162.215), that it's creepy and makes the hairs on the back of my neck stand up.

Using ipconfig /all...

The VPN (TAP) connection always shows the VPN DNS servers. The local NIC will show IP addresses depending on how the DNS servers are configured.
(1). If the DNS server is configured on the NIC as the router's address I will see the router's IP if the DNS servers are specified on the WAN page.
(2). If I specify nothing on the local NIC (automatic config), it will show the DNS servers on the WAN page.
(3). Unless I also specify DNS servers on the LAN page, which always overrides the server configured on the WAN page.

In cases (2) and (3). ipconfig /all will show the configured DNS Servers.

The results are the same for both UDP and TCP VPN connections.

This is all with just the OpenVPN software installed. (https://openvpn.net/community-downloads/)

If I install the NordVPN app I do not get a leak regardless of the configuration. It's proprietary software so I don't know what it's doing but it "appears" to be specifying block-outside-dns, since the symptoms look identical to those with block-outside-dns in the OpenVPN config. I've asked Nord to confirm this, but given this is closed software I doubt they'll disclose what the app is doing.

However, the app is junk (imho). I can't disable auto update. It takes between 23-30 seconds to connect to a server. "Pick best" always picks worst, though I can configure it to pick a specific server. I am always on VPN as soon as the PC boots. With VPN the connect takes 3-8 seconds. The app also has annoying advertising. So using it is not a preference.

Since the app can prevent leaks I figure it might be possible to fix them without the app, I just don't know what the app is doing.

The attached images show what leak test sites report when connected to the VPN with the VPN DNS Servers configured on the local NIC (via any of the three methods), and without the block-outside-dns directive.
 

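The per-adapter comparison of `ipconfig /all` output described in the post above can be scripted. This is an added example, not part of the thread: the sample output is constructed, and identifying the tunnel adapter by the string "TAP-Windows" in its description is an assumption. Resolvers listed under "outside" are the ones on non-tunnel adapters, which is what block-outside-dns is meant to cut off.

```python
import re
# Constructed `ipconfig /all` sample; addresses are private/RFC 5737 values.
SAMPLE = """\
Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter OpenVPN TAP:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
"""
HEADER = re.compile(r"^\S.* adapter (.+):\s*$")
FIELD = re.compile(r"^\s+(.+?)[ .]*\. :\s?(.*)$")

def parse_adapters(text):
    """Return {adapter name: {"description": str, "dns": [addresses]}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            current = adapters[header.group(1)] = {"description": "", "dns": []}
            last_key = None
        elif current is None or not line.strip():
            continue
        elif field:
            last_key, value = field.group(1), field.group(2).strip()
            if last_key == "Description":
                current["description"] = value
            elif last_key == "DNS Servers" and value:
                current["dns"].append(value)
        elif last_key == "DNS Servers":
            # Second and later resolvers sit on unlabeled continuation lines.
            current["dns"].append(line.strip())
    return adapters

def resolvers_by_role(adapters, tunnel_marker="TAP-Windows"):
    """Split resolvers into tunnel-adapter ones and those on other adapters."""
    roles = {"tunnel": [], "outside": []}
    for name, info in adapters.items():
        role = "tunnel" if tunnel_marker in info["description"] else "outside"
        roles[role] += [(name, ip) for ip in info["dns"]]
    return roles

if __name__ == "__main__":
    print(resolvers_by_role(parse_adapters(SAMPLE)))
```

On a live machine, pass the captured text of `ipconfig /all` instead of the sample; a non-English Windows prints different field labels, so the "Description" and "DNS Servers" keys would need adjusting.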
Just to tie up loose ends;
1. Using block-outside-dns makes my internal websites running on IIS inaccessible via DNS name. Via IP address I can still access them.
2. Using block-outside-dns causes several online games to hang for 15-20 seconds.

I posted on an IIS website to see if there is a way to configure IIS to still work when the PC it is running on and the PCs connecting to it are using block-outside-dns, but I guess knowledge of the combination of IIS, Windows Server and OpenVPN is rarer than hen's teeth.
 
