Dnsleaktest puzzle

[dave14305]

How's that looking?

The 3 MAINFH and MAINBH entries explain the 3 RETURN rules from the iptables command. @RMerlin made a fix last year to address the issue with the first DEFAULT entry in the list:

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

Otherwise, br0 (regular LAN) clients will all be set to Unfiltered, and the global rule will never be applied.

github.com

I don’t know if these other entries are supposed to be there if you’re not using AiMesh.

 

[SkippyP]

Looks like there might be a problem with DNS Director in Merlin’s latest 3.0.0.4.388 firmware.

I have Cloudflare DoT configured on my router in strict mode with DNS Director enabled and Global Redirection set to “Router”. User defined fields and client list are all empty. DNS Server fields under the LAN tab are also empty. Everything works fine…all DNS leak tests show Cloudflare and Cloudflare only.

Now, if I hard code 8.8.8.8 into my laptop and run another leak test, it shows Google. Director is NOT redirecting to the router.

 

[dave14305]

Now, if I hard code 8.8.8.8 into my laptop and run another leak test, it shows Google. Director is NOT redirecting to the router.

Which browser? Chrome, for example, will see you using 8.8.8.8 at the OS level and auto-upgrade to DoH to 8.8.8.8. DNS Director doesn’t block DoH (port 443).

 

[SkippyP]

Which browser? Chrome, for example, will see you using 8.8.8.8 at the OS level and auto-upgrade to DoH to 8.8.8.8. DNS Director doesn’t block DoH (port 443).

Ah I didn’t know that. I tested with Edge, which I’m assuming is the same as Chrome…

Which browser do you suggest is best to test with?

EDIT: I just tested on my iPhone (manually entered 8.8.8.8) and ran leak test from Safari…returned all Cloudflare So, looks like Director is working, and Edge (like Chrome) also auto updates to DoH.

 

[Zarrow]

The 3 MAINFH and MAINBH entries explain the 3 RETURN rules from the iptables command. @RMerlin made a fix last year to address the issue with the first DEFAULT entry in the list:

rc: skip default SDN when configuring dns_filter rules · RMerl/asuswrt-merlin.ng@f38a9a3

Otherwise, br0 (regular LAN) clients will all be set to Unfiltered, and the global rule will never be applied.

github.com

I don’t know if these other entries are supposed to be there if you’re not using AiMesh.

AiMesh is definitely not enabled.

You concluded in post #37 that DNS Director is not working on my RT-BE86U. Has what you wrote in the quoted post changed that conclusion? Any further tests needed?

If It's truly not working, should I post something in the appropriate FW release thread?

 

[dave14305]

You concluded in post #37 that DNS Director is not working on my RT-BE86U. Has what you wrote in the quoted post changed that conclusion? Any further tests needed?

No, it’s broken due to those MAINBH and MAINFH network entries from get_mtlan confusing DNS Director. My recommendation would be to factory reset once, enable DNS Director, then run the iptables and get_mtlan commands again. If it looks the same, go ahead and report it in the release thread. You can take and restore a backup to get back to the current state after this test.

 

[dave14305]

Any further tests needed?

Assuming it won’t get fixed for a while, you can create a /jffs/scripts/nat-start script to remove the unwanted rules.

#!/bin/sh

iptables -t nat -D DNSFILTER -i br0 -j RETURN
iptables -t nat -D DNSFILTER -i br0 -j RETURN
iptables -t nat -D DNSFILTER -i br0 -j RETURN

 

[Zarrow]

No, it’s broken due to those MAINBH and MAINFH network entries from get_mtlan confusing DNS Director. My recommendation would be to factory reset once, enable DNS Director, then run the iptables and get_mtlan commands again. If it looks the same, go ahead and report it in the release thread. You can take and restore a backup to get back to the current state after this test.

As you suggested, I did a full factory reset, enabled DNS Director only (no DoT) and ran those commands again.
The output of iptables-save -c | grep DNSF:

DNSFILTER - [0:0]
[25:2013] -A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
[0:0] -A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
[25:2013] -A DNSFILTER -i br0 -j RETURN
[0:0] -A DNSFILTER -i br0 -j RETURN
[0:0] -A DNSFILTER -j DNAT --to-destination 192.168.50.1
DNSFILTER_DOT - [0:0]
[0:0] -A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
[0:0] -A DNSFILTER_DOT ! -d 192.168.50.1/32 -j REJECT --reject-with icmp-port-unreachable

I see that the difference from my previous setup is that there is one less line of [0:0] -A DNSFILTER -i br0 -j RETURN

get_mtlan:

|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[DEFAULT]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[0]
|-apg_idx:[0]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINBH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[1]
|-apg_idx:[1]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINFH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[0]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[2]
|-apg_idx:[2]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------

I then enabled DoT to Quad9, strict and ran the commands again. The output of iptables was exactly the same as above. The output of get_mtlan only changed -dot_enable:[0] to [1].

DNS Director still broken?

 

[dave14305]

DNS Director still broken?

Yes. Create the script in my previous post then restart the firewall with service restart_firewall and test again.

 

[Zarrow]

Yes. Create the script in my previous post then restart the firewall with service restart_firewall and test again.

Done. Iptables output:

DNSFILTER - [0:0]
[3:237] -A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
[0:0] -A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
[3:237] -A DNSFILTER -j DNAT --to-destination 192.168.50.1
DNSFILTER_DOT - [0:0]
[0:0] -A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
[0:0] -A DNSFILTER_DOT ! -d 192.168.50.1/32 -j REJECT --reject-with icmp-port-unreachable

Looks like the offending lines have been removed.

get_mtlan:

|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[DEFAULT]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[1]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[0]
|-apg_idx:[0]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINBH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[1]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[1]
|-apg_idx:[1]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------
|-enable:[1]
|-prio:[0]
|-vid:[0]
|-port_isolation:[0]
|-name:[MAINFH]
|-createby:[WEB]
|-*Network:
|--IPv4:
|-idx:[0]
|-ifname:[br0]
|-br_ifname:[br0]
|-addr:[192.168.50.1]
|-subnet:[192.168.50.0]
|-netmask:[255.255.255.0]
|-prefixlen:[24]
|-dhcp_enable:[1]
|-dhcp_min:[192.168.50.2]
|-dhcp_max:[192.168.50.254]
|-dhcp_lease:[86400]
|-domain_name:[]
|-dns:[][]
|-wins:[]
|-dhcp_res:[0]
|-dhscp_res_idx:[0]
|-dot_enable:[1]
|-dot_tls:[1]
|--IPv6:
|-v6_enable:[0]
|-v6_autoconf:[0]
|-addr6:[]
|-dhcp6_min:[]
|-dhcp6_max:[]
|-dns6:[][][]
|-*SDN Feature Index/Switch:
|-sdn_idx:[2]
|-apg_idx:[2]
|-vpnc_idx:[0]
|-vpns_idx:[0][0][0][0][0][0][0][0][0][0][0][0][0][0][0][0]
|-dnsf_idx:[0]
|-urlf_idx:[0]
|-nwf_idx:[0]
|-cp_idx:[0]
|-gre_idx:[0][0][0][0][0][0][0][0]
|-fw_idx:[0]
|-killsw_sw:[0]
|-ahs_sw:[0]
|-wan_idx:[0]
|-ppprelay_sw:[0]
|-wan6_idx:[0]
|-mtwan_idx:[0]
|-mswan_idx:[0]
---------------------------------------

I'll post in the release thread.

 

[Zarrow]

I received a response from Quad9. It just so happens that in my country of residence, they use a DNS server (not WoodyNet) that is owned by the same parent company that owns my ISP, so Dnsleaktest was correctly identifying the company, but it's not a leak.

 

[Tech9]

Not a leak, but nice trick.