How to fix a DNS leak


andresmorago

Hello to all,

I recently switched my router's DNS configuration from Cloudflare to Google due to high latency. I rebooted the router and flushed the resolver cache on my PC.

After running a test on dnsleaktest.com, I'm still seeing Cloudflare. How can I stop the DNS leak? Maybe I'm missing something?

Thanks

Attachments: 1.JPG, 2.JPG, 3.JPG
Is the test client running through a VPN? If so what are your DNS settings there?
Hi.
None of my clients are running a VPN. They are all connected straight to my ISP.

I do have a VPN client active with a strict policy rule in the router, but as far as I know it shouldn't affect this. Or should it? :/
Then yeah a cache somewhere is holding on to cloudflare, it would seem. Hmmm!
I do have a VPN client active with a strict policy rule in the router. I'm using x3mRouting for some very specific websites.
Should that be the cause?

Hello @Xentrk,
I wanted to consult with you about a DNS leak I'm noticing on my router. I'm running method 3 in order to redirect very specific websites to my VPN client 1.
When running a dnsleaktest I see both Cloudflare and Google DNS appear in the results. Can you please advise if this could be related to your script?
Attachments: 4.JPG
That would be my best guess; Doug will be able to shed some light on it for you.
In the WAN DNS page you have "Connect to DNS servers automatically" set to No, but underneath you didn't specify the DNS you wanted to use.
You left them both blank.

Try filling those two blank slots in with whatever DNS you want to use, then check for the leak again.
Thanks!
I'm using DNS-over-TLS and the DNS servers are populated on the DNS-over-TLS Server List.

I thought that the "normal" WAN DNS settings (either manual or automatic) are ignored when DoT is enabled.
https://www.snbforums.com/threads/dns-security.56784/#post-493805

I will fill these fields anyway just in case and report back.

EDIT: leak still occurs
I would suggest you use DNSCrypt instead of DNS over TLS. There are hundreds of servers supported by the DNSCrypt script.

The code is:

Code:
# Note: -k disables TLS certificate verification for the download, and the fetched script is run as-is; drop -k unless you have a specific reason to skip verification.
curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
My provider is now using Cloudflare DNS in the geo location where the VPN server endpoint is. As a result, I also show a DNS leak because the IP address of the DNS is not the same as the VPN IP address.

x3mRouting does not modify the firmware DNS behavior. There was a code defect that impacted DNS, but it was patched a little over two weeks ago if using method 1 or 2. Select the update option from the x3mRouting menu to get all updates.

What do you have Accept DNS Configuration set to?

Run the command posted on this thread and post the results here. You may need to update the client number reference though. I used client 5 in the example. Change the number to 1 if you are using OVPNC1.

Also, I recently experienced a DNS abnormality that you can read about in the same thread.

Look at your DNS Filter page settings under the LAN tab.
Hello, and thanks for your help.

Here is the info:
Code:
No new version of load_MANUAL_ipset_iface.sh to update - latest is 1.0.0
No new version of load_ASN_ipset_iface.sh to update - latest is 1.0.0
No new version of load_DNSMASQ_ipset_iface.sh to update - latest is 1.0.1
No new version of load_AMAZON_ipset_iface.sh to update - latest is 1.0.0

Accept DNS Configuration is set to Strict.

Running your code gives me this:
Code:
andresmorago@RT-AC68U-5358:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (0 references)
num   pkts bytes target     prot opt in     out     source               destination

andresmorago@RT-AC68U-5358:/tmp/home/root# iptables --line -t nat -nvL PREROUTING | grep DNSVPN

andresmorago@RT-AC68U-5358:/tmp/home/root# nvram get vpn_client1_adns
2

andresmorago@RT-AC68U-5358:/tmp/home/root# cat /tmp/etc/openvpn/fw/client1-dns.sh
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN1

Here is my DNS Filter config:
1.JPG

And my VPN client 1 config, just in case:
3.JPG 4.JPG 5.JPG
Edit:
You also need to add a LAN device to use the VPN tunnel that you are performing the DNS leak test on.

You need to set Accept DNS Configuration = Exclusive to use the DNS pushed by the VPN server. The downside is Diversion won't work when using Policy Rules combined with DNS = Exclusive. I set DNS over TLS on the WAN page and set Accept DNS Configuration = Disabled. As a result, the VPN clients use WAN DNS. The DNS traffic is encrypted, but Diversion will work.

If you want to set Accept DNS Configuration = Strict, I always specified the DNS I wanted the tunnel to use by placing the command dhcp-option DNS 1.1.1.1 in the Custom Config section. You can read more about DNS and Policy Rules at https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware.

After you set Accept DNS Configuration = Exclusive, search the system log file for dhcp-option to see the DNS that is being pushed by the VPN server:

Code:
Aug 23 20:06:58 RT-AC88U-8248 ovpn-client5[7815]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,compress,ifconfig 10.35.0.18 10.35.0.17,peer-id 6,cipher AES-256-GCM'
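An added example to go with the checks in the post above (this is not code from the thread, from the firmware, or from x3mRouting): a POSIX sh snippet for the router's BusyBox shell that pulls the pushed DNS servers out of a PUSH_REPLY syslog line, names the Accept DNS Configuration mode behind a vpn_clientN_adns value, and tests whether the DNSVPN chain is actually hooked into nat PREROUTING. The log line is a constructed sample modelled on the one quoted above; the 0/1/2/3 = Disabled/Relaxed/Strict/Exclusive mapping, the /tmp/syslog.log path, and the claim that Exclusive mode is what references DNSVPN<n> from PREROUTING are assumptions about Asuswrt-Merlin (the thread shows 2 reported as Strict, and the Strict-mode output above shows the chain with 0 references).

```sh
#!/bin/sh
# Added example, not from the thread. Constructed sample syslog line, modelled
# on the PUSH_REPLY line quoted in the post above (client number and IPs kept).
SAMPLE_LOG="Aug 23 20:06:58 RT-AC88U-8248 ovpn-client5[7815]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,compress,ifconfig 10.35.0.18 10.35.0.17,peer-id 6,cipher AES-256-GCM'"

# pushed_dns <log text>: print each DNS server the VPN server pushed via
# "dhcp-option DNS", one per line. Only IPv4 pushes are matched.
pushed_dns() {
    printf '%s\n' "$1" | grep 'PUSH_REPLY' | tr ',' '\n' \
        | sed -n 's/^dhcp-option DNS \([0-9.][0-9.]*\)$/\1/p'
}

# adns_mode <n>: name of the "Accept DNS Configuration" setting behind
# vpn_clientN_adns. Assumed mapping from the Asuswrt-Merlin client page;
# the thread shows 2 reported as Strict.
adns_mode() {
    case "$1" in
        0) echo Disabled ;;
        1) echo Relaxed ;;
        2) echo Strict ;;
        3) echo Exclusive ;;
        *) echo Unknown ;;
    esac
}

# dnsvpn_in_use <n>: on the router, succeed if the DNSVPN<n> nat chain is
# referenced from PREROUTING (assumed to be what Exclusive mode sets up; the
# Strict-mode output in the thread shows the chain with 0 references).
# Returns 2 when iptables is not available, e.g. when run off the router.
dnsvpn_in_use() {
    command -v iptables >/dev/null 2>&1 || return 2
    iptables -t nat -nL PREROUTING 2>/dev/null | grep -q "DNSVPN$1"
}

# Usage on the router (assumed syslog path), for OpenVPN client 1:
#   pushed_dns "$(grep 'PUSH_REPLY' /tmp/syslog.log | tail -1)"
#   adns_mode "$(nvram get vpn_client1_adns)"
#   dnsvpn_in_use 1 && echo "pushed DNS enforced" || echo "not enforced"
pushed_dns "$SAMPLE_LOG"
adns_mode 2
```

If adns_mode reports Strict or Relaxed and dnsvpn_in_use fails, the servers printed by pushed_dns are not being forced on LAN clients by DNAT, which matches the empty DNSVPN1 chain posted above; a leak test from such a client will show whatever the WAN (DoT) resolver is, not the VPN provider's DNS.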
Also, the block-outside-dns option only works on Windows clients. You can remove the line from the Custom Config section.

--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later. This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in a fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from the server does not trigger fatal errors.
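An added example for the caveat in the post above (not code from the thread or from OpenVPN): a POSIX sh check that tells whether a bare block-outside-dns line in a client config would be fatal on a given platform, following the manual excerpt quoted above (unknown off Windows, tolerated only via the setenv opt prefix or an ignore-unknown-option line), plus a rewrite into the setenv opt form for configs shared with Windows clients. The config text is a constructed sample; Windows XP is not modelled, and only the two tolerance mechanisms the excerpt names are recognised.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed sample of an OpenVPN client
# Custom Config section: a DNS override plus the Windows-only option.
SAMPLE_CONFIG='dhcp-option DNS 1.1.1.1
block-outside-dns
verb 3'

# ovpn_option_fatal <config> <platform>: succeed if block-outside-dns would make
# OpenVPN abort on <platform>. Per the manual text quoted above it is unknown
# off Windows and fatal unless tolerated by the "setenv opt" prefix or an
# "ignore-unknown-option" line. Windows XP is not modelled.
ovpn_option_fatal() {
    config=$1; platform=$2
    [ "$platform" = windows ] && return 1
    # bare option at line start, with or without the optional leading dashes;
    # a "setenv opt block-outside-dns" line does not match this anchor
    printf '%s\n' "$config" | grep -q '^[[:space:]]*-*block-outside-dns' || return 1
    printf '%s\n' "$config" | grep -q '^[[:space:]]*-*ignore-unknown-option.*block-outside-dns' && return 1
    return 0
}

# portable_ovpn_config <config>: rewrite bare block-outside-dns lines into the
# "setenv opt" form, so a config shared with Windows clients keeps the option
# there and is ignored elsewhere. For a router-only config, just delete the line.
portable_ovpn_config() {
    printf '%s\n' "$1" | sed 's/^\([[:space:]]*\)-*block-outside-dns/\1setenv opt block-outside-dns/'
}

if ovpn_option_fatal "$SAMPLE_CONFIG" linux; then
    echo "block-outside-dns would be fatal on the router; portable form:"
    portable_ovpn_config "$SAMPLE_CONFIG"
fi
```

On the router the option buys nothing either way, since the WFP filter it describes does not exist there; the rewrite only matters if the same .ovpn is also handed to Windows machines.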
Hello to all,
@Xentrk thanks for your help. I think I gave you the wrong context on my issue. The DNS leak that was occurring is with the devices connected to the router with direct access to the ISP, and not to VPN client 1. I don't have any LAN devices connected to VPN client 1, because the only and main purpose of my VPN client is to forward specific websites to it (by using x3mRouting and ipset).
All of my router-connected devices go straight to the ISP unless they access very specific websites.

After 2 days of having made the switch from Cloudflare to Google, and actually doing nothing more than waiting and rebooting the router once in a while, today the dnsleaktest finally showed only Google DNS instead of a Cloudflare/Google mixture. I haven't made any modification besides setting Google on the DNS-over-TLS Server List.
Two questions:
What is listed here on your LAN DHCP settings?
upload_2019-8-24_21-31-33.png

And what is listed on your IPv6 page? Make sure it is not mistakenly turned on, since you are only using IPv4 with Google.
upload_2019-8-24_21-30-10.png