

How to fix a DNS leak

Discussion in 'Asuswrt-Merlin' started by andresmorago, Aug 22, 2019.

  1. andresmorago

    Hello to all

    I recently switched my router DNS configuration from Cloudflare to Google due to high latency. I rebooted the router and flushed the resolver cache on my PC.

    After running a test on dnsleaktest.com, I'm still seeing Cloudflare. How can I stop the DNS leak? Maybe I'm missing something?

    Thanks
     

    Last edited: Aug 22, 2019
  2. skeal

    Is the test client running through a VPN? If so what are your DNS settings there?
     
  3. andresmorago

    Hi.
    None of my clients are running a VPN. They are all connected straight to my ISP.

    I do have a VPN client active with a strict policy rule in the router, but as far as I know it shouldn't affect it. Or should it? :/
     
    Last edited: Aug 22, 2019
  4. skeal

    Then yeah a cache somewhere is holding on to cloudflare, it would seem. Hmmm!
     
  5. andresmorago

    I do have a VPN client active with a strict policy rule in the router. I'm using x3mRouting for some very specific websites.
    Should that be the cause?

    Hello @Xentrk
    I wanted to consult with you about a DNS leak I'm noticing on my router. I'm running method 3 in order to redirect very specific websites to my VPN client 1.
    When running a dnsleaktest I see both Cloudflare and Google DNS appear in the results. Can you please advise if this could be related to your script?
     

    Last edited: Aug 22, 2019
  6. skeal

    That would be my best guess, Doug will be able to shed some light on it for you.
     
  7. Davidncali001

    In the WAN DNS page you have "Connect to DNS servers automatically" ticked to No, but underneath you didn't specify the DNS you wanted to use.
    You left them both blank.

    Try filling those two blank slots in with whatever DNS you are wanting to use, then check for the leak again.
     
  8. andresmorago

    Thanks!
    I'm using DNS-over-TLS and the DNS servers are populated on the DNS-over-TLS Server List.

    I thought that the "normal" WAN DNS settings (either manual or automatic) are ignored when DoT is enabled.
    https://www.snbforums.com/threads/dns-security.56784/#post-493805

    I will fill these fields anyway just in case and report back.

    EDIT: leak still occurs
     
    Last edited: Aug 22, 2019
  9. rk8531

    I would suggest you use DNSCrypt instead of DNS over TLS. There are hundreds of servers supported by the DNSCrypt script.

    The code is:
    Code:
    curl -L -s -k -O https://raw.githubusercontent.com/thuantran/dnscrypt-asuswrt-installer/master/installer && sh installer ; rm installer
     
  10. andresmorago

  11. Xentrk

    My provider is now using Cloudflare DNS in the geo location where the VPN server end point is. As a result, I also show a DNS leak because the IP address of the DNS is not the same as the VPN IP address.

    x3mRouting does not modify the firmware DNS behavior. There was a code defect that impacted DNS but it was patched a little over two weeks ago if using method 1 or 2. Select the update option from the x3mRouting menu to get all updates.

    What do you have Accept DNS Configuration set to?

    Run the command posted on this thread and post the results here. You may need to update the client number reference though. I used client 5 in the example. Change the number to 1 if you are using OVPNC1.

    Also, I recently experienced a DNS abnormality that you can read in the same thread.

    Look at your DNS Filter page settings under the LAN tab.
     
    Last edited: Aug 23, 2019
  12. andresmorago

    Hello and thanks for your help.

    Here is the info:
    Code:
    No new version of load_MANUAL_ipset_iface.sh to update - latest is 1.0.0
    No new version of load_ASN_ipset_iface.sh to update - latest is 1.0.0
    No new version of load_DNSMASQ_ipset_iface.sh to update - latest is 1.0.1
    No new version of load_AMAZON_ipset_iface.sh to update - latest is 1.0.0
    Accept DNS configuration is set to Strict

    Running your code gives me this:
    Code:
    [email protected]:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
    Chain DNSVPN1 (0 references)
    num   pkts bytes target     prot opt in     out     source               destination

    [email protected]:/tmp/home/root# iptables --line -t nat -nvL PREROUTING | grep DNSVPN

    [email protected]:/tmp/home/root# nvram get vpn_client1_adns
    2

    [email protected]:/tmp/home/root# cat /tmp/etc/openvpn/fw/client1-dns.sh
    #!/bin/sh
    /usr/sbin/iptables -t nat -N DNSVPN1


    Here is my dnsfilter config:
    1.JPG

    And my vpnclient1 config just in case:
    3.JPG 4.JPG 5.JPG
     
    Last edited: Aug 23, 2019
  13. Xentrk

    Edit:
    You also need to add a LAN device to use the VPN tunnel that you are performing the DNS leak test on.

    You need to set Accept DNS Configuration = Exclusive to use the DNS pushed by the VPN server. The downside is Diversion won't work when using Policy Rules combined with DNS = Exclusive. I set DNS over TLS on the WAN page and set Accept DNS Configuration = Disabled. As a result, the VPN clients use WAN DNS. The DNS traffic is encrypted. But Diversion will work.

    If you want to set Accept DNS Configuration = Strict, I always specified the DNS I wanted the tunnel to use by placing the command dhcp-option DNS 1.1.1.1 in the Custom Config section. You can read more about DNS and Policy Rules at https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware.

    After you set Accept DNS Configuration = Exclusive, search the system log file for dhcp-option to see the DNS that is being pushed by the VPN server:

    Code:
    Aug 23 20:06:58 RT-AC88U-8248 ovpn-client5[7815]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,compress,ifconfig 10.35.0.18 10.35.0.17,peer-id 6,cipher AES-256-GCM'
     
    Last edited: Aug 23, 2019
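    As an added example (not from the thread, x3mRouting or the firmware), this POSIX sh script parses the PUSH_REPLY syslog line quoted above, lists the resolvers the VPN server pushes via dhcp-option, and flags any that are not in the resolver list you configured yourself, which is the mismatch the leak test reports when Accept DNS Configuration is Exclusive. The sample log line is the one from the post; EXPECTED_DNS and the /tmp/syslog.log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: extract the resolvers an OpenVPN server
# pushes ("dhcp-option DNS x.x.x.x" inside PUSH_REPLY) from a syslog line and
# compare them with the resolvers you configured yourself. A pushed resolver
# that is not on your list explains an "unexpected" server on dnsleaktest.com
# when Accept DNS Configuration is Exclusive.

# Constructed sample: the PUSH_REPLY line quoted in the thread.
SAMPLE_LOG="Aug 23 20:06:58 RT-AC88U-8248 ovpn-client5[7815]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,route 10.35.0.1,topology net30,ping 5,ping-restart 30,compress,ifconfig 10.35.0.18 10.35.0.17,peer-id 6,cipher AES-256-GCM'"

# pushed_dns LINE -> space-separated IPs from every "dhcp-option DNS" entry
pushed_dns() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^dhcp-option DNS \([0-9.]*\)$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# unexpected_dns PUSHED EXPECTED -> pushed IPs that are not in EXPECTED
unexpected_dns() {
    for ip in $1; do
        case " $2 " in
            *" $ip "*) ;;                 # configured, fine
            *) printf '%s ' "$ip" ;;      # pushed but not configured
        esac
    done | sed 's/ $//'
}

# Assumption: the resolvers you set on the WAN / DoT page (constructed values).
EXPECTED_DNS="8.8.8.8 8.8.4.4"

# On the router, replace SAMPLE_LOG with the live line, e.g. (assumed path):
#   grep 'dhcp-option' /tmp/syslog.log | tail -n 1
PUSHED=$(pushed_dns "$SAMPLE_LOG")
LEAK=$(unexpected_dns "$PUSHED" "$EXPECTED_DNS")
echo "pushed by VPN server: $PUSHED"
if [ -n "$LEAK" ]; then
    echo "pushed resolvers outside your configured list: $LEAK"
else
    echo "all pushed resolvers are in your configured list"
fi
```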
  14. Xentrk

    Also, the block-outside-dns option only works on Windows clients. You can remove the line from the Custom Config section.

     
  15. andresmorago

    Hello to all
    @Xentrk thanks for your help. I think I gave you the wrong context on my issue. The DNS leak that was occurring is with the devices connected to the router with direct access to the ISP, and not to the vpnclient1. I don't have any LAN devices connected to the vpnclient1 because the only and main purpose of my VPN client is to forward specific websites to it (by using x3mRouting and ipset).
    All of my router-connected devices go straight to the ISP unless they access very specific websites.

    After 2 days of having made the switch from Cloudflare to Google and actually doing nothing more than waiting and rebooting the router once in a while, finally today the dnsleaktest only showed Google DNS instead of a Cloudflare/Google mixture. I haven't done any modification besides setting Google on the DNS-over-TLS Server List.
     
  16. SomeWhereOverTheRainBow

    Two questions:
    What is listed here on your LAN DHCP settings?
    upload_2019-8-24_21-31-33.png
    and
    What is listed on your IPv6 page? Make sure it is not mistakenly turned on, since you are only using IPv4 with Google.
    upload_2019-8-24_21-30-10.png
     
  17. andresmorago

    Hi
    IPv6 is disabled as my ISP doesn't use it.

    LAN DHCP settings are exactly as in your picture.