NordVPN and DNS

I'm trying to get x3mRouting working, but at every turn, when I take DNS config off "Exclusive", it fails and I see DNS leaks.
I'm using NORD and EXPRESS. I've just read through eibgrad's posts. I did a "what's my IP" and DNS leak test using Express's app. My IP address is the same as reported by the OVPN client window. When I check for DNS leaks, my IP address appears as one of the Express DNS servers. It's the same every time, and it's the same if I test with dnsleaks.
So I took all 3 addresses and put them in the "Destination IP" field. See pic. Is that correct? Then I set DNS config to Disabled, Relaxed, Strict, and retest with the Express leak test, but every time it shows me the DNS configured on the router, and unblocking services doesn't work. What am I doing wrong? Just in the context of DNS, I mean :)

Online DNS leak tests are notoriously unreliable (I assume that's what you're using), particularly when it comes to the router. The only way to know w/ 100% certainty if you have a DNS leak is to check w/ connection tracking to see specifically which network interface is being used for port 53.

 
Yes, I used Express vpn's own app, and online dnsleak. Both show a UK IP address and DNS servers, the results are exactly the same. When I change the DNS config to anything but Exclusive, both tests show DNS leaks, and unblocking stops working, when it DOES work when DNS is set to Exclusive. I don't even have x3mRouting loaded at the moment.
However, I hear what you're saying, so how do I go about connection tracking to see which interface port 53 is using?
 
I use ExpressVPN myself, and I know for a fact their own DNS leak testing tool is pure nonsense. All it does is take notice of whether your public IP is owned by them, then assume you're using their DNS server(s).

As I indicated in that link above, you can use SSH to get into the router and dump connection tracking. What's of interest is all udp/tcp traffic w/ a destination port of 53. For each record, there are two pairs of src/dst fields, and the dst field on the second pair is the IP to which the DNS replies are being sent. IOW, either your public IP on the WAN, or private IP on the VPN. What you want to see, of course, is the latter. As long as all your DNS queries have their replies being sent back to the VPN's local IP, you know w/ certainty those DNS queries are being sent over the VPN, regardless of what any other tools may be telling you to the contrary.
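The connection-tracking check described above, as an added example (shell; not code from the post, from x3mRouting or from the Merlin firmware). It reads conntrack entries, keeps the flows whose original direction targets port 53, and labels each one by the address in the second dst= field: the tunnel address means the query went over the VPN, the WAN address means it went out the ISP. The tun11 interface name, the nvram variable, the WAN/tunnel/LAN addresses and the sample table are assumptions made for the illustration.

```shell
# Added example (not from the original post): classify the router's live DNS
# flows by the address their replies return to. On an Asuswrt-Merlin router the
# table lives at /proc/net/nf_conntrack (older firmware: /proc/net/ip_conntrack).
# The WAN and tunnel addresses are inputs; on a real router obtain them with
#   nvram get wan0_ipaddr
#   ip -4 addr show tun11 | awk '/inet /{sub("/.*","",$2); print $2}'
# (tun11 = first OpenVPN client on Merlin; assumed here, check yours).

# dns_reply_targets: filter conntrack lines on stdin to flows whose original
# direction is to port 53 and print "<proto> <client> <resolver> <reply-dst>".
# Each entry carries two src=/dst= pairs; the second is the reply tuple after
# NAT, so its dst= is where the resolver's answers are delivered.
dns_reply_targets() {
    awk '
    {
        n = 0; proto = "?"
        split("", src); split("", dst); split("", dport)
        for (i = 1; i <= NF; i++) {
            if ($i == "udp" || $i == "tcp") proto = $i
            if ($i ~ /^src=/)   { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/)   dst[n] = substr($i, 5)
            if ($i ~ /^dport=/) dport[n] = substr($i, 7)
        }
        if (n == 2 && dport[1] == "53")
            print proto, src[1], dst[1], dst[2]
    }'
}

# classify_dns WAN_IP TUN_IP: tag each DNS flow
#   VPN   reply returns to the tunnel address (query left via the VPN)
#   LEAK  reply returns to the WAN address    (query left via the ISP)
#   LOCAL reply returns to the LAN client     (dnsmasq's own listener, not an upstream query)
#   OTHER anything else (a second tunnel, an unexpected address)
classify_dns() {
    wan="$1"; tun="$2"
    dns_reply_targets | while read -r proto client resolver reply; do
        case "$reply" in
            "$tun")    verdict=VPN ;;
            "$wan")    verdict=LEAK ;;
            "$client") verdict=LOCAL ;;
            *)         verdict=OTHER ;;
        esac
        printf '%s %s %s -> %s reply to %s\n' "$verdict" "$proto" "$client" "$resolver" "$reply"
    done
}

# leak_count WAN_IP TUN_IP: number of DNS flows whose replies go to the WAN address
leak_count() {
    classify_dns "$1" "$2" | grep -c '^LEAK '
}

# Constructed sample in /proc/net/nf_conntrack layout (not captured from a real
# router). WAN 203.0.113.7, tunnel 10.8.0.6 and LAN 192.168.2.0/24 are made up.
# Line 6 is the router's own dnsmasq forwarding upstream from the tunnel address.
SAMPLE_CONNTRACK='ipv4     2 udp      17 25 src=192.168.2.50 dst=1.1.1.1 sport=40123 dport=53 packets=1 bytes=65 src=1.1.1.1 dst=10.8.0.6 sport=53 dport=40123 packets=1 bytes=121 mark=0 use=2
ipv4     2 udp      17 17 src=192.168.2.51 dst=8.8.8.8 sport=51002 dport=53 packets=1 bytes=70 src=8.8.8.8 dst=203.0.113.7 sport=53 dport=51002 packets=1 bytes=134 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.2.50 dst=198.51.100.20 sport=49212 dport=443 packets=12 bytes=2400 src=198.51.100.20 dst=10.8.0.6 sport=443 dport=49212 packets=10 bytes=8000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 3 TIME_WAIT src=192.168.2.52 dst=1.0.0.1 sport=55011 dport=53 packets=5 bytes=400 src=1.0.0.1 dst=10.8.0.6 sport=53 dport=55011 packets=4 bytes=600 [ASSURED] mark=0 use=2
ipv4     2 udp      17 9 src=192.168.2.50 dst=192.168.2.1 sport=33000 dport=53 packets=1 bytes=60 src=192.168.2.1 dst=192.168.2.50 sport=53 dport=33000 packets=1 bytes=110 mark=0 use=2
ipv4     2 udp      17 21 src=10.8.0.6 dst=1.1.1.1 sport=44010 dport=53 packets=1 bytes=60 src=1.1.1.1 dst=10.8.0.6 sport=53 dport=44010 packets=1 bytes=110 mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.2.50 dst=10.8.0.1 type=8 code=0 id=1234 src=10.8.0.1 dst=10.8.0.6 type=0 code=0 id=1234 mark=0 use=2'

# Stand-alone run on the sample. On the router, feed the live table instead:
#   classify_dns "$WAN_IP" "$TUN_IP" < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_dns 203.0.113.7 10.8.0.6
```

Run it in a loop while you browse (or wrap it in `watch`) and trigger lookups from a LAN client; a single LEAK line during a period when the tunnel is up is the leak, whatever the online testers report. Flows tagged LOCAL are clients talking to dnsmasq on the router and are expected; it is dnsmasq's upstream forwards and any clients configured to bypass it that have to come back VPN.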
 
Once again, sorry. I must learn to read first, jump second....
I had noticed Express's leak check only reported favourable results when connected via their servers, so I was suspicious...
I'll take a look at the link and do some testing/investigating.
I should probably come clean and explain my setup here. I have an RT-N66U connected to my ISP. The DNS on that router is ExpressVPN's MediaStreamer. Then, LAN to WAN, I have an AC86U downstream, whose DNS server is the N66U, on a different subnet. That's obviously running Merlin. The N66U is stock.
Aside from the testing, I think you're suggesting I set the WAN DNS to something like Cloudflare, and put those same addresses in the destination field of the ovpn config. Does x3mRouting prb have to be installed/running, or will this work purely with Merlin and split tunneling? And am I screwing things up with my setup, MediaStreamer DNS addresses, and if so, is there a way round that?
 
I don't know the first thing about ExpressVPN MediaStreamer. DNS can get very complex in terms of configuration if you start adding other things into the mix, including third-party scripting, like x3mRouting. All I can tell you is that when it comes to the fundamentals of configuring DNS in a typical scenario (i.e., Merlin router using DNSMasq and a VPN client), you can't depend on typical online leak testing tools to know where your DNS is being routed. And given the lack of control you may have as to how DNS is configured due to all the players involved, I find it best to specify custom DNS servers on the WAN, bind them to the VPN using policy based routing (I'd prefer to use static routes, but as I said earlier, w/ Merlin that's not possible because he strips these out for some reason), and specify Disabled for "Accept DNS configuration". Now it's a simple case of those being the only DNS servers available, and being either bound to the WAN when the VPN is inactive, or bound to the VPN when the VPN is active. Beyond that, once you start adding in third-party scripting, letting the router or VPN control DNS servers, etc., it becomes a mess and nearly impossible for someone else to debug.
 
Understood. Thanks for the no-nonsense explanation.
MediaStreamer is setting the router WAN DNS to an Express DNS, which geolocates me in the USA, unblocks most TV services, but leaks.
I like your DNS approach, but it sort of defeats my objective, as some of my connections only work over Express, some only over NORD, and some work over MediaStreamer. So I'll end up constantly switching between routers and VPNs anyhow, which is what I'd hoped to avoid.
I see I can set 2 router WAN DNS addresses. Can I set 2 different addresses and bind to one for one pbs VPN, and another for a second pbs VPN? (Even as I'm asking, I'm wondering how it will help.) How does the router choose which DNS when no rules are active? Is it simply primary/secondary?
 