Open VPN and DNS Issue

Aaron_A

Occasional Visitor
Hello,

This is my first post on these very helpful forums. In the past I have learned a great deal from posts and replies on this website, however I currently have an issue for which I have not been able to find a solution.

I have an ADSL home internet connection (PPPoE), using a D-Link DSL-2888A modem-router (running in bridge mode) connected to an ASUS AC5300 wireless router (ASUS-Merlin 384.5 firmware).

I have one Open VPN server running, with 3 Open VPN clients (Australia, USA, New Zealand). I only ever use one client at a time, however for various reasons I need to use each at certain times.

Despite having "Accept DNS Configuration" set to "Exclusive" in the open VPN client settings, whenever I run a test on www.dnsleaktest.com, it displays that I am in New Zealand or Australia (depending which client I am using), however the end of the test shows that the server that I am connected to is my usual DNS server that is specified in the WAN settings of the router.

So my question is: how can I force the router to use the DNS server of the Open VPN client that I am connected to, instead of the specified DNS server in the WAN settings page?

Thank you for taking the time to read this post. Please advise if additional information, screenshots, or clarification is required.
 
Despite having "Accept DNS Configuration" set to "Exclusive" in the open VPN client settings, whenever I run a test on www.dnsleaktest.com, it displays that I am in New Zealand or Australia (depending which client I am using), however the end of the test shows that the server that I am connected to is my usual DNS server that is specified in the WAN settings of the router.
Do you get the same results using https://ipleak.net/
and check the following command output:
e.g. assumes VPN Client 1 is currently ACTIVE; if not, use the appropriate VPN Client instance, i.e. 1, 2 or 3
Code:
iptables --line -t nat -nvL DNSVPN1
 
Thank you both for reading and responding to my post. I appreciate it. Unfortunately, however, the suggestions you put forth did not solve the problem - my connection is still using the DNS servers listed in the WAN settings instead of using the VPN provider's DNS servers. I'm starting to tear my hair out.

I read every post from http://linksysinfo.org/index.php?threads/dns-leak.73296/ which was interesting and very relevant to my situation, however I could not seem to solve my issue using steps implemented by those folks.

I did check https://ipleak.net/ and it described the same results as www.dnsleaktest.com

Then I copied iptables --line -t nat -nvL DNSVPN1 into the custom config section of the Open VPN. Unfortunately this did not manage to force use of the VPN provider's DNS servers either.

Are there any other options that I could try? So far I have really enjoyed my ASUS VPN router, however this is the first issue that I have been unable to resolve relatively quickly, thus it's been causing me some grief. I am happy to post screenshots of my settings if that may help diagnosis.
 
I copied iptables --line -t nat -nvL DNSVPN1 into the custom config section of the Open VPN. Unfortunately this did not manage to force use of the VPN provider's DNS servers either.

'iptables' is a command and does not go into the OpenVPN custom config panel, but is entered at the SSH command prompt.

I regularly run multiple VPN Clients concurrently, and the command below shows:

VPN Client 1 DNS=104.xxx.xxx.xxx and LAN device 172.16.1.1 is routed via VPN Client 1 and uses this DNS
VPN Client 3 DNS=207.xxx.xxx.xxx and LAN device 172.16.3.1 is routed via VPN Client 3 and uses this DNS
VPN Client 5 DNS=23.xxx.xxx.xxx and LAN device 172.16.5.1 is routed via VPN Client 5 and uses this DNS
Code:
iptables --line -t nat -nvL DNSVPN1 2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null;iptables --line -t nat -nvL DNSVPN3 2>/dev/null;iptables --line -t nat -nvL DNSVPN4 2>/dev/null;iptables --line -t nat -nvL DNSVPN5 2>/dev/null;iptables --line -t nat -nvL DNSVPN9 2>/dev/null
 
 
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104xxx.xxx.xxx

Chain DNSVPN3 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.3.1           0.0.0.0/0            to:207.xx.xxx

Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 DNAT       all  --  *      *       172.16.5.1           0.0.0.0/0            to:23.xxx.xxx.xxx



You could try and use Selective Routing to explicitly force ALL of your LAN (devices except the router) to use the VPN DNS:



You can then use the 'iptables' command to check the DNSVPNX table to see if the LAN devices are in the table.
 
Thank you very much for your response. I must admit that I am fairly new to the world of networking. What strikes me is that there must be a more simple method, within the router settings page, to force use of the VPN provider's DNS servers. I would have thought this to be a common desire of people using VPN routers. I have already set the "Accept DNS" configuration to "Exclusive". You would think that would be the solution, as the router is meant to use the VPN DNS servers exclusively. This, however, is not the case for me, and makes me think that there must be another setting somewhere that is forcing the router to use the DNS servers listed in the WAN settings page.
 
I have an ADSL home internet connection (PPPoE), using a D-Link DSL-2888A modem-router (running in bridge mode) connected to an ASUS AC5300 wireless router (ASUS-Merlin 384.5 firmware).

I have one Open VPN server running, with 3 Open VPN clients (Australia, USA, New Zealand). I only ever use one client at a time, however for various reasons I need to use each at certain times.

Despite having "Accept DNS Configuration" set to "Exclusive" in the open VPN client settings, whenever I run a test on www.dnsleaktest.com, it displays that I am in New Zealand or Australia (depending which client I am using), however the end of the test shows that the server that I am connected to is my usual DNS server that is specified in the WAN settings of the router.

So my question is: how can I force the router to use the DNS server of the VPN provider that I am connected to, instead of the specified DNS server in the WAN settings page?

Thank you for taking the time to read this post. Please advise if additional information, screenshots, or clarification is required.
 
What strikes me is that there must be a more simple method, within the router settings page, to force use of the VPN provider's DNS servers. I have already set the "Accept DNS" configuration to "Exclusive"

If you only run one VPN Client at a time, then if 'Routing Policy=ALL' then in my experience, setting 'Accept DNS Configuration=Relaxed' or 'Accept DNS Configuration=Strict' works as you would expect.

Did you try changing the 'Accept DNS Configuration' setting ?
 
The use of online DNS leak testing tools typically don't produce accurate results when you're working w/ a router that provides a local DNS proxy (e.g., DNSMasq). Every client is configured w/ the local DNS proxy (e.g., 192.168.1.1) for their local IP config. So every DNS request is sent up to the proxy, which then accesses one or more public DNS servers on behalf of that client. As such, it's *impossible* for any online DNS leak testing tool to know w/ any accuracy which DNS server(s) that client is using. In order to be accurate, it would have to interrogate the router, not the client, which it can't do, since WebRTC (which makes all this possible) is only running on the client, NOT the router.

That's why these online DNS leak testing tools are worthless when dealing w/ the router, at least w/ those routers providing a DNS proxy like DNSMasq. The *only* way to know for sure which DNS servers are being used is to dump connection tracking on the router and see where the DNS queries (dport=53) of DNSMasq on the router are being sent on the client's behalf.

From a shell (telnet/ssh), you can use the following command to track those DNS queries.

Code:
cat /proc/net/ip_conntrack | grep ' dport=53 '

What you'll typically see is the initial DNS query from the client to the router, then the router generating a DNS query on behalf of that client to one or more public DNS servers. It's this secondary connection that you're looking for, and the public IP of the DNS server it's attempting to access. If it's the public IP of your ISP's DNS server(s), then yes, you have a leak. OTOH, if it's the IP from your DNS provider, you don't have a leak.
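As an added illustration of the conntrack check described above (this is not code from the thread or from the Merlin firmware), the script below filters dport=53 flows out of /proc/net/ip_conntrack, drops the client-to-dnsmasq hop, and labels each upstream resolver as the WAN-page DNS or the VPN provider's DNS. The router LAN address, the two DNS server lists and the sample conntrack lines are all constructed assumptions using documentation address ranges.

```shell
#!/bin/sh
# Assumed values (not from the thread): router LAN address, the DNS servers
# configured on the WAN page, and the VPN provider's resolver.
ROUTER_LAN=192.168.1.1
WAN_DNS="203.0.113.53 203.0.113.54"
VPN_DNS="198.51.100.53"

# Constructed sample in /proc/net/ip_conntrack format: a client->router query,
# a router->VPN-DNS query, a router->WAN-DNS query (the leak) and a non-DNS flow.
SAMPLE='udp      17 28 src=192.168.1.20 dst=192.168.1.1 sport=50123 dport=53 packets=1 bytes=61 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=50123 packets=1 bytes=77 mark=0 use=2
udp      17 27 src=10.8.0.6 dst=198.51.100.53 sport=43210 dport=53 packets=1 bytes=61 src=198.51.100.53 dst=10.8.0.6 sport=53 dport=43210 packets=1 bytes=77 mark=0 use=2
udp      17 26 src=100.64.7.9 dst=203.0.113.53 sport=43211 dport=53 packets=1 bytes=61 src=203.0.113.53 dst=100.64.7.9 sport=53 dport=43211 packets=1 bytes=77 mark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.0.2.10 sport=52000 dport=443 packets=10 bytes=2000 src=192.0.2.10 dst=192.168.1.20 sport=443 dport=52000 packets=9 bytes=9000 [ASSURED] mark=0 use=2'

# Read conntrack text on stdin; print the destination of every dport=53 flow
# whose destination is not the router itself, i.e. the queries dnsmasq
# forwarded upstream on a client's behalf (the "secondary connection").
upstream_dns() {
    grep ' dport=53 ' | awk -v lan="$ROUTER_LAN" '{
        d = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^dst=/) { split($i, a, "="); d = a[2]; break }
        if (d != "" && d != lan) print d
    }' | sort -u
}

# Label each upstream resolver: WAN-LEAK (from the WAN page), VPN (expected)
# or UNKNOWN (something else worth investigating).
classify_dns() {
    upstream_dns | while read -r ip; do
        label=UNKNOWN
        for w in $WAN_DNS; do [ "$ip" = "$w" ] && label=WAN-LEAK; done
        for v in $VPN_DNS; do [ "$ip" = "$v" ] && label=VPN; done
        echo "$ip $label"
    done
}

# On the router you would pipe the live table instead of the sample:
#   cat /proc/net/ip_conntrack | classify_dns
printf '%s\n' "$SAMPLE" | classify_dns
```

Any line labelled WAN-LEAK while a VPN client is active is the leak the post describes; the tool's report is irrelevant if this list shows only VPN resolvers.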
 
Thanks for your reply. However, I must say that I disagree because of the following reason.
When I select OpenVPN Client 2: USA, the DNS leak websites all display the American DNS server of my VPN provider. It is only while connected to the Australian and New Zealand OpenVPN clients that the default DNS servers are in use. This shows that it is possible to use the DNS server of the VPN provider, and have it recognized by the various DNS leak websites. So why can the USA client work properly, while the Australian and New Zealand ones revert to the DNS specified in the WAN settings?
 
Thanks for your reply. However, I must say that I disagree because of the following reason.

When I select OpenVPN Client 2: USA, the DNS leak websites all display the American DNS server of my VPN provider. It is only while connected to the Australian and New Zealand OpenVPN clients that the default DNS servers are in use. This shows that it is possible to use the DNS server of the VPN provider, and have it recognized by the various DNS leak websites. So why can the USA client work properly, while the Australian and New Zealand ones revert to the DNS specified in the WAN settings?

In my experience in trying to use these online DNS leak test tools, I've found that sometimes they're just guessing. Since they don't have access to the actual DNS servers you're using (again, this information is buried in DNSMasq), I believe they look at the public IP. Then do some geo-location w/ that IP, determine who controls that IP, look in their database of known DNS servers used by that ISP or VPN provider, and report it. Sometimes they guess correctly, sometimes they don't. And if it happens they don't have anything in their database regarding that IP, they probably just guess again and find the most likely ISP or VPN provider you would be using in that region.

At the end of the day, it doesn't really matter what these online tools are reporting anyway. You have access to absolute, first-hand proof of which DNS servers are being accessed by examining connection tracking in the router. Doesn't matter a lick what these tools tell you if connection tracking reports otherwise. At best, it's second-hand information.

When I examine what the router is using for port 53 (DNS) connections, and try to match that up to what the online testing tools are reporting, it's painfully obvious they haven't a clue and are just guessing. That's why when using a router w/ a local DNS proxy (e.g., DNSMasq), these tools often prove unreliable. Yes, it's a hassle and even a bit confusing to deal w/ the connection tracking system on the router, but *it* is the final word on which DNS servers are in use. The only way that wouldn't be the case is if your router's DHCP server wasn't using DNSMasq as the assigned DNS server on the client, but instead the client was receiving public DNS assignments directly (verifiable on Windows w/ the ipconfig /all command). And it is possible to configure DHCP in DNSMasq to work that way. However, it's not the default configuration.

So we could debate all day just how accurate these online DNS leak tools really are, but given the choice of examining first-hand information from connection tracking vs. second-hand information from online tools, I'll take the former every time.
 
Thanks again for your response. While I agree with you that these online DNS leak tools may not always be accurate, I find it hard to believe that they consistently "guess" the exact same DNS server (which happens to be the very DNS server listed in my router's WAN settings page) for my Australia and New Zealand openVPN clients, yet report the accurate server for my USA client.

I am thinking more that some of my router settings must be configured incorrectly to achieve what I want. From what I can gather there is no difference in the settings for my USA client vs Aus/NZ that should account for the reporting of correct/incorrect DNS server in use.
 