[solved] DNS Leak with VPN Client


Spaghetti_Jack

Occasional Visitor
I have a constant DNS leak while using the VPN Client.

What did I set up wrong?

printscreens:
- VPN Client
- WAN internet Connection
- LAN DHCP server

[attached screenshots: dnsleak.png, dnsleak2.png, dnsleak3.png]

rxman4453

New Around Here
Try using your vpn's dns servers.
 

New2This

Senior Member
Change your Accept Dns config from Disabled to Exclusive
 

Spaghetti_Jack

Occasional Visitor
Yes, it works; there is no leak any more.

However, I used STRICT for that:

  • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order. Existing DNS servers are only used if VPN provided ones don’t respond.
  • Exclusive: Only the pushed VPN provided DNS servers are used.

Unfortunately I don't completely understand the difference between those two. Could you please sketch it for me in 3 simple sentences?
 

Spaghetti_Jack

Occasional Visitor
Could I understand it as EXCLUSIVE having a 'kill switch' while STRICT does not?
 

RMerlin

Asuswrt-Merlin dev
Exclusive means all DNS traffic is forced to use the VPN's servers by redirecting all DNS queries to it through NAT.

Strict means that dnsmasq will know both the VPN and the ISP DNS servers, and will try them in order. If one fails, then the query will be sent to the other servers, meaning that any of these servers can be used at any time.
 

Spaghetti_Jack

Occasional Visitor
Now I hear you loud and clear - was it you who wrote the GitHub policy?
It seems that for the sake of having VPN, in fact `Exclusive` is the one that interests us - the users.
Thank you

Solution for the future:
VPN -> VPN Client configuration:
1) Accept DNS Configuration: Exclusive
2) Force Internet Traffic through Tunnel: YES
 

MvW

Senior Member
> It seems that for the sake of having VPN, in fact `Exclusive` is the one that interests us - the users.

I think that statement is too bold.

It's simply a personal preference, depending on the scenario which applies to you. I have the VPN DNS servers set to Disabled, because I specifically do *not* want them to be used. I'm using the NextDNS CLI Client and have a ProtonVPN subscription. NextDNS provides parental controls, logging, black- and whitelisting, and broad insights into how my kid uses his Internet, regardless of whether he's at home or at school. At home he's connected through the tunnel of the router; when on his way, as soon as he gets out of range of our trusted wifi networks, an app called Passepartout (which allows a custom DNS server) immediately rebuilds a connection to ProtonVPN. That way I feel a lot safer. So, in my case, I specifically prefer to use another DNS than the one my VPN provider provides. Not only are they slower, they also lack the many possibilities NextDNS offers me. So it's all a personal preference, based on what you want to achieve.
 

RMerlin

Asuswrt-Merlin dev
And some people do use VPN clients for their real intended purpose: to remotely link with a remote network such as your office's. In such cases, you do not want to use exclusive DNS, as it would break local resolution. You want the VPN DNS just added to your local DNS, and rely on the domain to determine which DNS server to use for your queries (local or remote).
 
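The two explanations from RMerlin above (Exclusive redirects every query to the VPN's resolver through NAT; Strict lets dnsmasq know both server sets and fall back between them; an office VPN instead wants the VPN DNS merely added, with the domain deciding which server answers) can be made concrete with a small model. The following is an added example written for this thread; it is not code from Asuswrt-Merlin or from anyone in the discussion. The addresses (`203.0.113.53`, `10.8.0.1`, `10.8.0.53`), the `nas.lan` host and the `corp.example` suffix are constructed sample values, and `Forwarder`, `resolve` and `leak_report` are names chosen here, not the router's own. The model goes slightly beyond the posts by also showing dnsmasq-style per-domain forwarding (`server=/suffix/ip`), which is the mechanism the "rely on the domain" remark refers to.

```python
from dataclasses import dataclass, field

# Constructed sample values; none of these come from the thread.
ISP_DNS = ["203.0.113.53"]                  # resolver learned from the WAN connection
VPN_DNS = ["10.8.0.1"]                      # resolver pushed by the VPN server
CORP_DNS = "10.8.0.53"                      # a remote office's internal resolver
LOCAL_NAMES = {"nas.lan": "192.168.1.10"}   # LAN host the router's dnsmasq knows itself


@dataclass
class Forwarder:
    """Toy model of the router's DNS path under one 'Accept DNS Configuration' mode."""
    mode: str                                           # "disabled", "strict" or "exclusive"
    domain_servers: dict = field(default_factory=dict)  # dnsmasq-style server=/suffix/ip

    def upstreams(self) -> list:
        """Ordered list of upstream servers dnsmasq would try."""
        if self.mode == "disabled":
            return list(ISP_DNS)
        if self.mode == "strict":
            return list(VPN_DNS) + list(ISP_DNS)    # VPN first, ISP kept as fallback
        if self.mode == "exclusive":
            return list(VPN_DNS)                    # nothing else is reachable
        raise ValueError(f"unknown mode {self.mode!r}")

    def resolve(self, name: str, alive: set) -> tuple:
        """Return (answering server, leaked) for one query.

        `alive` is the set of servers currently responding. `leaked` is True
        when the answer came from the ISP resolver, i.e. outside the tunnel.
        """
        if self.mode == "exclusive":
            # NAT redirect: every client query on port 53 is rewritten to the VPN
            # resolver, so dnsmasq's own LAN records and per-domain rules are
            # never consulted. A remote resolver cannot answer "nas.lan", which
            # is the "breaks local resolution" effect described in the thread.
            for server in VPN_DNS:
                if server in alive:
                    return server, False
            return None, False                      # fails closed: no fallback at all
        if name in LOCAL_NAMES:
            return "local", False                   # answered by dnsmasq itself
        for suffix, server in self.domain_servers.items():
            if name == suffix or name.endswith("." + suffix):
                return (server, False) if server in alive else (None, False)
        for server in self.upstreams():
            if server in alive:
                return server, server in ISP_DNS    # ISP answering == leak
        return None, False


def leak_report(mode: str, names: list, alive: set, domain_servers=None) -> dict:
    """Map each queried name to (answering server, leaked) under one mode."""
    fwd = Forwarder(mode, domain_servers or {})
    return {name: fwd.resolve(name, alive) for name in names}


if __name__ == "__main__":
    everything_up = set(ISP_DNS + VPN_DNS + [CORP_DNS])
    vpn_dns_down = set(ISP_DNS + [CORP_DNS])
    names = ["example.com", "nas.lan"]
    for mode in ("disabled", "strict", "exclusive"):
        print(f"{mode:9} all up:       {leak_report(mode, names, everything_up)}")
        print(f"{mode:9} VPN DNS down: {leak_report(mode, names, vpn_dns_down)}")
    # Office-VPN use case: VPN DNS only added, the corp suffix steers queries to it
    split = {"corp.example": CORP_DNS}
    print("strict + split:", leak_report("strict", ["intranet.corp.example"] + names,
                                         everything_up, split))
```

Running it shows the three behaviours the thread argues about: in Disabled mode every query is answered by the ISP resolver (the leak the original post reported); in Strict mode the VPN resolver answers while it is up, but the moment it stops responding the ISP resolver silently takes over; in Exclusive mode the same outage makes resolution fail closed, and LAN names such as `nas.lan` are sent to the remote resolver, which cannot answer them. The split-DNS line is the office scenario: `intranet.corp.example` goes to the corporate resolver and everything else stays on the normal path.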

Spaghetti_Jack

Occasional Visitor
> I think that statement is too bold.
>
> It's simply a personal preference, depending on the scenario which applies to you. I have the VPN DNS servers set to Disabled, because I specifically do *not* want them to be used. I'm using the NextDNS CLI Client and have a ProtonVPN subscription. NextDNS provides parental controls, logging, black- and whitelisting, and broad insights into how my kid uses his Internet, regardless of whether he's at home or at school. At home he's connected through the tunnel of the router; when on his way, as soon as he gets out of range of our trusted wifi networks, an app called Passepartout (which allows a custom DNS server) immediately rebuilds a connection to ProtonVPN. That way I feel a lot safer. So, in my case, I specifically prefer to use another DNS than the one my VPN provider provides. Not only are they slower, they also lack the many possibilities NextDNS offers me. So it's all a personal preference, based on what you want to achieve.

> And some people do use VPN clients for their real intended purpose: to remotely link with a remote network such as your office's. In such cases, you do not want to use exclusive DNS, as it would break local resolution. You want the VPN DNS just added to your local DNS, and rely on the domain to determine which DNS server to use for your queries (local or remote).

Both are true, rabbit holes are deep, oceans where the whales live are wide
 
