VPN on Router Failing when Connecting to Disney Plus

georgev

Occasional Visitor
I have a dedicated IP with NordVPN and I have an .ovpn config on my RT-AX86U (running Merlin) to put all of my traffic over that VPN. Everything has been going great. However, just recently, I can no longer log into Disney+ on my network! I try to hit the login page, and it says Disney+ has encountered an issue!

I've done my best to troubleshoot, but I'm at my wit's end. Here was my troubleshooting so far:

Q: Disney+ could be down?
A: Negative

Q: Maybe my Dedicated IP has been blacklisted!
A: I can VPN to my Dedicated IP via client software on my Android phone and Linux laptop via the same technology/protocol as my router's connection (OpenVPN/UDP), and it works when I VPN on the client device!

Q: Maybe there is a DNS leak? Maybe some general DNS funkiness? I do run a PiHole as the DNS on my network.
A: On the client devices, I can put in public DNS servers (Cloudflare, NordVPN's DNS servers, etc.) and I still have the same issue. On my Linux machine, I changed `/etc/resolv.conf` to exactly match what it gets set to when I connect to my VPN with the Nord client software (`nameserver 103.86.96.100` and `nameserver 103.86.99.100`). No luck.

Q: Browser caches? App caches?
A: Yeah... that's why this has taken so long! I have been clearing those. However, I don't think I need to, because when I switch the client NordVPN software on/off, I see immediate results in my browser by just refreshing the login page (it works with the client software on, and doesn't with the client software off).

So that's about as far as I got. I'm wondering if it could be a DoT or DoH thing? But I'm not really sure how to flip that switch on/off or how to tell if that switch is getting flipped on/off when I turn on/off the NordVPN client software. I really doubt it since I would think that's something my browser is in control of? Or maybe not? I think I've tried every combination of `Enable DNS Rebind protection`, `Enable DNSSEC support`, and `Prevent client auto DoH` (I've landed on "No" for all of those, which I think is where I started).

Does anyone have any tips to help me run this down?
 
Well... everything is working now... I swear I didn't change anything recently, but changing my "Accept DNS Configuration" on my VPN client connection (on the router) from "Strict" to "Exclusive" fixed everything.

I didn't have any DNS leaks before (I'm currently in India and all of my Cloudflare DNS servers showing up were in the US... wait... are there only Cloudflare DNS servers in the US?). My thinking was I didn't want the VPN to do something where it pushed a DHCP config to my clients to make them use a DNS that wasn't my Pi-hole, but I see that even when I have this set to exclusive it doesn't affect my DNS.

So, pivoting my question (and with the atmospheric that I am now a happy camper), what changes when this "Accept DNS configuration" is set to "Exclusive"? Is it just that it changes the /etc/resolv.conf on my router to whatever DNS servers are pushed by the VPN server I'm connecting to? Do we think that when it was set to "Strict" that Disney+ tried to connect to the VPN recommended servers, took too long, then fell back to a "local" option in the resolv.conf and used a DNS server that bypassed the "all traffic through the VPN" rule?
 
If after trying Colin's suggestion you can connect then contact NordVPN and ask them if they have a server that hasn't been blocked by Disney.
 
Sorry, I have a response that is currently awaiting moderator approval that clears things up a bit. The problem was that my VPN client "Accept DNS Configuration" was set to "Strict" instead of "Exclusive". So now I have a question of "what does that setting really do" that is asked in my "moderator pending" post. If the first post gets approved you can delete this one!
 
If you place your mouse pointer over the words "Accept DNS Configuration" a question mark will appear. Click the mouse button and some help text will appear explaining the options.
 
Roger that. I understand how "Accept DNS Configuration" options impact my `/tmp/resolv.dnsmasq` file. I get that on strict it is:

`nameserver [what the VPN server pushed]`
`nameserver [what was there before]`

and on exclusive it is:

`nameserver [what the VPN server pushed]`

I would think this would affect how DNS is resolved if I used the router (the DNSMasq server on the router) as my DNS. What I'm confused about is how that makes any difference if my client device's `/etc/resolv.conf` only contains nameservers that are public (not even checking local records). I would think if my `/etc/resolv.conf` literally just has `nameserver 8.8.8.8`, that the `/tmp/resolv.dnsmasq` on the router would make no difference! Therefore, I'm wondering if there is something I'm not grasping about something else happening in the background when I select `Accept DNS Configuration = exclusive`. Does anyone know the impact of this setting beyond changing the content of `/tmp/resolv.dnsmasq`?
 
dnsmasq does not use /etc/resolv.conf. All your LAN clients use dnsmasq, only the router itself uses /etc/resolv.conf.
 
Yep, I'm tracking that and I don't think my router's /etc/resolv.conf is part of this puzzle. In my last post the only /etc/resolv.conf I was attempting to refer to was the one on my client device.

Perhaps I could refactor the question a bit. My understanding of this Accept DNS Configuration setting is this: it literally only changes the resolv.dnsmasq file, which literally only changes the resolv.conf file of clients that point to the router's dnsmasq server as their DNS server. Therefore, instead of changing this "Accept DNS Configuration" setting to view what happens on my client device, shouldn't I be able to just change the client's resolv.conf to mimic such a change? Or am I missing some part of what happens behind the scenes when this setting is set?

Furthermore, unless I'm missing something, I don't see how this setting could affect clients that don't point to the router as a DNS server! I would think this setting has no impact on a device that has only public DNS servers in its resolv.conf! Outside of any fancy dns director setting on the router, that is.

So that's what I'm scratching my head about at the moment... this setting is the difference between my Disney+ working or not, despite my devices not using my router for a DNS server. Sure, there's a Pi-hole that needs an upstream server, but I have that pointed at public DNS servers, not at the router. Also, the OS that is running the Pi-hole doesn't have the router in its resolv.conf.
 
I've learned a bit more about what is happening here!

When I set the "Accept DNS Config" setting to "exclusive", clients on subnets NO LONGER use the DHCP-set DNS server! In Merlin (3004.388.8_4), I have guest networks. I'm looking at one guest network in particular (wl1.1), but it seems to be doing this with wl0.1 and the vpn client (OVPN TUN). In order to have those guest networks use my pihole server, I do have an /etc/dnsmasq.conf script that does "dhcp-option=br2,6,192.168.5.10" (the ip of my pihole on the main subnet). So in theory, the DHCP server sets 192.168.5.10 as the ONLY DNS server on all of my clients on that guest (IoT) network. Sure enough, I can connect a linux computer to that network and see that its /etc/resolv.conf only contains that 192.168.5.10 nameserver. Great. DHCP works. And in fact, DHCP aside, we can skip everything that's happened so far and just say "I connect a device to that IoT network and set its /etc/resolv.conf such that it uses my pihole".

Alright, next, I ping a blocked URL (let's say ad.doubleclick.net). The DNS resolves to the correct IP rather than blocking, and my Pi-hole server said it was never asked! Weirder still, if I "dig" on my Linux computer on that IoT subnet, it says that "192.168.5.10" is answering the query... weird... because the Pi-hole says it never sees the query... that's when I decided to put some log rules in iptables.

I log queries coming from my IoT subnet computer's IP udp port 53 on the INPUT chain of my router. Nothing. Good, that means my router is not getting the requests. Not only does that confirm that I'm not using dnsmasq on my router to answer these queries (which is good, because I want to use the pihole instead), but I would think that means my /etc/resolv.dnsmasq for sure does not come into play, so this "Accept DNS Configuration" setting shouldn't matter!

However, then I log queries coming from my IoT subnet computer's udp port 53 on the FORWARD chain of my router. We should see the query forwarded to my pihole, but instead I see my query forwarded to NordVPN's public DNS server! Which is the server pushed via the OpenVPN config.

So, this is the unexpected behavior that has me scratching my head. On my merlin router, "Accept DNS Config" set to "Exclusive" seems to FORCE DNS queries to the pushed DNS server on the various guest subnets! But not the main subnet!!! WHAT!? Also, how is it that when I "dig" it says that "192.168.5.10" responded, when that IP wasn't the DNS server that was used?

EDIT: So it looks like two PREROUTING rules get added forcing any port 53 traffic to the pushed DNS servers from the VPN. On the local subnet, it can skip that PREROUTING rule because they're on the same subnet (they don't need to go through the router). So I've learned that the "Accept DNS Config" does (at least) two things: it changes the /etc/resolv.dnsmasq file to change which nameservers are used for all who use the router as a DNS server, and it has a PREROUTING rule to force all DNS traffic on different subnets to the VPN-pushed DNS server... is there anything else that happens when you set this setting?

EDIT EDIT: So what's the deal with Disney+? Well, I'm still not sure. All I know is if I reboot my router, I can't connect (it gives me an error on the loading screen). Then I can change something about my VPN, save the config, change it back, save the config, then I can connect for the rest of the life of the router. That certainly smells like something that's happening out of order with my iptables rules and my /jffs/scripts... I'm sure that's its own isolated issue and shouldn't be the worst to troubleshoot.
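A DNAT rule in the nat table rewrites the destination of the DNS packet, and conntrack reverses the translation on the reply, which is why `dig` on the IoT client still reports 192.168.5.10 as the responder even though a VPN-pushed resolver answered. The Python script below is an added example, not from this thread or from Asuswrt-Merlin: it parses the text of `iptables-save -t nat` to list port-53 redirects and flag any whose target is not the resolver you chose. The sample dump is constructed; br0 and tun11 are assumed interface names, while br2, 192.168.5.10 and 103.86.96.100 come from the thread.

```python
"""Spot nat-table rules that send DNS (port 53) somewhere other than the resolver you chose."""
import re
from dataclasses import dataclass
# Constructed sample (not captured from a real router). br2 and the Pi-hole address
# 192.168.5.10 are from the thread; br0 (main LAN) and tun11 (OpenVPN client) are
# assumed interface names; 103.86.96.100 is one of the NordVPN resolvers quoted above.
SAMPLE_NAT = """\
*nat
-A PREROUTING -i br2 -p udp -m udp --dport 53 -j DNAT --to-destination 103.86.96.100
-A PREROUTING -i br2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 103.86.96.100
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.5.10
-A PREROUTING -i br0 -p udp -m udp --dport 5353 -j DNAT --to-destination 192.168.5.10
COMMIT
"""

@dataclass(frozen=True)
class DnsRedirect:
    chain: str
    in_iface: str   # "any" when the rule has no -i match
    proto: str      # "any" when the rule has no -p match
    target: str     # where the query really goes ("router" for -j REDIRECT)

def _opt(body: str, flag: str, default: str) -> str:
    """Value of a single-argument iptables option, or default if the option is absent."""
    m = re.search(rf"(?:^|\s){re.escape(flag)} (\S+)", body)
    return m.group(1) if m else default

def parse_dns_redirects(nat_dump: str) -> list[DnsRedirect]:
    """Every DNAT/REDIRECT rule whose destination-port match includes exactly port 53."""
    found = []
    for line in nat_dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        chain, _, body = line[3:].partition(" ")
        ports = _opt(body, "--dport", _opt(body, "--dports", ""))
        if "53" not in ports.split(","):   # ranges such as 50:60 are not expanded
            continue
        if "-j DNAT" in body:
            target = _opt(body, "--to-destination", "").split(":")[0]
        elif "-j REDIRECT" in body:
            target = "router"              # REDIRECT hands the query to the router itself
        else:
            continue
        found.append(DnsRedirect(chain, _opt(body, "-i", "any"), _opt(body, "-p", "any"), target))
    return found

def unexpected_redirects(nat_dump: str, expected_resolver: str) -> list[DnsRedirect]:
    """Redirects whose target is not the resolver you intended (the Pi-hole here)."""
    return [r for r in parse_dns_redirects(nat_dump) if r.target != expected_resolver]
```

On the router itself, `iptables-save -t nat | python3 this_script.py` style piping works once Python is installed from Entware; the two br2 rules in the sample are the ones that would be reported against 192.168.5.10.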
 