always DNS leaked with strict DNS rule setup


nhan72nn

I am using an AX86U with Merlin firmware ver. 386.7; I am using IPVanish and Nord VPN but still have a DNS leak (tested by dnsleaktest.com).

With Windows OS it passed the DNS leak test, but if I use iOS, it fails the test.
Here are some screenshots of the setup:

[screenshot: OpenVPN client setup]

And here is the setup for WAN:

[screenshot: WAN setup]

Would you show me the way to fix the DNS leak error on iOS devices?

Thank you
 
Makes no sense to me to configure "Accept DNS configuration" on the OpenVPN client w/ anything but Disabled if you're already configured to use DoT on the WAN. With DoT, all your clients, whether bound to the VPN or WAN, are accessing DNS securely over the WAN. Anything the VPN provider might offer in terms of DNS servers is superfluous.

Now if you're really paranoid and don't even want the ISP to know you're using DoT, you could bind the DoT servers to the OpenVPN client as well using the VPN Director. But I personally believe it's overkill.

All that said, I suppose there is one exception; if the DNS server(s) of the VPN provider are offering special services, such as the ability to circumvent region blocking by streaming content providers. But in that case, the *only* configuration that will guarantee no DNS leaks is Exclusive. Anything else combines the DNS server(s) of the WAN w/ those of the VPN provider, eventually leading to use of the WAN's DNS servers and DNS leaks (assuming the WAN is NOT configured w/ DoT).

Finally, as I tell everyone, you should use the DNS monitor to verify exactly what DNS servers you're actively using, and where they are being routed.


Why? Because you can't rely solely on these online leaktest tools. You need to know what's happening on the router *before* your DNS queries make it upstream to any public DNS servers. If you determine all is well on the router, but find out these online leaktest tools are still reporting leaks, you know it's NOT due to the DNS configuration on the router.
 
Does turning on IPv6 Native negate / override all that if your ISP provides you IPv6?

Trying to understand how to lock things down for both torrents and bitcoin trading.

Does turning on IPv6 Native negate / override all that if your LAN clients have IPv6 addresses?
 

NOT if your DNS is still reliant on IPv4, which seems to be the case. I never suspected you were using IPv6 based on what you posted.

Even if the entire router, from head to toe, was supporting IPv6 exclusively, including IPv6 DNS servers, IPv6 support w/ the OpenVPN client, etc., ALL OF IT, the same principles would still apply. You need to know what DNS servers are being used, and how they are being routed, before worrying about what some remote online leaktest tool is reporting, since you can only control the former anyway, NOT the latter. It's just that the DNS monitoring utility does NOT support IPv6, so it's NOT as helpful in that case. But again, the principles involved don't change between IPv4 and IPv6.
 
Hi,
As I have mentioned, the setup passed dnsleaktest for Windows, but not for iOS. If I run the test on a laptop/PC, the site cannot detect my real IP, but if I run the same test on an iPhone/iPad, the site is able to detect my IP.
 

Well now you've made a slight change to your description. Initially you indicated a DNS leak specifically, and provided DNS related details of your configuration. But NOW you're indicating the public IP of your WAN is exposed in one case and NOT the other. That's a very different problem. Presumably you have both clients bound to the VPN, but you didn't provide specific details as to how you configured the VPN Director.
 
No, they are the same;
I tested my VPN with whatismyip, and it cannot detect my IP on either Windows or iOS, but if I test with dnsleaktest, the site will see my real IP based on the DNS leak, and that happened on iOS, not with Windows (laptop and PC will not leak DNS in this case). So, in my case, my phone/iPad would leak my DNS, which leads to leaking my real IP.
 

Again, a leak of your public IP and a DNS leak are NOT the same thing. If you're suggesting that a DNS leak *leads* to the revealing of your public IP (i.e., it's a side-effect) in one case, well..., that's hard to know for sure. But if we assume that to be the case, then in fact it *is* a DNS leak that's the problem. And if that's the case, we're right back where we started.

If your router is misconfigured wrt DNS, and that would appear to be the case w/ using Strict, you're going to have these kinds of problems. As I said, only Exclusive guarantees protection against DNS leaks (and perhaps, public IP leaks as a side-effect). But as I also said, if you're using DoT on the WAN anyway, you don't need to use either Strict or Exclusive. Disabled will do the job since DoT is a guarantee against DNS leaks too. And if you want to be overly cautious, you could even bind the DoT servers to the VPN.
 
Are you using iCloud Private Relay by chance? If so, I've found it will show the relay DNS instead of the VPN DNS; it's not supposed to (I think), but it is still in beta.
 
I am not using iCloud Private Relay. That's weird to me since all PCs and laptops passed the DNS test; it only happens on iOS.
 
I have used Exclusive already; the problem is still there. Like I have mentioned, all laptops and PCs passed the DNS test, only the iPhone/iPad failed the test.
 
ipv6 -> native, accept dns config. -> exclusive, redirect -> yes (all), killswitch -> yes.
IPv6 is leaking the DNS ;)
 
Yes, this is a known issue; most VPNs are IPv4, so on the router IPv6 needs to be disabled. Until VPNs start to support IPv6; yet then IPv4 will probably be leaked.
 
Hi, there is no IPv6 enabled.
I know the issue: instead of using DNS as automatic and letting the router drive the internet, I forced the iPhone/iPad to use the local DNS which I have set up on my Raspberry Pi to block ads and unwanted sites on selected devices; and the Raspberry Pi is not in the VPN list in VPN Director, in order to use the Raspberry Pi to update the IP for DDNS.

I just made DNS for the iPhone/iPad automatic and the problem is solved.
Thanks all for the help.
 
I see, I missed that part; glad it's sorted.
Have you looked into DNS over TLS? I set my router to auto, then set DNS over TLS, and it sets my devices correctly. Just, well, you are using other bits, so not sure on that kind of setup; I'm still learning myself.
 
I think controlling DNS for Apple devices including iOS is difficult. In iOS 14 they implemented a way for applications to create a DNS security or privacy context that allows the application, among other things, to use DoH. See https://developer.apple.com/videos/play/wwdc2020/10047/ for some of this. Look at about 2:00, 3:17, and 10:16.

As near as I can tell, Asus-Merlin can block DoT and then properly respond to the unencrypted retry with its own DoT request to your desired DNS server. At least I think I am seeing that work as expected when I play around with various DNS leak check sites and apps that I know use DoT.

But if the device as a whole or even just an individual app is set up to use DoH to a specified DNS server, I don't see how the router can block that without blocking all HTTPS connections. If I understand what Apple is doing, then I think it would be possible for an app developer, or maybe even just the developer of a library used by an app developer (think a Facebook library), to set up a DoH context to use their dedicated spying server.

I have been using DNS-based ad and tracker blocking on my Asus-Merlin router for quite some time. The other year when I upgraded to iOS 14 on an iPhone I started seeing ads on some apps that never had them before. I could see no trace of the DNS calls associated with the ads in the logs on my Asuswrt-Merlin router. I was disappointed when I looked into this and figured out that an app could bypass my DNS if using DoH and there was no obvious way to defeat it.
 
While this is not exactly related to the DNS leak as per this topic, I suspect your issue is related to DNS request type 65, introduced since iOS 14. You may want to have a look at Diversion DNS-based adblock. The latest update covers this.

 
Had the same problem and initially I thought it might be IPv6, but the real issue is DoT. If you use DoT and set VPN DNS to strict/exclusive, sometimes your DNS request will still go through DoT. Simply disabling DoT will fix the problem. Disabling rebind protection by itself won't help.

IMO setting VPN DNS to strict/exclusive should have priority over DoT. @RMerlin any chance this can be fixed in 386.7_2? My rough guess is that dnsmasq is using both DoT and VPN DNS randomly.
 

Exclusive *does* use the VPN provider's DNS server exclusively (assuming they push one to the OpenVPN client). Assuming you're using the VPN Director, for every WLAN/LAN device bound to the VPN, a firewall rule is created that redirects any attempt by the client to use any other DNS server, back to the VPN provider's DNS server.

Where the problem lies is w/ Strict (which I described previously, but some are choosing to ignore). Strict *combines* the DNS servers of the WAN w/ those of the VPN provider. At one time it was thought (incorrectly) that Strict would give priority to the VPN provider's DNS server(s) over those of the WAN. But it doesn't. It's actually no better than specifying Relaxed, since given enough time and activity, DNSMasq will use ALL the DNS servers available to it.

We've had numerous other discussions about this issue, so nothing really new is being added here. As I said at the time, there's no point in having the Strict option. It's really no better than Relaxed in terms of its effects. It's just there for historical reasons. If it was removed, we'd have endless complaints about it. But unfortunately it means users will again and again come to assume it offers something better than Relaxed, but not quite as stringent as Exclusive (which, for example, precludes you from any of the other benefits of DNSMasq, such as local name resolution, local caching, ad blocking, etc.).

As I've stated again and again, that's why DNS is so complicated. There are just too many balls being juggled at the same time, too many variables, too many options, that can all affect the outcome. And why I strongly recommend the DNS monitor to determine what's actually happening. Because in the end, that's all that matters. Very few ppl are familiar enough w/ how it all fits together to understand why you get one set of results vs. another w/ different options. As I said before, why is anyone using the VPN provider's DNS servers anyway if they have DoT on the WAN?! It defeats the purpose (at least if security/privacy is your goal).
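As an added illustration (not code from this thread or from Asuswrt-Merlin), the following Python models two points made above: under Exclusive, a bound client's UDP/53 traffic is DNAT'ed to the provider's resolver whatever resolver the client asked for, while a client that points at another LAN host (the Raspberry Pi case earlier in the thread) never crosses the router's nat table, so where its query exits depends on that host's own upstream. The `iptables-save -t nat` fragment, the chain name, addresses, subnet and the resolver 10.8.0.1 are all constructed, and the model assumes same-subnet traffic is switched rather than routed and that the LAN resolver forwards to the router's dnsmasq.

```python
import ipaddress
import re

# Constructed sample of an `iptables-save -t nat` fragment, modelled on the kind of
# rule Exclusive mode adds for clients bound by VPN Director. The chain name, the
# client addresses and the provider resolver 10.8.0.1 are made up for this example.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:DNSVPN1 - [0:0]
-A PREROUTING -s 192.168.1.50/32 -p udp -m udp --dport 53 -j DNSVPN1
-A PREROUTING -s 192.168.1.60/32 -p udp -m udp --dport 53 -j DNSVPN1
-A DNSVPN1 -j DNAT --to-destination 10.8.0.1
COMMIT
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
ROUTER = "192.168.1.1"                          # assumed router / dnsmasq address

JUMP_RE = re.compile(r"-A PREROUTING -s (\S+) .*--dport 53 -j (\S+)")
DNAT_RE = re.compile(r"-A (\S+) -j DNAT --to-destination (\S+)")


def parse_dns_redirects(dump):
    """Map each client source address to the resolver its UDP/53 traffic is DNAT'ed to."""
    chain_target = {m.group(1): m.group(2) for m in DNAT_RE.finditer(dump)}
    redirects = {}
    for m in JUMP_RE.finditer(dump):
        src = str(ipaddress.ip_network(m.group(1)).network_address)
        if m.group(2) in chain_target:
            redirects[src] = chain_target[m.group(2)]
    return redirects


def router_upstreams(mode, wan_dns, vpn_dns):
    """dnsmasq's upstream pool for queries that still reach the router's resolver.
    Relaxed and Strict both hand dnsmasq the union of WAN and VPN servers, so either
    may be used; Disabled keeps only the WAN servers (DoT, if enabled, rides on those)."""
    if mode in ("relaxed", "strict"):
        return set(wan_dns) | set(vpn_dns)
    return set(wan_dns)


def dns_path(client, configured_dns, dump, dot_on_wan=False, hops=0):
    """Return (exit, resolver): where a client's plain-DNS query finally leaves the LAN."""
    if ipaddress.ip_address(configured_dns) in LAN and configured_dns != ROUTER:
        # Same-subnet traffic is switched, not routed (assumption), so the router's
        # nat table never sees it; what matters is the LAN resolver's own upstream
        # path, modelled here as that host forwarding to the router.
        if hops > 2:
            raise ValueError("resolver chain too deep")
        return dns_path(configured_dns, ROUTER, dump, dot_on_wan, hops + 1)
    redirects = parse_dns_redirects(dump)
    if client in redirects:
        return ("vpn", redirects[client])      # DNAT wins, whatever the client asked for
    if configured_dns == ROUTER:
        return ("wan-dot" if dot_on_wan else "wan", ROUTER)
    return ("wan", configured_dns)             # unbound client talking to a public resolver
```

The second case in the test below is the iPad-to-Pi path from earlier in the thread: the bound iPad's query resolves via an unbound LAN host and so exits over the WAN despite the Exclusive rule.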
 
I haven't tested strict myself, but exclusive pushed from the server and DoT results in using both randomly.
It's a family member's router and I would like to use Pi-hole at my home without exposing DNS directly to the WAN. DoT is only a backup, but I didn't expect it to break the exclusive option in the OpenVPN client.
 