Directing only DNS over VPN?

[Ted Danson]

Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?

 

[Jack Yaz]

Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?

You could probably do something with a script, to set a mark on any outbound port 53 traffic in the nat table of iptables, on the prerouting chain. Then have an ip rule that sends anything matching that mark to lookup in the vpn client routing table.

I'll try to cobble together an example when I get home, but a more VPN and routing-versed member such as @Martineau may have a script or snippet already available to demonstrate it!

 

[Martineau]

Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?

When 'Accept DNS Configuration=Exclusive' is set, the firmware creates a DNS lookup table for the appropriate VPN Client:
e.g. ALL router DNS lookup requests pass through all active VPN Clients...

iptables -nvL --line -t nat

Chain PREROUTING (policy ACCEPT 242 packets, 74943 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   120 DNSVPN2    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2        8   544 DNSVPN2    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3        2   120 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
4       17  1133 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.194
2        0     0 DNAT       all  --  br1    *       10.88.101.0/24       0.0.0.0/0            to:104.223.91.194

Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all  --  *      *       172.16.2.1           0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  br2    *       10.88.102.0/24       0.0.0.0/0            to:208.67.222.222

If a dnsmasq 'server=/domain.com/xxx.xxx.xxx.xxx' entry is to always use the specific/private regional DNS provided by the VPN ISP then I do have a script

Spoiler: VPN_DNSUpdate script to dynamically update dnsmasq 'server=' directives with current VPN ISP DNS server pushed by VPN ISP

#======================================================================================================= © 2016-2017 Martineau, v01.01
#
# Get the VPN provider's private DNS for the VPN upon starting the VPN Client and dynamically update the dnsmasq directives with the new VPN DNS
#
#     VPN_DNSUpdate     { 'vpn_client' [ 'domain'[ 'domain'..] ] }
#                       [ help | -h ]
#
#     VPN_DNSUpdate     2
#                       Search '/dnsmasq.conf.add' for 'VPN2Domains' e.g. 'ipset=/xxxxxxxx/VPN2Domains' line
#                            and find its matching 'server=/'$DOMAIN' to modify 
#     VPN_DNSUpdate     2 Netflix.com
#                       Search '/dnsmasq.conf.add' for 'server=/Netflix.com/.*' and change it to 'server=/Netflix.com/xxx.xxx.xxx.xxx' for VPN 2 DNS   
#
#
#          Called from vpnclientX-route-up   
#
#                 e.g.
#
#                 /etc/openvpn/dns/client2.resolv actually contains the 10.200.198.1
#
#                 which RMerlin copies to the VPN Client 2 -t nat DNSVPN2 Chain
#
#                 Chain DNSVPN2 (6 references)
#                 num   pkts bytes target     prot opt in     out     source               destination
#                 1        0     0 DNAT       all  --  *      *       172.0.0.2            0.0.0.0/0            to:10.200.198.1
#
#*************************************FUNCTIONS***************************************************************

Not sure if this is what you require? or do you wish to have all DNS lookups for domain xyz.com using say 8.8.8.8 to be resolved by Google explicitly via one of the VPN tunnels to prevent DNS leaks?

 

[Steve_S]

I've been considering doing the same. Your script would be helpful. Cheers!

 

[kman]

When 'Accept DNS Configuration=Exclusive' is set, the firmware creates a DNS lookup table for the appropriate VPN Client:
e.g. ALL router DNS lookup requests pass through all active VPN Clients...

iptables -nvL --line -t nat

Chain PREROUTING (policy ACCEPT 242 packets, 74943 bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1        2   120 DNSVPN2    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2        8   544 DNSVPN2    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3        2   120 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
4       17  1133 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.194
2        0     0 DNAT       all  --  br1    *       10.88.101.0/24       0.0.0.0/0            to:104.223.91.194

Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 DNAT       all  --  *      *       172.16.2.1           0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  br2    *       10.88.102.0/24       0.0.0.0/0            to:208.67.222.222

If a dnsmasq 'server=/domain.com/xxx.xxx.xxx.xxx' entry is to always use the specific/private regional DNS provided by the VPN ISP then I do have a script

Spoiler: VPN_DNSUpdate script to dynamically update dnsmasq 'server=' directives with current VPN ISP DNS server pushed by VPN ISP

#======================================================================================================= © 2016-2017 Martineau, v01.01
#
# Get the VPN provider's private DNS for the VPN upon starting the VPN Client and dynamically update the dnsmasq directives with the new VPN DNS
#
#     VPN_DNSUpdate     { 'vpn_client' [ 'domain'[ 'domain'..] ] }
#                       [ help | -h ]
#
#     VPN_DNSUpdate     2
#                       Search '/dnsmasq.conf.add' for 'VPN2Domains' e.g. 'ipset=/xxxxxxxx/VPN2Domains' line
#                            and find its matching 'server=/'$DOMAIN' to modify
#     VPN_DNSUpdate     2 Netflix.com
#                       Search '/dnsmasq.conf.add' for 'server=/Netflix.com/.*' and change it to 'server=/Netflix.com/xxx.xxx.xxx.xxx' for VPN 2 DNS 
#
#
#          Called from vpnclientX-route-up 
#
#                 e.g.
#
#                 /etc/openvpn/dns/client2.resolv actually contains the 10.200.198.1
#
#                 which RMerlin copies to the VPN Client 2 -t nat DNSVPN2 Chain
#
#                 Chain DNSVPN2 (6 references)
#                 num   pkts bytes target     prot opt in     out     source               destination
#                 1        0     0 DNAT       all  --  *      *       172.0.0.2            0.0.0.0/0            to:10.200.198.1
#
#*************************************FUNCTIONS***************************************************************

Not sure if this is what you require? or do you wish to have all DNS lookups for domain xyz.com using say 8.8.8.8 to be resolved by Google explicitly via one of the VPN tunnels to prevent DNS leaks?

@Martineau Along the same lines, I only want to route pandora.com to the VPN DNS.

In the dnsmasq.conf.add i have added server=/pandora.com/209.222.18.222 (DNS for VPN), however it is still not routing using "US" location. What am I missing?

Thanks

 

[Martineau]

@Martineau Along the same lines, I only want to route pandora.com to the VPN DNS.

In the dnsmasq.conf.add i have added server=/pandora.com/209.222.18.222 (DNS for VPN), however it is still not routing using "US" location. What am I missing?

Whilst the VPN DNS (209.222.18.222) may resolve 'pandora.com'; the actual traffic will need a specific rule i.e. RPDB or fwmark for the IP returned to access the "US" location.