What's new

Directing only DNS over VPN?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Ted Danson

Regular Contributor
Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?
 
Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?
You could probably do something with a script, to set a mark on any outbound port 53 traffic in the nat table of iptables, on the prerouting chain. Then have an ip rule that sends anything matching that mark to lookup in the vpn client routing table.

I'll try to cobble together an example when I get home, but a more VPN and routing-versed member such as @Martineau may have a script or snippet already available to demonstrate it!
 
Just wondering if this is reasonably simple to do? I'm currently running dnsmasq to point specific domains over specific DNS IP's. Everything else goes over another DNS IP address set at the WAN configuration level.

Is it possible to have a VPN client up and running and point all DNS traffic only towards the VPN?

Better still, could you point some DNS lookups to one VPN client and others to another VPN client while having everything else go through the main WAN DNS IP's?

When 'Accept DNS Configuration=Exclusive' is set, the firmware creates a DNS lookup table for the appropriate VPN Client:
e.g. ALL router DNS lookup requests pass through all active VPN Clients...
Code:
iptables -nvL --line -t nat

Chain PREROUTING (policy ACCEPT 242 packets, 74943 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        2   120 DNSVPN2    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2        8   544 DNSVPN2    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3        2   120 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
4       17  1133 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.194
2        0     0 DNAT       all  --  br1    *       10.88.101.0/24       0.0.0.0/0            to:104.223.91.194

Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DNAT       all  --  *      *       172.16.2.1           0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  br2    *       10.88.102.0/24       0.0.0.0/0            to:208.67.222.222
If a dnsmasq 'server=/domain.com/xxx.xxx.xxx.xxx' entry is to always use the specific/private regional DNS provided by the VPN ISP then I do have a script
Code:
#======================================================================================================= © 2016-2017 Martineau, v01.01
#
# Get the VPN provider's private DNS for the VPN upon starting the VPN Client and dynamically update the dnsmasq directives with the new VPN DNS
#
#     VPN_DNSUpdate     { 'vpn_client' [ 'domain'[ 'domain'..] ] }
#                       [ help | -h ]
#
#     VPN_DNSUpdate     2
#                       Search '/dnsmasq.conf.add' for 'VPN2Domains' e.g. 'ipset=/xxxxxxxx/VPN2Domains' line
#                            and find its matching 'server=/'$DOMAIN' to modify 
#     VPN_DNSUpdate     2 Netflix.com
#                       Search '/dnsmasq.conf.add' for 'server=/Netflix.com/.*' and change it to 'server=/Netflix.com/xxx.xxx.xxx.xxx' for VPN 2 DNS   
#
#
#          Called from vpnclientX-route-up   
#
#                 e.g.
#
#                 /etc/openvpn/dns/client2.resolv actually contains the 10.200.198.1
#
#                 which RMerlin copies to the VPN Client 2 -t nat DNSVPN2 Chain
#
#                 Chain DNSVPN2 (6 references)
#                 num   pkts bytes target     prot opt in     out     source               destination
#                 1        0     0 DNAT       all  --  *      *       172.0.0.2            0.0.0.0/0            to:10.200.198.1
#
#*************************************FUNCTIONS***************************************************************
Not sure if this is what you require? or do you wish to have all DNS lookups for domain xyz.com using say 8.8.8.8 to be resolved by Google explicitly via one of the VPN tunnels to prevent DNS leaks?
 
When 'Accept DNS Configuration=Exclusive' is set, the firmware creates a DNS lookup table for the appropriate VPN Client:
e.g. ALL router DNS lookup requests pass through all active VPN Clients...
Code:
iptables -nvL --line -t nat

Chain PREROUTING (policy ACCEPT 242 packets, 74943 bytes)
num   pkts bytes target     prot opt in     out     source               destination      
1        2   120 DNSVPN2    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2        8   544 DNSVPN2    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
3        2   120 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
4       17  1133 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
Code:
iptables --line -t nat -nvL DNSVPN1  2>/dev/null;iptables --line -t nat -nvL DNSVPN2 2>/dev/null

Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 DNAT       all  --  *      *       172.16.1.1           0.0.0.0/0            to:104.223.91.194
2        0     0 DNAT       all  --  br1    *       10.88.101.0/24       0.0.0.0/0            to:104.223.91.194

Chain DNSVPN2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination      
1        0     0 DNAT       all  --  *      *       172.16.2.1           0.0.0.0/0            to:208.67.222.222
2        0     0 DNAT       all  --  br2    *       10.88.102.0/24       0.0.0.0/0            to:208.67.222.222
If a dnsmasq 'server=/domain.com/xxx.xxx.xxx.xxx' entry is to always use the specific/private regional DNS provided by the VPN ISP then I do have a script
Code:
#======================================================================================================= © 2016-2017 Martineau, v01.01
#
# Get the VPN provider's private DNS for the VPN upon starting the VPN Client and dynamically update the dnsmasq directives with the new VPN DNS
#
#     VPN_DNSUpdate     { 'vpn_client' [ 'domain'[ 'domain'..] ] }
#                       [ help | -h ]
#
#     VPN_DNSUpdate     2
#                       Search '/dnsmasq.conf.add' for 'VPN2Domains' e.g. 'ipset=/xxxxxxxx/VPN2Domains' line
#                            and find its matching 'server=/'$DOMAIN' to modify
#     VPN_DNSUpdate     2 Netflix.com
#                       Search '/dnsmasq.conf.add' for 'server=/Netflix.com/.*' and change it to 'server=/Netflix.com/xxx.xxx.xxx.xxx' for VPN 2 DNS 
#
#
#          Called from vpnclientX-route-up 
#
#                 e.g.
#
#                 /etc/openvpn/dns/client2.resolv actually contains the 10.200.198.1
#
#                 which RMerlin copies to the VPN Client 2 -t nat DNSVPN2 Chain
#
#                 Chain DNSVPN2 (6 references)
#                 num   pkts bytes target     prot opt in     out     source               destination
#                 1        0     0 DNAT       all  --  *      *       172.0.0.2            0.0.0.0/0            to:10.200.198.1
#
#*************************************FUNCTIONS***************************************************************
Not sure if this is what you require? or do you wish to have all DNS lookups for domain xyz.com using say 8.8.8.8 to be resolved by Google explicitly via one of the VPN tunnels to prevent DNS leaks?

@Martineau Along the same lines, I only want to route pandora.com to the VPN DNS.

In the dnsmasq.conf.add i have added server=/pandora.com/209.222.18.222 (DNS for VPN), however it is still not routing using "US" location. What am I missing?

Thanks
 
@Martineau Along the same lines, I only want to route pandora.com to the VPN DNS.

In the dnsmasq.conf.add i have added server=/pandora.com/209.222.18.222 (DNS for VPN), however it is still not routing using "US" location. What am I missing?
Whilst the VPN DNS (209.222.18.222) may resolve 'pandora.com'; the actual traffic will need a specific rule i.e. RPDB or fwmark for the IP returned to access the "US" location.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top