NordVPN and DNS

[Ramz]

Hello I was wondering IF I need to use Nordvpn's DNS servers or Can I use Cloudfare, Google or quad9 DNS servers. If yes how can I make this happen?

 

[eibgrad]

If you specify "Disabled" for "Accept DNS configuration" on the OpenVPN client GUI, anything the OpenVPN server attempts to "push" in terms of its preferred DNS servers is ignored. Then it's just a matter of how you've configured DNS locally that continues to prevail. If the VPN is active, your preferred DNS servers are accessed over the VPN, otherwise over the WAN.

The one *gotcha* is if you also use PBR (policy based routing), since this takes the router itself off the VPN, which can lead to DNS leaks (i.e., DNS is still accessed over the WAN). It would be best under such circumstances to add your preferred DNS servers as additional PBR rules containing those public IPs in the destination field (leave the source IP blank) and explicitly binding them to the VPN.

 

[Ramz]

If you specify "Disabled" for "Accept DNS configuration" on the OpenVPN client GUI, anything the OpenVPN server attempts to "push" in terms of its preferred DNS servers is ignored. Then it's just a matter of how you've configured DNS locally that continues to prevail. If the VPN is active, your preferred DNS servers are accessed over the VPN, otherwise over the WAN.

The one *gotcha* is if you also use PBR (policy based routing), since this takes the router itself off the VPN, which can lead to DNS leaks (i.e., DNS is still accessed over the WAN). It would be best under such circumstances to add your preferred DNS servers as additional PBR rules containing those public IPs in the destination field (leave the source IP blank) and explicitly binding them to the VPN.

Thanks so it's best to leave it on Nordvpns DNS servers?

 

[eibgrad]

Thanks so it's best to leave it on Nordvpns DNS servers?

Well that's YOUR call. I wasn't suggesting that using the VPN provider's DNS servers is better or worse. I'm assuming you have your own compelling reasons to use those particular DNS servers instead of those of the VPN provider. I'm merely warning that sometimes this can lead to DNS leaks.

Frankly, even using the VPN provider's DNS servers can sometimes lead to DNS leaks. For example, if the VPN provider pushes *public* DNS servers rather than his own *private* DNS servers in the same IP scope as the tunnel. The former can lead to DNS leaks when PBR is active, for the same reasons I described previously. But at least if YOU are determining the public DNS servers to be accessed, and know of this potential problem, you can be proactive and prevent it. But when you accept the VPN provider's DNS servers, you don't know if this is possibly happening unless you bother to actually check.

 

[eibgrad]

P.S. This whole topic of DNS has always been rather complex. And has gotten even more complex recently given the additional options of DoT and DoH. We even have browsers now that implement their *own* DNS (by default), thereby bypassing your DNS configuration on the router anyway! It always has been and continues to be somewhat of a mess.

 

[New2This]

That’s what I did, pushed cloudflare dns servers through my VPN provider.

 

[Ramz]

That’s what I did, pushed cloudflare dns servers through my VPN provider.

How may I ask??

 

[Wallace_n_Gromit]

How may I ask??

Are you on Windows?

-Open the NordVPN Windows Client App
-Left Click on the [Settings] "Cog" at the upper right of the App
-Left Click on the [Advanced] menu item at the left
-At the top where it says [Custom DNS] Left Click on the line "Set a DNS server address" Then enter your Custom DNS server IP. Keep Left Clicking on "Set a DNS server address" to enter up to 4 custom DNS server IP's
-Toggle the switch to "On" (You may need to turn VPN tunnel off/on)

Test DNS configuration at dnsleaktest.com or dnsleak.com to see if your Custom DNS server is actually being used.

EDIT: After trying this myself (the solution was "obvious" FLW) the Custom DNS servers were never contacted. The Nordvpn servers only. I tried several configurations (OpenVPN, NordLynx--WireGuard), each time turning off/on the VPN tunnel, none resulted in my Custom DNS IP's being contacted. Weird. << back to the drawing board -- (I have noticed that this updated NordVPN Windows client seems to be a bit buggy)

ADD:

P.S. This whole topic of DNS has always been rather complex. And has gotten even more complex recently given the additional options of DoT and DoH. We even have browsers now that implement their *own* DNS (by default), thereby bypassing your DNS configuration on the router anyway! It always has been and continues to be somewhat of a mess.

My secure DNS settings with Brave are:
Use secure DNS
Determines how to connect to websites over a secure connection

With the NordVPN tunnel ON:
>>With your current service provider ENABLED
Secure DNS may not be available all the time
>>With custom DISABLED

at https://dnsleaktest.com/ I see that NordVPN DNS is being contacted.

So my browser shouldn't be interfering in DNS. hummm...
==============================================
With the NordVPN tunnel ON:
>>With your current service provider DISABLED
Secure DNS may not be available all the time
>>With custom ENABLED [CleanBrowsing (Family Filter)]

at https://dnsleaktest.com/ I see that CleanBrowsing DNS is being contacted.
===============================================

 

[Wallace_n_Gromit]

~Frankly, even using the VPN provider's DNS servers can sometimes lead to DNS leaks. For example, if the VPN provider pushes *public* DNS servers rather than his own *private* DNS servers in the same IP scope as the tunnel~

In the specific case of NordVPN they do have their own *private* DNS servers. When one does a dns leak test the IP address of the VPN tunnel and the DNS resolver is one and the same thus no "DNS leak".

If one were to chose a public dns server then the leak test would show the VPN tunnel and the DNS server having two different IP addresses thus a DNS "leak". << If I understand this correctly.

 

[New2This]

How may I ask??

In my VPN tab, I have DoT set for 1.1.1.1-->VPN

 

[Ramz]

Are you on Windows?

-Open the NordVPN Windows Client App
-Left Click on the [Settings] "Cog" at the upper right of the App
-Left Click on the [Advanced] menu item at the left
-At the top where it says [Custom DNS] Left Click on the line "Set a DNS server address" Then enter your Custom DNS server IP. Keep Left Clicking on "Set a DNS server address" to enter up to 4 custom DNS server IP's
-Toggle the switch to "On" (You may need to turn VPN tunnel off/on)

Test DNS configuration at dnsleaktest.com or dnsleak.com to see if your Custom DNS server is actually being used.

EDIT: After trying this myself (the solution was "obvious" FLW) the Custom DNS servers were never contacted. The Nordvpn servers only. I tried several configurations (OpenVPN, NordLynx--WireGuard), each time turning off/on the VPN tunnel, none resulted in my Custom DNS IP's being contacted. Weird. << back to the drawing board -- (I have noticed that this updated NordVPN Windows client seems to be a bit buggy)

ADD:


My secure DNS settings with Brave are:
Use secure DNS
Determines how to connect to websites over a secure connection

With the NordVPN tunnel ON:
>>With your current service provider ENABLED
Secure DNS may not be available all the time
>>With custom DISABLED

at https://dnsleaktest.com/ I see that NordVPN DNS is being contacted.

So my browser shouldn't be interfering in DNS. hummm...
==============================================
With the NordVPN tunnel ON:
>>With your current service provider DISABLED
Secure DNS may not be available all the time
>>With custom ENABLED [CleanBrowsing (Family Filter)]

at https://dnsleaktest.com/ I see that CleanBrowsing DNS is being contacted.
===============================================

No not on Windows. I use VPN client via the router.

 

[Ramz]

In my VPN tab, I have DoT set for 1.1.1.1-->VPN

Sorry not sure why or where I do that in the router.

 

[faria]

No not on Windows. I use VPN client via the router.

Add the following to the custom configuration of your vpn client:
dhcp-option DNS 1.1.1.1

 

[Ramz]

Add the following to the custom configuration of your vpn client:
dhcp-option DNS 1.1.1.1

Thanks a lot.

 

[Nomnom]

If you specify "Disabled" for "Accept DNS configuration" on the OpenVPN client GUI, anything the OpenVPN server attempts to "push" in terms of its preferred DNS servers is ignored. Then it's just a matter of how you've configured DNS locally that continues to prevail. If the VPN is active, your preferred DNS servers are accessed over the VPN, otherwise over the WAN.

The one *gotcha* is if you also use PBR (policy based routing), since this takes the router itself off the VPN, which can lead to DNS leaks (i.e., DNS is still accessed over the WAN). It would be best under such circumstances to add your preferred DNS servers as additional PBR rules containing those public IPs in the destination field (leave the source IP blank) and explicitly binding them to the VPN.

Does this "gotcha" not apply if my PBR includes the router?

ie -

With just the above (set this way just so i can access the force-tunneling and killswitch feature for all LAN devices)..?

I'm trying to use Cloudflare (family) DNSFiltering for my kids' devices, but also use a VPN.. I have tested and the DNSFiltering is working fine, but DNS Leak tests show that I do have a leak, but do also show just my VPN IP.. So both VPN and Cloudflare DNS are working... So the question is... is this REALLY a DNS Leak or can I ignore the test results.. as the DNS data is going through my VPN and then out again to Cloudflare..?

 

[eibgrad]

Does this "gotcha" not apply if my PBR includes the router?

ie -

View attachment 31664

With just the above (set this way just so i can access the force-tunneling and killswitch feature for all LAN devices)..?

I'm trying to use Cloudflare (family) DNSFiltering for my kids' devices, but also use a VPN.. I have tested and the DNSFiltering is working fine, but DNS Leak tests show that I do have a leak, but do also show just my VPN IP.. So both VPN and Cloudflare DNS are working... So the question is... is this REALLY a DNS Leak or can I ignore the test results.. as the DNS data is going through my VPN and then out again to Cloudflare..?

Including the router's LAN network interface, either implicitly (192.168.1.0/24) or explicitly (192.168.1.1), does NOT solve the problem. This is a common misunderstanding about how PBR actually works.

The router is unique in that it is hosting the internet-bound network interfaces (WAN or VPN). And when it needs internet access, those packets do NOT typically use the LAN (192.168.1.1) as their source IP. Instead, it will be either the public IP of the WAN, or assigned IP of the VPN, depending on which of the two is configured as the default gateway. So having the router's LAN ip in PBR accomplishes nothing!

That's one of my complaints about users having to use PBR just to gain access to a kill switch. IMO, a kill switch should be made possible even if NOT using PBR (see below), because requiring PBR forces the router off the VPN, and as a side-effect, all of its internet-bound access is now done over the WAN. And which is why I suggested that if you want the router to use the VPN, you need to bind its use of destination IPs using PBR.

All that said, there are times when despite PBR being active, the router will still use the VPN. For example, if the VPN provider push's DNS servers in the same *private* IP space of the tunnel (e.g., 10.8.0.100), those devices are only accessible over the VPN. And the router knows it based on the current state of the routing table. However, if the VPN provider push's *public* DNS servers (e.g., 8.8.8.8 and 8.8.4.4), which does happen from time to time, those will be accessed over the WAN *unless* you add those public IPs as destinations in PBR.

I don't use DNS Filtering myself, but that's another case where you get around this problem because you are redirecting the DNS queries of those clients to a specific public DNS server. As such, you're not dependent on how the router is or isn't bound to the VPN for the purposes of DNSMasq (the router's DNS server), which would normally be the case. Of course, using a DNS filter introduces its own side-effects, such as having no access to the router's DNS server for local name resolution, ad blocking, or caching (whether that matters to anyone is up to them, but it's just something to be aware of).

That's why this whole area of DNS leaks is so tricky. There are so many configuration options, all of which can affect how DNS is handled, to the point it may even differ from client to client. And why it's not always obvious if and when you have one. Online DNS leak testing tools are notoriously inaccurate when the client is dependent on the router for DNS, as I've discussed many times before, and therefore require a different approach to determining w/ 100% certainty whether you do or don't have a DNS leak.

Using Surfshark on Asus AC1900 with Merlin w/384.13 Have DNS leak .Why ?

When I go to Surfshark page and test DNS it says "fail" . But other than that it seems stable.

www.snbforums.com

Using Surfshark on Asus AC1900 with Merlin w/384.13 Have DNS leak .Why ?

When I go to Surfshark page and test DNS it says "fail" . But other than that it seems stable.

www.snbforums.com

That's why I emphasize again and again just how difficult it is nowadays to know w/ certainty where your DNS queries are being resolved and over which network interface. There are just too many chefs in the DNS kitchen leading to confusion, unless you dig down deep and investigate, sometimes on a client by client basis.

As a side note, one way to add a kill switch when you otherwise don't need PBR, and thus keep the router on the VPN, is to simply add the following firewall rule.

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j REJECT

Now you avoid all these headaches and concerns about DNS leaks, at least those caused by the use of PBR. I just wish the GUI offered the same.

 

[Nomnom]

Including the router's LAN network interface, either implicitly (192.168.1.0/24) or explicitly (192.168.1.1), does NOT solve the problem. This is a common misunderstanding about how PBR actually works.

The router is unique in that it is hosting the internet-bound network interfaces (WAN or VPN). And when it needs internet access, those packets do NOT typically use the LAN (192.168.1.1) as their source IP. Instead, it will be either the public IP of the WAN, or assigned IP of the VPN, depending on which of the two is configured as the default gateway. So having the router's LAN ip in PBR accomplishes nothing!

That's one of my complaints about users having to use PBR just to gain access to a kill switch. IMO, a kill switch should be made possible even if NOT using PBR (see below), because requiring PBR forces the router off the VPN, and as a side-effect, all of its internet-bound access is now done over the WAN. And which is why I suggested that if you want the router to use the VPN, you need to bind its use of destination IPs using PBR.

All that said, there are times when despite PBR being active, the router will still use the VPN. For example, if the VPN provider push's DNS servers in the same *private* IP space of the tunnel (e.g., 10.8.0.100), those devices are only accessible over the VPN. And the router knows it based on the current state of the routing table. However, if the VPN provider push's *public* DNS servers (e.g., 8.8.8.8 and 8.8.4.4), which does happen from time to time, those will be accessed over the WAN *unless* you add those public IPs as destinations in PBR.

I don't use DNS Filtering myself, but that's another case where you get around this problem because you are redirecting the DNS queries of those clients to a specific public DNS server. As such, you're not dependent on how the router is or isn't bound to the VPN for the purposes of DNSMasq (the router's DNS server), which would normally be the case. Of course, using a DNS filter introduces its own side-effects, such as having no access to the router's DNS server for local name resolution, ad blocking, or caching (whether that matters to anyone is up to them, but it's just something to be aware of).

That's why this whole area of DNS leaks is so tricky. There are so many configuration options, all of which can affect how DNS is handled, to the point it may even differ from client to client. And why it's not always obvious if and when you have one. Online DNS leak testing tools are notoriously inaccurate when the client is dependent on the router for DNS, as I've discussed many times before, and therefore require a different approach to determining w/ 100% certainty whether you do or don't have a DNS leak.

Using Surfshark on Asus AC1900 with Merlin w/384.13 Have DNS leak .Why ?

When I go to Surfshark page and test DNS it says "fail" . But other than that it seems stable.

www.snbforums.com

Using Surfshark on Asus AC1900 with Merlin w/384.13 Have DNS leak .Why ?

When I go to Surfshark page and test DNS it says "fail" . But other than that it seems stable.

www.snbforums.com

That's why I emphasize again and again just how difficult it is nowadays to know w/ certainty where your DNS queries are being resolved and over which network interface. There are just too many chefs in the DNS kitchen leading to confusion, unless you dig down deep and investigate, sometimes on a client by client basis.

As a side note, one way to add a kill switch when you otherwise don't need PBR, and thus keep the router on the VPN, is to simply add the following firewall rule.

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j REJECT

Now you avoid all these headaches and concerns about DNS leaks, at least those caused by the use of PBR. I just wish the GUI offered the same.

Absolute legend! Thank you very much for explaining this!

Much appreciated!

 

[Kingp1n]

[/QUOTE]

As a side note, one way to add a kill switch when you otherwise don't need PBR, and thus keep the router on the VPN, is to simply add the following firewall rule.

iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j REJECT

Now you avoid all these headaches and concerns about DNS leaks, at least those caused by the use of PBR. I just wish the GUI offered the same.
[/QUOTE]


Where can I add this rule? I would like to try something. Thanks

 

[eibgrad]

Make sure JFFS and JFFS scripts are enabled under Administration->System. Then using the shell (ssh), copy/paste the following script into the window. It will automatically create and install the necessary firewall-start script. When you reboot, the rule(s) will automatically be applied.

#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p $SCRIPTS_DIR

function create_script() {
cat << "EOF" > $SCRIPT
#!/bin/sh
iptables -I FORWARD -i br0 -o $(nvram get wan0_ifname) -j REJECT
EOF
chmod +x $SCRIPT
}

if [ -f $SCRIPT ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi

Note, if it finds an existing firewall-start script, it will NOT overwrite it. You'll instead have to add the rule(s) manually to the existing firewall-start script.

 

[Brainstorm]

I'm trying to get x3mRouting working, but at every turn, when I take DNS config off "Exclusive", it fails and I see DNS leaks.
I'm using NORD and EXPRESS. I've just read through eibgrad's posts. I did a what's my ip and DNS leak test using Expresses app. My ip address is the same as reported by the ovpn client window, When I check for DNS leaks, my ip address appears as one of the Express DNS servers. It's the same every time, and it's the same if I test with dnsleaks.
So I took all 3 addresses, and put them in the "Destination IP" field. See pic. Is that correct? Then I set DNS config to Disabled, Relaxed, Strict, and retest with Express leak test, but every time it shows me the DNS configured on the router, and unblocking services doesn't work. What am I doing wrong? Just in the context of DNS, I mean