What's new

OpenVPN Client Accept DNS Configuration Setting

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

mrmason

Occasional Visitor
I have the Asus RT-AC56U Router running Merlin V. 380.64_2.

VPN->OpenVPNClients->Advanced Settings->Accept DNS Configuration. This setting offers several choices in a dropdown list. Strict, Relaxed, Exclusive and Disabled. The VPN server I"m connecting to is a paid commercial vendor well known in the industry. I have found conflicting advice on what these settings mean and have found no official documentation explaining them. So first it would be very helpful if someone could properly explain the meaning of these choices.

My setup:

My DNS Settings:
I have a Raspberry Pi running the Pihole DNS ad blocking server on my network. https://pi-hole.net/
WAN->WAN DNS Setting->Connect to DNS Server automatically = No
WAN->WAN DNS Setting->DNS Server1 = The IP Address of my Raspberry Pi running my Pihole DNS Server.

VPN
VPN->OpenVPNClients-Client3 Settings
Redirect Internet traffic = Policy Rules
Block routed clients if tunnel goes down = Yes
Rules for routing client traffic through the tunnel (Max Limit : 100)
All 192.168.1.0/24 0.0.0.0 VPN (this line effectively defaults all my devices to being on the VPN while maintaining my ability to have a kill switch)
Remaining entries are for entering devices I want to use IFace WAN

As such the Raspberry Pi running the Pihole DNS server is on the VPN by default.This has been verified by ssh connection to the Raspberry Pi and running this command: curl ipinfo.io/ip. It returns the IP address of the VPN.

I'm concerned over security with respect to how my DNS queries are being handled and whether I have a leak.

It appears that the Accept DNS Configuration setting is key here. When it's set to "Relaxed" and I do the ipleak.net test, I see the DNS Servers I setup as the upstream DNS in the Pihole DNS Server. So it appears that the router is using the DNS as set in my WAN settings for DNS Server. When I change the setting to "Exclusive" the DNS, ipleak.net reports a single server owned by the VPN Provider matching the IP address returned by the VPN Provider. So when set to "Exclusive" it seems to be using the DNS Server of the VPN Provider. When set to "Relaxed" it appears to be using my WAN DNS Settings.

As such, according to ipleak.net's definition of a DNS Leak =
In this context, with "DNS leak" we mean an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

When the setting is "Relaxed" and its using my WAN settings for DNS, I assume it's OUTSIDE the established encrypted tunnel. However, my WAN forwards to the Raspberry Pi which is running the Pihole DNS Server and the Raspberry Pi is on the VPN. I think this is the flow. The router forwards to the Raspberry Pi via LAN, then when the DNS Server on the Raspberry Pi queries DNS, it's on the encrypted tunnel so all DNS queries are encrypted within the tunnel. However, since the initial forward is on the LAN, then my DNS query is exposed to potential third party snooping for a brief moment during this part of its journey.

However, when the setting is set to "Exclusive" as mentioned previously the DNS server is the one provided by the DNS Provider and so I assume this is inside the encrypted tunnel, but how can I be sure? Also, I noticed my connection is noticeably slower when using the "Exclusive" choice and using the DNS provided by the VPN Vendor.

Thank you in advance for help!




 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top