I have the Asus RT-AC56U Router running Merlin V. 380.64_2.
VPN->OpenVPNClients->Advanced Settings->Accept DNS Configuration. This setting offers several choices in a dropdown list: Strict, Relaxed, Exclusive and Disabled. The VPN server I'm connecting to is a paid commercial vendor well known in the industry. I have found conflicting advice on what these settings mean and have found no official documentation explaining them. So first it would be very helpful if someone could properly explain the meaning of these choices.
My setup:
My DNS Settings:
I have a Raspberry Pi running the Pihole DNS ad blocking server on my network. https://pi-hole.net/
WAN->WAN DNS Setting->Connect to DNS Server automatically = No
WAN->WAN DNS Setting->DNS Server1 = The IP Address of my Raspberry Pi running my Pihole DNS Server.
VPN
VPN->OpenVPNClients-Client3 Settings
Redirect Internet traffic = Policy Rules
Block routed clients if tunnel goes down = Yes
Rules for routing client traffic through the tunnel (Max Limit : 100)
All 192.168.1.0/24 0.0.0.0 VPN (this line effectively defaults all my devices to being on the VPN while maintaining my ability to have a kill switch)
Remaining entries are for entering devices I want to use IFace WAN
As such the Raspberry Pi running the Pihole DNS server is on the VPN by default. This has been verified by ssh connection to the Raspberry Pi and running this command: curl ipinfo.io/ip. It returns the IP address of the VPN.
I'm concerned over security with respect to how my DNS queries are being handled and whether I have a leak.
It appears that the Accept DNS Configuration setting is key here. When it's set to "Relaxed" and I do the ipleak.net test, I see the DNS Servers I setup as the upstream DNS in the Pihole DNS Server. So it appears that the router is using the DNS as set in my WAN settings for DNS Server. When I change the setting to "Exclusive" the DNS, ipleak.net reports a single server owned by the VPN Provider matching the IP address returned by the VPN Provider. So when set to "Exclusive" it seems to be using the DNS Server of the VPN Provider. When set to "Relaxed" it appears to be using my WAN DNS Settings.
As such, according to ipleak.net's definition of a DNS Leak:
In this context, with "DNS leak" we mean an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.
When the setting is "Relaxed" and it's using my WAN settings for DNS, I assume it's OUTSIDE the established encrypted tunnel. However, my WAN forwards to the Raspberry Pi which is running the Pihole DNS Server and the Raspberry Pi is on the VPN. I think this is the flow. The router forwards to the Raspberry Pi via LAN, then when the DNS Server on the Raspberry Pi queries DNS, it's on the encrypted tunnel so all DNS queries are encrypted within the tunnel. However, since the initial forward is on the LAN, then my DNS query is exposed to potential third party snooping for a brief moment during this part of its journey.
However, when the setting is set to "Exclusive" as mentioned previously the DNS server is the one provided by the DNS Provider and so I assume this is inside the encrypted tunnel, but how can I be sure? Also, I noticed my connection is noticeably slower when using the "Exclusive" choice and using the DNS provided by the VPN Vendor.
Thank you in advance for help!
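The "how can I be sure" question above comes down to which interface each hop of a DNS query leaves on, which on a Linux router with policy routing depends on `ip rule` selectors and per-table routes. The following is an added example, not code from the post or from the firmware, that resolves that for a constructed snapshot of such a router (the `ovpnc3` table, `tun13`, `br0`, `eth0` and all addresses are assumptions) and labels each resolver hop as tunnel, LAN or WAN.

```python
import ipaddress
import re

# Constructed sample of `ip rule` and `ip route show table <t>` on a router that
# uses policy-based routing; addresses, table and interface names are assumptions.
IP_RULE = """\
10003:  from 192.168.1.0/24 lookup ovpnc3
32766:  from all lookup main
"""
LAN = "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1\n"
WAN = "203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7\n"
TUN = "10.8.0.0/24 dev tun13 proto kernel scope link src 10.8.0.5\n"
TABLES = {
    "main": "default via 203.0.113.1 dev eth0\n" + LAN + WAN + TUN,
    "ovpnc3": "default via 10.8.0.1 dev tun13\n" + LAN + WAN + TUN,
}

def parse_rules(text):  # [(source selector, table)] in priority order
    rules = []
    for m in re.finditer(r"^\d+:\s+from (\S+) lookup (\S+)", text, re.M):
        src = "0.0.0.0/0" if m.group(1) == "all" else m.group(1)
        rules.append((ipaddress.ip_network(src, strict=False), m.group(2)))
    return rules

def parse_routes(text):  # [(destination prefix, interface)] from `ip route` lines
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" in parts:
            prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
            routes.append((ipaddress.ip_network(prefix, strict=False), parts[parts.index("dev") + 1]))
    return routes

def egress_interface(src, dst, rule_text=IP_RULE, tables=TABLES):
    """First rule matching the source whose table has a route wins (longest prefix)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, table in parse_rules(rule_text):
        if src_ip not in selector:
            continue
        hits = [r for r in parse_routes(tables.get(table, "")) if dst_ip in r[0]]
        if hits:  # a table with no matching route falls through to the next rule
            return max(hits, key=lambda r: r[0].prefixlen)[1]
    return None

def dns_hop_kind(src, resolver):
    """'tunnel' = inside the VPN, 'lan' = plaintext but local, 'wan' = unencrypted leak."""
    dev = egress_interface(src, resolver)
    if dev is None:
        return None
    return "tunnel" if dev.startswith("tun") else "lan" if dev == "br0" else "wan"
```

On a real Linux router, replace the constructed strings with the actual output of `ip rule` and `ip route show table <name>` for each table the rules name; the router-to-Pi hop then shows as `lan` and the Pi's upstream hop as `tunnel` only if the policy rule really covers the Pi's address.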