DDWRT VPN and DNS 1.5

The latest edition can be found at: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331017

Prerequisite: build 52281 or higher

Index
DNS Leaks when using a VPN (page 2)
Stop using ISP DNS server (page 2)
Stopping rogue clients (page 2)
Stop using WAN route for VPN DNS server (page 2)
Split DNS (page 3)
Using DNSMasq to specify Alternate DNS server/Gateway for specific clients (page 3)
  Alternate DNS server (page 3)
  Alternate Gateway (page 3)
  Alternative rerouting gateway traffic with static routes or iptables (page 4)
Bind DNS server to Destination (page 4)
Manual override of all set/pushed DNS servers (page 5)
Encrypted DNS (SmartDNS) (page 5)
Researching which DNS server is used (page 6)
Troubleshooting (page 6)
OpenVPN DNS server (page 7)
Routing per port using iptables (page 7)
DNSMasq log (page 8)

DNS is used to resolve domains to IP addresses.


By default DNSMasq hands out its own IP address (that is, the router's) as the DNS server to all attached
clients. DNSMasq then forwards the clients' DNS queries to the upstream DNS servers it keeps in the
/tmp/resolv.dnsmasq file.
This file is filled with the DNS servers you specify in Static DNS 1, 2, 3 on the Setup page and with the DNS
server(s) coming from the ISP (depending on the WAN setup).

It is recommended to enter at least two Static DNS servers and to use trusted public DNS servers; personally,
at this moment I use 9.9.9.9 and 1.0.0.1, but that is subject to change.
Furthermore, keep Gateway and Local DNS at their default 0.0.0.0.

When using a VPN you often want to use the DNS servers specified by your VPN provider to get the
maximum security. The process to do that is usually automated and works by manipulating the
resolv.dnsmasq file:
DNS servers specified in WireGuard ("DNS servers via tunnel"), or pushed by OpenVPN providers, replace
the DNS servers in resolv.dnsmasq.
So any DNSMasq setting which stops the use of the resolv.dnsmasq file (no-resolv, or the use of another
resolver replacing DNSMasq, e.g. stubby, unbound, smartdns etc.) is not compatible with the DNS handling
of VPNs.

Last edited by egc 12-2-2024 1


It is possible to use encrypted DNS (e.g. DoT and DoH), but then you have to manually add routes for the IP
addresses of the DNS servers you are using so that they go via the VPN. Although the DNS queries
themselves are encrypted, this is only useful when the origin of the DNS query is checked, e.g. by Netflix.

As the DNS servers are replaced by the VPN DNS servers, the use of "Query DNS in Strict Order" (Services
page) is no longer necessary and it is actually strongly recommended to disable it.

DNS Leaks when using a VPN


A DNS leak is when you are using a VPN and the DNS server used is your ISP's, and/or the DNS query is
sent out over the WAN interface and thus can be seen/intercepted.

Stop using ISP DNS server


If you enable the "Ignore WAN DNS" option on the Setup page the ISP's DNS server is no longer added to
resolv.dnsmasq. This can of course also be useful without using a VPN.
This setting is only available/necessary if you are using Automatic DHCP; in all other cases you set DNS
manually and are free to set your own DNS servers.

Stopping rogue clients


Clients are handed the router's IP address as DNS server, but clients can be set up with a static IP
address/DNS server, and nowadays browsers also use their own DNS servers (check this for your own
browser).
There are several ways to mitigate this:
1. To intercept rogue DNS queries from clients you can enable "Forced DNS redirection" on the Setup
page.
Note: depending on your setup this can interfere with the VPN's "Split DNS".
2. To intercept rogue DoT (DNS over TLS) or port 5353 queries you can add this to "Administration/Save
Firewall" (first test it from the CLI):
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 5353 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -A PREROUTING -i br0 -p udp --dport 5353 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 853 -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -A PREROUTING -i br0 -p udp --dport 853 -j DNAT --to $(nvram get lan_ipaddr):53
Newer builds have the GUI option "Forced DNS Redirection DoT"; enable this to stop rogue DoT clients,
e.g. some web browsers like Firefox.
3. To stop DoH (DNS over HTTPS, used by the secure DNS feature of web browsers) you have to revert to
blocking lists using IPSET.

An interesting option could be the use of Deep Packet Inspection (not available on all routers):
iptables -t nat -I PREROUTING -m ndpi --dns -j DNAT --to $(nvram get lan_ipaddr):53
iptables -t nat -I PREROUTING -m ndpi --doh_dot -j DNAT --to $(nvram get lan_ipaddr):53

Make sure to load the ndpi module first with something like:

insmod xt_ndpi
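The redirection rules above are normally pasted into Administration/Commands and saved as the firewall script, which DD-WRT re-runs every time the firewall restarts; with a plain -A each run appends another copy of every rule. The following is an added example (it is not from this guide and not part of DD-WRT) that wraps the same DNAT redirection in a check-before-add loop using iptables -C. The IPT and LAN_IF variables are assumptions of the example, introduced so the logic can be exercised with a stub before it is run on the router as root.

```shell
#!/bin/sh
# Added example: idempotent rogue-DNS interception for a DD-WRT "Save Firewall" script.
# IPT and LAN_IF are assumptions of this example (defaults: iptables and br0) so the
# logic can be exercised with a stub before running it on the router as root.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"

# Append one nat/PREROUTING rule only if an identical rule is not already present.
# The firewall script is re-run on every firewall restart, so a bare -A would
# stack a duplicate of every rule each time.
add_once() {
    if "$IPT" -t nat -C PREROUTING "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t nat -A PREROUTING "$@"
}

# Redirect plain DNS (53), port 5353 and DoT (853) from LAN clients to the
# router's own resolver on port 53. $1 is the router's LAN address.
redirect_rogue_dns() {
    lan_ip="$1"
    [ -n "$lan_ip" ] || { echo "usage: redirect_rogue_dns <lan-ip>" >&2; return 2; }
    for port in 53 5353 853; do
        for proto in tcp udp; do
            add_once -i "$LAN_IF" -p "$proto" --dport "$port" \
                -j DNAT --to "$lan_ip:53" || return 1
        done
    done
}

# On the router (same address the guide's rules use):
#   redirect_rogue_dns "$(nvram get lan_ipaddr)"
```

Running the function twice leaves exactly six rules in place, which is the behaviour you want from a script that DD-WRT executes on every firewall restart.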

Stop using WAN route for VPN DNS server


Care has been taken that DNS servers specified in WireGuard ("DNS servers via tunnel") or pushed by
OpenVPN providers are always routed via the VPN, so as to stop any DNS leaking via the WAN.

The exception is the extra DNS servers you add manually to OpenVPN, as described in the "OpenVPN DNS
server" section below.

Split DNS
Both OpenVPN and WireGuard have an option in the GUI to use Split DNS, meaning that the Policy
Based Routing (PBR) sources use the DNS server that belongs to their route: if the selected sources
are routed via the VPN they use the VPN DNS server, and the other sources, which are routed via the
WAN, use the WAN DNS servers.
When the selected sources are routed via the WAN this is reversed.

To accomplish this, iptables rules are used, which can be made visible with iptables -vnL -t nat, e.g.:
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9
iptables -t nat -I PREROUTING -p udp -s 192.168.1.32/27 --dport 53 -j DNAT --to 9.9.9.9

Note 1
This same mechanism is used when enabling Forced DNS redirection or when setting a DNS server for an
unbridged interface, so these things might interfere with each other.

When using Split DNS some clients are NOT using DNSMasq anymore, so they obviously lose any benefits it
offers, such as local name resolution, caching, ad blocking, etc.
There is an alternative way to do split DNS using DNSMasq.

Using DNSMasq to specify Alternate DNS server/Gateway for specific clients.


Alternate DNS server
First set a static lease for all those clients you want to use an alternate DNS server (usually the ones in
the PBR box).
Set this static lease to use alternate settings, in the Additional DNSMasq Options:
dhcp-host=xx:xx:xx:xx:xx:xx,set:altdnsgw,192.168.1.5,MyLaptop,infinite
where xx:xx:xx:xx:xx:xx is the MAC address of my laptop.

Note:
If you already set this in the Static Leases section of DNSMasq then you should remove it there!

It is also possible to specify an alternate DNS server for a whole unbridged interface e.g. a guest WLAN
with:
dhcp-option=<interface, e.g. br1 or wl0.1>, option:dns-server, <ip dns server 1>,<ip dns server 2>

Now specify the DNS servers which the altdnsgw tag will use, again in the Additional DNSMasq options,
e.g. if it is the VPN provider's DNS server you want to use:
dhcp-option=tag:altdnsgw,option:dns-server,<IP-address of DNS server>

You can specify more than one DNS server, delimited by commas.
Take care of the routing of the used DNS server(s)!

Alternate Gateway
The same can be done to specify an alternate gateway,
e.g. when running a VPN client on a WAP and you want to hand out a different gateway (the WAP) to
clients: you also specify the alternate gateway and tag it with option:router, so that the tag has both
the alternate DNS server and the alternate gateway:
dhcp-option=tag:altdnsgw,option:router,192.168.1.2

Windows users can use a utility called NetSetMan or Free IP Switcher, or do it manually.



If you're using Windows, open a CMD window with administrative privileges (important!) and issue the
following commands (replace 192.168.1.2 with the LAN address of the WAP; the two half-default routes
0.0.0.0/1 and 128.0.0.0/1 are written in the MASK notation that route.exe expects).

set VPN_GW=192.168.1.2
route add 0.0.0.0 mask 128.0.0.0 %VPN_GW%
route add 128.0.0.0 mask 128.0.0.0 %VPN_GW%

Provided the VPN is active, your Windows machine should now be routed through the VPN and have a
different public IP.

Note, this change is only temporary; it will be lost on a reboot unless you include the -p option on the
route commands.

set VPN_GW=192.168.1.2
route -p add 0.0.0.0 mask 128.0.0.0 %VPN_GW%
route -p add 128.0.0.0 mask 128.0.0.0 %VPN_GW%

To return to the ISP's gateway, use the following commands.

set VPN_GW=192.168.1.2
route delete 0.0.0.0 mask 128.0.0.0 %VPN_GW%
route delete 128.0.0.0 mask 128.0.0.0 %VPN_GW%

Reference: http://www.linksysinfo.org/index.php?threads/specific-gateway-dns-for-specific-clients.72461/

If you want to have split DNS and really need DNSMasq to do the DNS forwarding (e.g. using an ad
blocker) it is possible to run multiple instances of DNSMasq each listening on its own port.
You can then use iptables rules to direct the queries of your clients to the running DNSMasq daemon.

Alternative rerouting gateway traffic with static routes or iptables


Alternatively you can set a static route on the main router to redirect your designated LAN clients to
the WAP, or use iptables to redirect client traffic:
https://serverfault.com/questions/567487/iptables-packet-forwarding-to-one-of-two-gateways-depending-on-origin

Bind DNS server to Destination


This can be useful when you use Destination Based Routing.
I will use ipleak.net as an example.
It is possible to bind a specific domain to a specific DNS server and then route that DNS server the way
you want.

In the Additional DNSMasq options add:

server=/ipleak.net/8.8.8.8

So whenever the ipleak.net domain is resolved, the DNS server 8.8.8.8 is used.
If you want to send the queries to 8.8.8.8 via the WAN (assuming that is also the routing of ipleak.net
itself) then:
For OpenVPN add in the Additional Config:
route 8.8.8.8 255.255.255.255 net_gateway
For WireGuard you can use the Destination Based Routing option.

It is often asked if this can also be done for e.g. Amazon, Netflix, BBC etc.

Unfortunately Amazon (and Netflix, BBC, YouTube etc.) have multiple changing DNS servers and multiple
domains, and you have to catch them all, so in reality this probably will not work.
IPSET might be able to mitigate this (for an example see:
https://www.linksysinfo.org/index.php?threads/using-ipset-to-bypass-a-vpn.73136/page-2
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327102&highlight=youtube )

Manual override of all set/pushed DNS servers


To completely ignore the DNS servers pushed/placed by WireGuard or OpenVPN (which are placed in the
resolv.dnsmasq file) you can add no-resolv in the "Additional DNSMasq options" (Services/Services page)
and then enter the DNS servers you want DNSMasq to use.

In case your DNS queries are rerouted/hijacked by your provider you can specify a port redirection:
Quad9 also listens on port 9953, and AdGuard also listens on port 5353. In that case enter in the
Additional DNSMasq options:
no-resolv
server=9.9.9.9#9953
server=176.103.130.130#5353

If you do this you also have to take care of the routing of the DNS servers you are using.

Encrypted DNS (SmartDNS)


As more and more VPN providers have started hijacking your DNS (instead of using your pre-set DNS
servers, the VPN provider diverts DNS traffic on port 53 to its own servers), you might want to use
Encrypted DNS (DoT, DoH) via SmartDNS.
For this enable SmartDNS, enable "Use Additional Servers Only" and use as servers (add in Additional
Options):
server-tls 1.1.1.1:853
server-tls 9.9.9.9:853
Make sure to take care of the NTP settings as outlined in the SmartDNS guide, or you will not get the
correct time, and without the correct time there is no DNS.
Next, in the WireGuard or OpenVPN DNS settings add 1.1.1.1 and 9.9.9.9 and you will be using encrypted
DNS via the tunnel.



Researching which DNS server is used
It all starts with knowing which DNS servers are in use, and which network interfaces are being used.

The ONLY way to determine which DNS servers are in use by the router at any given time is to monitor
connection tracking for port 53 (DNS) on the outbound traffic.

Code:
cat /proc/net/ip_conntrack | grep ' dport=53'

# sorted by age, newest to oldest
watch -tn5 "cat /proc/net/nf_conntrack | grep ' dport=53 ' | sort -nrk3"
(other builds use /proc/net/ip_conntrack instead of /proc/net/nf_conntrack)

To check Stubby (DoT on port 853):
watch -tn5 "grep 'dport=853 ' /proc/net/nf_conntrack"

Both at once:
watch -tn5 "cat /proc/net/nf_conntrack | grep -E ' dport=(53|853) ' | sort -nrk3"
See:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317107
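The conntrack listing tells you more than just the resolver address: each entry carries two tuples, the original direction and the expected reply, and the reply tuple's dst= is the address the query was sourced from after NAT, i.e. the tunnel address when the query left via the VPN and the WAN address when it leaked (assuming the router masquerades traffic into the tunnel, which is the common setup). The following is an added example, not from this guide, with a small POSIX sh/awk filter that reduces such a listing to one line per DNS flow and flags the flows that did not leave through the tunnel address. The conntrack lines, the tunnel address 10.31.0.5 and the WAN address 203.0.113.7 are constructed for the example.

```shell
#!/bin/sh
# Added example: reduce a /proc/net/nf_conntrack listing to the DNS flows and flag
# those that did not leave through the VPN tunnel address. Not part of the guide.

# Constructed sample of conntrack lines (not real router output). Tunnel address
# 10.31.0.5 and WAN address 203.0.113.7 are invented for the example.
SAMPLE_CONNTRACK='ipv4     2 udp      17 27 src=192.168.1.10 dst=10.31.0.1 sport=51234 dport=53 src=10.31.0.1 dst=10.31.0.5 sport=53 dport=51234 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.12 dst=9.9.9.9 sport=40001 dport=53 src=9.9.9.9 dst=203.0.113.7 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=1.1.1.1 sport=44444 dport=853 src=1.1.1.1 dst=10.31.0.5 sport=853 dport=44444 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=55555 dport=443 src=93.184.216.34 dst=203.0.113.7 sport=443 dport=55555 [ASSURED] mark=0 zone=0 use=2'

# Read conntrack lines on stdin and print "<client> <resolver> <port> <egress>"
# for every flow to port 53 or 853. The first src=/dst= pair is the original
# direction (client -> resolver); the second dst= is the reply destination,
# i.e. the NATed source address, which shows whether the query left via the
# tunnel or via the WAN.
dns_flows() {
    awk '$0 ~ / dport=(53|853) / {
        client = ""; resolver = ""; port = ""; egress = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && client == "")        { client = substr($i, 5) }
            else if ($i ~ /^dst=/ && resolver == "") { resolver = substr($i, 5) }
            else if ($i ~ /^dport=/ && port == "")   { port = substr($i, 7) }
            else if ($i ~ /^dst=/ && egress == "")   { egress = substr($i, 5) }
        }
        print client, resolver, port, egress
    }'
}

# Print the DNS flows whose egress address is not the tunnel address $1.
# Returns 0 when every DNS flow went through the tunnel, 1 when any leaked.
dns_leaks() {
    tunnel_addr="$1"
    leaks=$(dns_flows | awk -v t="$tunnel_addr" '$4 != t')
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}

# On the router (pass the tunnel address of tun1/oet1):
#   dns_leaks 10.31.0.5 < /proc/net/nf_conntrack
```

On the constructed sample the second flow (client 192.168.1.12 asking 9.9.9.9 with the WAN address as egress) is the leak; the DoT flow on port 853 is listed as well, so a Stubby or SmartDNS setup is covered by the same filter.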

An amazing and very useful tool to monitor DNS traffic, brought to us by @eibgrad, can be found at:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331856

Another quick and dirty way to detect if you have a DNS leak is to temporarily block all DNS queries over
the WAN. Once the VPN is well established (you don't want to block it before the Server IP/Name has
been resolved by the OpenVPN client!), go to a shell (telnet/ssh) and execute the following commands.
Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -o $WAN_IF -p tcp --dport 53 -j REJECT
iptables -I FORWARD -o $WAN_IF -p udp --dport 53 -j REJECT
iptables -I OUTPUT -o $WAN_IF -p tcp --dport 53 -j REJECT
iptables -I OUTPUT -o $WAN_IF -p udp --dport 53 -j REJECT

If you reverse the process and delete those rules, and things start working again, that's yet another
indication it's a DNS leak.
Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -D FORWARD -o $WAN_IF -p tcp --dport 53 -j REJECT
iptables -D FORWARD -o $WAN_IF -p udp --dport 53 -j REJECT
iptables -D OUTPUT -o $WAN_IF -p tcp --dport 53 -j REJECT
iptables -D OUTPUT -o $WAN_IF -p udp --dport 53 -j REJECT

Online check tools:


https://dnscheck.tools/
https://ipleak.net/
https://dnsleaktest.com/

Troubleshooting
You can test routing with nmap (https://nmap.org/ ), at least that is what I am doing.
From a cmd window on your (Windows) client:
nmap -p 51413 --traceroute 209.222.18.222

Or from the router's CLI:
tcpdump -i tun1 tcp port 51413 -v

OpenVPN DNS server


To view which DNS servers are pushed by the server/provider:
In the OpenVPN Additional Config add: verb 5
On the OpenVPN Status page look for a line like the following:
20211209 15:34:53 PUSH: Received control message: 'PUSH_REPLY dhcp-option DNS 10.31.0.1 sndbuf
524288 rcvbuf 524288 redirect-gateway def1 explicit-exit-notify comp-lzo no route-gateway 10.31.0.1
topology subnet ping 10 ping-restart 60 socket-flags TCP_NODELAY ifconfig

If you do not want to use the pushed DNS servers add:

pull-filter ignore "dhcp-option DNS"
in the Additional Config of the VPN.

You can add your own DNS servers in the OpenVPN client's Additional Config:
dhcp-option DNS 8.8.4.4

Contrary to the pushed DNS servers these are not automatically routed via the VPN.
You can manually route them by specifying the route to take in the OpenVPN client's Additional Config:
route 8.8.4.4 255.255.255.255 vpn_gateway #always route this destination via the VPN

If you want to route via the WAN specify net_gateway, e.g.:

route 8.8.4.4 255.255.255.255 net_gateway

Routing per port using iptables


When you have a client on your network, e.g. a NAS which you want to be accessible from the WAN, but
you have Transmission running on this NAS and you want the Transmission traffic to run through the
VPN, then we cannot use IP addresses but have to use netfilter/iptables to mark the protocol and
ports which we want to route over the VPN.
The prerequisite, in this example, is that you are using the simple PBR solution from the first post.

We do this by marking the traffic from the NAS (IP address 192.168.1.91) using port 51413
(Transmission) and instructing netfilter to use table 11 for the marked traffic (table 11 is the table which
has a default route via the VPN):
ip rule add fwmark 5 table 11
iptables -t mangle -I PREROUTING -s 192.168.1.91 -p tcp --dport 51413 -j MARK --set-mark 5

Test the above commands from the CLI and, if it works, go to Administration/Commands and Save
Firewall.

If you want to route some ports of the router itself you have to use the OUTPUT chain.
Let's say you want to route DNS traffic from the router via the VPN; you then add the following:
ip rule add fwmark 5 table 11
iptables -t mangle -I OUTPUT -p tcp --dport 53 -j MARK --set-mark 5
iptables -t mangle -I OUTPUT -p udp --dport 53 -j MARK --set-mark 5

I have not extensively tested the last solution, but I have used advanced scripts from @eibgrad which use
this method and it was working then.



DNSMasq log
To use when DNSMasq causes problems.
Add to the Additional DNSMasq options:
log-queries=extra
log-debug
log-facility=/tmp/dnsmasq.log

This will log DNSMasq to /tmp/dnsmasq.log and add extra log information.

Reboot the router and when the problem happens again send the output of:
cat /tmp/dnsmasq.log
cat /tmp/dnsmasq.conf
cat /var/log/messages
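With log-queries=extra every log line carries a serial number and the client address/port, and each forwarded query is logged as "forwarded <name> to <upstream>", so the log is also the simplest way to confirm that a server=/domain/ binding like the ipleak.net one in "Bind DNS server to Destination" really sends only that domain to the bound server and that everything else goes to the VPN resolver. The following is an added example, not from this guide, with a POSIX sh/awk audit over such a log that counts forwards per upstream and lists the queries forwarded to any server outside an expected list. The log lines, the client addresses and the 10.31.0.1 tunnel resolver are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a dnsmasq log written with log-queries=extra to see which
# upstream server each query was forwarded to. Not part of the guide.

# Constructed log excerpt (not a real capture). 10.31.0.1 plays the VPN resolver,
# 8.8.8.8 the server bound to ipleak.net with server=/ipleak.net/8.8.8.8.
SAMPLE_DNSMASQ_LOG='Dec 12 15:34:53 dnsmasq[1234]: 7 192.168.1.10/51234 query[A] example.com from 192.168.1.10
Dec 12 15:34:53 dnsmasq[1234]: 7 192.168.1.10/51234 forwarded example.com to 10.31.0.1
Dec 12 15:34:53 dnsmasq[1234]: 7 192.168.1.10/51234 reply example.com is 93.184.216.34
Dec 12 15:34:54 dnsmasq[1234]: 8 192.168.1.12/40001 query[AAAA] ipleak.net from 192.168.1.12
Dec 12 15:34:54 dnsmasq[1234]: 8 192.168.1.12/40001 forwarded ipleak.net to 8.8.8.8
Dec 12 15:34:55 dnsmasq[1234]: 9 192.168.1.10/51300 query[A] router.lan from 192.168.1.10
Dec 12 15:34:55 dnsmasq[1234]: 9 192.168.1.10/51300 config router.lan is 192.168.1.1'

# awk fragment shared by both functions: locate the "forwarded <name> to <server>"
# tokens regardless of the syslog prefix in front of them. Returns the field
# index of "forwarded", or 0 when the line is not a forward.
FIND_FORWARD='
    function find_forward(   i) {
        for (i = 2; i <= NF - 3; i++)
            if ($i == "forwarded" && $(i + 2) == "to") return i
        return 0
    }'

# Print "<upstream> <count>" for every server queries were forwarded to.
forwarded_per_upstream() {
    awk "$FIND_FORWARD"'
    { i = find_forward(); if (i) n[$(i + 3)]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# Print "<client> <domain> <upstream>" for every query forwarded to a server
# that is not in the comma-separated expected list $1.
forwarded_unexpected() {
    awk -v allowed="$1" "$FIND_FORWARD"'
    BEGIN { m = split(allowed, a, ","); for (j = 1; j <= m; j++) ok[a[j]] = 1 }
    {
        i = find_forward()
        if (i && !($(i + 3) in ok)) {
            client = $(i - 1); sub(/\/.*/, "", client)   # strip the /port suffix
            print client, $(i + 1), $(i + 3)
        }
    }'
}

# On the router:
#   forwarded_per_upstream < /tmp/dnsmasq.log
#   forwarded_unexpected 10.31.0.1 < /tmp/dnsmasq.log
```

Queries answered from the cache or from configuration (the router.lan line) never appear as forwards, so they are ignored; a domain you bound with server=/domain/ shows up under its bound server, and anything else landing outside the expected list is exactly the query you need to route or block.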

