Automatic DNS prioritization?

dlg · February 2, 2023, 8:00pm

Hi, I have a Slate Plus being used in repeater mode, connecting to a WireGuard network. The wireguard configuration specifies a DNS server.

In the DNS settings, I am set to “Automatic”, and I see both “DNS From Repeater” and “DNS from WireGuard” entries, but it seems to only query the DNS from Repeater, and queries are never sent to the WireGuard-specified DNS server.

Is there some way to change the prioritization here? Query the WireGuard DNS server first, and then the Repeater DNS? I don’t want to set my DNS servers manually every time I connect and disconnect from my VPN!

Thanks!

luochongjun · February 3, 2023, 1:43am

VPN DNS is always preferred, you can see the DNS currently in use from the system log (we will do some optimization on the DNS page later).

If you still can’t confirm, choose to Manuall DNS and enter the DNS address in the VPN configuration file in the input field.

dlg · February 3, 2023, 2:56am

Nope!

See “using name server 4.2.2.1”, which is what’s coming from the upstream provider.
At this point, it doesn’t even show up in the DNS settings!
(image coming next post because I can only post one.)

dlg · February 3, 2023, 2:57am

Magic? bug?

luochongjun · February 3, 2023, 4:12am

Please provide your firmware version.
Also, can you share your wireguard configuration? You can hide the key in the configuration file, but keep the DNS related configuration.

dlg · February 3, 2023, 4:23am

Version 4.1.2
Firmware Type release3
Compile Time 2022-12-27 15:09:12(UTC+08:00)

and the wireguard conf:

[Interface]
Address = 172.20.99.7/32
ListenPort = 51820
PrivateKey = secretkeyhahanosorryinternetses
DNS = 172.20.4.1

[Peer]
AllowedIPs = 0.0.0.0/0, 172.20.99.0/24, 172.20.2.0/24, 172.20.3.0/24, 172.20.4.0/24, 172.20.6.0/24
Endpoint = vpn.mydomain.net:51820
PersistentKeepalive = 25
PublicKey = notsecret+butstillnotgoingtoshare=

luochongjun · February 3, 2023, 6:21am

Ok, let’s do some test first and get back to you.

hansome · February 4, 2023, 9:58am

Hi,

My test shows WireGuard-specified DNS server is always used.
You can confirm by capture dns traffic. it’s normal if it goes by wgclient interface.

opkg update
opkg install tcpdump
tcpdump -i wgclient -s0 -n port 53

dlg · February 9, 2023, 3:07pm

It isn’t used - run the provided tcpdump command and no queries are logged.

Change the interface to eth2, the upstream interface, and lots of DNS queries going outbound.

rhester72 · April 1, 2023, 9:17pm

I can confirm precisely the same issue on MT3000 with firmware 4.2.1.

sammutd88 · April 1, 2023, 10:56pm

I can also confirm on Slate Plus and Beryl as well. Unless it’s manually specified, and even then there are dns leaks.

luochongjun · April 3, 2023, 2:20am

What is your method of testing? I usually use dnsleaktest for testing

luochongjun · April 3, 2023, 3:45am

I connected wireguard on version 4.2.1, and then tested it using the dnsleaktest website. The router always used the DNS in the wireguard configuration file. I also tested it after the router restarted, and tried to change the DNS configuration repeatedly, always with the same results.

rhester72 · April 4, 2023, 3:11am

My Wireguard server is my own, at home - when in ‘road warrior’ mode, simple nslookup tests fail to resolve names defined on the other end of my VPN tunnel.