There are a few domains that won't resolve when the VPN is up. I'm running dnsmasq on the router.
I've spoken to Mullvad support, who says the primaries for these domains are rejecting requests from their DNS servers; this would explain the inability to resolve domains through Mullvad's DNS servers. However there are a couple of other oddities:
Mullvad doesn't recognize the DNS server that the AX1800 claims it is getting "from Wireguard" (193.138.219.228) and, indeed, it's not one of their servers. Question 1: Where is this coming from?
If I log into the router, I can resolve the addresses using nslookup on the AX1800; it gives me two responses -- the IP address, and an error. I assume the IP address is coming from the secondary DNS servers that the AX1800 is getting from the ethernet provider (Comcast, in my case) -- "DNS from ethernet" are 75.75.75.75 and 75.75.76.76 -- although if I try to query those directly from my computer, I get failures. So, question 2 is: if the router can resolve the domains, why isn't it providing those addresses to connected clients?
Would someone else who's using Wireguard with Mullvad and automatic DNS configuration check these domains and see if they can resolve them?
By default, GL firmware does not intercept or filter port 53 DNS requests.
Instead, if Mullvad VPN is enabled, Mullvad will listen to all port 53 DNS traffic, and all DNS requests will go through Mullvad DNS.
If Mullvad DNS is unable to resolve the domains, then the VPN client cannot access these resources.
If you want to avoid Mullvad intercepting DNS, you can go to GL GUI > NETWORK > DNS and choose Encrypt DNS.
Instead, if Mullvad VPN is enabled, Mullvad will listen to all port 53 DNS traffic, and all DNS requests will go through Mullvad DNS.
If Mullvad DNS is unable to resolve the domains, then the VPN client cannot access these resources.
I've been speaking with Mullvad support. They confirm some upstream DNS servers reject their 2nd level DNS queries, so that's probably the root of the problem. However, he also said:
From Stefan @ Mullvad:
My colleague found out that we used 193.138.219.228 as a DNS address more than five years ago, but it's not in use anymore.
Are the DNS routers for the built-in VPN providers hard-coded in the GL-iNet firmware? Where do the routers get the DNS information for a given VPN provider?
The current DNS routers for Mullvad are 194.242.2.2 and 194.242.2.3; I bought this router after Mullvad stopped using 193.138.219.228 as a DNS server, yet you can see that the router is claiming that's the IP of the DNS server that it got "from Wireguard":
Please check the VPN profile (DNS = x.x.x.x) from the WireGuard client. Our SDK code does not hardcode this DNS; this DNS address probably comes from the VPN profile.
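One way to do that check across a batch of profiles, as an added example that is not GL.iNet's or Mullvad's code: parse the [Interface] DNS= line of a wg-quick profile and compare each resolver against the provider's current and retired addresses quoted in this thread. The sample profile below is constructed, with placeholder keys and endpoint.

```python
import configparser
import ipaddress

# Resolvers named in the thread: Mullvad's current pair and the retired
# address the router reported as "DNS from WireGuard".
CURRENT_RESOLVERS = {"194.242.2.2", "194.242.2.3"}
RETIRED_RESOLVERS = {"193.138.219.228"}

# Constructed wg-quick profile for the demo; keys and Endpoint are placeholders.
SAMPLE_PROFILE = """\
[Interface]
PrivateKey = <placeholder-private-key>
Address = 10.0.0.2/32
DNS = 193.138.219.228, 194.242.2.2

[Peer]
PublicKey = <placeholder-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_dns(profile_text):
    """Return resolver IPs from the [Interface] DNS= line. wg-quick allows a
    comma-separated mix of IPs and search domains; only IP literals are kept."""
    # Only '=' separates keys from values; ':' must stay part of IPv6/endpoint values.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(profile_text)
    servers = []
    for item in cp.get("Interface", "DNS", fallback="").split(","):
        item = item.strip()
        try:
            servers.append(str(ipaddress.ip_address(item)))
        except ValueError:
            pass  # empty field or a search domain, not a resolver
    return servers

def audit_dns(profile_text):
    """Map each resolver to 'current', 'retired' (the stale hard-coded case from
    the thread) or 'unknown' (on neither list; confirm it with the provider)."""
    report = {}
    for server in parse_dns(profile_text):
        if server in CURRENT_RESOLVERS:
            report[server] = "current"
        elif server in RETIRED_RESOLVERS:
            report[server] = "retired"
        else:
            report[server] = "unknown"
    return report

if __name__ == "__main__":
    for server, status in audit_dns(SAMPLE_PROFILE).items():
        print(f"{server:>16}  {status}")
```

Run it against each profile the router generated via "Refresh Servers"; a "retired" or "unknown" result shows the DNS= value did not come from the provider's current list.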
Please check the VPN profile (DNS = x.x.x.x) from the WireGuard client. Our SDK code does not hardcode this DNS; this DNS address probably comes from the VPN profile.
I've also been talking to Stefan at Mullvad, and he says that's an old name server they do not use any more, and would not be providing in their configurations. Specifically, Stefan says:
Another user with a GL.iNet Beryl router contacted us and said that it looks like it is defaulting to 193.138.219.228 under the DNS section also. I am almost certain that the DNS is not coming from our API. Could they check with a developer to make sure that they did not hardcode it?
I've looked everywhere I can think of in the GUI, and can't find that DNS setting; I've got it set to "DNS from Wireguard" and see no place in the Wireguard configuration where this would be set. Could you point me to where I should look?
My list of exit nodes was populated with the "Refresh Servers" function, so the configurations were generated -- they aren't something I edited. Supposedly, either the router is calling a Mullvad API to get each of these configurations, or is calling an API to get a list of exit nodes, and is generating the configurations.
Which Mullvad API is being called to generate these configurations? If you could let me know which Mullvad service is being called, then we could identify where this DNS setting is coming from. For example, if the router is calling a Mullvad API that's providing full wg-quick configurations with the DNS server in them, then I can pass that information along to the Mullvad tech and they can track it down on their side.
I double-checked the SDK code and confirmed that the DNS 193.138.219.228 is hard-coded as a fixed value. It has nothing to do with the API. Sorry about this.
However, no matter what DNS the router uses, as long as it is connected to Mullvad VPN, Mullvad will redirect port 53 DNS traffic to Mullvad's own DNS and then resolve the domain.
For the hard-coded DNS (193.138.219.228), the PM team will evaluate whether to remove it. Thanks.