Beryl AX VPN / DNS issue with 4.6.2

I have updated my Beryl AX to 4.6.2. My setup is that I have a permanent connection to a WireGuard VPN set up as Global Proxy. (It connects to my home, where I have pihole DNS filtering.) My DNS server settings are 'Automatic', and it lists both the ISP and VPN DNS servers.

I noticed straight away that things normally being blocked by pihole were showing. After playing around, resetting back to 4.5.16 (everything went back to normal), and reinstalling 4.6.2, I isolated it to this new setting:

Allow Custom DNS to Override VPN DNS

The way this is phrased would appear to me to mean:

Off = VPN DNS is used
On = Custom DNS is used instead of VPN DNS

However, when it is 'Off' it appears to use the ISP DNS server, loading things that should be blocked when using the VPN DNS.

When it is 'On' everything works as it should / used to, i.e. the VPN DNS is used (not overridden).

Is this a case of lost in translation, or a bug? I have searched the forums and note that there have been some issues, but I'm not sure any have been quite like this / mentioned the Beryl AX specifically.

Do you have "Custom DNS" configured? "Automatic" is not custom DNS.

If not, then with the option either on or off, you should always use the VPN DNS.

I do not - it is set to Automatic.

However with the setting 'On', it uses the VPN DNS.
With the setting 'Off', it does not - I presume using the upstream / ISP DNS.

I'm not sure this has quite been understood so I'll try and phrase it differently.

I do not have custom DNS enabled - it is set to 'automatic'.

My setup is such that I have a WireGuard VPN connecting me to my home, where I have DNS filtering via Pi Hole. The VPN is set in 'Global Proxy' mode.

My expectation (and previous experience) is that the Beryl AX uses WireGuard for DNS, rather than the ISP. This was happening under 4.5.xx without any issues (in fact, I love it!).

When I upgraded to 4.6.2 this was no longer happening – I was seeing adverts etc.

I went through the settings and discovered the new one 'Allow Custom DNS to Override VPN DNS'. It was switched off – and (to my mind) it should be off because I am not using custom DNS.

However, in desperation I turned it on to see what would happen, and suddenly the Beryl AX was using the WireGuard DNS correctly, despite DNS server mode being set to 'Automatic'.

There is obviously something wrong somewhere in the firmware, or I am not understanding what this switch means.

I guess I found the issue:

Steps:

  1. Connect Mullvad WireGuard. Use DHCP on my Windows.
  2. On my router I set up encrypted dns, like below.

When I turn on "Allow Custom DNS to Override VPN DNS" it uses Cloudflare.
When I turn it off, it uses DNS from Mullvad.

So it seems it works OK.

But if you use "Automatic" or non-encrypted DNS on 4.6.2, all DNS will go via the VPN and will be captured by the VPN DNS.

So you have to use Encrypted DNS to test.

While your DNS test, if not encrypted, may always go to the VPN side.

What you can do is post your dns test with screen capture so we can tell if it works normally.

Hi, no - what you describe is what I expect to happen.

For me:

Scenario 1
VPN = connected
DNS = automatic
Allow custom DNS to override VPN = off
Result = uses ISP DNS

Scenario 2
VPN = connected
DNS = automatic
Allow custom DNS to override VPN = on
Result = uses VPN DNS

I don’t know how to explain it another way but this does not make sense to me.

To me, both of these scenarios should use the VPN DNS, whether custom DNS override is set to on or off.

To me, custom DNS override should only make a difference if custom DNS is enabled (i.e. not set to automatic).

IMO, if DNS is automatic then it should use the WAN interface DNS.

The wording of the custom DNS is off, IMO.

I'd say if DNS is automatic it should use the WAN interface DNS... or the VPN DNS if connected, especially in Global Proxy mode.