Brume 2 policy routing dns leaks

By default, the router sends its own packets (hop > 1) through the VPN interface, and we do some special operations to ensure that DNS packets can be sent through the WAN interface. (You can get the rules by looking at the OUTPUT chain of the mangle table.) Unfortunately, we ignored the encrypted DNS packets.
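An added audit script, not code from this thread or from the GL.iNet firmware, that checks an iptables-save style dump for the gap described above: the mangle OUTPUT chain marks plain DNS (53/udp, 53/tcp) for the WAN but has no rule for DNS over TLS (853/tcp). The sample ruleset, the mark value and the exact rule shape are constructed assumptions, not the router's real rules.

```python
import shlex

# DNS transports a WAN-routed client must keep off the tunnel.
# 853/tcp is DNS over TLS (RFC 7858); DoH shares 443 and cannot be told apart by port.
EXPECTED_DNS = {("udp", 53), ("tcp", 53), ("tcp", 853)}


def mangle_output_dns_marks(rules_text):
    """Return {(proto, port)} for every mangle OUTPUT rule that MARKs by destination port."""
    covered, table = set(), None
    for raw in rules_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*mangle", "*nat", ... start a table
            table = line[1:]
            continue
        if line == "COMMIT":              # end of the current table
            table = None
            continue
        if table != "mangle" or not line.startswith("-A OUTPUT"):
            continue
        tok = shlex.split(line)
        if "-j" not in tok or tok[tok.index("-j") + 1] != "MARK":
            continue
        proto = tok[tok.index("-p") + 1] if "-p" in tok else None
        ports = []
        for flag in ("--dport", "--dports"):   # single port or multiport list
            if flag in tok:
                ports += tok[tok.index(flag) + 1].split(",")
        covered.update((proto, int(p)) for p in ports if proto and p.isdigit())
    return covered


def dns_leak_gaps(rules_text):
    """DNS transports with no WAN mark rule; any hit means that DNS flavour follows the VPN."""
    return EXPECTED_DNS - mangle_output_dns_marks(rules_text)


# Constructed sample: only plaintext DNS is steered to the WAN, DoT is forgotten.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 853 -j REDIRECT --to-ports 853
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p udp -m udp --dport 53 -j MARK --set-xmark 0x8000/0x8000
-A OUTPUT -p tcp -m tcp --dport 53 -j MARK --set-xmark 0x8000/0x8000
COMMIT
"""

if __name__ == "__main__":
    for proto, port in sorted(dns_leak_gaps(SAMPLE_RULES)):
        print(f"no WAN mark for {port}/{proto}: this DNS traffic will follow the VPN")
```

The check only reports missing coverage; a later rule in the chain could still clear the mark, so read the full chain when a port is reported as covered.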

Another shitty update on the stable branch for the Brume2! DNS Leaks Galore.... Don't release your firmware when it is full of holes please.

@teleney @hansome this bug is back again within Brume 2 - fw: 4.6.2

I tested with a clean install and again the VPN DNS is used for clients that are not using the VPN.

I am using policy based routing "USE VPN" for a selection of clients, but all other clients that are to go out via WAN get VPN DNS results with encrypted DNS in the GL.iNet GUI or when using AdGuard.

I have downgraded to 4.6.1 (the version that was pulled with the AdGuard time bug); that version works. The only problem on 4.6.1 is that "override VPN DNS" will actually use the clear WAN DNS and not send it via the tunnel.

Please check as 4.6.2 is now stable and live but it also seems to have reverted the fix you guys made...

It was fixed in version 4.6.1, but that introduced new security issues. So, it is not included in 4.7. Maybe I should build a firmware with a new solution for you to try.

I can run a build to test, that's not really an issue. The downside is that my Brume is the main router so it serves the home, but I do have a time when I can upgrade (hence me going to the latest today).

I'm experiencing no issues on 4.6.1 apart from the "use custom DNS" leak, but I just have that setting off and it's fine. I just updated to 4.6.2 to rule out any potential bugs, but if anything it was worse, as now the default behaviour routes DNS over the VPN, which I can't have.

Unfortunately, it does not work for your case.

In the current firmware, encrypted DNS can only go to one stream; it cannot be split. We chose to send it to the VPN, as we do in the 4.6.2 firmware.

To split encrypted DNS, we need to have a new solution.

@alzhao I'm not sure what you are referring to?

I am running a test build now and it's working as expected, with VPN DNS going via the VPN and non-VPN DNS going via clearnet with DoT enabled....

If you got a test build, it seems that the developer got the new solution running.

Firmware 4.6.1 didn't fix the issue. Just to clarify.