Brume 2 v4.6.8 reintroduced VPN DNS bug with AdGuard Home

As per title. Using policy-based routing and AdGuard Home with "handle all clients" toggled on forwards all my non-VPN devices' DNS to use the VPN DNS.

Resulting in: non-VPN WAN IP (expected) but a VPN DNS query from the VPN country region
(an ipleak test will show a UK WAN but a foreign DNS country flag).

Expected behaviour (which was working) is that any device that's NOT going via VPN should use the ISP WAN country/tunnel for both the WAN and the DNS.

@teleney you managed to fix this in the previous builds... why does this keep getting reverted? It means I now need to downgrade again...

To replicate what I mean.

Enable AdGuard Home and clients to route
Use Cloudflare DoT for upstream
Turn off VPN

Visit ipleak.net on a non-routed device (I am using policy-based routing via VPN for selected MAC addresses)

You will now get the WAN IP and country region flag; the DNS will also appear from the same country.

Now turn on the VPN. Say your VPN is connecting to India, for example: you will now find that your DNS results on ipleak.net are appearing from India. The DNS should only appear from the VPN country if the said device is selected to be policy-routed via VPN.

Any device that's not to be routed via VPN should have both results from the same country/region (like it was working).


@teleney I actually downgraded to 4.6.4 and the DNS is wrong there too. Although I believe I updated from the test 4.6.3 build you sent me to 4.6.4 when it was stable and the DNS was working correctly. Either way, the DNS isn't working like before.

I have downgraded to the test build you sent me and restored settings and now the DNS and WAN match the correct region as expected.

Can you please take another look at the current firmware releases


As you said, AdGuard will take over all DNS requests and forward them all to the VPN peer.

Because we currently have no good way to split the DNS traffic of AdGuard Home, for security reasons all requests are resolved through the VPN.

The key to the problem is to split the DNS requests from AdGuard according to the policy and send them through the WAN port and the VPN interface respectively. We have tried several methods, but they all have some limitations.

I have been looking for a better way to split traffic for AdGuard Home. I have made some attempts, but they are not included in the release version.
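The split the developer describes in this reply (DNS from clients under the VPN policy goes to the tunnel's resolver, DNS from everyone else goes to AdGuard Home, and AdGuard Home's own upstream queries leave via the WAN) can be sketched as an nftables ruleset. This is an added example, not GL.iNet firmware or AdGuard Home code. The bridge name br-lan, the AdGuard Home listener on port 3053, AdGuard Home running as a dedicated `adguard` user, the tunnel-side resolver 10.2.0.1, the example MAC addresses and the fwmark 0x100 are all assumptions, and the output-chain marking only helps if the firmware already selects the VPN routing table through policy rules, so that a "fwmark 0x100 lookup main" rule of higher priority can exempt the marked packets.

```nft
# Added example: split LAN DNS by client policy while AdGuard Home's own
# upstream queries stay on the WAN. Interface, port, user, addresses and
# mark value are assumptions, not values taken from the Brume 2 firmware.
table inet dns_split {
    # Clients whose traffic is policy-routed through the VPN (assumed MACs).
    set vpn_clients {
        type ether_addr
        elements = { 00:11:22:33:44:55, 66:77:88:99:aa:bb }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # VPN-policy clients: hand their DNS straight to the resolver reachable
        # inside the tunnel (assumed 10.2.0.1). The query never enters AdGuard
        # Home, so it cannot be re-emitted from the wrong interface.
        iifname "br-lan" ether saddr @vpn_clients udp dport 53 dnat ip to 10.2.0.1
        iifname "br-lan" ether saddr @vpn_clients tcp dport 53 dnat ip to 10.2.0.1

        # Everyone else on the LAN: redirect port 53 to the local AdGuard Home
        # listener (assumed port 3053) for filtering.
        iifname "br-lan" udp dport 53 redirect to :3053
        iifname "br-lan" tcp dport 53 redirect to :3053
    }

    chain output {
        # A "route" type chain re-evaluates the routing decision after the mark
        # is set, which is what lets a mark move locally generated packets
        # between routing tables.
        type route hook output priority mangle; policy accept;

        # AdGuard Home's upstream lookups (DoT to Cloudflare on 853, or plain
        # DNS on 53) are generated by the router itself, so a per-client MAC
        # policy cannot see which client they belong to. Marking them lets a
        # policy rule keep them on the WAN table instead of the VPN table, e.g.:
        #   ip rule add fwmark 0x100 lookup main pref 100
        # (the pref must sort before the rule that selects the VPN table).
        meta skuid "adguard" tcp dport { 53, 853 } meta mark set 0x100
        meta skuid "adguard" udp dport 53 meta mark set 0x100
    }
}
```

Two caveats a practitioner would check before relying on this. The mark-to-main rule moves all of AdGuard Home's upstream traffic to the WAN, which is exactly the trade-off the thread is about: it gives non-VPN clients WAN DNS but means VPN-policy clients must bypass AdGuard Home (as the prerouting rules do) rather than be filtered by it. And if AdGuard Home runs as root rather than a dedicated user on a given firmware, the `meta skuid` match has to be replaced by something else that identifies the process, such as a cgroup match, or the split cannot be made at this layer.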

Well, the test build that you gave me worked exactly as I expected; I have had zero issues with it.

Whatever the limitations are I haven't noticed.

The problem with that approach is that all DNS queries are routed via the VPN. If the VPN is split DNS then that could cause potential problems for certain streaming services that check location for access (I know that approach works via WAN IP; maybe it works via DNS too).

Another thing with that approach is that if the VPN client is connected to a region that's halfway across the globe then the DNS queries will take longer. I have policy-routed VPN devices for that very reason too. I don't want any queries for, say, my gaming equipment to go via VPN if they are NOT supposed to be policy-routed, and that includes DNS.

Again, I've no idea what other attempts are required considering that the build you sent me worked exactly as expected and I was running it for a few months with zero problems. I am actually back to running that very build now due to the VPN DNS problem.

In our design, the domain name resolution service is also controlled by policy, and DNS traffic can be split according to the policy. Whether the DNS request is made through VPN can also be controlled.

Regarding the issue you mentioned in your post, I will continue to try to solve it. I recently found a new method for splitting DNS traffic.

If that's the case then AdGuard should also follow the flow, which it doesn't on these firmware builds. You got it right with the release I received.


What about the guest side for different DNS?
You have 3 DNS resolvers (WAN, AdGuard Home and VPN). So try working only with AdGuard Home for everything.
I did non-VPN devices (smart TV) working only with WAN and AdGuard Home. Other devices are working with VPN and AdGuard Home.

Not sure if that is aimed at me. I do everything via AdGuard Home. AdGuard handles all my clients and therefore the upstream DNS is what I put in AdGuard Home. How it works on the test image I received: everything that goes via VPN ignores AdGuard Home and uses the VPN DNS exclusively, which is what I want; if I wanted to "use custom DNS for VPN" then I would toggle that on, I guess, however that isn't what I want.

On 4.6.8 the VPN-routed clients are using the AdGuard Home DNS upstream, but as a result the DNS queries come via that country and it affects even non-VPN-routed clients (all clients will now appear to use VPN DNS even when they shouldn't).

You could make an AdGuard Home client with a different resolver DNS.
For example, AdGuard Home finds the MAC address / IP, then uses manually set DNS resolver upstreams.

Not really. It's not the DNS that's getting changed, it's where it's going out from (the interface) that's changing. I know I could use external DNS and avoid the router altogether, but then certain functions won't work.
