DNS Leaking with OpenVPN

This is an old post. But from firmware v3.x, when you set up the OpenVPN client, it will respect the DNS settings in the ovpn file.

Hi. I use the VPN from Avast. Can it leak my DNS too?

You can avoid DNS leaks by setting a custom DNS. If you upgrade to the v3.0 firmware, you can enable Cloudflare DNS over TLS.

I actually have a question about this topic. How are resolutions handled by the router if you set up an OpenVPN connection? As I understand it, they go through the WAN/tether/4G/repeater connection and not the OpenVPN connection, no? This would mean that every DNS resolution the router does would leak information to the ISP about any site any client behind the router visits. Is there a way to force ALL traffic, including DNS resolution, over the VPN once it is connected? I guess there would need to be a change in the firewall rules for this to happen, on each OpenVPN connect/disconnect event.

Clients -> GL-iNet router (OpenVPN) -> 4G modem

The problem is, first, resolving the DNS name of the OpenVPN server: if it is not an IP, the GL-iNet router has to send a DNS request over the unencrypted line to the ISP. Then it knows the IP of the OpenVPN server. Then it opens the OpenVPN connection… but now what? Every DNS resolution would still happen unencrypted over the normal WAN line, not the tun line.

If the ISP logs, it will know every DNS resolution any client does through the GL-iNet router, even when using OpenVPN.

Also, is there an option to block all traffic redirected from the clients to the internet if the OpenVPN connection drops?

Before the OpenVPN connection is established, DNS resolution goes over the normal internet. After the OpenVPN connection is established, DNS resolution will go through the VPN.

But you can set up DNS encryption, and DNS resolution should then always go encrypted to the DNS server. Neither your ISP nor your VPN service provider can see your DNS.


@alzhao Ah ok, I just noticed the latest firmware has support for encrypted DNS through Cloudflare. How is this implemented? I saw it making a resolver entry in dnsmasq at port 127.0.0.1#535353 or something. What software is running on that port? How would I use this together with the adblock DNS host list entry in the dnsmasq config? Would that still work? Wouldn't dnsmasq stop being the resolver in this case?

Also, how do I set it up so that the moment the VPN breaks, all client traffic is blocked and nothing leaks through the WAN?

There is a program in the background that converts DNS data to encrypted data via TLS.

By default, if you enable the VPN and the VPN breaks, you will not have Internet.

I am not sure about dnsmasq rules. But they should still take effect. You may test it yourself.

Command line to prevent DNS leaks:

```sh
# Stop the WAN interfaces from installing the ISP-supplied resolvers.
# Use straight quotes: typographic quotes would set the literal value “0”,
# which uci does not treat as 0.
uci set network.wan.peerdns="0"
uci set network.wan6.peerdns="0"
uci commit network
service network reload
```
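To verify that the settings above actually landed, the following added example (not code from the original thread or from GL.iNet) audits a `uci show network` dump for WAN interfaces that still accept ISP-pushed resolvers. It works on constructed sample dumps in the `key='value'` format `uci show` prints, so it runs offline; on a real router you would feed it `uci show network` instead. The interface names `wan` and `wan6`, and the use of the `dns` option as the static-resolver list, are assumptions taken from the commands in the thread.

```sh
#!/bin/sh
# Offline DNS-leak audit of OpenWrt/GL.iNet UCI network settings.
# Constructed sample dumps in `uci show network` format (not real router output).

# Leaky: wan accepts ISP DNS explicitly, wan6 leaves peerdns unset (defaults to 1).
SAMPLE_LEAKY="network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='1'
network.wan6=interface
network.wan6.proto='dhcpv6'"

# Fixed: peerdns=0 on both, static resolvers configured on wan.
SAMPLE_FIXED="network.wan=interface
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='1.1.1.1 1.0.0.1'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.wan6.peerdns='0'"

# uci_get DUMP KEY: print the value of KEY from DUMP without the surrounding
# single quotes, or nothing if the key is absent.
uci_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | sed -n "s/^${key_re}=//p" | sed "s/^'//; s/'\$//"
}

# audit_iface DUMP IFACE: print one verdict line, return 1 if the interface
# would install ISP resolvers (peerdns missing or not 0).
audit_iface() {
    dump="$1"; iface="$2"
    peerdns=$(uci_get "$dump" "network.$iface.peerdns")
    static_dns=$(uci_get "$dump" "network.$iface.dns")
    if [ "$peerdns" != "0" ]; then
        # An unset peerdns behaves like 1: DHCP/RA-supplied resolvers are used.
        echo "$iface: LEAK peerdns=${peerdns:-unset} (ISP resolvers accepted)"
        return 1
    fi
    if [ -z "$static_dns" ]; then
        echo "$iface: OK peerdns=0, no static dns (relies on VPN-pushed or DoT resolver)"
    else
        echo "$iface: OK peerdns=0, dns='$static_dns'"
    fi
    return 0
}

# dns_leak_audit DUMP: audit wan and wan6; return 1 if any interface leaks.
dns_leak_audit() {
    rc=0
    for i in wan wan6; do
        audit_iface "$1" "$i" || rc=1
    done
    return $rc
}

# Demonstration on the constructed samples.
echo "--- leaky config ---"; dns_leak_audit "$SAMPLE_LEAKY" || true
echo "--- fixed config ---"; dns_leak_audit "$SAMPLE_FIXED" || true
```

Note that `peerdns=0` alone is only half of the fix: with no static `dns` list and no encrypted resolver configured, `/etc/resolv.conf` ends up empty and nothing resolves until the VPN pushes its own servers, which is why the audit reports that state separately rather than as a leak.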