Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again

One more which possibly has the same DNS leak:

Is there any plan and time frame to fix the DNS leak on the 3.201 firmware?

As I understand it, it’s possible only if you want a/b/g/n.
There is no free open source driver for ac.

What is the benefit for the user of a VPN with a DNS leak?

What is the benefit of not using existing wifi hardware which has an open source driver?

What is the benefit for the user of a router firmware which has a closed source part?

What is the benefit of a DNS-leaky router-based solution compared with only installing VPN software on the PC which needs a VPN?

What is the benefit for the user of a VPN with a DNS leak?

I can’t tell because I don’t see one DNS leak, either on the client sent to the VPN or the one excluded. Both use CloudFlare DoT through the VPN (which isn’t optimal but cannot be called a leak).

What is the benefit of not using existing wifi hardware which has an open source driver?

Having better speed with Wifi ac (because there is no open source wifi ac or ax).

What is the benefit for the user of a router firmware which has a closed source part?

See above: faster wifi and functions not available as open source, like Trend Micro on ASUSWRT.

What is the benefit of a DNS-leaky router-based solution compared with only installing VPN software on the PC which needs a VPN?

Not all devices behind a router (and I don’t see it leaking in the case of my MV1000) are PCs. Once properly configured in the router, I can choose which device goes in the VPN or not without having to install anything on each and every device (whenever a VPN can possibly be installed; try that in a cloud camera, for example).

Source: Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again - #32 by Willist

“Based on openwrt 19.07.7

Important bugfix:

3. Fixed DNS leakage BUG when using CloudFlare after connecting to OpenVPN”
Source: https://dl.gl-inet.com/firmware/snapshots/3.203_beta4/ar750s/ReleaseNote.txt

It’s great to see that the fixed version from OpenWrt will be used now. So it will be possible in future to use a newer version without the DNS leak than the last one released without the DNS leak, 3.105.

Please don’t forget to delete the known DNS-leaky RELEASED firmware 3.1x and/or 3.2x …

I checked the GL.iNet download center this week.
It’s still the same DNS leak. So the last one known not to be DNS leaky is still 3.105 (tested on AR-750S).

Any news about fixing the DNS leak?

Any news about fixing the DNS leak on firmware >= 3.2xx?

Now I cannot find a DNS leak in the beta4 firmware. I am using Nord. Can you give a few details of how you tested this time?

Leaky Configuration:

  • IPV4: on, IPV6: off
  • WireGuard service: disabled on startup
  • Dropbear: disabled on startup
  • DNS on GL router: Cloudflare
  • DNS on ISP DSL router: Cloudflare
  • Firefox, DNS from Mozilla by DOH about:config is set: off (network.trr.mode 0)
  • Override DNS Settings for All Clients: on
  • Internet Kill switch: on
  • OpenVPN, Proton VPN
  • detecting the leak by: My IP Address - BrowserLeaks

DNS leak by using external DNS like Cloudflare, no DNS leak by using the VPN provider’s own DNS.

I am using Nord and used the same settings but I don’t have a DNS leak.

Previously the problem was in the default vpn policy.

Can you check if you have configured any vpn policy? The “Use VPN for all processes on the router” must be on. This should be the default setting on 3.203 beta4.

Can you turn this option on/off and try again? Just to make sure this is not what caused the problem.

Leaky Configuration:

It is the country that is leaking, since Cloudflare takes the closest servers. I’m not sure that this is a router problem, but still an interesting observation…

Let’s be clear.

3.201 has a DNS leak. You have to enable vpn policy and select “use DNS for processes on the router” to avoid the DNS leak.

This is fixed in 3.203.

According to your configuration in firmware 3.203, I get the DNS server from the VPN service provider. This is a normal situation.

Thanks! Yes, version 3.203-0722 did not leak!

I have now done a very short test of the AR-750S and the current beta firmware with the following results:

Testing openwrt-ar750s-3.203-0703.tar:

  • Updated from a working configuration to openwrt-ar750s-3.203-0703.tar
  • got a VPN connection, and at minimum no HTTPS traffic to the outside was possible
  • looked around the settings a little without seeing a misconfiguration
  • did a reboot, which didn’t help with this
  • stopped testing openwrt-ar750s-3.203-0703.tar

Testing openwrt-ar750s-3.203-0703.tar:

  • updated the router to openwrt-ar750s-3.203-0701.tar
  • VPN is working
  • HTTP and HTTPS are working to the outside
  • Leak test with the Cloudflare DNS offered by the router firmware as a menu item: still leaky. In this configuration a Cloudflare DNS server is used which is the closest to the router location and not the closest one to the VPN endpoint position. So it’s still leaky. If I remember right from previous tests, this is also a way of getting unnecessarily slow DNS answers. You can check for DNS leaks with, e.g.:
  • My IP Address - BrowserLeaks
  • https://ipleak.net

Testing of possibly available non-leaky configurations:

  • If you select NextDNS instead of Cloudflare via the GL web menu item, the DNS is not leaky; that means you get answers from DNS servers which are the closest to the VPN endpoint and not from DNS servers which are the closest to your router position. The DNS is also fast this way.
  • If you configure a DNS server yourself, e.g. an external one, or one which is offered by your VPN provider inside the VPN channel, it’s not leaky either and fast because of the short paths.

My suggestion for this is:

  • Deactivation of the Cloudflare DNS offered as a menu item, as long as the implementation is leaky. After all, presumably not every user checks what the router actually does when you use this or that menu item, but trusts that it was tried out before a firmware was released.
  • Recall of the released and known DNS leaky firmware 3.201.
    Replacement of the 3.201 firmware with a firmware that does not offer Cloudflare as a menu item, as long as it is not implemented in a non-leaky way.

Buddy, I had exactly the same problem with Cloudflare DNS, but after I updated the firmware version of my MT1300 Beryl to version 3.203-0722, the problem disappeared; the DNS is shown closest to the VPN! I can check how things are with the AR750S later if you want…

I have been testing exactly according to your steps, and still no leak was found.
If possible, I can help analyze this problem remotely.

NextDNS and Cloudflare use exactly the same implementation. It is hard to understand why NextDNS works but Cloudflare does not.

I suggest you do more testing comparing NextDNS and Cloudflare. Maybe you can easily find the reason, if a remote check is not a choice.

  • I don’t have a problem. I am using a configuration which is not affected by this leak. I described the two available non-leaky ways already.

  • The GL firmware has a problem, and it is used by some thousand customers who possibly do not check for themselves what the firmware is doing.

  • I think security bugs should be fixed, at a minimum.

It may be that NextDNS and Cloudflare are getting the same information about the router location, and only Cloudflare uses this for offering the closest DNS server…

If I remember right, I have seen a “Cloudflare Bug” and a fix on the OpenWrt bug tracker some months ago …
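
The pass/fail criterion the testers in this thread apply (is the resolver shown by the leak-test page near the router's real location or near the VPN exit?), written out as an added example that is not part of any post above. The record layout, label names and all sample addresses, AS numbers and countries are constructed for illustration; the values would be copied by hand from a leak-test page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resolver:
    ip: str       # resolver address shown by the leak-test page
    asn: int      # autonomous system that address belongs to
    country: str  # country the leak-test page reports for it

# Higher number = worse finding; used to pick the overall verdict.
SEVERITY = {"consistent": 0, "inconclusive": 1, "locality-mismatch": 2, "isp-leak": 3}

def classify(r, isp_asn, router_country, vpn_exit_country):
    """Label one observed resolver relative to the router and the VPN exit."""
    if r.asn == isp_asn:
        return "isp-leak"            # the ISP's own resolver handled the query
    if router_country == vpn_exit_country:
        return "inconclusive"        # country alone cannot separate the two paths
    if r.country == router_country:
        return "locality-mismatch"   # resolver is near the router, not the VPN exit
    if r.country == vpn_exit_country:
        return "consistent"          # resolver is near the VPN exit
    return "inconclusive"            # third country: needs a closer look

def verdict(resolvers, isp_asn, router_country, vpn_exit_country):
    """Return (worst label, per-resolver labels) for one leak-test run."""
    if not resolvers:
        raise ValueError("no resolvers observed; the leak test did not complete")
    labels = [classify(r, isp_asn, router_country, vpn_exit_country)
              for r in resolvers]
    return max(labels, key=SEVERITY.__getitem__), labels

# Constructed sample runs: router in DE behind ISP AS64500, VPN exit in NL.
ISP_ASN, ROUTER_CC, VPN_CC = 64500, "DE", "NL"
RUN_A = [Resolver("203.0.113.10", 64501, "DE")]   # public resolver near the router
RUN_B = [Resolver("198.51.100.7", 64502, "NL")]   # resolver near the VPN exit
RUN_C = [Resolver("198.51.100.7", 64502, "NL"),   # mixed run: one query reached
         Resolver("192.0.2.53", 64500, "DE")]     # the ISP's resolver

if __name__ == "__main__":
    for name, run in (("A", RUN_A), ("B", RUN_B), ("C", RUN_C)):
        print(name, verdict(run, ISP_ASN, ROUTER_CC, VPN_CC))
```

A "locality-mismatch" result is the symptom the thread argues about; it records what the test page showed and does not by itself say which path the query took.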