Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again

0496bc97ab · 2021-07-28T20:49:17.965Z

Thanks! Yes, version 3.203-0722 not leaked!

Henry_Bruns · 2021-07-30T11:23:10.201Z

alzhao:

Let’s be clear.

3.201 has DNS leak. You have to enable vpn policy and select “use DNS for processes on the router” to avoid DNS leak.

This is fixed in 3.203.

Now I was doing a very short test of ar-750s and actual beta firmware with the follow results:

Antesting the openwrt-ar750s-3.203-0703.tar:

Updated from working configuration to openwrt-ar750s-3.203-0703.tar
got a vpn connection a at minimum no https traffic to outside was possible
looked a little bit around on the settings without to see a misconfiguration
doing a reboot which didnt help on this
stopped antesting of openwrt-ar750s-3.203-0703.tar

Antesting the openwrt-ar750s-3.203-0703.tar:

updated the router to openwrt-ar750s-3.203-0701.tar
vpn are working
http and https are working to outside
Leaktest by router firmware by menu item offered cloudflare DNS, are still leaky. In this configuration a DNS from cloudflare are used which is the closest to the router location and not the closes one to the VPN endpoint position. So its still leaky. If I remember right from previous tests, this is also a way for getting slow unnecessary DNS answers. You can check the DNS leaks by p.e.
My IP Address - BrowserLeaks
https://ipleak.net

Testing of possible available non leaky configurations:

If you select NextDNS against Coudflare by gl webmenue item, the DNS is not leaky, it mean you get answers from DNS server which are the closest to the VPN endpoint and not from DNS server which are the closes to your router position. The DNS is also fast on this way.
If you configure by self a DNS server, p.e. a external one, re one which is offered from your VPN provider inside the vpn channel, its not leaky too and a fast depend on short ways.

My suggestion for this is:

Deactivation of the Cloudflare DNS offered per menu item, as long as the implementation is leaky. Finally, presumably not every user checks what the router actually does when you use this and that menu item, but trusts that even before a firmware was released also tried times.
Recall of the released and known DNS leaky firmware 3.201.
Replacement of the 3.201 firmware with a firmware that does not offer Cloudflare as a menu item, as long as it is not implemented in a non-leaky way.

0496bc97ab · 2021-07-30T20:20:25.394Z

Buddy, I had exactly the same problem with DNS Clouflare, but after I updated the firmware version of my MT1300 Beryl to version 3.203-0722, the problem disappeared, the DNS is shown closest to the VPN! I can check how things are with the AR750S later if you want…

robotluo · 2021-07-31T02:21:01.883Z

I have been testing exactly according to your steps, and still no leak was found.
If possible, I can help analyze this problem remotely.

alzhao · 2021-07-31T03:28:39.093Z

NextDNS and Cloudflare use exactly the same implementation. It is hard to understand why NextDNS works but cloudflare does not.

I suggest you can do more testing comparing NextDNS and Cloudfalre. Maybe you can easily find the reason, if a remote check is not a choice.

Henry_Bruns · 2021-07-31T08:06:50.443Z

robotluo:

I have been testing exactly according to your steps, and still no leak was found.
If possible, I can help analyze this problem remotely.

I don’t have a problem. I am using a configuration which are not affected by this leak. I described the two available non leaky ways already.
The gl firmware have problem which are used by some thousand customers which possible not checking by self what the firmware are doing.
I think, security bugs should be fixed at minimum.

alzhao:

NextDNS and Cloudflare use exactly the same implementation. It is hard to understand why NextDNS works but cloudflare does not.

It can be NextDNS and Cloudflare are getting the same information about the router location, a only Cloudflare are use this for offering the closest DNS server…

If I remember right, I have seen a “Cloudflare Bug” and a fix on open wrt bug tracker some month ago …

Henry_Bruns · 2021-08-05T11:29:22.059Z

Any news about bugfixing ?

0496bc97ab · 2021-08-05T13:15:35.668Z

Are you trolling or something? You wrote above that you have no problems and we checked and confirmed that there are no leaks in the new firmware, then what fixes do you need?

Henry_Bruns · 2021-08-06T09:54:32.704Z

0496bc97ab:

You wrote above that you have no problems … then what fixes do you need?

Not every user are checking which configuration are leaky and which ca used. So I think it will be better for perhaps 80% of user a firmware which dont have parts which are DNS leaky.
You can find the leaky and the noon leaky one configuration on follow: Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again - #59 by Henry_Bruns

0496bc97ab:

… and we checked and confirmed that there are no leaks in the new firmware, then what fixes do you need?

You confirmed the DNS leak yourself. Follow your own words:

0496bc97ab:

Leaky Configuration:

Firmware 3.201

Wireguard Clent: On and connect Mullvad

DNS on GL router: Manual DNS Server Settings 1.1.1.1 1.0.0.1

Internet Kill switch: on

Connect Client to WiFi

detecting the leak by: My IP Address, DNS Leak Test, WebRTC Leak Test, IPv6 Leak Test, HTTP Headers, IP Whois - BrowserLeaks

It is the country that is leaking, since Clouflare takes the closest servers, I’m not sure that this is a router problem, but still an interesting observation…

0496bc97ab:

Buddy, I had exactly the same problem with DNS Clouflare, but after I updated the firmware version of my MT1300 Beryl to version 3.203-0722, the problem disappeared, the DNS is shown closest to the VPN! I can check how things are with the AR750S later if you want…

alzhao · 2021-08-06T10:17:56.575Z

@Henry_Bruns
I understand you still have DNS leak. But we tested and still cannot replicate the problem. But I do believe there may be a problem somewhere that we didn’t think of. We prefer to release 3.203 now and continue to investigate.

Henry_Bruns · 2021-08-06T13:00:01.832Z

alzhao:

I understand you still have DNS leak. But we tested and still cannot replicate the problem. But I do believe there may be a problem somewhere that we didn’t think of. We prefer to release 3.203 now and continue to investigate.

Its easy to to protect the possible 80% of user which don’t check by self what the firmware are doing, by gray out the offered leaky cloudlare menu point, so long the DNS leak are not fixed.

See follow 3.201 related:

Henry_Bruns:

Any news about the research and fixing the DNS leak of 3.201-0402 firmware ?

alzhao:

I can replicate the problem and developers are fixing on this.

What are a possible conclusion?

So I guess the available open wrt fix for this are possible not installed for every hardware versions of openwrt-ar750s-3.203-0701.tar beta 4 firmware version, p.e. not on gl-ar750s firmware version.

alzhao · 2021-08-06T14:21:46.962Z

Firmware version should not be the case. As we checked before. The problem was identified as default vpn policy change. So we fixed that. Surely checked AR750S

Henry_Bruns · 2021-08-12T22:37:28.443Z

Firmware or Cloudflare related DNS leak. One of them. If no fix are possible. Disable the Cloudfllare menue item for protecting user which dont check by self what the router are doing by selcting this menue item. Remember. The 3.105 firmware doont have this DNS leake.

By the way. If you mean the 3.2.03 firmware fixing a known 3.201 DNS leak, it can be it will be a good idea to remove this firmware version from download for protecting gl customer.

alzhao · 2021-08-13T10:40:29.695Z

Henry_Bruns:

By the way. If you mean the 3.2.03 firmware fixing a known 3.201 DNS leak, it can be it will be a good idea to remove this firmware version from download for protecting gl customer.

You are right. We will remove 3.201 then

Henry_Bruns · 2021-09-08T13:16:49.852Z

Henry_Bruns:

Firmware or Cloudflare related DNS leak. One of them. If no fix are possible. Disable the Cloudfllare menue item for protecting user which dont check by self what the router are doing by selcting this menue item. Remember. The 3.105 firmware doont have this DNS leake.

By the way. If you mean the 3.2.03 firmware fixing a known 3.201 DNS leak, it can be it will be a good idea to remove this firmware version from download for protecting gl customer.

Does there are any news about bug fixing DNS leak or deactivating leaky menu item ?

alzhao · 2021-09-09T09:41:37.408Z

Henry_Bruns:

Firmware or Cloudflare related DNS leak. One of them. If no fix are possible. Disable the Cloudfllare menue item for protecting user which dont check by self what the router are doing by selcting this menue item. Remember. The 3.105 firmware doont have this DNS leake.

Sorry I still cannot verify that Cloudflare leaks while NextDNS not.

Henry_Bruns · 2021-09-30T06:59:22.480Z

alzhao:

Sorry I still cannot verify that Cloudflare leaks while NextDNS not.

Any news about bug fixing DNS leak or deactivating leaky menu item ?
It can be openwrt can do this task for gl. If I remember right, they offer help like this.

alzhao · 2021-09-30T09:54:23.885Z

Henry_Bruns:

Any news about bug fixing DNS leak or deactivating leaky menu item ?

As I said, I cannot verify this. So no progress on this.

Henry_Bruns · 2021-10-14T12:07:00.636Z

alzhao:

As I said, I cannot verify this. So no progress on this.

0496bc97ab:

Buddy, I had exactly the same problem with DNS Clouflare, but after I updated the firmware version of my MT1300 Beryl to version 3.203-0722, the problem disappeared, the DNS is shown closest to the VPN! I can check how things are with the AR750S later if you want…

0496bc97ab:

Leaky Configuration:

Firmware 3.201

Wireguard Clent: On and connect Mullvad

DNS on GL router: Manual DNS Server Settings 1.1.1.1 1.0.0.1

Internet Kill switch: on

Connect Client to WiFi

detecting the leak by: My IP Address, DNS Leak Test, WebRTC Leak Test, IPv6 Leak Test, HTTP Headers, IP Whois - BrowserLeaks

It is the country that is leaking, since Clouflare takes the closest servers, I’m not sure that this is a router problem, but still an interesting observation…

Henry_Bruns:

alzhao:

Let’s be clear.

3.201 has DNS leak. You have to enable vpn policy and select “use DNS for processes on the router” to avoid DNS leak.

This is fixed in 3.203.

Now I was doing a very short test of ar-750s and actual beta firmware with the follow results:

Antesting the openwrt-ar750s-3.203-0703.tar:

Updated from working configuration to openwrt-ar750s-3.203-0703.tar

got a vpn connection a at minimum no https traffic to outside was possible

looked a little bit around on the settings without to see a misconfiguration

doing a reboot which didnt help on this

stopped antesting of openwrt-ar750s-3.203-0703.tar

Antesting the openwrt-ar750s-3.203-0703.tar:

updated the router to openwrt-ar750s-3.203-0701.tar

vpn are working

http and https are working to outside

Leaktest by router firmware by menu item offered cloudflare DNS, are still leaky. In this configuration a DNS from cloudflare are used which is the closest to the router location and not the closes one to the VPN endpoint position. So its still leaky. If I remember right from previous tests, this is also a way for getting slow unnecessary DNS answers. You can check the DNS leaks by p.e.

My IP Address, DNS Leak Test, WebRTC Leak Test, IPv6 Leak Test, HTTP Headers, IP Whois - BrowserLeaks

https://ipleak.net

Testing of possible available non leaky configurations:

If you select NextDNS against Coudflare by gl webmenue item, the DNS is not leaky, it mean you get answers from DNS server which are the closest to the VPN endpoint and not from DNS server which are the closes to your router position. The DNS is also fast on this way.

If you configure by self a DNS server, p.e. a external one, re one which is offered from your VPN provider inside the vpn channel, its not leaky too and a fast depend on short ways.

My suggestion for this is:

Deactivation of the Cloudflare DNS offered per menu item, as long as the implementation is leaky. Finally, presumably not every user checks what the router actually does when you use this and that menu item, but trusts that even before a firmware was released also tried times.

Recall of the released and known DNS leaky firmware 3.201.
Replacement of the 3.201 firmware with a firmware that does not offer Cloudflare as a menu item, as long as it is not implemented in a non-leaky way.

Can be a external testing and bug fixing can be one way. If I remember right, p.e. openwrt are offering service like this.

See forward.

Henry_Bruns · 2021-11-21T20:01:00.166Z

Any news about bug fixing DNS leak or deactivating leaky menu item ?
It can be openwrt can do this task for gl. If I remember right, they offer help like this.