Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again

Henry_Bruns · July 31, 2021, 8:06am

I don’t have a problem. I am using a configuration which are not affected by this leak. I described the two available non leaky ways already.
The gl firmware have problem which are used by some thousand customers which possible not checking by self what the firmware are doing.
I think, security bugs should be fixed at minimum.

It can be NextDNS and Cloudflare are getting the same information about the router location, a only Cloudflare are use this for offering the closest DNS server…

If I remember right, I have seen a “Cloudflare Bug” and a fix on open wrt bug tracker some month ago …

Henry_Bruns · August 5, 2021, 11:29am

Any news about bugfixing ?

0496bc97ab · August 5, 2021, 1:15pm

Are you trolling or something? You wrote above that you have no problems and we checked and confirmed that there are no leaks in the new firmware, then what fixes do you need?

Henry_Bruns · August 6, 2021, 9:54am

Not every user are checking which configuration are leaky and which ca used. So I think it will be better for perhaps 80% of user a firmware which dont have parts which are DNS leaky.
You can find the leaky and the noon leaky one configuration on follow: Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again - #59 by Henry_Bruns

You confirmed the DNS leak yourself. Follow your own words:

alzhao · August 6, 2021, 10:17am

@Henry_Bruns
I understand you still have DNS leak. But we tested and still cannot replicate the problem. But I do believe there may be a problem somewhere that we didn’t think of. We prefer to release 3.203 now and continue to investigate.

Henry_Bruns · August 6, 2021, 1:00pm

Its easy to to protect the possible 80% of user which don’t check by self what the firmware are doing, by gray out the offered leaky cloudlare menu point, so long the DNS leak are not fixed.

See follow 3.201 related:

What are a possible conclusion?

So I guess the available open wrt fix for this are possible not installed for every hardware versions of openwrt-ar750s-3.203-0701.tar beta 4 firmware version, p.e. not on gl-ar750s firmware version.

alzhao · August 6, 2021, 2:21pm

Firmware version should not be the case. As we checked before. The problem was identified as default vpn policy change. So we fixed that. Surely checked AR750S

Henry_Bruns · August 12, 2021, 10:37pm

Firmware or Cloudflare related DNS leak. One of them. If no fix are possible. Disable the Cloudfllare menue item for protecting user which dont check by self what the router are doing by selcting this menue item. Remember. The 3.105 firmware doont have this DNS leake.

By the way. If you mean the 3.2.03 firmware fixing a known 3.201 DNS leak, it can be it will be a good idea to remove this firmware version from download for protecting gl customer.

alzhao · August 13, 2021, 10:40am

You are right. We will remove 3.201 then

Henry_Bruns · September 8, 2021, 1:16pm

Does there are any news about bug fixing DNS leak or deactivating leaky menu item ?

alzhao · September 9, 2021, 9:41am

Sorry I still cannot verify that Cloudflare leaks while NextDNS not.

Henry_Bruns · September 30, 2021, 6:59am

Any news about bug fixing DNS leak or deactivating leaky menu item ?
It can be openwrt can do this task for gl. If I remember right, they offer help like this.

alzhao · September 30, 2021, 9:54am

As I said, I cannot verify this. So no progress on this.

Henry_Bruns · October 14, 2021, 12:07pm

Henry_Bruns:

alzhao:

Let’s be clear.

3.201 has DNS leak. You have to enable vpn policy and select “use DNS for processes on the router” to avoid DNS leak.

This is fixed in 3.203.

Now I was doing a very short test of ar-750s and actual beta firmware with the follow results:

Antesting the openwrt-ar750s-3.203-0703.tar:

Updated from working configuration to openwrt-ar750s-3.203-0703.tar

got a vpn connection a at minimum no https traffic to outside was possible

looked a little bit around on the settings without to see a misconfiguration

doing a reboot which didnt help on this

stopped antesting of openwrt-ar750s-3.203-0703.tar

Antesting the openwrt-ar750s-3.203-0703.tar:

updated the router to openwrt-ar750s-3.203-0701.tar

vpn are working

http and https are working to outside

Leaktest by router firmware by menu item offered cloudflare DNS, are still leaky. In this configuration a DNS from cloudflare are used which is the closest to the router location and not the closes one to the VPN endpoint position. So its still leaky. If I remember right from previous tests, this is also a way for getting slow unnecessary DNS answers. You can check the DNS leaks by p.e.

My IP Address, DNS Leak Test, WebRTC Leak Test, IPv6 Leak Test, HTTP Headers, IP Whois - BrowserLeaks

https://ipleak.net

Testing of possible available non leaky configurations:

If you select NextDNS against Coudflare by gl webmenue item, the DNS is not leaky, it mean you get answers from DNS server which are the closest to the VPN endpoint and not from DNS server which are the closes to your router position. The DNS is also fast on this way.

If you configure by self a DNS server, p.e. a external one, re one which is offered from your VPN provider inside the vpn channel, its not leaky too and a fast depend on short ways.

My suggestion for this is:

Deactivation of the Cloudflare DNS offered per menu item, as long as the implementation is leaky. Finally, presumably not every user checks what the router actually does when you use this and that menu item, but trusts that even before a firmware was released also tried times.

Recall of the released and known DNS leaky firmware 3.201.
Replacement of the 3.201 firmware with a firmware that does not offer Cloudflare as a menu item, as long as it is not implemented in a non-leaky way.

Can be a external testing and bug fixing can be one way. If I remember right, p.e. openwrt are offering service like this.

See forward.

Henry_Bruns · November 21, 2021, 8:01pm

Any news about bug fixing DNS leak or deactivating leaky menu item ?
It can be openwrt can do this task for gl. If I remember right, they offer help like this.

alzhao · November 22, 2021, 5:53am

I have a question: If you are testing with windows, did you set up dns server on your windows pc?

Henry_Bruns · November 22, 2021, 8:08am

I dont have windows PCs in the testing envirement.

Does it mean its from your point of view still the follow:

alzhao · November 22, 2021, 8:23am

I believe there must be a problem. Just need to find out.

OK that is fine. Recently got some feedback that router’s encrypted dns does not work. Finally find out it is because when the user set 8.8.8.8 or 1.1.1.1 in Windows system, the system automatically encrypted DNS so not possible for the router to override the DNS query. So asking if this could be your case.

Henry_Bruns · November 22, 2021, 8:58am

Ok. Thats sounds for me, its still the follow from gl side:
Does it mean its from your point of view still the follow:

Now the good news. The follow firmware dont have the DNS leak !!!:

Firmware 3.211 Beta1

Tested by me:

on 3 installations
on 3 endpoints
and 3 time with and without cloudflare

Congratulation. Its looks for me, the the bug are possible fixed by updating some components (p.e. components from openwrt). Thats much better, than a DNS leak. So the user can now use a newer firmware than the last known not DNS leaky one (3.104 or 3.105, i think the 3.105 one was the last not DNS leky one before the 3.211 Beta 1)

Thats great. Thanks from my side, to all people which taken care this bug.
THX

Remark:
The full list of found and solved bugs, realisized asked product improvements and possible additional proposal for product improvements can be found on:

2021, gl-inet Firmware Firmware 3.211 Beta1, shorttest of snapshot version

alzhao · November 22, 2021, 8:59am

Great to hear. But it is just very strange.