Firmware openwrt-ar750s-3.201-0402.tar, possible still same DNS leak or again

Under what conditions is the leak occurring? I’m looking to reproduce it myself. Can you explain your environment? Thanks.

For example:
default settings, Override DNS Settings for All Clients?
Cloudflare, NextDNS, DNSCrypt-Proxy?
WireGuard, OpenVPN, Tor?
Internet kill switch?

FYI, if you are looking to use the ProtonVPN internal VPN DNS servers, they are at 10.8.8.1 and 10.7.7.1. Perhaps these addresses are conflicting internally with your networking environment.

  • IPV4: on, IPV6: off
  • Wireguard service: disabled on startup
  • Dropbear: disabled on startup
  • Override DNS Settings for All Clients: on
  • Internet Kill switch: on
  • OpenVPN, Proton VPN

How are you connecting to internet? If it’s another router/modem, then it is probably set to use your ISP DNS - you need to disable that in settings.

I still can’t reproduce a leak, even using your settings (I tested using a USB broadband dongle).

  1. Is your WAN connected directly to the internet and receiving DNS from the ISP?

  2. Can you post your .ovpn file, without the auth line of course?

  3. After the router is up, the VPN is connected and the client machine is connected, what is the DNS of the client machine (“ipconfig /all” or /etc/resolv.conf)?

  4. How are you detecting the leak? dnsleaktest.com or Wireshark, etc.?

  5. What browser are you using, and do you have dns-https disabled?
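
One way to run the check from question 3 on a Linux client, as an added example that is not part of the original thread: it lists every `nameserver` entry in a resolv.conf-style file that is not on an allow-list. The function names and the sample file are constructed for illustration; 10.8.8.1 and 10.7.7.1 are the ProtonVPN resolvers mentioned above, and 192.0.2.53 is a documentation address standing in for an ISP resolver.

```shell
#!/bin/sh
# Added example: flag resolvers in a resolv.conf-style file that are not expected.

# unexpected_resolvers FILE ALLOWED...
# Prints each nameserver in FILE that is not one of ALLOWED, one per line.
# Returns 0 if every resolver is expected, 1 if at least one is not.
unexpected_resolvers() {
    file=$1; shift
    allowed=" $* "
    found=0
    # resolv.conf syntax is "nameserver <addr>"; lines starting with '#' or ';'
    # are comments and never have "nameserver" as their first field.
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        case "$allowed" in
            *" $ns "*) ;;                 # expected resolver
            *) echo "$ns"; found=1 ;;     # anything else is a possible leak path
        esac
    done
    return $found
}

# Constructed sample of what a leaking setup might show (not taken from the thread).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
nameserver 10.8.8.1
nameserver 192.0.2.53
; nameserver 198.51.100.1
search lan
EOF
}

sample=$(mktemp)
write_sample "$sample"
if leaked=$(unexpected_resolvers "$sample" 10.8.8.1 10.7.7.1); then
    echo "OK: only expected resolvers configured"
else
    echo "Possible DNS leak, unexpected resolver(s): $leaked"
fi
rm -f "$sample"
```

On a client that gets its DNS from the router, pass the router's LAN address as the allowed resolver instead; the file only shows what is configured, so a leak test site or a packet capture is still needed to see where queries actually go.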

Alza wrote:
“If you use cloudflare etc. it will not use the dns offered by dhcp.”

My answer:
That's exactly what the DNS leak is doing. The GL firmware uses the DNS from DHCP and ignores the DNS configured on the GL router.

Leaky Configuration:

I can't check /etc/resolv.conf at this time with the buggy 3.201 firmware, because I now use only the last firmware that does not leak DNS, 3.105.

Thanks for the response.

  1. Did all leak sites detect the leak? I have not been able to reproduce with all your settings.

  2. Are you the only client on the router? Teredo, IPv6-over-IPv4?

  3. Here is the last question no admin likes to hear, including me… Did you start with a fresh install, or did you upgrade with keep settings on the router firmware?

Now I have found one other user who looks to have the same DNS leak, using WireGuard, whereas I am using OpenVPN:

"I do have custom DNS settings configured, however I am also using the AR750 as a Wireguard client. My issue is that the device does not configure DNS correctly. My client devices always use the upstream device's DNS server."

Source: Wireguard client not honoring DNS setting [workaround discovered]

But that is on a very old firmware, isn’t it?

The same bug on a very old and a current firmware. In both cases, the client devices always use the upstream device's DNS server and not the one configured on the router.

I hope the hint can help to check, find and fix this bug on current firmware versions again.

Good afternoon, I can confirm that firmware version 3.201 does leak DNS, and I “solved” the problem by reverting to version 3.105. However, I still seem to have problems casting (BBC) to Chromecast. After 20 mins or so the screen says: Ready to cast and I have to stop casting and restart.

THX for checking the DNS leak. And THX for reporting the result.

Hi, thnx for the thnx.
I retract my comment about losing the connection to the BBC stream. I have been testing now for several hours with BBC and Channel5, and no problems at all.

Any news about the research and fixing of the DNS leak of the 3.201-0402 firmware?

I can replicate the problem and the developers are fixing this.

That sounds great.

By the way, it may make sense to fix the menu (if I remember right) which can only be set to “use the DNS of your ISP” or so, so that it is disabled if Cloudflare or whatever user-defined non-ISP DNS is used…

Now I added this to the bug list:

Thanks for your hard work.

But the logic is to use user defined DNS other than the ISP DNS.

There should NOT be an option to use ISP-defined DNS rather than user-defined DNS.

The menu item for using the ISP DNS should be deselectable when specifying a different DNS than the ISP DNS …

Yes, the ISP DNS must be avoided but, for example under ASUSWRT Merlin, I can choose between VPN provider DNS or DoT. The choice would be even better if I were able to have VPN DNS for VPN clients and DoT DNS for those excluded from the VPN. You cannot assume only one logic here. ASUSWRT Merlin also gives a large choice of DoT servers.
I think that GL has made a few things too simple, giving almost no choice to the user.
These are a few options that I would really need when I’m using the MV1000. And these are from the older GUI version from john9527.

Wow. The possibility to disable weak cipher suites looks interesting. Is ASUSWRT fully open source, or does it have closed-source parts like DD-WRT and the GL firmware?

I was looking now for an Asus router, and found some models in DSL router size; I didn't find one in travel router size at this time.

Unfortunately, it’s not. This is one of the reasons why I use an older-version-based fork from John, because Merlin’s fork is less and less open source (because of Asus's choices). I believe WiFi is never OSS while the rest is. The other problem is that my RT-AC68U uses a very old 2.6 kernel (so no WireGuard). I don’t think Asus has produced a small-size router.