How to ensure Wireguard DNS always works?

I have been using wireguard for a long time without any issues.

Suddenly it stopped working, and of my friends tried an alternative DNS which worked, and turns out that I have been using the faulty DNS (64.6.64.6).

So I understand that DNS server is used for name resolution, and it is typically assigned by the ISP.

But, here is my question:

  1. Why does Wireguard on GL-INET not use the DNS server provided by the ISP?

  2. What can I do to ensure that this DNS problem does not happen again?

  3. Why did the DNS Server that my wireguard was using went down?

  4. Can using a different DNS server somehow reveal my actual location?

  5. Why did not, by default wireguard use the google DNS server, considering it is one of the best?

  6. When I enable “Manual DNS Server settings” as an option in GL-Inet UI config, it says “Leave blank to auto choose DNS Servers” .
    Should I select this? Considering GL Inet is deciding it, this certainly sounds good to me.

=====================
My wireguard Config:
[Interface]
Address = 10.0.0.3/32
ListenPort = 34061
PrivateKey = aOMTCuzaFdyGwMCGb5ekEjmWm1OImuisYIoY91C5lnU=
DNS = 64.6.64.6

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 76.69.60.207:51820
PersistentKeepalive = 25
PublicKey = /9yPzqTjLwbyybcjSa06kJJy6BHJ0JLMuCKC37fvhAs=

It does as long as its needed, but only if the DNS on your router is set to the ISP one. Mostly wireguard will work with IPs instead of DNS - depends on the config.

Choose an trustworthy DNS server.

Ask the DNS server owner :smiley:

Yep, but this is a general problem. It‘s called DNS leak. Using wireguard is a bit dangerous anyway because the internet will just switch to normal internet if the VPN connections is down. (As long as your client does not support to cut the internet off if there is a problem)

It’s not one of the best. It’s one of the most stable an reliable ones - but definitely not the best. If you use VPN for privacy reasons you should avoid Google DNS like a devil avoids holy water. :slightly_smiling_face:

Well, this depends on your needs. Mostly I would say „Yes“ but it’s up to you. Using the ISPs DNS is a problem in privacy as well. You can choose any trustworthy one - for example your own DNS service (like AdGuard DNS, paid) or one of your local IT privacy group - if something like this exists in your country.

Since you posted your whole wireguard config (even with the private key, which is used as an password) you should delete the whole wireguard account and create a new one - for safety reasons.

Please keep in mind that DNS is a client thing. So you can always choose a different DNS on your client which could raise or lower your privacy.

1 Like

Many thanks for the detailed reply.

I am working from a different country and don’t want to reveal my location, that is my need.
Would “Manual DNS Server settings” be a good, reliable option in this case?
What DNS address would you recomment?

Let me ask the next question to understand your needs better. Who is the one that should not know your location? The company you work for? Your ISP? The government?

If it’s just the company you could choose any DNS you like. They won’t recognize it because the DNS traffic takes many routes before it gets to them. In that case Google DNS (8.8.8.8) or Quad9 (9.9.9.9) or Cloudflare (1.1.1.1) is totally fine.

I got somewhat confused by this. In the configuration above, since we mention field DNS explicitly in config, it should be a “server thing” right?
I believed that the GL INET server will decrypt the requests with the domain name and then use IP for the resolution. Is that correct?

Thanks. Mostly the company but it would be helpful if ISP in client country does not know as well… Although I am happy with company not knowing I am curious to know the solution for hiding it from ISP, because I am thinking of vacationing to other countries.

I am not totally sure about how DNS works with wireguard but I would assume that it’s just an option that gets pushed to to client. It depends on the client to use the DNS server you selected.

There are even situation where you want to speak to different DNS servers the same time - called Split-DNS. (Often used for company-VPNs)

All in all I would not be too scared about DNS because location tracking based on DNS is not common and more like „I need to hide myself because the CIA is trying to catch me“

I’d use google DNS but your comment above totally scared me lol honestly. Maybe that’s why I’d use Quad, but don’t know!

Well, if you need privacy using Google DNS is wrong because they don’t respect privacy. I mean they say so - but it’s still Google. :sweat_smile:

Using Quad9 should be fine.

1 Like

My last question:
What about “Manual DNS Server settings” in UI? Is it better than Quad9?

This just let you enter manual IPs for DNS servers. Results are the same.

I meant like this setting: Leave blank to auto choose DNS Servers

I am not sure about it, sorry.
If it appears within the wireguard GUI it means that rhe routers DNS servers will be chosen.

If it’s within the network details of the router it means that the DNS server will be provisioned by DHCP mostly, so it will be the ISPs one.

Okay, thanks. Server ISP you mean, right?

Yep. Depends on which DNS server your ISP announces.

1 Like