Wireguard DNS leak


#1

Hi, I'm using this guide to set up WG, https://docs.gl-inet.com/en/2/app/wireguard/, on my B1300. I'm connecting with the official Android WireGuard app; leaving DNS blank gives a DNS leak, and setting it to 10.0.0.1 leaks as well. Any idea what the correct DNS to set is so that the router resolves DNS?

Also, how do we add more peers?


#2

If you use the Android app, please set the DNS to 8.8.8.8 or another reliable DNS server. The DNS field can't be blank.


#3

So if DNS over TLS is set up on the router, I can't use that?


#4

Yes, you can use it to avoid DNS leaks. But you say you have a B1300, while DNS over TLS is only supported in v3.0 firmware.


#5

I've got DNS over TLS set up using Unbound.
In that case, for extra peers do I do this?

config wireguard_wg0
    option public_key '...'  # Client's public key
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.0/24'

Instead of wg0 do I set wg1, wg2, etc.?
And what range do I set in allowed IPs?


#6

Is it server side? If you have several peers, you can set them as below.

config wireguard_wg0
    option public_key '...'  # Client1's public key
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.2/32'

config wireguard_wg0
    option public_key '...'  # Client2's public key
    option route_allowed_ips '1'
    list allowed_ips '10.0.0.3/32'

#7

Getting back to this, I've upgraded to v3 and tested the WireGuard server; all works well.
However, I'd like to ask how I change the default DNS generated in the config file. I'd like to set it to 192.168.8.1 so that it resolves via DoT to Cloudflare in the router instead of 64.6.64.6 as now.


#8

I think you can just change the DNS in the config manually without touching the server.


#9

Sure, I know that's possible, but for me it's better if I can change the default DNS to the router; that way sharing it with other people is easy without changing any configuration.


#10

Can you set up a customized DNS server on the server side to check whether this option is put into the WG config?


#11

Where is the server config file located? On the v3 GUI there's only server and port.


#12

I mean: More Settings -> Custom DNS Server.


#13

Currently I have DNS over TLS checked on that page.
The WG server settings do not reflect that, nor is it my ISP's DNS server.


#14

I mean you can set up a custom DNS server on the server side.

DNS over TLS will not be passed to the client in the WireGuard settings.


#15

That's the problem, which is why I want the DNS to default to 192.168.8.1 so it will follow the router's DNS, which is set to DNS over TLS.


#16

I think the best way is to change the DNS settings when you export the settings from WG. This is the best way now.

192.168.8.1 as DNS will not be accessible by the client after WG is connected, so you need to put it in the WG settings.

image


#17

Based on this, the solution is to set DNS to the router IP.
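The two practical outcomes of this thread, one peer section per client with a /32 in `allowed_ips` (#6) and a DNS server that is reachable through the tunnel written into each exported client config (#16, #17), can be generated and sanity-checked with a small script. The following is an added example, not code from the original posts or from GL.iNet; the server address 10.0.0.1/24 on wg0, the endpoint `vpn.example.com:51820` and the key strings are placeholders, and the choice of the router's own wg0 address as the client DNS is an assumption about the setup (the thread only concludes "set DNS to the router IP"). The overlap check is the part the thread's #5 would have tripped on: giving every peer `10.0.0.0/24` makes WireGuard's cryptokey routing ambiguous, so only one peer would ever receive that traffic.

```python
import ipaddress

# Assumed server-side layout (placeholders, not from the original thread):
ROUTER_WG_ADDR = ipaddress.ip_interface("10.0.0.1/24")   # router's address on wg0
SERVER_ENDPOINT = "vpn.example.com:51820"                 # public endpoint of the router
SERVER_PUBKEY = "SERVER_PUBLIC_KEY_PLACEHOLDER"


def allocate_peers(pubkeys, server_if=ROUTER_WG_ADDR):
    """Give each client public key its own /32 inside the server's subnet,
    skipping the server's own address. Returns [(pubkey, IPv4Network), ...]."""
    hosts = server_if.network.hosts()
    peers = []
    for pk in pubkeys:
        addr = next(hosts)
        if addr == server_if.ip:
            addr = next(hosts)
        peers.append((pk, ipaddress.ip_network(f"{addr}/32")))
    return peers


def check_allowed_ips(peers):
    """Reject overlapping allowed_ips. WireGuard routes an inner destination IP
    to exactly one peer, so two peers claiming the same range is a misconfiguration."""
    nets = [net for _, net in peers]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"allowed_ips overlap: {a} and {b}")
    return True


def server_sections(peers, iface="wg0"):
    """Render the OpenWrt /etc/config/network peer sections, one per client,
    in the same shape as post #6 above."""
    check_allowed_ips(peers)
    lines = []
    for pk, net in peers:
        lines += [
            f"config wireguard_{iface}",
            f"    option public_key '{pk}'",
            "    option route_allowed_ips '1'",
            f"    list allowed_ips '{net}'",
            "",
        ]
    return "\n".join(lines)


def client_conf(privkey, net, dns=ROUTER_WG_ADDR.ip):
    """Render the client-side .conf. DNS defaults to the router's wg0 address
    (assumption), which is inside AllowedIPs and therefore reachable only
    through the tunnel; that is what keeps resolution from leaking to the
    phone's system resolvers."""
    prefixlen = ROUTER_WG_ADDR.network.prefixlen
    return (
        "[Interface]\n"
        f"PrivateKey = {privkey}\n"
        f"Address = {net.network_address}/{prefixlen}\n"
        f"DNS = {dns}\n"
        "\n"
        "[Peer]\n"
        f"PublicKey = {SERVER_PUBKEY}\n"
        f"Endpoint = {SERVER_ENDPOINT}\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\n"
        "PersistentKeepalive = 25\n"
    )


if __name__ == "__main__":
    # Constructed placeholder keys; real ones come from `wg genkey | wg pubkey`.
    peers = allocate_peers(["CLIENT1_PUBKEY", "CLIENT2_PUBKEY"])
    print(server_sections(peers))
    print(client_conf("CLIENT1_PRIVKEY_PLACEHOLDER", peers[0][1]))
```

Running it prints the two `config wireguard_wg0` sections with `10.0.0.2/32` and `10.0.0.3/32`, followed by a client config whose `DNS =` line points at the router's tunnel address; that line is what the exported GL.iNet config would otherwise carry as its own default (64.6.64.6 in this thread).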