WireGuard - name servers, domains and search domains

I've been looking at this issue for a while but I've not been confident of the source for the information I was finding.

On looking through the information at https://www.wireguard.com/ I could not find configuration file information with respect to DNS settings.

However, the man files for wg and wg-quick are authored by the creator, Jason A. Donenfeld, so I'm confident of quoting from them.

So from the man files the DNS statements can be:

  • a comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers,
  • or non-IP hostnames to be set as the interface's DNS search domains.
  • May be specified multiple times.

So this DNS configuration statement:

DNS = 192.168.1.254, fe80::a4cb:8cff:fe83:70ce, example.com

Is functionally the same as the following statements:

DNS = 192.168.1.1
DNS = fe80::a4cb:8cff:fe83:70ce
DNS = example.com

And would be expected to appear as the following in the corresponding /tmp/resolv.conf.d/resolv.conf.wgclientx config file.

nameserver 192.168.1.1
nameserver fe80::a4cb:8cff:fe83:70ce
search example.com

Testing a couple of configurations on my Beryl AX:

VPN Config 1

[Interface]
Address = 192.168.1.55/32
DNS = 192.168.1.1, fe80::a4cb:8cff:fe83:70ce, example.com
PrivateKey = 0A87PHsfU+Wvt8c49xjqFR6rdn2xGpTFTB8M3qK+2EQ=

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wgx.example.com:51820
PreSharedKey = ebwdIcJnaAPqqU4u2tBamP/drw7HEqmAyvnnMAcErfw=
PublicKey = FnRpQdkELqDKhFBITJ2KRWZOlhWrV5fER7leh9FzYjw=
PersistentKeepalive = 25

Beryl AX active config:

root@GL-MT3000:/tmp/resolv.conf.d# cat resolv.conf.wgclient1

# Interface wgclient1
nameserver 192.168.1.1
nameserver fe80::a4cb:8cff:fe83:70ce
nameserver example.com

VPN Config 2

[Interface]
Address = 192.168.1.55/32
DNS = 192.168.1.1
DNS = fe80::a4cb:8cff:fe83:70ce
DNS = example.com
PrivateKey = 0A87PHsfU+Wvt8c49xjqFR6rdn2xGpTFTB8M3qK+2EQ=

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wgx.example.com:51820
PreSharedKey = ebwdIcJnaAPqqU4u2tBamP/drw7HEqmAyvnnMAcErfw=
PublicKey = FnRpQdkELqDKhFBITJ2KRWZOlhWrV5fER7leh9FzYjw=
PersistentKeepalive = 25

Beryl AX active config:

root@GL-MT3000:/tmp/resolv.conf.d# cat resolv.conf.wgclient1

Interface wgclient1

nameserver 192.168.1.1
nameserver fe80::a4cb:8cff:fe83:70ce
nameserver example.com

While the nameserver {IP address} entries are fine, the nameserver example.com entry is not, as it is not an IP address [and would need to be a FQDN should it have been valid].

The search domain is never configured.
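
Added example (not part of the original post, and not wg-quick's or GL.iNet's code): a Python sketch of the split the man page describes, where IP values become nameserver lines and non-IP values become search domains, plus a check that flags a non-IP nameserver entry like the one in the router output above. The function names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample mixing both forms from the post (comma list and repeated
# DNS lines); the key is a placeholder.
SAMPLE_CONF = """\
[Interface]
Address = 192.168.1.55/32
DNS = 192.168.1.1
DNS = fe80::a4cb:8cff:fe83:70ce, example.com
PrivateKey = <placeholder>

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def split_dns(conf_text):
    """Return (nameservers, search_domains) from every DNS= line in [Interface]."""
    servers, search, section = [], [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if section != "interface" or not sep or key.strip().lower() != "dns":
            continue
        for item in (v.strip() for v in value.split(",")):
            if item:
                (servers if is_ip(item) else search).append(item)
    return servers, search

def render_resolv_conf(servers, search):
    lines = [f"nameserver {s}" for s in servers]
    if search:
        lines.append("search " + " ".join(search))
    return "\n".join(lines) + "\n"

def invalid_nameservers(resolv_text):
    """Return nameserver values that are not IP addresses."""
    rows = (l.split() for l in resolv_text.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "nameserver" and not is_ip(r[1])]
```

Running `invalid_nameservers` over the contents of a generated resolv.conf.wgclientx file returns an empty list when every nameserver entry is an IP address.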

Do you have the kill switch on?

FYI: GL's confs for WG are segregated from OWRT's method of just putting it all in /etc/config/network. GL's are @ ll /etc/config/wireguard*

Hi,

I think Profile should not support DNS for domain names, but only IP DNS server.

Even though you can import profile files through "upload file", it should not take effect.

It is impossible to import by manually entering the Profile.
(The red box means that the content is incorrect)

Search Domains are part of the WireGuard functionality.

The WireGuard configs all import without generating an error.

The same configs can be successfully imported to any other device and work as expected.

From here that looks like there is a bug in your WireGuard implementation.

Hi,

Thanks for pointing out the misunderstanding.

Please allow me to correct this statement, and the R&D mentioned that this issue will be improved.