Geekzone: technology news, blogs, forums
openmedia | 3071 posts | Uber Geek | Trusted
#312124 19-Mar-2024 15:36

Any recommendations to avoid local DNS leaks on a Linux based peer?

I've got a reliable WireGuard configuration between my laptop and my FreshTomato based router at home, but laptop DNS resolution is first going to the LAN or WiFi DNS server and only falling back to the DNS server on the WireGuard gateway.

Looking at resolvectl I can see the DNS server for the local wireless endpoint, plus the DNS server for my WireGuard endpoint. Basic DNS queries are going via the local endpoint, so I've had to fall back to an OpenVPN configuration which forces the DNS over the VPN.

My local LAN WiFi connection is configured to have IPv6 disabled to reduce the risk of leakage, plus I've looked at modifying ipv4.dns-priority with no success.

Has anyone here seen similar issues with WireGuard and come up with a solution?

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.


cychronz | 52 posts | Master Geek | ID Verified
#3208077 19-Mar-2024 16:11

Might not be what you're after, but I used iptables rules in the WireGuard PostUp to block DNS out on any other interface. Can also redirect with NAT to the right DNS server via the tunnel.

In PostDown you can just delete the rules to go back to normal operation.
Tinkerisk | 3383 posts | Uber Geek
#3208079 19-Mar-2024 16:17

nano /etc/NetworkManager/NetworkManager.conf

[main]
dns=none

Restart NetworkManager service
Restart VPN

When problems on public wifi occur, comment both lines.

- NET: FTTH, OPNsense, 10G backbone, GWN APs, ipPBX
- SRV: HA server cluster, 0.1PB storage capacity on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


cychronz | 52 posts | Master Geek | ID Verified
#3208080 19-Mar-2024 16:18

<wg dns server ip> = WireGuard DNS server

iptables -t nat -A PREROUTING ! -d <wg dns server ip> -i wg+ -p udp -m udp --dport 53 -j DNAT --to-destination <wg dns server ip>
iptables -t nat -A PREROUTING ! -d <wg dns server ip> -i wg+ -p tcp -m tcp --dport 53 -j DNAT --to-destination <wg dns server ip>
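The PREROUTING rules above match queries arriving on the wg interface, which is the gateway side of the tunnel; on the laptop itself, locally generated queries traverse the OUTPUT chains instead. The script below is an added example, not code from either poster: it builds the OUTPUT-chain equivalent of the block-and-redirect approach from both of cychronz's posts as wg-quick PostUp/PostDown lines, and adds a leak check that reads resolvectl status and names every other link that still carries its own DNS servers. The interface name wg0, the resolver 10.0.0.1 and the resolvectl output are placeholders and constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values: tunnel interface wg0 and
# tunnel resolver 10.0.0.1; replace both with the peer's real values.
# Emit the iptables commands for a wg-quick PostUp (add) or PostDown (del) line.
# Locally generated DNS (udp/tcp 53) not already aimed at the tunnel resolver is
# DNATed to it; anything that would still leave on another interface is rejected.
# Filter OUTPUT is matched after the post-DNAT reroute, so redirected queries pass.
wg_dns_rules() {   # usage: wg_dns_rules <wg-if> <dns-ip> add|del
  ifc=$1; dns=$2
  case $3 in add) a=-A ;; del) a=-D ;; *) return 1 ;; esac
  for proto in udp tcp; do
    echo "iptables -t nat $a OUTPUT ! -d $dns -p $proto --dport 53 -j DNAT --to-destination $dns"
    echo "iptables $a OUTPUT ! -o $ifc -p $proto --dport 53 -j REJECT"
  done
}

# The same commands joined into the one-line form wg-quick expects under [Interface].
wg_quick_lines() {   # usage: wg_quick_lines <wg-if> <dns-ip>
  echo "PostUp = $(wg_dns_rules "$1" "$2" add | tr '\n' ';' | sed 's/;$//; s/;/; /g')"
  echo "PostDown = $(wg_dns_rules "$1" "$2" del | tr '\n' ';' | sed 's/;$//; s/;/; /g')"
}

# Leak check: read `resolvectl status` on stdin and print every link other than the
# tunnel that has its own DNS servers, marking those with +DefaultRoute (the links
# resolved uses for unscoped names, which is the behaviour the thread describes).
leaking_links() {   # usage: leaking_links <wg-if> < resolvectl-output
  awk -v wg="$1" '
    /^Link [0-9]+ [(]/ { link=$3; gsub(/[()]/, "", link); dflt=""; next }
    /Protocols:/ && /[+]DefaultRoute/ { dflt=" default-route" }
    /^ *DNS Servers:/ && link != "" && link != wg { print link dflt }
  '
}

# Constructed sample of resolvectl output (not captured from the poster's laptop).
SAMPLE='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 2 (wlp3s0)
         Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 192.168.1.1

Link 5 (wg0)
         Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 10.0.0.1'

if [ "${1:-}" = demo ]; then   # sh this-script demo
  wg_quick_lines wg0 10.0.0.1
  printf '%s\n' "$SAMPLE" | leaking_links wg0
fi
```

On a live system, pipe real output with `resolvectl status | leaking_links wg0`; an empty result means no other link has a resolver configured.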
openmedia | 3071 posts | Uber Geek | Trusted
#3208472 20-Mar-2024 11:23

Tinkerisk:

    nano /etc/NetworkManager/NetworkManager.conf

    [main]
    dns=none

    Restart NetworkManager service
    Restart VPN

    When problems on public wifi occur, comment both lines.

A bit brute force. I was really hoping I'd missed an option in my WireGuard peer configuration.
Tinkerisk | 3383 posts | Uber Geek
#3208587 20-Mar-2024 13:37

openmedia:

    A bit brute force. I was really hoping I'd missed an option in my WireGuard peer configuration.

I can't know how urgent it was for you, or whether security has the highest priority. The method certainly has no DNS leaks. I would also check whether the DNS forwarding cache of the router has been deleted. This is sometimes forgotten and leads to strange behaviour. https://dnscheck.tools/