Geekzone: technology news, blogs, forums
openmedia

3449 posts

Uber Geek
+1 received by user: 877

Trusted

#312124 19-Mar-2024 15:36

Any recommendations to avoid local DNS leaks on a Linux-based peer?

I've got a reliable WireGuard configuration between my laptop and my FreshTomato-based router at home, but laptop DNS resolution is first going to the LAN or WiFi DNS server and only falling back to the DNS server on the WireGuard gateway.

Looking at resolvectl, I can see the DNS server for the local wireless endpoint, plus the DNS server for my WireGuard endpoint. Basic DNS queries are going via the local endpoint, so I've had to fall back to an OpenVPN configuration which forces the DNS over the VPN.

My local LAN WiFi connection is configured to have IPv6 disabled to reduce the risk of leakage, plus I've looked at modifying ipv4.dns-priority with no success.

Has anyone here seen similar issues with WireGuard and come up with a solution?

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.

cychronz
67 posts

Master Geek
+1 received by user: 22

ID Verified

  #3208077 19-Mar-2024 16:11

Might not be what you're after, but I used iptables rules in WireGuard PostUp to block DNS out on any other interface. Can also redirect with NAT to the right DNS server via the tunnel.

In PostDown you can just delete the rules to go back to normal operation.

Tinkerisk
4798 posts

Uber Geek
+1 received by user: 3660


  #3208079 19-Mar-2024 16:17

nano /etc/NetworkManager/NetworkManager.conf

[main]
dns=none

Restart NetworkManager service

Restart VPN

When problems on public wifi occur, comment both lines.





- NET: FTTH & VDSL, OPNsense, 10G backbone, GWN APs
- SRV: 12 RU HA server cluster, 0.1 PB storage on premise
- IoT:   thread, zigbee, tasmota, BidCoS, LoRa, WX suite, IR
- 3D:    two 3D printers, 3D scanner, CNC router, laser cutter


cychronz
67 posts

Master Geek
+1 received by user: 22

ID Verified

  #3208080 19-Mar-2024 16:18

<wg dns server ip> = wireguard dns server

iptables -t nat -A PREROUTING ! -d <wg dns server ip> -i wg+ -p udp -m udp --dport 53 -j DNAT --to-destination <wg dns server ip>
iptables -t nat -A PREROUTING ! -d <wg dns server ip> -i wg+ -p tcp -m tcp --dport 53 -j DNAT --to-destination <wg dns server ip>
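Added example (my own, not code from any poster in this thread): a POSIX shell helper that generates the PostUp/PostDown iptables rules cychronz describes, placed in the OUTPUT chain because that is where a laptop's own queries are filtered (the PREROUTING rules above match traffic arriving on wg+, which is the gateway side), plus an audit of `resolvectl status` output for the situation openmedia describes, where the Wi-Fi link still holds the DNS default route. The interface name wg0, the resolver 10.8.0.1 and the status text are constructed; `resolvectl domain` and `resolvectl default-route` are real subcommands, and the parser assumes the `Protocols: +DefaultRoute` line format of recent systemd-resolved.

```shell
#!/bin/sh
# Added example, not code from the thread: wg-quick PostUp/PostDown helper
# that pins DNS to the tunnel, plus an audit of `resolvectl status` output.
# Interface wg0, tunnel resolver 10.8.0.1 and the status text below are all
# constructed for illustration.

# Print the iptables commands that allow DNS only to the tunnel resolver over
# the tunnel interface and reject every other port-53 packet leaving the host.
# Host-originated traffic traverses OUTPUT, not PREROUTING.
# $1 is the iptables action (-A to install, -D to remove), $2 the tunnel
# interface, $3 the resolver reachable through it.
# PostUp  = /etc/wireguard/dns-pin.sh -A wg0 10.8.0.1 | sh   (assumed path)
# PostDown = /etc/wireguard/dns-pin.sh -D wg0 10.8.0.1 | sh
dns_pin_rules() {
    action="$1"; wg_if="$2"; wg_dns="$3"
    for proto in udp tcp; do
        echo "iptables $action OUTPUT -o $wg_if -d $wg_dns -p $proto --dport 53 -j ACCEPT"
        # REJECT rather than DROP so a leaking resolver fails fast instead of timing out
        echo "iptables $action OUTPUT -p $proto --dport 53 -j REJECT"
        # No IPv6 path through this tunnel, so IPv6 DNS is rejected outright
        echo "ip6tables $action OUTPUT -p $proto --dport 53 -j REJECT"
    done
}

# Read `resolvectl status` text on stdin and print each link that (a) carries
# the +DefaultRoute flag, so unqualified queries may be sent to it, and (b)
# lists a DNS server other than the tunnel resolver given in $1.
leaking_links() {
    awk -v wgdns="$1" '
        /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); defroute = 0; next }
        /Protocols:/ && /\+DefaultRoute/ { defroute = 1; next }
        /DNS Servers:/ && defroute && link != "" {
            for (i = 3; i <= NF; i++)        # server addresses start at field 3
                if ($i != wgdns) { print link; break }
        }
    '
}

# Print the resolvectl commands that make the tunnel the exclusive resolver
# (routing domain ~.) and clear the default-route flag on each leaking link.
resolved_fix() {
    wg_if="$1"; wg_dns="$2"
    echo "resolvectl domain $wg_if '~.'"
    leaking_links "$wg_dns" | while read -r link; do
        echo "resolvectl default-route $link false"
    done
}

# Constructed `resolvectl status` output: Wi-Fi link owns the default route,
# the WireGuard link does not, which is exactly the leak described above.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlp3s0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 5 (wg0)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1'

# Stand-alone run against the constructed text. For a live check replace the
# printf with:  resolvectl status | leaking_links 10.8.0.1
printf '%s\n' "$SAMPLE_STATUS" | leaking_links 10.8.0.1
printf '%s\n' "$SAMPLE_STATUS" | resolved_fix wg0 10.8.0.1
dns_pin_rules -A wg0 10.8.0.1
```

The audit reports wlp3s0 as leaking; the iptables rules are the firewall backstop that cychronz's approach relies on, and the resolvectl commands address the routing side of the same problem without turning NetworkManager's DNS handling off entirely.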

openmedia

3449 posts

Uber Geek
+1 received by user: 877

Trusted

  #3208472 20-Mar-2024 11:23

Tinkerisk:

nano /etc/NetworkManager/NetworkManager.conf

[main]
dns=none

Restart NetworkManager service

Restart VPN

When problems on public wifi occur, comment both lines.

A bit brute force. I was really hoping I'd missed an option in my WireGuard peer configuration.

Tinkerisk
4798 posts

Uber Geek
+1 received by user: 3660


  #3208587 20-Mar-2024 13:37

openmedia:

A bit brute force. I was really hoping I'd missed an option in my WireGuard peer configuration.

I can't know how urgent it was for you and whether security has the highest priority? The method certainly has no DNS leaks. I would also check whether the DNS forwarding cache of the router has been deleted. This is sometimes forgotten and leads to strange behavior. https://dnscheck.tools/