Wed Nov 20, 2024 9:13 pm
Always a good topic to discuss....... I feel like DNS is like one of the key enzymes in the human body!!
Forgetting about static for now to keep it simple.......
To use for pointing out all my wrong assumptions and incorrect thinking and for general discussion.
What I understand.
CASE A: Remote Requests NOT Enabled. DNS-SERVER not assigned on DHCP ( any entry here is meaningless in this not-enabled status )
a. router will pass ISP provided DNS address to LAN devices ( assumes use-peer-dns=yes )
b. router will use identified dynamic servers ( public server ) identified in /ip dns set servers=1.1.1.1 internally and pass the result to users. ( assumes use-peer-dns=no )
(the router processes the request, and the public server IP is not sent directly to the user)
Note: THE DNS-SERVER SETTING itself is useless ( no effect ) UNLESS remote requests are enabled.
CASE B: Remote Requests ENABLED: ( automatically opens up port 53 and router services and activates dns-server setting )
a. The DNS servers entered into dhcp DNS-SERVER are now used by the router and a valid entry is the subnet gateway IP
( assuming here the router uses either peer DNS or a dynamic server or cache to provide answers to users )
b. The DNS servers entered into dhcp DNS-SERVER are now used by the router, and any identified dynamic DNS servers such as 1.1.1.1 are sent directly to the LAN user for its use.
c. DNS server entry in DHCP is set to none --> any entered dynamic servers are not sent directly to the user,
( and we assume in case c, that this entry is here to force the user only to use the router cache or router to source answers vice being sent directly to a dynamic server ????? )
NOTE: When remote requests are enabled we ensure LAN users (ONLY) have access to dns services on the router input chain firewall rules.
Q1: When remote requests are NOT enabled, how does the MT device resolve DNS if peer DNS is set to NO and there are no dynamic servers?
Now looking at wireguard, DNS rears its ugly head again. Having a good understanding of the above helps!!
A third party provider:
Scenario 1. gives one a specific DNS address to use.
OR
Scenario 2. does not provide a DNS.
Clearly in Scenario 1 it appears that the wg provider expects DNS requests to come through the tunnel.
In Scenario 2 it is not so clear and thus HOW TO PROCEED??
I see two USE cases.
(i) Where the user is okay with DNS requests going out the local WAN and then traffic heading out the wireguard tunnel
(issue: this is called leaking out the ISP and may or may not be acceptable to the user )
(ii) Where the user wants the DNS requests also to go out the tunnel
With this in mind, let's look at Scenario 1:
- We should enable remote requests and ensure the DHCP dns-server entry contains only the DNS address provided by third party
- We should identify a separate public server only on IP DNS, this allows the router to go out with initial wireguard handshake.
- We could optionally also drive identified wg subnet(s) via dstnat to proper address...
/ip firewall nat add chain=dstnat action=dst-nat src-address=subnet protocol=udp dst-port=53 to-addresses=3rdParty-DNS-address
/ip firewall nat add chain=dstnat action=dst-nat src-address=subnet protocol=tcp dst-port=53 to-addresses=3rdParty-DNS-address
Note1: There is no need for a specific IP route for the DNS address to gateway=wireguard table=main UNLESS the DNS address is outside the identified wireguard network.
Note2: A forward chain firewall rule is required to allow subnet users to Wireguard interface.
Looking at Scenario 2.
With no DNS identified by the end user, Recommend simply using the Wireguard gateway IP as the DNS address of choice.
For example if assigned wg address is 172.16.0.5 use for DNS address 172.16.0.1 ( as per scenario 1)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
NOW Moving onto the niche BTH functionality, providing an end user with QR code etc............. One of the pertinent config lines is.
client-dns (IP/IPv6 prefix; Default: ) --->Specify when using WireGuard Server as a VPN gateway for peer traffic.
I am assuming this is the MT router telling the client device which DNS address to use.
So the question becomes, in this case. How does this tie into the current IP DNS situation on the MT router.
What should we setup to ensure success?????
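A worked RouterOS configuration for the Scenario 1 procedure above (the same layout serves Scenario 2, where the tunnel gateway address doubles as the DNS address), plus a road-warrior peer showing where client-dns fits in. This is an added example and not part of the original post. Every name and address is an assumption: LAN interface list LAN, LAN subnet 192.168.88.0/24 with the router at 192.168.88.1, WireGuard interface wireguard1 with assigned address 172.16.0.5/24, provider DNS 172.16.0.1, a second interface wireguard-bth at 192.168.216.1/24 for the phone peer, and LAN traffic already policy-routed through wireguard1 (that route is not shown). Values in angle brackets are placeholders to fill in.

```routeros
# Added example, not from the post. Assumed names/addresses:
#   LAN interface list "LAN", LAN subnet 192.168.88.0/24, router 192.168.88.1
#   WireGuard interface "wireguard1", tunnel address 172.16.0.5/24
#   provider DNS inside the tunnel 172.16.0.1 (Scenario 1); for Scenario 2 the
#   post recommends the tunnel gateway, which in this layout is the same address

# 1. Router's own resolver: a public server reached over the WAN, so the
#    WireGuard endpoint hostname resolves before the tunnel exists.
#    allow-remote-requests=yes is what makes the router answer LAN port 53.
/ip dns set servers=1.1.1.1 allow-remote-requests=yes

# 2. What DHCP hands out: only the provider's DNS address.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=172.16.0.1

# 3. Optional (post: "could optionally"): catch clients that ignore DHCP and
#    hard-code 8.8.8.8 or the like. One rule per protocol; note to-addresses.
/ip firewall nat add chain=dstnat src-address=192.168.88.0/24 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=172.16.0.1 comment="LAN DNS -> tunnel DNS udp"
/ip firewall nat add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=172.16.0.1 comment="LAN DNS -> tunnel DNS tcp"

# 4. Source NAT out of the tunnel so 172.16.0.1 sees 172.16.0.5 as the source,
#    not a LAN address (assumed; most third-party providers need this).
/ip firewall nat add chain=srcnat out-interface=wireguard1 action=masquerade

# 5. Input chain: only LAN may use the router's resolver. Place these above the
#    default "drop all not coming from LAN" rule; the drops make the intent
#    explicit even if that default rule is later removed.
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
/ip firewall filter add chain=input protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# 6. Forward chain: LAN -> tunnel (Note2 in the post).
/ip firewall filter add chain=forward in-interface-list=LAN out-interface=wireguard1 action=accept

# 7. Route: with a /24 tunnel address, 172.16.0.1 is on-link and needs no
#    route (Note1). If the provider assigns a /32, it is outside the connected
#    network and the route must be added:
# /ip route add dst-address=172.16.0.1/32 gateway=wireguard1

# 8. Road-warrior peer (BTH-style). client-dns is the resolver address written
#    into the generated client config; pointing it at the router's own tunnel
#    address keeps the phone's queries inside the tunnel and on the router's
#    resolver from step 1. Parameter names as listed in the RouterOS wireguard
#    docs; assumed second interface wireguard-bth at 192.168.216.1/24.
/interface wireguard peers add interface=wireguard-bth name=phone \
    public-key="<peer-public-key>" allowed-address=192.168.216.2/32 \
    client-address=192.168.216.2/32 client-dns=192.168.216.1 \
    client-endpoint="<router-public-ip-or-ddns-name>"
# The default firewall only admits input from LAN, so the tunnel peer needs
# its own accept for port 53 or its queries to 192.168.216.1 are dropped.
/ip firewall filter add chain=input in-interface=wireguard-bth protocol=udp dst-port=53 action=accept
/ip firewall filter add chain=input in-interface=wireguard-bth protocol=tcp dst-port=53 action=accept
```

Two checks worth running after applying this: from a LAN host, query a name with a resolver other than the one DHCP handed out and confirm in /ip firewall connection (or a packet sniff on wireguard1) that the query still leaves via the tunnel; and from the WAN side, confirm port 53 on the router is closed. Note that with step 8 the phone's queries are answered by the router's resolver, which forwards to 1.1.1.1 over the WAN, so the road-warrior's DNS follows the router's ISP path rather than the third-party tunnel unless the router's own servers are also moved inside that tunnel.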