[Error] DNS sometimes leak when side-tunneling

[NanoCode012]

Using https://www.dnsleaktest.com/, my DNS leaks very often for both standard and extended tests when using Wireguard DNS side-tunneling (aka the default conf files). vpnmode=dns

I took the conf file to made it a full VPN by setting AllowedIps to 0.0.0.0/0 and encountered no leaks on both standard and extended tests.

I do not want to use a full VPN and only want the DNS tunneled by default as it should be. Does anyone else experience this issue?

I did not make any custom changes. The below is the conf I use for DNS tunneling with private info removed.

[Interface]
PrivateKey = 
ListenPort = 51820
Address = 172.19.0.3/32
DNS = 172.18.0.3

[Peer]
PublicKey = 
AllowedIPs = 172.18.0.3/32, 172.18.0.5/32
Endpoint = <ip>:51820

[chadgeary]

Hey @NanoCode012 - which client are you using? Windows? Mac? Something else?

Also, can you validate your client's DNS servers (outside of the wireguard conf)? E.g. ipconfig /all

[NanoCode012]

Hello, it is Windows. I just tested on IOS with the configuration, and it worked perfectly. I guess I will need to figure what's wrong with my PC.

For your second question, my Wifi adapter's DNS and wireguard DNS is seen below. Both are private ips.

ipconfig /all

// wifi
DNS Servers . . . . . . . . . . . : 192.168.Y.X
                                    192.168.Y.X

// Wireguard
DNS Servers . . . . . . . . . . . : 172.18.0.3

[chadgeary]

This is mostly due to having multiple DNS servers on a single system (the ones from WiFi/LAN and the one from Wireguard). Operating systems are in charge of handling the behavior at this point. I suspect you could re-configure your WLAN interface to use the 172.18.0.3 address. It was talked about here: https://www.reddit.com/r/WireGuard/comments/os6f36/wireguard_dns_leaks_with_windows_client/ and someone came up with a similar solution: https://www.ovpn.com/en/blog/deactivate-smart-multi-homed-name-resolution-in-windows-8-8-1-and-10/

…

On Sat, Feb 26, 2022 at 4:03 PM NanoCode012 ***@***.***> wrote: Hello, it is Windows. I just tested on IOS with the configuration, and it worked perfectly. I guess I will need to figure what's wrong with my PC. For your second question, my Wifi adapter's DNS and wireguard DNS is seen below. Both are private ips. I am on my university's network. ipconfig /all // wifi DNS Servers . . . . . . . . . . . : 192.168.Y.X 192.168.Y.X // Wireguard DNS Servers . . . . . . . . . . . : 172.18.0.3 — Reply to this email directly, view it on GitHub <#45 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABIFRMOF5XKQIVQXAJ2OZ6DU5E5ZDANCNFSM5PMTTYZQ> . You are receiving this because you commented.Message ID: ***@***.***>

[NanoCode012]

Thanks @chadgeary for those links. I tried applying the fix by turning off the smart dns and by setting the static DNS server via the adapters for the WIndows client.

To be thorough, I conducted a few tests on my IOS device and Windows client using 2 network, a home network and the university network. The configurations are DNS only and Full tunnel. Both WIFI and Wireguard show the same 172.18.0.3 as DNS server for both networks. Other network adapters are unplugged/disabled. DNS test https://www.dnsleaktest.com/ is run multiple times for each setting to find at least one leak.

A leak is if the DNS leak test shows a DNS server at my real area instead of the server's area.

The IOS device showed no leak on either network on both configurations.
The Windows device showed no leak on home network on both configurations, but leaks on university network for both configurations.

I am confused as the university network works for the IOS device but not for Windows. ipconfig /all is run to verify that the DNS server is the same.