
DNS setting has no effect since Version 3.17.4 #501

Open
jkrasinger opened this issue Jul 13, 2024 · 19 comments
Labels
bug Something isn't working

Comments

@jkrasinger

For me it is necessary to use my local DNS server even when using the VPN. Since version 3.17.4, the "nordvpn set DNS" setting has no effect and my local DNS is no longer used.

@mariusSincovici
Contributor

hi,
thanks for your feedback.
Could you please let us know what your setup for the DNS server is? Is the DNS server on another machine in your LAN, on the same one, or at some external IP address?

@jkrasinger
Author

@mariusSincovici: hi
My DNS server is running on another server in the local LAN in my house. Here is my nordvpn configuration, which shows this:

Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.89.1            
LAN Discovery: disabled  
Allowlisted ports:    
            137 (UDP|TCP)
           5353 (UDP)
           5900 (UDP|TCP)
          53317 (TCP)
Allowlisted subnets:
        192.168.89.0/24    <- local LAN  with DNS Server
        192.168.80.0/24

@mariusSincovici
Contributor

Hi,
Thanks, we'll try to reproduce it, but until then, have you tried using LAN Discovery instead of the allowlist?

@jkrasinger
Author

Hi,
With LAN Discovery, access to my local LANs (by IP address) is working, but not the DNS (tested with version 3.18.2).

@keliramu
Contributor

keliramu commented Jul 15, 2024

Hi, @jkrasinger, could you give us more details: which Linux distro are you using, and how do you determine that nordvpn set dns has no effect? Are DNS queries going to a different nameserver? Do you track your DNS queries with e.g. Wireshark or tcpdump?

@jkrasinger
Author

Hi,
sorry, here is the information:

OS: (K)ubuntu 24.04 with ZFS

Until version 3.17.3 I was working with the above nordvpn settings and my local DNS answered my requests for my local domain (i.e. ping server.my.domain.com). Since version 3.17.4 my DNS requests are no longer resolved with the existing nordvpn settings. After restoring version 3.17.3 everything works again for me.

Also, nslookup works fine with version 3.17.3; since version 3.17.4 it fails with "** server can't find service1.xxx.yyy.com: NXDOMAIN".

I have not traced the DNS requests until now, but if needed I can do so tomorrow.

@sprokkel78

sprokkel78 commented Jul 25, 2024

> For me it is necessary to use my local DNS server even when using the VPN. Since version 3.17.4, the "nordvpn set DNS" setting has no effect and my local DNS is no longer used.

With this configuration, using ip route, ip rule and iptables, you can contact your local DNS by marking DNS packets in iptables and source-NATing them to the right interface.

$ cat /home/sprokkel/control-traffic.sh

```sh
#!/bin/sh
# control-traffic.sh: send DNS (port 53) out through the LAN interface instead of
# the VPN tunnel by marking the packets, routing marked packets via a dedicated
# table and source-NATing them to the LAN address. Must run as root (the
# NetworkManager dispatcher hook below runs it as root, so no sudo is needed).
# Note that this sends *all* port-53 traffic outside the tunnel on purpose.

LAN_IF=end0            # LAN network card
LAN_IP=192.168.1.100   # its IP address
TABLE=end0_table       # routing table name for marked traffic
MARK=1                 # fwmark used for DNS packets
LOG=/var/log/control-traffic.log

date >> "$LOG"
echo "Running CONTROL-Traffic." >> "$LOG"

modprobe iptable_mangle
modprobe nf_conntrack   # ip_conntrack is the legacy alias of this module

# Create the routing table for iproute2 (remove only our own entry first; the
# original truncated the whole file, which also dropped the standard entries)
sed -i "/[[:space:]]$TABLE\$/d" /etc/iproute2/rt_tables
echo "1 $TABLE" >> /etc/iproute2/rt_tables
#cat /etc/iproute2/rt_tables

# CLEAR ALL PREVIOUS CONFIG
ip route flush table "$TABLE"
while ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null; do :; done

# Assign the default route for the new table: the DNS server is on the LAN, so an
# on-link route is enough (use "via <router>" if it sits behind a router)
ip route add default dev "$LAN_IF" table "$TABLE"

# Set up IP rules for DNS traffic
ip rule add fwmark "$MARK" table "$TABLE"

# Flush the cached routes so the new rule takes effect immediately
ip route flush cache

# Use iptables to mark DNS traffic. Own chains are used so that nothing else in
# the mangle/nat tables (e.g. rules of the VPN app) is flushed.
iptables -t mangle -N DNS_MARK 2>/dev/null
iptables -t mangle -F DNS_MARK
iptables -t mangle -D OUTPUT -j DNS_MARK 2>/dev/null
iptables -t mangle -I OUTPUT -j DNS_MARK
for proto in tcp udp; do
    iptables -t mangle -A DNS_MARK -p "$proto" --dport 53 -j MARK --set-mark "$MARK"
    iptables -t mangle -A DNS_MARK -p "$proto" --dport 53 -j CONNMARK --save-mark
done

# Setup the NAT table to SOURCE-NAT DNS traffic: the packet was first routed
# through the tunnel and carries the tunnel's source address, so rewrite it to
# the LAN address when it leaves via the LAN interface
iptables -t nat -N DNS_SNAT 2>/dev/null
iptables -t nat -F DNS_SNAT
iptables -t nat -D POSTROUTING -j DNS_SNAT 2>/dev/null
iptables -t nat -I POSTROUTING -j DNS_SNAT
for proto in tcp udp; do
    iptables -t nat -A DNS_SNAT -o "$LAN_IF" -p "$proto" --dport 53 \
        -m mark --mark "$MARK" -j SNAT --to-source "$LAN_IP"
done

# Show ip route table list
ip route list table "$TABLE"

# Show ip rule table list
ip rule list

# Show the iptables mangle table
echo "=================="
echo "IPTABLES -t MANGLE"
echo "=================="
iptables -t mangle -L DNS_MARK -vn

# Show the iptables nat table
echo "==============="
echo "IPTABLES -t NAT"
echo "==============="
iptables -t nat -L DNS_SNAT -vn

# Show the routing table
echo "============="
echo "IP ROUTE LIST"
echo "============="
ip r

#EOF
echo "Done." >> "$LOG"
```

INFO: end0 is my LAN network card; 192.168.1.100 is its IP address (depending on your configuration you need to tweak these settings).

I automatically run this script every time the VPN connection goes up by adding a 01-control-traffic file to /etc/NetworkManager/dispatcher.d/

sprokkel@mac-mini ~ $ cat /etc/NetworkManager/dispatcher.d/01-control-traffic

```bash
#!/bin/bash
# /etc/NetworkManager/dispatcher.d/01-control-traffic
# NetworkManager runs dispatcher scripts as root with the interface name and the
# event as arguments; the file must be owned by root and not group/world writable.
INTERFACE=$1
STATUS=$2

# Replace nordtun with your VPN interface name
if [ "$INTERFACE" = "nordtun" ] && [ "$STATUS" = "up" ]; then
    /home/sprokkel/control-traffic.sh
fi
```


Then restart NetworkManager.

Hope this helps.

@acud

acud commented Jul 26, 2024

I can confirm this is also happening for me. I'm running nordvpn on Manjaro Sway from the AUR repo binary:

yay -Q nordvpn-bin
nordvpn-bin 3.18.2-1

Here you can see, in sequence, the nordvpn settings while disconnected, then the connect, then cat /etc/resolv.conf:

acud@acud-strikes-back ~ » nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
acud@acud-strikes-back ~ » nordvpn status
Status: Disconnected
acud@acud-strikes-back ~ » cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 2.2.2.2
acud@acud-strikes-back ~ » nordvpn  c mx
Connecting to Mexico #107 (mx107.nordvpn.com)
You are connected to Mexico #107 (mx107.nordvpn.com)!
acud@acud-strikes-back ~ » nordvpn status 
Status: Connected
Server: Mexico #107
Hostname: mx107.nordvpn.com
IP: 155.133.15.133
Country: Mexico
City: Mexico
Current technology: NORDLYNX
Current protocol: UDP
Transfer: 6.00 KiB received, 10.46 KiB sent
Uptime: 2 seconds
acud@acud-strikes-back ~ » cat /etc/resolv.conf 
# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100%
acud@acud-strikes-back ~ » nordvpn version 
NordVPN Version 3.18.2

@jkrasinger
Author

@sprokkel78: Thanks for your example to bring the local DNS back to life. I have not tested it yet, but I'm sure that your script/settings work. However, it would be of great interest to me that the "set DNS" setting in NordVPN works. This already worked and was then made ineffective with an update, or is no longer effective due to an error. I also officially reported a bug a few months ago, but have not yet received a solution.
Thanks again for your script; I will certainly try it, but I see this as just a workaround and not a solution.

keliramu added the "bug (Something isn't working)" label on Jul 29, 2024
@mariusSincovici
Contributor

Hi, @acud
Thanks for your feedback. Could you let us know what the issue is in your case, because the app seems to behave as expected?

At the moment, while you're connected to the VPN the application will always set some DNS servers and not use the OS settings; it is not possible to disable this.
When no custom DNS is set in the app (when DNS: disabled), the app will use the NordVPN DNS servers. If you want to use custom DNS servers while connected to the VPN, e.g. 2.2.2.2, you need to configure the NordVPN app: nordvpn set dns 2.2.2.2.

@mariusSincovici
Contributor

@jkrasinger A new app version is available 3.18.4 which contains some fixes for allowlists.
Could you please try it and see if you can still reproduce the issue?

@jkrasinger
Author

@mariusSincovici Thank you for this information, but this new version has not changed anything and I can still reproduce this error. Perhaps the following output from the "resolvectl" command shows something interesting.

resolvectl on Version 3.17.3

$ resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 6 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       DNS Servers: 192.168.89.1
        DNS Domain: ~\126

resolvectl on Version 3.18.4

$ resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 5 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1
        DNS Domain: ~.

I can see a difference in the "DNS Domain" line on the nordlynx link between these versions. I cannot interpret it myself, but it may be the reason for the failure.

@mariusSincovici
Contributor

Yes, actually on version 3.17.3 there was a bug that resulted in DNS leaks, so having DNS Domain: ~\126 is actually not correct.
Could you please try, in version 3.18.4, to whitelist port 53 and a subnet that contains 192.168.89.1?
Thanks

@jkrasinger
Author

@mariusSincovici Done, but nothing changed.

Here are my settings:

$ nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.89.1
LAN Discovery: disabled
Virtual Location: enabled
Allowlisted ports:
       53 (UDP|TCP)
Allowlisted subnets:
        192.168.89.0/24

Test:

$ ping nas2.xxx.yyy.com
ping: nas2.xxx.yyy.com: Name or service not known

$ nordvpn d
You are disconnected from NordVPN.
How would you rate your connection quality on a scale from 1 (poor) to 5 (excellent)? Type 'nordvpn rate [1-5]'.

$ ping nas2.xxx.yyy.com
PING nas2.xxx.yyy.com (192.168.89.38) 56(84) bytes of data.
64 bytes from 192.168.89.38: icmp_seq=1 ttl=64 time=2.55 ms
64 bytes from 192.168.89.38: icmp_seq=2 ttl=64 time=3.55 ms

@mariusSincovici
Contributor

Thanks for testing.
I've managed to reproduce it. Could you please try to run, while connected to VPN
nslookup nas2.xxx.yyy.com 192.168.89.1 and let me know if it works?

@jkrasinger
Author

Here is the output of the command "nslookup nas2.xxx.yyy.com 192.168.89.1" while the VPN is active:

$ nslookup nas2.xxx.yyy.com 192.168.89.1
Server:         192.168.89.1
Address:        192.168.89.1#53

Name:   nas2.xxx.yyy.com
Address: 192.168.89.38

$ ping nas2.xxx.yyy.com
ping: nas2.xxx.yyy.com: Name or service not known

@mariusSincovici
Contributor

mariusSincovici commented Aug 23, 2024

Thanks, I've registered an issue on our side.

Until then, there might be a hackish "workaround" (at least it worked for me), but it needs to be run every time DNS fails (because sometimes the NordVPN app reconfigures the DNS in the background automatically). After you're connected to the VPN, configure the DNS on the tunnel interface and restart systemd-resolved, e.g.:
sudo resolvectl domain nordlynx ""
sudo systemctl restart systemd-resolved.service
and check afterwards.

@jkrasinger
Author

@mariusSincovici Thank you for your help and that you filed an issue.

I tested your workaround and it's working.

I just did another test:
I downloaded an OpenVPN and a WireGuard config for NetworkManager. When I activate the VPN with NetworkManager, everything seems to work without a problem; access to the local LANs and also the local DNS are working. I checked with a DNS leak checker in the browser and also on the command line and could not find a leak. Maybe that could be my solution for the problem (without kill switch).

Regards Jonny

@paullcox

paullcox commented Sep 3, 2024

That also fixed it for me, NordVPN Version 3.18.3 on Mint22:
nordvpn whitelist add port 53
then
sudo resolvectl domain nordlynx ""
sudo systemctl restart systemd-resolved.service

Thanks MariusSincovici, you're a star

Paul
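
The workaround Marius and Paul describe above, packaged as a check-then-fix script. This is an added example, not code from the NordVPN project or from anyone in this thread; the function names, the constructed SAMPLE_STATUS text (copied from the 3.18.4 resolvectl output posted above) and the default link name nordlynx are assumptions. The check keys on what the reporter's resolvectl output shows: "~." is systemd-resolved's catch-all routing domain (documented for Domains= in resolved.conf(5) and systemd.network(5)), and a link carrying it is preferred over links that only have +DefaultRoute, so every lookup through the stub goes to the tunnel link's servers.

```shell
#!/usr/bin/env bash
# Added example, not code from the NordVPN project or from anyone in this thread.
# Diagnoses the state shown in the resolvectl output above (the tunnel link carries
# the routing-only domain "~.") and applies the thread's workaround only when needed.
# Function names, SAMPLE_STATUS and the default link name are this example's assumptions.
set -u

# Constructed sample of `resolvectl` output, copied from the 3.18.4 state posted
# above (link numbers and addresses are the reporter's).
SAMPLE_STATUS='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 5 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1
        DNS Domain: ~.'

# link_domains STATUS LINK: print the "DNS Domain" value of LINK (empty if none).
link_domains() {
    printf '%s\n' "$1" | awk -v link="$2" '
        /^Link [0-9]+ \(/ { inlink = (index($0, "(" link ")") > 0); next }
        inlink && /DNS Domain:/ { sub(/^[ \t]*DNS Domain:[ \t]*/, ""); print; exit }
    '
}

# tunnel_catches_all_lookups STATUS LINK: succeed when LINK has the "~." routing
# domain, i.e. resolved prefers LINK over +DefaultRoute links for every query.
tunnel_catches_all_lookups() {
    local d
    for d in $(link_domains "$1" "$2"); do
        [ "$d" = "~." ] && return 0
    done
    return 1
}

# fix_tunnel_domain [LINK] [NAME]: the workaround from the thread, applied only when
# needed. Requires root and a live systemd-resolved; NAME is a LAN host to verify with.
fix_tunnel_domain() {
    local link="${1:-nordlynx}" name="${2:-}"
    if ! tunnel_catches_all_lookups "$(resolvectl)" "$link"; then
        echo "$link has no catch-all routing domain; nothing to do"
        return 0
    fi
    resolvectl domain "$link" ""
    systemctl restart systemd-resolved.service
    if [ -n "$name" ]; then
        # Goes through the stub resolver, unlike "nslookup NAME SERVER",
        # so it checks the path that ping actually uses.
        resolvectl query "$name"
    fi
}

# Run only the remediation when invoked directly, e.g. from a dispatcher script:
#   ./check-tunnel-dns.sh --fix nordlynx nas2.xxx.yyy.com
if [ "${1:-}" = "--fix" ]; then
    fix_tunnel_domain "${2:-nordlynx}" "${3:-}"
fi
```

The verification step uses resolvectl query rather than nslookup with an explicit server, because the latter bypasses the systemd-resolved stub entirely, which is exactly why "nslookup nas2.xxx.yyy.com 192.168.89.1" succeeded in the thread while ping of the same name failed.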
