Mullvad DNS issue #1687

Open
Rubber-Duckie opened this issue Sep 9, 2024 · 0 comments
Labels
bug TYPE: a report on something that isn't working

Comments


Rubber-Duckie commented Sep 9, 2024

Can you check, this still seems unresolved.

Steps:

  1. Connect to Mullvad and select a server in a different country.
  2. Make sure all DNS sec in the browser is turned off.
  3. Verify that the DNS check is green. https://mullvad.net/en/check
  4. Now note the location reported by the Mullvad DNS check, it matches your exit country.

The fact the DNS server is showing in the same country as the VPN server you're connected to is normal in this configuration, because the VPN is relaying the DNS query to a server in the exit jurisdiction.

Now start Portmaster with these settings.

[screenshots of the Portmaster settings]

At this point, DNS is broken - there is no connectivity to the internet. It appears that Portmaster is not respecting the Mullvad VPN’s gateway - despite the documentation stating it should be forwarding DNS to the system assigned DNS server - which is available from the TAP adapter interface that was created by the VPN.

The previous suggestion was to manually set a DNS server in Portmaster to a public server, i.e.

dot://extended.dns.mullvad.net?ip=194.242.2.5&name=mullvad&blockedif=empty

But this is not what we want. The DNS requests should be passed to a Mullvad VPN Relay (via the client) not sent direct to a public server.

See here why bypassing a VPN Relay using a public facing DNS server is not a good idea; https://www.privacyguides.org/en/advanced/dns-overview/#why-shouldnt-i-use-encrypted-dns

Let's try to redirect DNS to the Mullvad local listener IP that is designed to relay DNS...

dns://10.64.0.1?name=Mullvad&blockedif=zeroip

This is specified as a valid resolver here: https://mullvad.net/en/help/running-wireguard-router

This results in incredibly unstable DNS resolution. It works for a moment, then fails and packs in altogether - possibly some cache remnants. As soon as I disable Portmaster, everything works as normal.

The Portmaster documentation states that it only intercepts and forwards DNS queries through two possible paths:

  1. Any configured DNS servers within the section shown above, bypassing the system network-configured DNS entirely.
  2. If there are no entries configured in the Portmaster DNS server list, it reverts to using the network-configured DNS server.

Given #2 is the chosen path since no DNS servers have been configured within Portmaster, Portmaster remains oblivious to the VPN local service that inserted its IP in the IP tables configuration.

I simply cannot get Portmaster to connect using Mullvad VPN and Mullvad DNS Relay.

[screenshot]
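The report's core concern is whether a Portmaster resolver entry points at Mullvad's in-tunnel relay or at a public server that bypasses it. The following is an added checker, not code from the issue or from Portmaster or Mullvad: it parses resolver URLs in the format shown above and classifies the address they will contact. The 10.64.0.0/10 range is an assumption used to recognise Mullvad's tunnel-side relay; the scheme list is not validated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: Mullvad's tunnel-side DNS relay (10.64.0.1 in the report) lives
# inside this range; only used to classify resolvers, not to route anything.
TUNNEL_DNS_RANGE = ip_network("10.64.0.0/10")


@dataclass
class Resolver:
    scheme: str
    host: str
    ip: Optional[str]
    name: Optional[str]
    blockedif: Optional[str]


def parse_portmaster_resolver(url: str) -> Resolver:
    """Parse a Portmaster-style resolver URL, e.g.
    dot://extended.dns.mullvad.net?ip=194.242.2.5&name=mullvad&blockedif=empty
    The host part is the server; optional query keys carry ip, name, blockedif."""
    u = urlparse(url)
    q = parse_qs(u.query)
    first = lambda k: q.get(k, [None])[0]
    return Resolver(u.scheme, u.hostname or "", first("ip"), first("name"), first("blockedif"))


def resolver_address(r: Resolver):
    """IP the resolver will be contacted at: the ip= hint if present, else the
    host itself when it is a literal address. Returns None for bare hostnames."""
    try:
        return ip_address(r.ip or r.host)
    except ValueError:
        return None


def classify(url: str) -> str:
    """Classify where DNS traffic for this resolver entry will go."""
    addr = resolver_address(parse_portmaster_resolver(url))
    if addr is None:
        return "unknown"  # bare hostname: needs a lookup before it can be judged
    if addr in TUNNEL_DNS_RANGE:
        return "in-tunnel relay"
    if addr.is_private:
        return "local/private"
    return "public (bypasses VPN relay)"
```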
