I connect to a WireGuard installed on my VPS. Then I go to a random VPN service marketing page on which I’ll discover that my DNS leaks. And which is correct because I’ve specified DNS = 1.1.1.1 in [Interface]
for all the Peers.
In order to avoid DNS leakadge, do I have to a) run DNS server on the a VPS – along with WireGuard, and b) use this one and only it, instead of 1.1.1.1
?
But if so, how will this possibly work?
[Peer]
PublicKey = [....;....]
PresharedKey = [......]
Endpoint = wg.my_domain123.com:51820
In order to resolve Endpoint
of my VPS to begin with, other DNS server will have to be used – by IP. But there’ll be none because I’ll use a DNS on my VPS instead of 1.1.1.1
. In other words, it’ll be a circular dependency.
You may want to ask this in a selfhosted community, not in programming. With that out of the way:
I don’t think hosting your own DNS server on VPS will help much, for several reasons:
DNS “leakage” happens in two ways:
To fix DNS leaks you need to do two things:
a) Use a DNS service that has an explicit mission statement of protecting the users’ privacy. Here’s a good start.
b) You need to connect using encrypted DNS. The most widespread form is DoH (DNS over HTTPS) which uses port 443 and is virtually indistinguishable from regular web traffic (aside from the fact it connects to known public DNS servers). You can also use DoT (DNS over TLS) on port 853 (as opposed to unencrypted DNS on 53).
You can set up DoH or DoT with the address of a privacy-respecting public DNS service on a wide variety of apps and devices:
There are also downsides to DoH/DoT. For example, you can’t coerce LAN devices or apps that use a hardcoded DoH/DoT server to use the one you want. You could hijack their name resolution to the server name but you can’t satisfy their TLS certificate, especially if it’s also hardcoded and doesn’t rely on a central store (like the Android or iOS certificate store). This is often the case with Chinese ioT devices who like to phone home. Google has also started to do this with Chrome on mobile, to prevent DNS-based adblocking.
Use https://www.dnsleaktest.com/ to test what you leak.