DNS resolution differs between WAN and client device

I have recently configured a Pepwave Surf SOHO MK3 device that is running firmware version 8.0.0 build 1429. The DNS settings on the WAN side have been configured with OpenDNS IP addresses - 208.67.222.222 and 208.67.220.220.

When connecting to streaming services such as Netflix, it seems that there is DNS communication with 8.8.8.8. Is this expected? The output below is from the the list of outbound connections under “Active Sessions”

|TCP|192.168.52.11:33857|54.69.229.154:443|SSL/Netflix|WAN|00:00:01|
|TCP|192.168.52.11:33859|54.69.229.154:443|SSL/Netflix|WAN|00:00:01|
|TCP|192.168.52.11:37450|216.58.203.98:443|SSL/Google Ads|WAN|00:00:01|
|TCP|192.168.52.11:35376|45.57.90.1:443|SSL/Netflix|WAN|00:00:05|
|TCP|192.168.52.11:58336|45.57.91.1:443|SSL/Netflix|WAN|00:00:05|
|TCP|192.168.52.11:49710|202.124.127.66:443|SSL/Netflix|WAN|00:00:06|
|UDP|192.168.52.11:50153|8.8.8.8:53|DNS|WAN|00:00:11|

I’m not sure if it is expected but having LAN devices and even applications themselves running on :LAN devices using specific DNS servers can be a way for those devices and apps to bypass DNS based restrictions / web filtering etc.

If you go to Network > Misc Settings | Service Forwarding and enable DNS forwarding what do you observe afterwards?
image

1 Like

The behavior is interesting since the devices are smart devices such as TVs. There isn’t the option to specify DNS servers so this would suggest that it’s hardcoded.

My understanding of enabling DNS Forwarding Setup is that, all VLANs will be proxied via the DNS servers specified under the WAN settings i.e. these cannot be setup as distinct configurations for each VLAN. Is this correct?

If yes, will 8.8.8.8 still display under “Active Sessions”?

Yes potentially.

Not quite. Any outbound DNS requests will be sent via the local DNS proxy, which in turn can either use the DNS servers in WAN settings or Google DNS Servers. The proxy will also resolve local DNS records and can cache DNS requests. I would expect any DNS servers set in the DHCP server section of a VLAN will effectively be ignored as when clients try and use them the DNS requests will be forced via the DNS proxy instead.

No, there should not be an active session from a LAN side device to google DNS servers.

1 Like

Is the local DNS proxy the DNS servers under the WAN configuration?
Why would it be the Google DNS servers if I have not checked the option to use these?
What do you mean by local DNS requests? Do you mean DNS resolution of internal hosts e.g. device1.domain.local?
Will it only cache external DNS requests or internal or both?

No, under LAN settings:

It wouldn’t unless you check them in the DNS proxy settings section (or on WAN Settings).

Yes see above

I would expect both but have not tested this.

1 Like

I’m confused.

Do you mean to say that if I select the option “DNS Forwarding Setup”, it proxies the DNS request to the local DNS records? These are currently blank.

No. It proxies the requests to either the DNS servers configured on the wan or to google DNS servers if you tick the ‘Include Google Public DNS servers’ checkbox.

An added benefit is that if you have local DNS records configured then those are also served by the proxy.

1 Like

Thanks for the clarification. How long are the DNS records cached for?

Alternatively, is there another option to route the DNS requests to use the one specified under the WAN configuration without the DNS Forwarding Setup so that distinct DNS servers can be used for each of the VLANs?

For example, devices in VLAN 1 are routed with the DNS servers under the WAN settings whilst devices in VLAN 2 traverse the DNS servers for the VLAN?

This is defined by the DNS record itself.

I think we’re both confused by the requirement.
To clarify, devices in a VLAN can either:

  1. Get their DNS servers allocated to them via DHCP (statically or automatically assigned)
  2. Use statically assigned DNS entries (configured on the device itself).
  3. Have either of those settings above overridden at a networking level by the router when DNS service forwarding is set. In this case any outbound DNS request sent by a LAN device is redirected by the router via the embedded proxy.

DNS proxy is very powerful and useful in a multi-wan environment. It lets you set DNS servers by VLAN, you can set custom DNS resolvers per domain too, and you can set custom DNS servers per WAN/VPN route as well.

When DNS servers are assigned automatically at a VLAN level:

I would expect all DNS servers set at a WAN level to be passed to the DHCP clients but have never tested this.

1 Like

Thanks. The use of the term “DNS proxy” is unclear to me. This is because the router has the options “DNS Proxy Settings” and “DNS Forwarding Setup”.

The description for the former is “A DNS proxy server can be enabled to serve DNS requests originating from LAN/PPTP/PepVPN peers. Requests are forwarded to the DNS servers/resolvers defined in each WAN connection.” and the definition of the latter is “When this option is enabled, all outgoing DNS lookups will be intercepted and redirected to the built-in DNS name server.”

I would expect that when “DNS Proxy Settings” is checked that all traffic including those statically assigned on each device e.g. laptop, inherit the DNS servers under the WAN configuration. This isn’t the current behavior.

If “DNS Forwarding Setup” is checked, my understanding in reading the guide and your feedback is that all DNS requests are intercepted (I am unsure how this differs to a proxy since by its very definition, a proxy is intended to intercept traffic). Additionally, it’s my understanding that when “DNS Forwarding Setup” is enabled, it inherits the DNS settings under the WAN configuration or alternatively Google DNS servers (if this option is checked and interestingly it’s an option under “DNS Proxy Settings”).

If yes, is the " built-in DNS name server." referring to the WAN DNS server?
How can the DNS proxy support “It lets you set DNS servers by VLAN, you can set custom DNS resolvers per domain too, and you can set custom DNS servers per WAN/VPN route as well.” if all DNS requests are being intercepted and enforcing the inheritance of the WAN defined DNS servers?

DNS Proxy is when the router responds to DNS requests from LAN clients that choose to ask it to resolve DNS. That choice is either manual by setting the LAN clients DNS servers to the LAN IP of the router, or DHCP on the router does this automatically.

DNS Service Forwarding removes the choice. When enabled, all DNS resolution requests from clients on the LAN of the router - no matter what public DNS server address they are trying to use, are forcibly sent to the DNS proxy on the router to be dealt with.

Unless the LAN clients are told (or chose) to use the DNS proxy on the router, enabling DNS Proxy will have no affect on DNS requests from those clients.

Yes, in that when DNS service forwarding is enabled all requests are forwarded to the embedded DNS proxy and the proxy will be default try and resolve DNS requests using the DNS servers listed in the WAN connection settings.

Look in the menu under the blue ‘?’ icon on the DNS Proxy bar and you’ll see two links - one for advanced DNS resolvers and the other for domain based dedicated lookup
image

When you click those you will see a section where you can add domain names and then specify which WAN’s DNS servers should be used eg for peplink.com only use WAN1 and USB WAN for DNS resolution:

You will also see a section where you can choose which WANs DNS servers should be used as forwarding DNS resolvers. By default its all WANs but you can limit it to specific WANS and you can choose to resolve all DNS queries over a PePVPN connection too if you want.

So a combination of these advanced settings using the DNS proxy and manually setting DNS servers on the DHCP servers of some VLANS and leaving others set to the internal proxy means that you have loads of control as to which LAN clients resolve their DNS queries where.

2 Likes