
My OpenVPN server has the following lines in its configuration file, but when I connect to my VPN with Linux Network Manager and check my DNS, it shows I'm using DNS server 89.187.179.174:

push  "dhcp-option DNS 94.140.14.14"
push  "dhcp-option DNS 94.140.15.15"
push  "redirect-gateway def1 bypass-dhcp"

I know this address is not my ISP's DNS and am guessing it's the DNS of the server's ISP; however, why am I seeing my server's ISP DNS instead of 94.140.14.14 or 94.140.15.15?

  • Is there a way to fix it or check which DNS I am really using?
  • How do I make my OpenVPN server use 94.140.14.14 or 94.140.15.15?

$ systemd-resolve --status

Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
  Current DNS Server: 94.140.14.14        
         DNS Servers: 94.140.14.14        
                      94.140.15.15        
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 3 (tun0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 2 (eth0)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

1 Answer 1

The test you use cannot detect which DNS server you are querying. It can only detect which DNS server made a query to the test owner.

dhcp-option is only effective on Windows clients in concert with the TAP-Win32 virtual network adapter:

--dhcp-option type [parm]
Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive. This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN.
DOMAIN name -- Set Connection-specific DNS Suffix.

To set the DNS servers on non-Windows clients, you need to use up/down scripts. update-systemd-resolved is a script that does what you want. As per its setup instructions, you need to put the following in your OpenVPN client config (after finishing the installation):

script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/scripts/update-systemd-resolved
up-restart
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
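As an added illustration (not code from the original answer and not update-systemd-resolved itself), this is the mechanism such an up script relies on: on non-Windows clients OpenVPN does not apply pushed dhcp-option lines but exports them to the script as environment variables foreign_option_1, foreign_option_2, …, together with the tunnel interface name in dev. The script below extracts the pushed DNS servers and prints the resolvectl command that would bind them to the tunnel link; the sample option values are constructed.

```shell
#!/bin/sh
# Minimal stand-in for an OpenVPN "up" script on a systemd-resolved client.
# OpenVPN sets foreign_option_N for every pushed option it does not apply
# natively (dhcp-option on Linux) and dev to the tunnel interface (tun0).

# Print the DNS addresses found in foreign_option_1..N, one per line.
pushed_dns_servers() {
    i=1
    while :; do
        # Indirect lookup of foreign_option_$i; empty means we ran out.
        opt=$(eval "printf '%s' \"\${foreign_option_$i:-}\"")
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Build the resolvectl command that binds those servers to the tunnel link.
# It is only printed here; pipe it to sh on a real client once you trust it.
resolvectl_command() {
    link="${dev:-tun0}"
    servers=$(pushed_dns_servers | tr '\n' ' ')
    servers="${servers% }"
    [ -n "$servers" ] || return 1
    printf 'resolvectl dns %s %s\n' "$link" "$servers"
}
```

Without a script like this the pushed servers never reach systemd-resolved, which is why the tun0 link in the question's output shows no DNS servers of its own.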

If you want to see which DNS server is active, check /etc/resolv.conf. When the systemd-resolved stub resolver is active, check resolvectl.

If you want to make sure your DNS traffic leaves to the desired hosts, try a packet sniffer like tcpdump (CLI tool) or Wireshark (GUI tool). You could use tcpdump like this:

tcpdump -n -i tun0 port 53

You will then be able to verify that DNS traffic does in fact use the VPN tunnel, and by looking at the remote IP address you will see where it’s going to.

  • I have those lines in my client config (although I'm not sure if they even work, because I don't know how to check which DNS I'm actually using). But how do I pin down the DNS server then, if dhcp-option DNS only works for Windows? Commented Mar 2, 2022 at 9:57
  • You already know how to query systemd-resolved. When not in use (or not using the stub resolver), just check /etc/resolv.conf directly.
    – Daniel B
    Commented Mar 2, 2022 at 10:03
  • Just for kicks, I also tried querying a non-existent domain where I host the DNS myself via 94.140.14.14. I had incoming queries from 45.136.153.145, 45.136.153.155, 162.158.85.124, 172.217.45.194, 172.253.2.131, 172.253.225.35 and 172.253.197.1. Just to illustrate how the test is inaccurate.
    – Daniel B
    Commented Mar 2, 2022 at 10:08
