On Sun, 12 Jun 2022 17:13:29 -0400 Celejar <cele...@gmail.com> wrote:
> Package: wireguard-tools
> Version: 1.0.20210914-1
> Severity: normal
> 
> I use wg-quick to set up a tunnel to my home LAN from various wireless
> (WiFi) networks that I don't control. My /etc/wireguard/wg0.conf
> contains the line:
> 
> DNS = yy.yy.yy.yy
> 
> where yy.yy.yy.yy is a DNS server on my LAN.
> 
> With a typical WiFi network, when I initially connect to it,
> /etc/resolv.conf becomes populated with something like the following:
> 
> nameserver xx.xx.xx.xx
> search nnn.nnn.nnn
> 
> When I then do 'wg-quick up', resolv.conf ends up like this:
> 
> nameserver yy.yy.yy.yy
> nameserver xx.xx.xx.xx
> search nnn.nnn.nnn
> 
> So DNS queries will generally go through my designated DNS server, which
> is good, but if something goes wrong with my server, queries will leak
> out to the DNS server supplied by the WiFi network, which is not good.
> Similarly, queries for addresses like 'example.com.nnn.nnn.nnn'
> sometimes end up going out into the DNS system, which is also not good.
> 
> I would think that the correct behavior would be for wg-quick to *replace*
> the existing contents of resolv.conf, rather than just *prepending* the
> specified DNS server. I understand that as per the man page, I can
> presumably get this behavior by using the PostUp and PostDown keys, but
> I think the default should be changed, or at least that users should be
> warned of the leak potential in the documentation.


I have just set up wireguard-tools together with openresolv and it behaves
exactly as you would like: it completely replaces the DNS servers in resolv.conf.

For you this behavior is the desired one, for me it is not ;), because I am losing my
local DNS configuration pointing to my local hosts.

Anyway, I think we see that there is no general behavior that suits all users...

Cheers,
Mathias

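A defender-side check for the leak condition the report describes, as an added example that is not part of the bug report or of wireguard-tools: it parses a resolv.conf and flags any nameserver other than the one pushed through the tunnel's `DNS =` line, plus any `search`/`domain` line that could send unqualified names off-tunnel. The placeholder addresses are the report's own; the sample file is constructed here.

```shell
#!/bin/sh
# Added example, not from the bug report or wireguard-tools. Returns 0 when the
# given resolv.conf names only the expected (tunnel) nameserver and carries no
# search/domain line; returns 1 otherwise and prints each offending line.
check_resolv_leak() {
    expected="$1"
    file="$2"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "nameserver "*)
                ns=${line#nameserver }
                if [ "$ns" != "$expected" ]; then
                    echo "leak: extra nameserver $ns" >&2
                    rc=1
                fi
                ;;
            "search "*|"domain "*)
                echo "leak: unqualified lookups may leave the tunnel: $line" >&2
                rc=1
                ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample mirroring the resolv.conf the reporter saw after
# 'wg-quick up' (placeholder addresses exactly as in the report).
sample=$(mktemp)
printf 'nameserver yy.yy.yy.yy\nnameserver xx.xx.xx.xx\nsearch nnn.nnn.nnn\n' > "$sample"

if check_resolv_leak yy.yy.yy.yy "$sample"; then
    echo "resolv.conf only points at the tunnel DNS server"
else
    echo "resolv.conf may leak DNS queries to the local network"
fi
rm -f "$sample"
```

Run it after `wg-quick up` against the live `/etc/resolv.conf` to confirm the tunnel's DNS line actually replaced, rather than prepended to, the WiFi network's resolver.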