NordSecurity / nordvpn-linux

NordVPN Linux client
GNU General Public License v3.0

DNS setting has no effect since Version 3.17.4 #501

Open jkrasinger opened 1 month ago

jkrasinger commented 1 month ago

For me it is necessary to use my local DNS server even when using the VPN. Since version 3.17.4, the "nordvpn set DNS" setting has no effect and my local DNS is no longer used.

mariusSincovici commented 1 month ago

Hi, thanks for your feedback. Could you please let us know what your setup for the DNS server is? Is the DNS server on another machine in your LAN, is it on the same one, or is it some external IP address?

jkrasinger commented 1 month ago

@mariusSincovici: Hi, my DNS server is running on another server in the local LAN in my house. Here is my nordvpn configuration, which shows this:

Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.89.1            
LAN Discovery: disabled  
Allowlisted ports:    
            137 (UDP|TCP)
           5353 (UDP)
           5900 (UDP|TCP)
          53317 (TCP)
Allowlisted subnets:
        192.168.89.0/24    <- local LAN  with DNS Server
        192.168.80.0/24

mariusSincovici commented 1 month ago

Hi, thanks, we'll try to reproduce it, but until then, have you tried using LAN Discovery instead of the allowlist?

jkrasinger commented 1 month ago

Hi, with LAN Discovery, access to my local LANs (by IP address) is working, but not the DNS (tested with version 3.18.2).

keliramu commented 1 month ago

Hi @jkrasinger, could you give us more details: which Linux distro are you using? How do you determine that nordvpn set dns has no effect? Are DNS queries going to a different nameserver? Do you track your DNS queries with e.g. wireshark or tcpdump?

jkrasinger commented 1 month ago

Hi, excuse me, here is the information:

OS: (K)ubuntu 24.04 with ZFS

Until version 3.17.3 I was working with the above nordvpn settings and my local DNS answered my requests for my local domain (e.g. ping server.my.domain.com). Since version 3.17.4 my DNS requests are no longer resolved with the existing nordvpn settings. After restoring version 3.17.3 everything works again for me.

Also, nslookup is working fine with version 3.17.3; since version 3.17.4 it fails with "** server can't find service1.xxx.yyy.com: NXDOMAIN"

I have not traced the DNS requests until now, but if needed I can do so tomorrow.

sprokkel78 commented 1 month ago

> For me it is necessary to use my local DNS server even when using the VPN. Since version 3.17.4, the "nordvpn set DNS" setting has no effect and my local DNS is no longer used.

With this configuration, using ip route, ip rule and iptables, you can reach your local DNS by marking DNS packets in iptables and source-NATing them to the right interface.

cat /home/sprokkel/control-traffic.sh

```sh
#!/bin/sh

date >> /var/log/control-traffic.log; echo "Running CONTROL-Traffic." >> /var/log/control-traffic.log

sudo modprobe ip_tables
sudo modprobe iptable_mangle
sudo modprobe ip_conntrack

# CLEAR ALL PREVIOUS CONFIG
sudo ip route del default via 192.168.1.100 dev end0 table end0_table
sudo ip rule del fwmark 1
# empties the named-table list (redirection via tee so it also works when not already root)
echo | sudo tee /etc/iproute2/rt_tables > /dev/null

# Create the routing tables for iproute2
echo "1 end0_table" | sudo tee -a /etc/iproute2/rt_tables
cat /etc/iproute2/rt_tables

# Assign the default routes for the new tables:
sudo ip route add default via 192.168.1.100 dev end0 table end0_table

# Set up IP rules for DNS traffic
sudo ip rule add fwmark 1 table end0_table

# Flush existing rules
sudo ip route flush cache

# Use iptables to mark DNS traffic
# (-F flushes the whole mangle table, not only the rules added here)
sudo iptables -t mangle -F
sudo iptables -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 1
sudo iptables -t mangle -A OUTPUT -p tcp --dport 53 -j CONNMARK --save-mark
sudo iptables -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 1
sudo iptables -t mangle -A OUTPUT -p udp --dport 53 -j CONNMARK --save-mark

# Set up the NAT table to SOURCE-NAT DNS traffic
# (-F flushes the whole nat table, not only the rules added here)
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -p tcp --dport 53 -m mark --mark 1 -j SNAT --to-source 192.168.1.100
sudo iptables -t nat -A POSTROUTING -p udp --dport 53 -m mark --mark 1 -j SNAT --to-source 192.168.1.100

# Show ip route table list
ip route list table all | grep _table | grep end0

# Show ip rule table list
ip rule list

# Show the iptables mangle table
echo "=================="
echo "IPTABLES -t MANGLE"
echo "=================="
sudo iptables -t mangle -L OUTPUT -vn

# Show the iptables nat table
echo "==============="
echo "IPTABLES -t NAT"
echo "==============="
sudo iptables -t nat -L POSTROUTING -vn

# Show the routing table
echo "============="
echo "IP ROUTE LIST"
echo "============="
ip r

echo "Done." >> /var/log/control-traffic.log
```

INFO: end0 is my LAN network card and 192.168.1.100 is its IP address. (Depending on your configuration you need to tweak these settings.)

I automatically run this script every time the VPN connection goes up by adding a 01-control-traffic file to /etc/NetworkManager/dispatcher.d/

sprokkel@mac-mini ~ $ cat /etc/NetworkManager/dispatcher.d/01-control-traffic

```bash
#!/bin/bash

INTERFACE=$1
STATUS=$2

# Replace nordtun with your vpn interface name
if [ "$INTERFACE" = "nordtun" ] && [ "$STATUS" = "up" ]; then
    IP_ADDRESS=$(ip -4 addr show "$INTERFACE" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
    /home/sprokkel/control-traffic.sh
fi
```

Then restart NetworkManager.

Hope this helps.

acud commented 4 weeks ago

I can confirm this is also happening for me. I'm running nordvpn on Manjaro Sway from the AUR repo binary:

yay -Q nordvpn-bin
nordvpn-bin 3.18.2-1

Here you can see, in sequence, the nordvpn settings while disconnected, the connect, and then cat /etc/resolv.conf:

acud@acud-strikes-back ~ » nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
acud@acud-strikes-back ~ » nordvpn status
Status: Disconnected
acud@acud-strikes-back ~ » cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 2.2.2.2
acud@acud-strikes-back ~ » nordvpn  c mx
Connecting to Mexico #107 (mx107.nordvpn.com)
You are connected to Mexico #107 (mx107.nordvpn.com)!
acud@acud-strikes-back ~ » nordvpn status 
Status: Connected
Server: Mexico #107
Hostname: mx107.nordvpn.com
IP: 155.133.15.133
Country: Mexico
City: Mexico
Current technology: NORDLYNX
Current protocol: UDP
Transfer: 6.00 KiB received, 10.46 KiB sent
Uptime: 2 seconds
acud@acud-strikes-back ~ » cat /etc/resolv.conf 
# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100%
acud@acud-strikes-back ~ » nordvpn version 
NordVPN Version 3.18.2

jkrasinger commented 3 weeks ago

@sprokkel78 : Thanks for your example to bring the local DNS back to life. I did not make a test for this until now, but I'm sure that your script/settings are working, but, however, it would be of great interest to me that the “set DNS” setting contained in NordVpn works. This has already worked and was then made ineffective with an update or no longer effective due to an error. I also officially reported a bug a few months ago, but have not yet received a solution. Thanks again for your script, I will certainly try it, but I see this as just a workaround and not a solution.

mariusSincovici commented 3 weeks ago

Hi @acud, thanks for your feedback. Could you let us know what the issue is in your case, because the app seems to behave as expected?

At the moment, while you're connected to the VPN, the application will always set some DNS servers and not use the OS settings; it is not possible to disable this. When no custom DNS is set in the app (when DNS: disabled), the app will use the NordVPN DNS servers. If you want to use custom DNS servers while connected to the VPN, e.g. 2.2.2.2, you will need to configure the NordVPN app: nordvpn set dns 2.2.2.2.

mariusSincovici commented 1 day ago

@jkrasinger A new app version is available 3.18.4 which contains some fixes for allowlists. Could you please try it and see if you can still reproduce the issue?

jkrasinger commented 1 day ago

@mariusSincovici Thank you for this information, but this new version has not changed anything and I can still reproduce this error. Perhaps the following output from the "resolvectl" command shows something interesting.

resolvectl on Version 3.17.3

$ resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 6 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
       DNS Servers: 192.168.89.1
        DNS Domain: ~\126

resolvectl on Version 3.18.4

$ resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 5 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1
        DNS Domain: ~.

I can see a difference in the "DNS Domain" line on the nordlynx link between these versions. I cannot interpret it myself, but it may be a reason for the failure.

mariusSincovici commented 1 day ago

Yes, actually on version 3.17.3 there was a bug that resulted in DNS leaks, so having DNS Domain: ~\126 is actually not correct. Could you please try, in version 3.18.4, to allowlist port 53 and a subnet containing 192.168.89.1? Thanks

jkrasinger commented 1 day ago

@mariusSincovici Done, but nothing changed.

Here my settings:

$ nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.89.1
LAN Discovery: disabled
Virtual Location: enabled
Allowlisted ports:
       53 (UDP|TCP)
Allowlisted subnets:
        192.168.89.0/24

Test:

$ ping nas2.xxx.yyy.com
ping: nas2.xxx.yyy.com: Name or service not known

$ nordvpn d
You are disconnected from NordVPN.
How would you rate your connection quality on a scale from 1 (poor) to 5 (excellent)? Type 'nordvpn rate [1-5]'.

$ ping nas2.xxx.yyy.com
PING nas2.xxx.yyy.com (192.168.89.38) 56(84) bytes of data.
64 bytes from 192.168.89.38: icmp_seq=1 ttl=64 time=2.55 ms
64 bytes from 192.168.89.38: icmp_seq=2 ttl=64 time=3.55 ms

mariusSincovici commented 1 day ago

Thanks for testing. I've managed to reproduce it. Could you please try to run, while connected to the VPN, nslookup nas2.xxx.yyy.com 192.168.89.1 and let me know if it works?

jkrasinger commented 1 day ago

Here is the output of the command "nslookup nas2.xxx.yyy.com 192.168.89.1" while the VPN is active:

$ nslookup nas2.xxx.yyy.com 192.168.89.1
Server:         192.168.89.1
Address:        192.168.89.1#53

Name:   nas2.xxx.yyy.com
Address: 192.168.89.38

$ ping nas2.xxx.yyy.com
ping: nas2.xxx.yyy.com: Name or service not known

mariusSincovici commented 1 day ago

Thanks, I've registered an issue on our side.

Until then, there might be a hackish "workaround" (at least it worked for me), but this needs to be run every time DNS fails (because sometimes the NordVPN app reconfigures the DNS in the background automatically). After you're connected to the VPN, configure the DNS domain on the tunnel interface and restart systemd-resolved, e.g.:

sudo resolvectl domain nordlynx ""
sudo systemctl restart systemd-resolved.service

and check afterwards.
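As an added check (not part of this thread or of the nordvpn client), the shell function below parses resolvectl output and flags any link that is the catch-all DNS route (DNS Domain "~.") while its configured DNS server is an RFC 1918 address. That is the state shown for the 3.18.4 output above: systemd-resolved sends queries for a link's scope out through that link, so a LAN resolver listed on nordlynx gets queried through the tunnel, which is consistent with a direct nslookup to 192.168.89.1 working while normal resolution fails. The sample input is constructed from the resolvectl output quoted above; running it against the live system assumes resolvectl is installed.

```shell
# Constructed sample input: the "resolvectl on Version 3.18.4" output quoted in this thread.
RESOLVECTL_SAMPLE='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (enp0s3)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1

Link 5 (nordlynx)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 192.168.89.1
       DNS Servers: 192.168.89.1
        DNS Domain: ~.'

# lan_dns_over_tunnel RESOLVECTL_OUTPUT
# Prints "<link> <server>" for every link whose DNS Domain is "~." (the
# route for all names) but whose DNS server is an RFC 1918 address, i.e. a
# LAN resolver that systemd-resolved will query through that link.
# Prints nothing when no such link exists.
lan_dns_over_tunnel() {
  printf '%s\n' "$1" | awk '
    # Each "Link N (name)" header starts a new block; reset per-link state.
    /^Link [0-9]+ \(/ { link = $3; gsub(/[()]/, "", link); dom = ""; srv = "" }
    /DNS Servers:/    { srv = $NF }
    /DNS Domain:/     { dom = $NF }
    /^$/              { report() }
    END               { report() }
    function report() {
      if (link != "" && dom == "~." &&
          srv ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)[0-9.]+$/)
        print link, srv
      link = ""
    }'
}

# Run the check on the constructed sample; for the live system use:
#   lan_dns_over_tunnel "$(resolvectl)"
lan_dns_over_tunnel "$RESOLVECTL_SAMPLE"
```

After the workaround above (`resolvectl domain nordlynx ""`) the DNS Domain line disappears from the nordlynx link and the check prints nothing.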

jkrasinger commented 8 hours ago

@mariusSincovici Thank you for your help and that you filed an issue.

I tested your workaround and it's working.

I just made another test: I downloaded an OpenVPN and a WireGuard config for NetworkManager. When I activate the VPN with NetworkManager, everything seems to work without a problem: access to the local LANs and also the local DNS is working. I checked with a DNS leak checker in the browser and also on the command line and could not find a leak. Maybe that could be my solution for the problem (without kill switch).

Regards Jonny