TunnlTo / desktop-app

TunnlTo is a Windows WireGuard VPN client built for split tunnelling.
https://tunnl.to

Tunnel DNS is used for all apps even if allowed apps is selected #89

Closed artemdanielov closed 1 year ago

artemdanielov commented 1 year ago

If I input allowed apps so only they will go via VPN, it works fine: the other apps don't use the tunnel, but they do use DNS from the tunnel.

To Reproduce
Steps to reproduce the behavior:

  1. Create a tunnel with a specific DNS
  2. Input Chrome as allowed app
  3. Check IP address and DNS in Chrome (via DNS leak test) - everything is ok
  4. Check IP and DNS in Edge - IP is ok, DNS is the same as in Chrome.
  5. Turn the tunnel off, DNS is changed to default.

Expected behavior
As I understood, only Allowed apps should go via the VPN tunnel and use its DNS (if it's entered).

wiresock commented 1 year ago

There is an issue here because DNS queries from Chrome on Windows are handled by the DNSCACHE process, making it challenging to separate them. One possible solution is to remove the DNS settings from the WireGuard configuration and enable DNS over HTTPS in Chrome. By doing this, Chrome's DNS requests will be resolved through an HTTPS connection, which will be encapsulated within the WireGuard tunnel.

It's worth noting that on Windows, the DNSCACHE process is responsible for handling DNS queries. Therefore, configuring Chrome to use DNS over HTTPS ensures that its DNS resolution occurs separately, while standard queries made through DNSCACHE will still be directed to the DNS server specified in the system.
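The mechanism described above can be checked from an elevated PowerShell prompt. This read-only diagnostic is an added example, not code from the issue thread or from the TunnlTo project; the tunnel DNS address it compares against is a placeholder parameter, and the Chrome DoH values are read from the standard Chrome policy registry key.

```powershell
# Added example (not part of the issue thread or the TunnlTo project): a read-only
# diagnostic showing why apps outside the Allowed list still resolve via the tunnel DNS.
param(
    [string]$TunnelDns = '10.0.0.1'   # placeholder: the DNS= value from the WireGuard config
)

# 1. The shared system resolver. Every app that uses the Windows resolver API sends its
#    queries through this service, so the query is no longer attributable to one app.
$svc = Get-Service -Name Dnscache
"DNS Client service (Dnscache): $($svc.Status)"

# 2. Which DNS servers each interface hands to that shared resolver. While the tunnel is
#    up, the WireGuard adapter's servers apply system-wide, not only to allowed apps.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $flag = if ($_.ServerAddresses -contains $TunnelDns) { '<- tunnel DNS' } else { '' }
        '{0,-30} {1} {2}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', '), $flag
    }

# 3. Chrome's DoH policy. With DnsOverHttpsMode set to 'secure', Chrome resolves names
#    itself over HTTPS (inside the tunnel when Chrome is an allowed app) instead of
#    handing them to Dnscache, which is the workaround suggested above.
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$mode = (Get-ItemProperty -Path $policyKey -Name DnsOverHttpsMode -ErrorAction SilentlyContinue).DnsOverHttpsMode
$tmpl = (Get-ItemProperty -Path $policyKey -Name DnsOverHttpsTemplates -ErrorAction SilentlyContinue).DnsOverHttpsTemplates
"Chrome DnsOverHttpsMode     : $(if ($mode) { $mode } else { '<not set by policy; the in-browser setting applies>' })"
"Chrome DnsOverHttpsTemplates: $(if ($tmpl) { $tmpl } else { '<not set>' })"
```

If section 2 lists the tunnel DNS on the WireGuard adapter while the tunnel is up, every app that relies on Dnscache will use it regardless of the Allowed Apps list.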

artemdanielov commented 1 year ago

Thank you for the quick reply! So no matter what apps I select in the Allowed list, all other apps will still use the DNS setting from the WireGuard configuration? If I leave the DNS field empty and just use a private DNS server list (like Quad9, Cloudflare, etc.) on my router with the DoT setting, will it have any negative impact on VPN performance or general security?

wiresock commented 1 year ago

Yes, your understanding is correct. The apps you don't include in the WireGuard Allowed Apps list will use the DNS settings specified in your WireGuard configuration.

As for leaving the DNS field empty in WireGuard and instead using a private DNS server like Quad9 or Cloudflare with DNS over TLS (DoT) on your router, it generally should not have an impact on VPN performance or your overall security. DNS over TLS adds an encryption layer to your DNS queries which enhances security, and most modern routers and DNS services handle this efficiently enough to avoid any noticeable performance hit.

artemdanielov commented 1 year ago

Ok, this sounds strange, but after I removed the DNS settings from the WireGuard config (for testing) and put them back, it looks like now the VPN tunnel does not use the DNS settings from the WireGuard config at all. So no matter what DNS I set (the original one from the VPN provider or any other), the DNS leak test just shows my default DNS settings from the router. I did delete the VPN profile and imported it again fresh, nothing changed. Same results with the native wg client (whose config I did not change in any way and was using before this app). Interesting

brendanosborne commented 1 year ago

@bigartemka007 sorry, I'm not really following. Is this resolved and can be closed, or are you still experiencing the issue?

artemdanielov commented 1 year ago

@brendanosborne hi! Yeah, it still acts the same. After I deleted the DNS settings from the config and set them again later, it seems like they are not being used anymore. The DNS test shows my router-configured DNS settings. Strange.