search

tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License
18.57k stars 1.43k forks source link

Ubiquiti EdgeRouter Exit Node DNS leak #12998

Open Summit48 opened 1 month ago

Summit48 commented 1 month ago

What is the issue?

I have two EdgeRouters configured as Exit Nodes on two seperate ISP WAN IP addresses.

ER-X Linux 4.14.54-UBNT, Tailscale mipsle v1.70.0 ER-4 Linux 4.9.79-UBNT, Tailscale Debian Stretch v1.70.0

I have a MacBook Pro(Intel) with App Store variant v1.70.0 and iPhone with v1.70.0

Using https://www.dnsleaktest.com/ on both a MacBook Pro and iPhone it confirms that Cloudflare 1.1.1.1 as my DNS Server configured on both EdgeRouters.

However if enable Tailscale VPN on the MacBook Pro or iPhone with either the ER-X or ER-4 as an Exit Node, then run https://www.dnsleaktest.com/ I get a DNS leak to my ISP DNS servers.

Steps to reproduce

See above

Are there any recent changes that introduced the issue?

No response

OS

Other

OS version

Linux 4.9.79-UBNT, Linux 4.14.54-UBNT, macOS 12.7.6, iOS

Tailscale version

1.70.0

Other software

No response

Bug report

ubnt@ER-X:~$ tailscale bugreport BUG-79d37279b8d5e0f6191903ba5694f3c7d3aaed79a391d537a021d9b816e1214f-20240802015954Z-3cad8f08d4d34e9f

Summit48 commented 1 month ago

I factory reset and reconfigured the ER-X, hence I have a new bug report.

ubnt@ER-X:~$ tailscale bugreport
BUG-095daa26fc21be6d9953142f19411d860a1a020eacfa553781389834baa06856-20240804034003Z-f0ac44cc106c9705
ubnt@ER-X:~$
mkevinstever commented 1 month ago

Screenshot from 2024-08-06 17-00-53

Hello: Have you checked your DNS settings in console? And make sure this feature to ON?

Summit48 commented 1 month ago

The help for the Override local DNS states;

The EdgeRouter is configured for DNS forwarding with dnsmasq enabled. It works as expected when devices are not connected to the VPN and hence not using the Exit Node feature to access the Internet.

My question is why does the EdgeRouter Exit Node not obeyed local DNS settings to access the Internet when the Override local DNS option is disabled?

wingcomm commented 1 month ago

@Summit48 I have found that Tailscale on several linux distros ignore that override local DNS setting.