Describe the problem
When running a DNS leak test from this site we see DNS is leaking and using your router or ISPs DNS instead of the VPN. This does not protect your information.
Add your docker run command
Nothing fancy, just using PIA standard config.
Logs
Run the following from the container:
wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh
chmod +x dnsleaktest.sh
./dnsleaktest.sh
You will see you have your VPN IP however the container is still using your router's DNS. It should be using the VPN's DNS.
Host system:
Ubuntu 18.04
Any suggestion for a fix? Using Google DNS is widely communicated as a recommended setup, but there should probably be something we can do with OpenVPN here?
Another question. Is it using the DNS servers that it gets from the router? Which means that it is inherited from the host? The DNS packets themselves go through the VPN and then to the ISP DNS server?
This may fix the issue. https://community.openvpn.net/openvpn/wiki/Pushing-DNS-to-clients
I would also suggest adding a dnsleak test option to your build to inform users there is no DNS leak. You can use the referenced dnsleak test I pointed to above. It would be nice to get that output when the container and VPN start up.
Normally the server will push the DNS config to the client. Not much can be done on the client side unless there is some config issue that overwrites or ignores the push.
Something like
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.160.0.1,comp-lzo no,route 10.160.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.160.0.150 10.160.0.149,peer-id 42,cipher AES-256-GCM'
Can you check the docker log?
A while back, I stumbled on someone mentioning DNS leaks on here so I modified my docker file from the Google DNS to the PIA DNS. This seemed to work well at the time.
After reading this post today, it looks like it's not working as well as it used to and I assume it's because of the updates which PIA are making to their environment around DNS:
https://www.privateinternetaccess.com/helpdesk/kb/articles/next-generation-dns-custom-configuration
As a test, I modified the docker config to use Google DNS instead of the original PIA DNS which I was using. The docker image starts up and everything seems to work correctly without any resolve errors. Running the DNS leak test script I can see DNS leaks occurring whilst connecting to the VPN.
_Note: According to the PIA article, the next gen DNS servers only work once you're connected to the VPN - I confirmed this is correct...using the new next gen servers in the config file (instead of Google's) doesn't work because it cannot resolve the VPN provider._
As a test, I decided to try modifying the DNS IP of the docker server whilst I was connected to the VPN.
I downloaded and installed nano, then modified the DNS entry from Google to PIA in the following file:
/etc/resolv.conf
I ran the DNS leak test script again and now I don't have any DNS leaks - it's using the PIA server.
I hope this helps - Hopefully someone who understands this better than I do can come up with an easier way to implement this but the workaround seems to work. My knowledge of docker and linux is basic!
@naythan90, I had the same issue as you. Thanks for the help.
To automate things, I added transmission-post-start.sh to the scripts folder described here: https://haugene.github.io/docker-transmission-openvpn/custom-scripts/
It was a simple 2-line script
#!/bin/bash
echo nameserver 10.0.0.242 > /etc/resolv.conf
So when I restart/update the docker container, I don't always have to go into the container to update resolv.conf.
@mochman, Thanks for your help with the script - I've added it to my config and it seems to work perfectly... no more DNS leaks and no need to mess around after restarting or updating the container!
This works for PIA but doesn't solve the issue for other VPN providers. I might suggest adding a DNS option for the container that passes the DNS server you want to use in that script once the VPN comes up. Ideally we'd want the DNS configured based on the DHCP DNS options provided when the VPN comes up.
I've dug into this a bit further. I'd suggest just setting DNS to Cloudflare's DNS or Google's DNS by default. Testing may still show your DNS is leaking, however if you're not using your ISP's DNS and the VPN is up you should be fine. I'd offer an option for a custom DNS if you don't wish to use the default of Cloudflare or Google.
@mochman Thanks for the script. Worked perfectly for me as well.
@cookieisland No problem. I'm still using that script for now, but it can cause some issues. If for some reason the VPN drops its connection, the DNS nameserver will not get reset back to Google. This means that openvpn will not be able to resolve someserver.pia.net when it attempts to reconnect. So the container will just be down until you manually reset it.
Some more info on this
VPN DNS servers are pushed out by the OpenVPN server via push reply:
Example from docker compose output:
Fri Dec 18 11:20:49 2020 PUSH: Received control message: 'PUSH_REPLY,**dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92**,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.49 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Just seems these aren't populating /etc/resolv.conf
Additionally, OpenVPN documentation includes the argument --block-outside-dns which seems to be used, ~but not supported in the docker's version of OpenVPN~, but is not supported on non-Windows OS.
Fri Dec 18 11:20:49 2020 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.4.9)
OpenVPN docs excerpt - "This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. "
Looking into this a bit further
CONT
https://wiki.archlinux.org/index.php/OpenVPN#DNS
Script provided and maintained by OpenVPN to update resolv.conf with correct values on VPN up and down
https://github.com/OpenVPN/openvpn/blob/master/contrib/pull-resolv-conf/client.up
https://github.com/OpenVPN/openvpn/blob/master/contrib/pull-resolv-conf/client.down
Will work on a pull req to resolve
Fix see #1614 - Uses OpenVPN's included scripts to dynamically update resolv.conf at VPN launch with the VPN provider's DNS servers
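Added example, not code from the docker-transmission-openvpn project and not OpenVPN's contrib/pull-resolv-conf scripts. It covers the two things the thread did by hand: checking whether the servers in the PUSH_REPLY line from `docker logs` actually made it into /etc/resolv.conf, and an --up/--down script that writes the pushed servers on up and restores the original resolver on down, so a dropped tunnel does not leave the container unable to resolve the VPN hostname on reconnect. OpenVPN exports each pushed option to --up/--down scripts as foreign_option_N (for example foreign_option_1="dhcp-option DNS 162.252.172.57") and sets script_type to "up" or "down"; those are real OpenVPN behaviour. RESOLV_CONF is an assumed override so the functions can be exercised against a scratch file instead of /etc/resolv.conf, and the function names are mine.

```shell
#!/bin/sh
# Added example (not the project's code, not OpenVPN's contrib scripts).
# RESOLV_CONF is an assumed override for testing; OpenVPN itself only ever
# cares about /etc/resolv.conf.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Extract the pushed "dhcp-option DNS" servers from a PUSH_REPLY log line
# (as printed by `docker logs`), one IP per line. Options are comma separated
# and the last one carries the closing quote.
pushed_dns_from_log() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n "s/^dhcp-option DNS \([0-9a-fA-F.:]*\)'*$/\1/p"
}

# Return 0 if every pushed server is listed as a nameserver in RESOLV_CONF,
# 1 otherwise (missing servers are printed to stderr).
check_resolv_conf() {
    pushed=$(pushed_dns_from_log "$1")
    missing=""
    for s in $pushed; do
        s_re=$(printf '%s' "$s" | sed 's/\./\\./g')   # literal dots in the IP
        grep -q "^nameserver[[:space:]]*$s_re\$" "$RESOLV_CONF" || missing="$missing $s"
    done
    if [ -n "$missing" ]; then
        echo "pushed DNS not in $RESOLV_CONF:$missing" >&2
        return 1
    fi
    return 0
}

# The same servers as an --up/--down script sees them: OpenVPN exports each
# pushed option as foreign_option_1, foreign_option_2, ... Stop at the first
# unset index; ignore non-DNS options such as "dhcp-option DOMAIN".
pushed_dns_from_env() {
    i=1
    while :; do
        opt=$(eval "printf '%s' \"\${foreign_option_$i:-}\"")
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# --up handler: write the pushed servers to the resolver file, keeping the
# pre-VPN file so --down can put it back.
vpn_up() {
    servers=$(pushed_dns_from_env)
    if [ -z "$servers" ]; then
        # Leave the resolver alone; a non-zero exit from an --up script
        # aborts the connection, which is worse than the old resolver here.
        echo "server pushed no dhcp-option DNS; $RESOLV_CONF left unchanged" >&2
        return 0
    fi
    # Take the backup only once: on a reconnect without a clean down the
    # file already holds VPN servers that are unreachable with the tunnel gone.
    [ -f "$RESOLV_CONF.vpn-backup" ] || cp "$RESOLV_CONF" "$RESOLV_CONF.vpn-backup"
    {
        echo "# written by vpn-dns example on OpenVPN up"
        printf 'nameserver %s\n' $servers
    } > "$RESOLV_CONF"
}

# --down handler: restore the original resolver so the VPN hostname can be
# resolved again when OpenVPN reconnects. Write through rather than mv:
# inside Docker /etc/resolv.conf is a bind mount and renaming over it fails
# with "Device or resource busy".
vpn_down() {
    if [ -f "$RESOLV_CONF.vpn-backup" ]; then
        cat "$RESOLV_CONF.vpn-backup" > "$RESOLV_CONF"
        rm -f "$RESOLV_CONF.vpn-backup"
    fi
}

# Dispatch when invoked by OpenVPN (needs "script-security 2" plus --up and
# --down pointing at this file); script_type is set by OpenVPN itself.
case "${script_type:-}" in
    up) vpn_up ;;
    down) vpn_down ;;
esac
```

Used as an --up/--down script it replaces the unconditional `echo nameserver ... > /etc/resolv.conf` from the post-start workaround and avoids the stuck-after-drop problem described earlier; the check function is what you would run against a copied PUSH_REPLY line to confirm the push really landed in the container's resolver.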