Description
Describe the problem
I've noticed that the Windows Netbird client suffers from a DNS leak. I'm self-hosting Netbird in an Ubuntu Server VM behind nginx, and I also run a cli client on the same machine as a routing peer into my home LAN (and also as an exit peer).
My DNS server, Adguard home listens on my home router at 192.168.7.1:53, with Cloudflare and Quad9 as upstream resolvers.
When I connect with the Android client or from a Linux machine all is well - I only see my upstream resolvers come up on browserleaks.com. However, when I connect with the Windows client, I see the resolvers of the network I'm connected to.
Isn't this because Netbird uses netmask 128.0.0.0?
Netbird status log
Peers detail:
samsung-jetbird.netbird.selfhosted:
NetBird IP: 100.126.117.117
Public key: 5ieyO9Z1EjWIgF6gIefM2bZ9mxJjqR9E8IAfEfA7tFk=
Status: Disconnected
-- detail --
Connection type:
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: -
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Routes: -
Networks: -
Latency: 0s
openwrt-ligetter.netbird.selfhosted:
NetBird IP: 100.126.129.15
Public key: bvIh3WRnvEz/gQNMz8FQQc8DgT2ypXSr/HxAZyMZnwo=
Status: Connected
-- detail --
Connection type: P2P
ICE candidate (Local/Remote): host/srflx
ICE candidate endpoints (Local/Remote): 192.168.47.1:51825/198.51.100.0:51820
Relay server address: rels://nb.anon-XMJBI.domain:443
Last connection update: 5 seconds ago
Last WireGuard handshake: -
Transfer status (received/sent) 148 B/388 B
Quantum resistance: false
Routes: 192.168.5.0/24
Networks: 192.168.5.0/24
Latency: 11.9858ms
samsung-netbird.netbird.selfhosted:
NetBird IP: 100.126.169.113
Public key: 2UO/tW8YZcQIp6VKDNdftRb+ZS3YqVadjrGv1pKxFQQ=
Status: Disconnected
-- detail --
Connection type:
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: -
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Routes: -
Networks: -
Latency: 0s
netbird-vm-cli-client.netbird.selfhosted:
NetBird IP: 100.126.220.138
Public key: OaaNsK+ZQA0ninoQS1vWIgpPwgYyr5q23CjM3ozWrVU=
Status: Connected
-- detail --
Connection type: Relayed
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address: rels://nb.anon-XMJBI.domain:443
Last connection update: 6 seconds ago
Last WireGuard handshake: 1 second ago
Transfer status (received/sent) 3.7 KiB/21.5 KiB
Quantum resistance: false
Routes: 0.0.0.0/0, 192.168.7.0/24, 192.168.9.0/24
Networks: 0.0.0.0/0, 192.168.7.0/24, 192.168.9.0/24
Latency: 0s
netbird-vm-docker-node.netbird.selfhosted:
NetBird IP: 100.126.237.210
Public key: 5UCfvdijK/2wNW+gwnpNPg+9Ul6+1T8sjG027jyz2wE=
Status: Disconnected
-- detail --
Connection type:
ICE candidate (Local/Remote): -/-
ICE candidate endpoints (Local/Remote): -/-
Relay server address:
Last connection update: -
Last WireGuard handshake: -
Transfer status (received/sent) 0 B/0 B
Quantum resistance: false
Routes: -
Networks: -
Latency: 0s
OS: windows/amd64
Daemon version: 0.35.2
CLI version: 0.35.2
Management: Connected to https://nb.anon-XMJBI.domain:443
Signal: Connected to https://nb.anon-XMJBI.domain:443
Relays:
[stun:turn.anon-XMJBI.domain:3478] is Available
[turn:turn.anon-XMJBI.domain:3478?transport=udp] is Available
[rels://nb.anon-XMJBI.domain:443] is Available
Nameservers:
[192.168.7.1:53] for [.] is Available
FQDN: adam-zenbook-1.netbird.selfhosted
NetBird IP: 100.126.31.1/16
Interface type: Userspace
Quantum resistance: false
Routes: -
Networks: -
Peers count: 2/5 Connected
Windows route print
===========================================================================
Interface List
15...........................WireSock Virtual Adapter
43...........................WireGuard Tunnel
14...16 ac 60 56 87 d3 ......Microsoft Wi-Fi Direct Virtual Adapter
12...16 ac 60 56 97 c3 ......Microsoft Wi-Fi Direct Virtual Adapter #2
19...14 ac 60 56 a7 f3 ......MediaTek Wi-Fi 6E MT7922 (RZ616) 160MHz PCIe Adapter
5...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
4...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
18...14 ac 60 56 a7 f4 ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.68.1 192.168.68.244 30
0.0.0.0 128.0.0.0 On-link 100.126.31.1 6
"My WAN IP" 255.255.255.255 192.168.68.1 192.168.68.244 31
100.126.0.0 255.255.0.0 On-link 100.126.31.1 261
100.126.31.1 255.255.255.255 On-link 100.126.31.1 261
100.126.255.255 255.255.255.255 On-link 100.126.31.1 261
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 100.126.31.1 261
128.0.0.0 128.0.0.0 On-link 100.126.31.1 6
192.168.5.0 255.255.255.0 On-link 100.126.31.1 6
192.168.5.255 255.255.255.255 On-link 100.126.31.1 261
192.168.7.0 255.255.255.0 On-link 100.126.31.1 6
192.168.7.255 255.255.255.255 On-link 100.126.31.1 261
192.168.9.0 255.255.255.0 On-link 100.126.31.1 6
192.168.9.255 255.255.255.255 On-link 100.126.31.1 261
192.168.17.0 255.255.255.0 On-link 192.168.17.1 291
192.168.17.1 255.255.255.255 On-link 192.168.17.1 291
192.168.17.255 255.255.255.255 On-link 192.168.17.1 291
192.168.47.0 255.255.255.0 On-link 192.168.47.1 291
192.168.47.1 255.255.255.255 On-link 192.168.47.1 291
192.168.47.255 255.255.255.255 On-link 192.168.47.1 291
192.168.68.0 255.255.255.0 On-link 192.168.68.244 286
192.168.68.244 255.255.255.255 On-link 192.168.68.244 286
192.168.68.255 255.255.255.255 On-link 192.168.68.244 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.47.1 291
224.0.0.0 240.0.0.0 On-link 192.168.17.1 291
224.0.0.0 240.0.0.0 On-link 192.168.68.244 286
224.0.0.0 240.0.0.0 On-link 100.126.31.1 261
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.47.1 291
255.255.255.255 255.255.255.255 On-link 192.168.17.1 291
255.255.255.255 255.255.255.255 On-link 192.168.68.244 286
255.255.255.255 255.255.255.255 On-link 100.126.31.1 261
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
43 6 ::/1 On-link
1 331 ::1/128 On-link
43 6 8000::/1 On-link
5 291 fe80::/64 On-link
4 291 fe80::/64 On-link
4 291 fe80::42b5:e70e:9b90:f630/128
On-link
5 291 fe80::6f24:5c0c:c019:2a1a/128
On-link
1 331 ff00::/8 On-link
5 291 ff00::/8 On-link
4 291 ff00::/8 On-link
43 261 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Expected behavior
Just like with Linux and Android, no DNS leaks.
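An added example, not part of the original report and not NetBird's code: longest-prefix-match route selection applied to rows copied from the IPv4 route table above, to show which interface carries traffic to a given resolver address. It models route selection only, not which DNS servers Windows decides to query; treating 192.168.68.1 (the Wi-Fi gateway in the table) as the local network's resolver and 1.1.1.1 as a sample public address are assumptions.

```python
import ipaddress

# Rows copied from the IPv4 route table in the report:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.68.1", "192.168.68.244", 30),
    ("0.0.0.0", "128.0.0.0", "On-link", "100.126.31.1", 6),
    ("128.0.0.0", "128.0.0.0", "On-link", "100.126.31.1", 6),
    ("100.126.0.0", "255.255.0.0", "On-link", "100.126.31.1", 261),
    ("192.168.7.0", "255.255.255.0", "On-link", "100.126.31.1", 6),
    ("192.168.68.0", "255.255.255.0", "On-link", "192.168.68.244", 286),
]
TUNNEL_IF = "100.126.31.1"  # NetBird interface address from the status output


def select_route(dst):
    """Return the route the stack would pick: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best_key, best_route = None, None
    for dest, mask, gateway, iface, metric in ROUTES:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr not in net:
            continue
        key = (-net.prefixlen, metric)  # smaller key wins
        if best_key is None or key < best_key:
            best_key = key
            best_route = {"network": str(net), "gateway": gateway,
                          "interface": iface, "metric": metric}
    return best_route


def uses_tunnel(dst):
    """True when traffic to dst leaves through the NetBird interface."""
    route = select_route(dst)
    return route is not None and route["interface"] == TUNNEL_IF


if __name__ == "__main__":
    # 192.168.7.1: AdGuard Home from the report.
    # 192.168.68.1: assumed resolver of the local Wi-Fi network.
    # 1.1.1.1 / 200.1.1.1: sample public addresses in each /1 half.
    for resolver in ("192.168.7.1", "192.168.68.1", "1.1.1.1", "200.1.1.1"):
        r = select_route(resolver)
        where = "tunnel" if uses_tunnel(resolver) else "OUTSIDE tunnel"
        print(f"{resolver:>14} -> {r['network']:<18} via {r['interface']} ({where})")
```

The two /1 routes outrank the /0 default for any public address, while the on-link 192.168.68.0/24 route is more specific than either, so a query addressed to a resolver on the local subnet never enters the tunnel.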