When sending a single user or an entire subnet out WireGuard to a fictitious “ProNord” WireGuard VPN, a DNS IP address is usually provided along with the usual settings.
Q → How do we ensure that, when browsing the internet, those forced out the WireGuard tunnel (typically using a table/route/routing rule) also have their DNS queries go out the tunnel and not the local WAN?
Stated differently → ensure no DNS leakage to the local WAN, as the reason often is to avoid local scrutiny.
a. Is it enough to do nothing?
b. Simply put the DNS server = WireGuard gateway IP in the DHCP server network DNS settings?
c. Should we create an IP route for that DNS IP?
/ip route
add dst-address=ProNord-DNS-IP gateway=wireguard1 routing-table=main
d. Is the route above enough, OR should we add dst-nat rules to force users to the DNS IP?
/ip firewall nat
add chain=dstnat action=dst-nat src-address=local-subnet protocol=udp dst-port=53 to-addresses=ProNord-DNS-IP
add chain=dstnat action=dst-nat src-address=local-subnet protocol=tcp dst-port=53 to-addresses=ProNord-DNS-IP
e. Other?
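As an added example (not the original poster's configuration), this is how the route, routing rule, DHCP DNS setting and dst-nat redirect fit together on RouterOS v7; it assumes a client subnet of 192.168.88.0/24, a tunnel interface wireguard1 and PRONORD_DNS_IP as a placeholder for the provider's DNS address.

```routeros
# Added example, not from the original post. Assumes RouterOS v7,
# client subnet 192.168.88.0/24, tunnel interface wireguard1, and
# PRONORD_DNS_IP as a placeholder for the provider's DNS address.

# 1. Dedicated routing table whose only default route is the tunnel.
/routing table
add name=via-pronord fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-pronord

# 2. Look up all traffic from the subnet (DNS included) in that table only.
#    lookup-only-in-table means no fallback to main/WAN if the tunnel is down.
/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=via-pronord

# 3. Hand clients the provider DNS via DHCP so normal lookups already use it.
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=PRONORD_DNS_IP

# 4. Redirect clients that hard-code another resolver (UDP and TCP port 53).
/ip firewall nat
add chain=dstnat src-address=192.168.88.0/24 protocol=udp dst-port=53 action=dst-nat to-addresses=PRONORD_DNS_IP
add chain=dstnat src-address=192.168.88.0/24 protocol=tcp dst-port=53 action=dst-nat to-addresses=PRONORD_DNS_IP
# Source NAT so replies return via the tunnel endpoint address.
add chain=srcnat out-interface=wireguard1 action=masquerade

# 5. Leak check: watch the WAN interface (ether1 assumed) for port 53 traffic
#    while a client resolves names; nothing from 192.168.88.0/24 should appear.
/tool sniffer quick interface=ether1 port=53
```

Step 2 is what actually carries the clients' DNS queries out the tunnel; a route placed only in the main table (as in option c) is not consulted once the subnet is looked up in via-pronord. The port-53 redirect in step 4 does not cover DNS over HTTPS or DNS over TLS (443/853), which simply follow the routing rule.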