How to prevent DNS leak?

philotux

How to prevent DNS leak?

Post by philotux »

Hi,

I have configured my VPN via Network Manager by means of .ovpn files from NordVPN. But unfortunately, no matter what server I choose to connect to, my DNS seems to be leaking. I have run the extended test at https://www.dnsleaktest.com/ and all the servers that show up belong to my actual ISP. None of NordVPN's servers is among them. I have tried both Chromium and Firefox to run the test, with the same result. Only when I use NordVPN's browser extension for Chrome/Chromium and Firefox can I stop the leak. But the extension won't give me much of a choice as to which server I want to connect to. I can only choose the country and it will automatically pick a server for me.

I should add that I use NordVPN on another platform (Android) and on other Linux-based OSes with no DNS leakage.

Thanks in advance for your help and suggestions!
philotux
redlined

Re: How to prevent DNS leak?

Post by redlined »

hi philotux!

Using the NordVPN client should automate this, including a "kill switch" effect which can be real handy. However, if manually importing VPN provider .ovpn configs then some other manual labour is required to ensure DNS resolves through the VPN. Other such 'branded' OpenVPN clients may work as well (Eddie, the OpenVPN client from AirVPN, can manage connections with other providers, and there is a new one I've come across called qomui, a Qt5 project that I'm looking at giving a try).

Otherwise, to force, and enforce, DNS working only through the VPN really amounts to UFW/iptables rules to block everything except the port/protocol/IP address of the VPN server (e.g. see the very bottom of the ovpn manpage:
FIREWALLS
OpenVPN's usage of a single UDP port makes it fairly firewall-friendly. You should add an entry to your firewall rules to allow incoming OpenVPN packets. On Linux 2.4+:
iptables -A INPUT -p udp -s 1.2.3.4 --dport 1194 -j ACCEPT
This will allow incoming packets on UDP port 1194 (OpenVPN's default UDP port) from an OpenVPN peer at 1.2.3.4.
<snip>
You should also add firewall rules to allow incoming IP traffic on TUN or TAP devices such as:
iptables -A INPUT -i tun+ -j ACCEPT to allow input packets from tun devices,
and
iptables -A FORWARD -i tun+ -j ACCEPT to allow input packets from tun devices to be forwarded to other hosts on the local network)
and block all else! phd21 and I were working on a script to automate this a while back; it works well and the discussion can be found here: [SOLVED] UFW script for VPN drop protection (kill switch)

Other manual efforts you can use to ensure this: in Windows there is an ovpn flag, block-outside-dns, which automates the function of removing DNS entries for any adapter except the TUN adapter ovpn creates. This can be replicated easily enough in Linux by setting a static DNS address of 127.0.0.1 (or leaving it blank) in Network Manager (NM) for the computer's ethernet adapter (and/or wifi if used). This will force/rely on your VPN provider to provide DNS through the TUN adapter as assigned by DHCP Auto (or DHCP Address only, and manually point to the DNS address you want to use, such as dnscrypt-proxy, bind, unbound, public DNS resolvers, etc.).

PS. I disable IPv6 on my system 5 different ways because I do not want it nor trust it, especially in VPN scenarios. To ensure IPv6 security make sure you know if/how your VPN provider supports it and make appropriate changes to ensure it is set up correctly (i.e. in firewall rules, in NM settings for the eth/wifi adapter and the TUN adapter made by ovpn).

Another option may be to set up (all) system resolvers as local using bind9, unbound or, even better, dnscrypt-proxy (which you can set up to resolve only over the DoH (DNS over HTTPS) protocol and use Cloudflare's public DoH servers; other public offers for DoH are Google and some OpenNIC ones I've come across but not yet tried). This will keep all DNS-type interference by the ISP out of the picture and, in the case of dnscrypt-proxy, ensure that no one anywhere can see or tamper with DNS requests at all, since it is all over the HTTPS transport protocol and is only known to you and the remote DNS server.

This is what I do, regardless of whether I use a VPN (or not) provided by PIA, AirVPN or Cotse (for now I simply use AirVPN's client, Eddie, which is stable and reliable and gives me more visual feedback and a finer grain of tweaking, simple server switching and a 'kill switch'). Basically I don't rely on DNS from my VPN provider at all; they just give me the secure tunnel to keep my ISP out of my online business, and dnscrypt-proxy ensures any DNS request, leaked around the VPN connection or not, is encrypted, hence out of the prying eyes of the ISP and others.

Some links about most of the above, and other ideas:
a few good options discussed in this thread

more, local, discussion.

catweazel may have sorted the right trick for that block-outside-dns flag to be used in Linux, but I suspect it is more due to the rest of that edit (script-security 2, up /etc/openvpn/update-resolv-conf, down /etc/openvpn/update-resolv-conf, down-pre) that is doing something related. He is also setting NordVPN DNS at the router, which does not say whether the system leaks DNS or not, as the router (DHCP server) is simply giving NordVPN DNS to any computer on the network that asks for it, on whichever adapter is making the DHCP request.

If that is indeed the case, as I suspect, then a much better option would be to serve your own DNS with dnscrypt-proxy for the system to fully encrypt all DNS requests, regardless of whether the VPN is up or down. If that interests you and you'd like an example of the config I have for it, then give me a shout and I'll get it to you by PM, email or tox chat. Although it is pretty easy to set up and run, take care to do so by the author's notes for both Linux in general and/or Debian/Ubuntu-based distros for the simpler method. (I set up via Linux general, before finding the buried Ubuntu notes.)

Edit to add: some more links, nothing like TMI!
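The "block everything except the VPN server, then let the tunnel carry the rest" rule set the post above describes, written out as an added example (my own, not redlined's UFW script and not OpenVPN's manpage text). It emits an iptables-restore ruleset rather than calling ufw, so the whole policy loads atomically. All five arguments are placeholders: the server IP, port and protocol must be copied from the .ovpn "remote" line (as an IP address, since port 53 is closed once the rules are in), and the interface names are whatever your NIC and the OpenVPN tun device are called. Port 53 is rejected on every interface but the tunnel, which is the Linux stand-in for the Windows-only --block-outside-dns flag; IPv6 is dropped outright, matching the post's advice, unless your provider tunnels it.

```shell
#!/bin/sh
# Added example (not from the forum post): iptables-restore ruleset that lets the
# physical NIC carry only the OpenVPN session (plus DHCP renewals) and forces all
# other traffic, DNS included, into the tunnel interface.
# Arguments are placeholders: fill them from the .ovpn "remote <host> <port> <proto>" line.

# Print the IPv4 ruleset: killswitch_rules SERVER_IP PORT udp|tcp PHYS_IF TUN_IF
killswitch_rules() {
    vpn_server=$1; vpn_port=$2; vpn_proto=$3; phys_if=$4; tun_if=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and replies to flows we opened ourselves
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# keep the DHCP lease on the physical NIC alive (broadcast offers bypass conntrack)
-A OUTPUT -o ${phys_if} -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i ${phys_if} -p udp --sport 67 --dport 68 -j ACCEPT
# the only other thing allowed out of the physical NIC: the VPN session itself
-A OUTPUT -o ${phys_if} -p ${vpn_proto} -d ${vpn_server} --dport ${vpn_port} -j ACCEPT
# Linux stand-in for --block-outside-dns: port 53 is reachable only inside the tunnel
-A OUTPUT ! -o ${tun_if} -p udp --dport 53 -j REJECT
-A OUTPUT ! -o ${tun_if} -p tcp --dport 53 -j REJECT
# everything else rides the tunnel
-A INPUT -i ${tun_if} -j ACCEPT
-A OUTPUT -o ${tun_if} -j ACCEPT
COMMIT
EOF
}

# IPv6: nothing but loopback, unless the provider actually tunnels v6 for you.
killswitch_rules_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage: sh killswitch.sh print|apply SERVER_IP PORT PROTO PHYS_IF TUN_IF
#   print  shows the ruleset;  apply  loads it (needs root).
case ${1:-} in
    print) shift; killswitch_rules "$@"; killswitch_rules_v6 ;;
    apply) shift
           killswitch_rules "$@" | iptables-restore
           killswitch_rules_v6 | ip6tables-restore ;;
esac
```

Check it before trusting it: with the tunnel down, `dig @1.1.1.1 example.com` must fail immediately (REJECT) rather than time out, and `ping -c1 1.1.1.1` must get nothing; with the tunnel up, both work and dnsleaktest.com should list only the provider's resolver.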
trytip

Re: How to prevent DNS leak?

Post by trytip »

Did you change any DNS settings on your system or did you just install the VPN? nslookup yahoo.com
philotux

Re: How to prevent DNS leak?

Post by philotux »

redlined wrote: Sat Jan 05, 2019 4:00 pm hi philotux!

Using the NordVPN client should automate this, including a "kill switch" effect which can be real handy. However, if manually importing VPN provider .ovpn configs then some other manual labour is required to ensure DNS resolves through the VPN.

....
Hi redlined,

Wow, what a post packed with info! Thank you so much! I have to admit that my knowledge about the ins and outs of VPNs is almost non-existent, so I guess I have a lot of reading and homework to do. I am determined to make this work and learn more about this, so I am grateful for all the pointers and suggestions.
trytip wrote: Sat Jan 05, 2019 4:39 pm Did you change any DNS settings on your system or did you just install the VPN? nslookup yahoo.com
Hi trytip,
Thanks for the reply!
No, I didn't change any settings. I just installed the VPN and used the .ovpn files to configure the connections via Network Manager.
(right-click on the icon on the panel: Network Settings --> + , import from file...)

$ nslookup yahoo.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	yahoo.com
Address: 98.137.246.7
Name:	yahoo.com
Address: 72.30.35.10
Name:	yahoo.com
Address: 72.30.35.9
Name:	yahoo.com
Address: 98.138.219.232
Name:	yahoo.com
Address: 98.138.219.231
Name:	yahoo.com
Address: 98.137.246.8
Name:	yahoo.com
Address: 2001:4998:58:1836::10
Name:	yahoo.com
Address: 2001:4998:58:1836::11
Name:	yahoo.com
Address: 2001:4998:44:41d::4
Name:	yahoo.com
Address: 2001:4998:44:41d::3
Name:	yahoo.com
Address: 2001:4998:c:1023::4
Name:	yahoo.com
Address: 2001:4998:c:1023::5
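The nslookup above answers from 127.0.0.53, which is the local stub of systemd-resolved, so it cannot show which upstream resolver the query actually reached; that is recorded per link and printed by `resolvectl status` (`systemd-resolve --status` on older systemd). The script below is an added example, not part of the thread, that parses that output and reports any DNS server attached to a link other than the tunnel, which is exactly the server a leak test ends up talking to. The embedded status text is constructed with made-up addresses so the script runs offline; the interface names and the "tun" prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the forum thread): find DNS servers that systemd-resolved
# will use on links other than the VPN tunnel.  Feed it "resolvectl status" or
# "systemd-resolve --status"; no arguments runs it on the constructed sample below.

# stdin: resolvectl-style status text.  stdout: one "link<TAB>server" line per server.
resolvers_per_link() {
    awk '
        /^Link [0-9]+ \(/ { link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*/, "", link); in_srv = 0; next }
        /^Global/        { link = "global"; in_srv = 0; next }
        /DNS Servers:/   { in_srv = 1; sub(/.*DNS Servers:/, "") }
        # the first server sits on the "DNS Servers:" line, further ones on indented lines
        in_srv && /^[ \t]*[0-9a-fA-F.:]+(%[A-Za-z0-9]+)?([ \t]+[0-9a-fA-F.:]+(%[A-Za-z0-9]+)?)*[ \t]*$/ {
            for (i = 1; i <= NF; i++) print link "\t" $i
            next
        }
        in_srv { in_srv = 0 }
    '
}

# Report every server not bound to a link whose name starts with $1 (default "tun").
# Global servers are reported too: resolved may use them for any link.
leaking_resolvers() {
    resolvers_per_link | awk -F'\t' -v pat="^${1:-tun}" '$1 !~ pat'
}

# Constructed sample: the NIC still hands resolved the router's DNS server while
# the tunnel pushes two provider resolvers.  Addresses are made up.
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (enp3s0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 5 (tun0)
    Current Scopes: DNS
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1
                    10.8.0.2'

# Usage:  resolvectl status | sh dnsaudit.sh --stdin [tunprefix]
# With no arguments the constructed sample is audited instead.
case ${1:-} in
    --stdin) leaking_resolvers "${2:-tun}" ;;
    "")      printf '%s\n' "$SAMPLE_STATUS" | leaking_resolvers tun ;;
esac
```

Any line the script prints is a resolver that queries can reach outside the tunnel; an empty result with the tunnel up is the state you want before re-running dnsleaktest.com.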
trytip

Re: How to prevent DNS leak?

Post by trytip »

I change DNS the same way in multiple desktops and distros:

[screenshots: Network Manager connection settings with the DNS servers set manually, pointing at OpenDNS]
redlined

Re: How to prevent DNS leak?

Post by redlined »

Hey philotux, yah, I tend to get even more wordy when the topic is one of the subjects I really enjoy.

trytip has posted screenshots from NM for setting DNS on the wifi connection (same as the settings for ethernet and VPN that NM manages). Just be advised: if there is a valid DNS address on wifi or ethernet your system will leak DNS requests outside of the VPN unless you otherwise block it, and that could be done using the "UFW kill switch" script me and phd21 sorted out in the thread mentioned above.

Those leaks, e.g. to OpenDNS.com servers in trytip's screenshots, will be readable by anyone/thing between the computer and the DNS server (e.g. the ISP and TLAs ;) so if this is not a concern then all is cool. The same would happen with any of the public/open DNS offers out there, the exception being DNS servers which allow DoH, which when done correctly encrypts the entire request and response as it flies through the internet, both going out and coming back.

This led to my own decision, due to changes in VPN up and down requirements locally, to just simply encrypt my DNS so nobody gets to see it but me and the DNS server, regardless of VPN state. This is what dnscrypt-proxy does, and even if I leak DNS requests nothing is learned from the packets captured. As for trusting Cloudflare as a 'no log/no filter' DNS provider, I figure even if they were logging there would be some measure of being hidden amongst the masses ;)
https://developers.cloudflare.com/1.1.1.1/
https://1.1.1.1/

PS, of all the open/public DNS I've tried over the years nothing came close to Google's public (at 8.8.8.8/8.8.4.4) until Cloudflare (1.1.1.1/1.0.0.1) came along, and now I rarely see greater than 12-20ms RTT, with Google coming in upward of 50-60ms as normal.

Funny thing with DNS leak tests: when you use any cloud DNS resolver service (OpenDNS, Cloudflare, Google, Quad9, etc.) you are likely to get 10-20 DNS servers listed if the connection is not tunneled through the VPN (but all will be cloud service DNS addresses, not the ISP's)...
or you'll likely get just one, maybe two, DNS addresses if properly tunneled through the VPN (i.e. no DNS leaks, and in my case only the one Cloudflare response closest to the VPN exit point). For me it's Dallas with AirVPN and Denver for my other VPN providers; with Denver (my hometown) exits everything is smokin', especially DNS, as a Cloudflare data center is here.
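The two-part setup redlined describes (first post: point the ethernet/wifi connections at 127.0.0.1 in Network Manager so they carry no usable resolver; this post: run dnscrypt-proxy locally so every lookup leaves over DoH whether or not the tunnel is up) as an added example of my own, not the config redlined offered to share and not the project's own files. It assumes NetworkManager with nmcli, dnscrypt-proxy 2.x with its stock config layout (the resolver name "cloudflare" and the public-resolvers source URL and signing key are the ones in the project's example config), and the connection list embedded below, which is constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): strip usable DNS servers from every
# non-VPN NetworkManager connection by pinning them to 127.0.0.1, and write a
# dnscrypt-proxy config that serves that address over DoH.
# Assumptions: nmcli, dnscrypt-proxy 2.x, config at /etc/dnscrypt-proxy/dnscrypt-proxy.toml.

# stdin: "nmcli -t -f NAME,TYPE connection show".  stdout: one nmcli modify command
# per connection that is not itself the tunnel.
pin_dns_cmds() {
    local_dns=${1:-127.0.0.1}
    while IFS=: read -r name type; do
        [ -n "$name" ] || continue
        case $type in
            vpn|wireguard|tun|loopback) continue ;;   # the tunnel keeps its pushed DNS
        esac
        # ignore-auto-dns: discard whatever DHCP offered; IPv6 gets no resolver at all
        printf 'nmcli connection modify "%s" ipv4.ignore-auto-dns yes ipv4.dns %s ipv6.ignore-auto-dns yes ipv6.dns ""\n' \
            "$name" "$local_dns"
    done
}

# Minimal dnscrypt-proxy.toml: listen on the pinned address, DoH only, no-log/no-filter.
# Keys are from the project's example config; values are this example's choices.
dnscrypt_config() {
    cat <<'EOF'
listen_addresses = ['127.0.0.1:53']
server_names = ['cloudflare']
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = false
doh_servers = true
require_nolog = true
require_nofilter = true
cache = true

[sources]
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md']
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFTE'
  refresh_delay = 72
EOF
}

# Constructed nmcli output: two physical connections, one VPN profile, loopback.
SAMPLE_CONNECTIONS='Wired connection 1:802-3-ethernet
HomeWifi:802-11-wireless
nordvpn-us1234:vpn
lo:loopback'

# Usage: sh pin-dns.sh apply   writes the config and pins the live connections (root).
# No arguments: print what would be done for the constructed sample.
case ${1:-} in
    apply) dnscrypt_config > /etc/dnscrypt-proxy/dnscrypt-proxy.toml
           nmcli -t -f NAME,TYPE connection show | pin_dns_cmds 127.0.0.1 | sh ;;
    "")    printf '%s\n' "$SAMPLE_CONNECTIONS" | pin_dns_cmds 127.0.0.1
           dnscrypt_config ;;
esac
```

After `apply`, restart dnscrypt-proxy and bring each modified connection down and up again so NetworkManager re-reads it; `resolvectl status` should then show 127.0.0.1 on the physical links, and a capture on the NIC (`tcpdump -ni <nic> port 53`) should stay empty while browsing, since the only DNS traffic leaving the box is the proxy's HTTPS.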
philotux

Re: How to prevent DNS leak?

Post by philotux »

redlined wrote: Sat Jan 05, 2019 6:35 pm Hey philotux, yah, I tend to get even more wordy when the topic is one of the subjects I really enjoy.

...
Yes, I understand that. It's a fascinating subject. And thank you once again for your post and sorry for the late reply. I guess I need some time to take in and digest all the info and hopefully be able to put it in practice. I'll get back to this thread if/when I encounter any obstacle along the road.

regards,
philotux
redlined

Re: How to prevent DNS leak?

Post by redlined »

No hurries, no worries my friend! There are many VPN subscribers in the forums, for sure, and if a wall pops up for you don't hesitate to shout it out, because it is a complex topic, meshing networking in with encrypted transports and tunnels. It's easy to get lost in those woods early on and not end up with the protection expected and assumed if not mindful of the nuances in the protocols.
phd21

Re: How to prevent DNS leak?

Post by phd21 »

Hi philotux,

I just read your post and the good replies to it. Here are my thoughts on this as well.

As long as you change your local ISP connection's default DNS server IP addresses, which everyone should be doing anyway, even if your VPN connection leaks DNS information, it will only be from the DNS Provider not yours, so you are still anonymous and safe.

Previous post:
[SOLVED]How to fix dns leaks? - Linux Mint Forums
viewtopic.php?f=157&t=270477&hilit=resolvconf


Hope this helps ...
Phd21: Mint 20 Cinnamon & KDE Neon 64-bit Awesome OS's, Dell Inspiron I5 7000 (7573, quad core i5-8250U ) 2 in 1 touch screen
philotux

Re: How to prevent DNS leak?

Post by philotux »

phd21 wrote: Sun Jan 06, 2019 8:23 pm Hi philotux,

I just read your post and the good replies to it. Here are my thoughts on this as well.

As long as you change your local ISP connection's default DNS server IP addresses, which everyone should be doing anyway, even if your VPN connection leaks DNS information, it will only be from the DNS Provider not yours, so you are still anonymous and safe.

Previous post:
[SOLVED]How to fix dns leaks? - Linux Mint Forums
viewtopic.php?f=157&t=270477&hilit=resolvconf


Hope this helps ...
Hi phd21,

Thanks so much for your reply. I will surely be looking into the other thread and the other links provided there. That's great!

regards,
philotux
redlined

Re: How to prevent DNS leak?

Post by redlined »

phd21 wrote: Sun Jan 06, 2019 8:23 pm Previous post:
[SOLVED]How to fix dns leaks? - Linux Mint Forums
viewtopic.php?f=157&t=270477&hilit=resolvconf
I didn't get past the 1st page before the inner mythbuster took charge of my keyboarding..

ref: https://community.openvpn.net/openvpn/w ... n24ManPage (3/4 of the way down, is same statement in 23manpage for that command)
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.

This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
(PS, also on the topic of dispelling myths: unencrypted DNS is readable by anyone between the computer and the DNS server, including the ISP (and very blockable if the ISP filters and wants to be in users' business, regardless of whether you use public/open DNS servers outside of ISP control).
Even DNSSEC does not protect/encrypt (another myth); it merely ensures the validity of the response.

dnscrypt-proxy and similar tools can actually encrypt DNS queries and responses so that no one but the computer and the DNS server know exactly what was requested and what was responded, and DNS over HTTPS (DoH) is really the only way to not be concerned whether your VPN'd system leaks DNS requests or not, if that is a concern at all, because even if it does leak it is not possible to read (i.e. it is encrypted, the entire packet, full stop!).

The "one twue way" to ensure no DNS leaks is to set the DNS addresses manually and blank/empty, or point them to the DMZ, or localhost or such, on all adapters except the VPN adapter (TUN/TAP) that OpenVPN created,

and/or ensure a 100% block of all internet in/out on everything except the VPN adapter by setting correct UFW/iptables rules.
phd21

Re: How to prevent DNS leak?

Post by phd21 »

Hi philotux,

You are welcome from all of us that replied...