linux DNS LEAK?

computerfunguy

linux DNS LEAK?

Post by computerfunguy »

Hi! I recently got Trust.Zone/OpenVPN for Linux Mint. I installed it and everything is working fine. HOWEVER, it does NOT pass a DNS leak test! What can I do to fix this? Thanks.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
redlined

Re: linux DNS LEAK?

Post by redlined »

Set DNS in Network Manager (NM) to manual, and leave it blank, for the (Ethernet or Wi-Fi) adapter you use. This will also kill internet, or more specifically DNS resolves, without an active VPN connection (direct IP-address connections should not be affected, and any cached resolves may also still connect).

If your VPN is openvpn client based then you will have DNS through VPN as pushed from vpn provider or otherwise configured in ovpn settings (or TUN adapter in NM).

There are tons of options available to fix DNS leaks, the above is the simple/quick fix method. Firefox has some good recent dev (64+) using DNS over HTTPS (DoH) and eSNI set in about:config related to trusted recursive resolvers.

You can also serve your own DNS resolves, via bind or unbound or a similar project, and you could use something like dnscrypt-proxy to DoH-encrypt all resolves for the entire system, regardless of whether it is running a VPN or not.

(dnscrypt-proxy is a real handy way to ensure that even if DNS packets are collected they will be entirely encrypted, so no info can be gleaned by any 3rd-party snooper, including the ISP (which is the internet provider but an outsider to you/your system and your DNS resolver), about the resolve at all.)

edit to add: dnscrypt-proxy link
jondoe

Re: linux DNS LEAK?

Post by jondoe »

You could use DNS over TLS.

Also many DNS options out there,

such as OpenDNS.
redlined

Re: linux DNS LEAK?

Post by redlined »

jondoe wrote: Wed Feb 20, 2019 3:20 pm You could use DNS over TLS.

Also many DNS options out there,

such as OpenDNS.
DoT/DoH = protocols to encrypt DNS requests

OpenDNS, Quad9, Google's 8s, Cloudflare's 1s, etc. = public/free DNS providers

but neither DoT/DoH nor any public DNS provider will stop/fix DNS leak concerns when using a VPN (or Tor, or proxy this/that, etc.). I have not found a way, in Linux, to reliably deny system DNS access outside the VPN other than to set DNS to manual and leave it blank for all adapters except the VPN-created TUN adapter.

and this can quickly become a burden for those not requiring/desiring such DNS controls for the system, as it would require a manual edit to the primary internet adapter every time the VPN is started, and again when stopped. This is where I encourage looking at dnscrypt-proxy, as everything in the system will be encrypted and unknown to anyone besides the computer and the DNS resolver, regardless of whether it is going through the VPN or leaks outside the boundaries of it.

There are also network.trr and eSNI settings in FF64+ that, in effect and when coupled with HTTPS-served addresses, make a "poor man's VPN" which forces DNS resolves for the biggest leak offender (the browser) through a fully encrypted HTTPS tunnel, start to finish (and no DNS leaks, so to speak, but if used to surf non-HTTPS sites then an exercise in futility anyway).
jondoe

Re: linux DNS LEAK?

Post by jondoe »

The poster was not using TOR, so I don't think he's hiding from 5eyes.

Dnscrypt solves a man in the middle, but my experience is it is not the catch-all solution.

However, if the user uses your suggestion, and assuming he has control of his own router, I would blank the DNS default setting in the router as well. This might be his leak all along.

Also note I am not picking on your tried and true ways.

In my view privacy and security are not one and the same.
redlined

Re: linux DNS LEAK?

Post by redlined »

jondoe wrote: Wed Feb 20, 2019 5:09 pm The poster was not using TOR, so I don't think he's hiding from 5eyes.

Dnscrypt solves a man in the middle, but my experience is it is not the catch-all solution.

However, if the user uses your suggestion, and assuming he has control of his own router, I would blank the DNS default setting in the router as well. This might be his leak all along.

Also note I am not picking on your tried and true ways.

In my view privacy and security are not one and the same.
lol, I do suppose that sounded pretty "one twue wayism" above, my apologies - I'm not that knowledgeable, nor arrogant enough, to propose such.

and regardless of how many eyes look, or not, and regardless of VPN, TOR, or any proxy, DNS is common to leak and there are few ways to prevent it. (The other option is to enforce a "kill switch" effect, which is the same as those VPN providers that feature-add their own OpenVPN client GUI, and really all it amounts to is UFW/iptables used to block/drop DNS packets when the VPN goes down; this can also be simplified using scripts for up/down manually.)

anyway, OP shared a concern as being new to VPN on Linux Mint and how to stop DNS leaks. and really, blanking the adapter DNS is the way to do it (or iptables, which can be complicated). Blanking it at the router will prevent the router from assigning DNS to the computer during the DHCP exchange, but unless there is something in the system to point to the router as DNS resolver then I don't see how that would help prevent DNS leaks for the browser or system.

dnscrypt-proxy removes any concern over DNS leaks, regardless of whether you need TOR for anonymity, or VPN for privacy (TLA stuff, as well as ISP throttling and packet shaping) or general country-level geoblock circumvention... when it is configured to force DoT/DoH then it doesn't matter what leaks, nor from where, because it is all encrypted, from top of packet to bottom, nothing to hint at what is actually going on.

While I could argue the security benefits of it, I don't think I brought anything directly security related in this thread, because to me the basic concern about VPN leaking DNS requests is all privacy focused.
jondoe

Re: linux DNS LEAK?

Post by jondoe »

I happen to be at work.... So I will wait till later to deeply respond.... Hopefully in the interim the original poster will respond with more info.

I'm wondering if it's his choice of VPN causing all the havoc. I have not used or heard of his VPN so I am unsure at this point. If it is a free one maybe that is the culprit. If indeed a free one, I think I will try your solution and see what happens. I have used several and not had issues when at least not using my ISP as a DNS.
phd21
Level 20
Posts: 10103
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: linux DNS LEAK?

Post by phd21 »

Hi computerfunguy,

Welcome to the wonderful world of Linux Mint and its excellent forum!

I just read your post and the good replies to it. Here are my thoughts on this as well.

It would help to know more about your system setup. If you run "inxi -Fxzd" and "lsusb" from the console terminal prompt, highlight the results, copy and paste them back here, that should provide enough information.

If you simply change your local ISP connection's DNS servers to those from a secure and anonymous DNS provider like those mentioned (Cloudflare, dns.watch, OpenDNS, OpenNIC, etc.) and log out and back in or restart the computer, then even if the VPN connection does leak DNS it will be from the DNS provider, not your local ISP, so you will still be secure and anonymous. You can change the DNS server IP addresses from your computer desktops, hardware routers, even smartphones; see the Setup Guide link below (you can use any DNS provider's servers). You can even encrypt your DNS activity using various options; see the links below and other replies.

Setup Guide | OpenDNS
- In the link below, click computers and laptops then Linux Mint for desktop instructions.
https://www.opendns.com/setupguide/

There are various options to stop DNS leaks from the computer desktop, but they require a little more effort.
[SOLVED]How to fix dns leaks?
viewtopic.php?f=157&t=270477&hilit=openresolv

Encrypting DNS
My router now has an option for DNS over TLS using Cloudflare DNS and if you also check force all clients then everything connected to the router has secure encrypted DNS.

How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS
https://www.linuxbabe.com/ubuntu/ubuntu ... s-over-tls

How to use DNS over TLS on Ubuntu Linux - TechRepublic
https://www.techrepublic.com/article/ho ... ntu-linux/

Running a DNS over HTTPS Client - Cloudflare Resolver
https://developers.cloudflare.com/1.1.1 ... red-proxy/

Verify DNS encryption - Cloudflare ESNI Checker
https://www.cloudflare.com/ssl/encrypted-sni/

Hope this helps ...
Last edited by phd21 on Thu Feb 21, 2019 2:39 pm, edited 4 times in total.
Phd21: Mint 20 Cinnamon & xKDE (Mint Xfce + Kubuntu KDE) & KDE Neon 64-bit (new based on Ubuntu 20.04) Awesome OS's, Dell Inspiron I5 7000 (7573) 2 in 1 touch screen, Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, Intel 4 Graphics.
jondoe

Re: linux DNS LEAK?

Post by jondoe »

If you could also let us know the type of leak?

What browser do you use?

Presumably you went to a leak test site to find out.

Assuming you are finding this out from, say, a home ISP internet connection.
Assuming you have a router.

I would change the DNS in your router as has been suggested multiple times.
You can also change DNS on your network interface card.

Some leak types:

Leak Type: DNS WebRTC leak = in its simplest form, this is a browser leak.

WebRTC = a modern browser-based technology for real-time communication: voice calling, video chats and file sharing directly in a browser.

WebRTC implements STUN (Session Traversal Utilities for NAT), a protocol that can sometimes discover the public IP address.

To Solve this problem If you use Firefox :

1. type "about:config" in the address bar of firefox ( no quotes)
2. scroll down to " media.peerconnection.enabled "
3. if it says = True then double click to change it to False.
4. close firefox , you may reboot as well to be sure.
5. Retest.

To Solve this problem if you use Chrome Browser:
Install Google official extension WebRTC Network Limiter, go to extension settings and switch to Use only my default public IP address.

DNS leak: DNS leaks are possible when you have the DNS servers of your ISP set in your internet connection settings or in your modem/router.


If you like you may use any of the DNS suggestions already posted in the above posts,

i.e. OpenDNS, or even your VPN's --> Trust.Zone DNS: 109.236.87.2, 144.217.75.55, or even

Google DNS over TLS:

Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). Responses from recursive resolvers to clients are the most vulnerable to undesired or malicious changes, while communications between recursive resolvers and authoritative name servers often incorporate additional protection.

To address these problems, Google Public DNS offers DNS resolution over TLS-encrypted TCP connections as specified by RFC 7858. DNS-over-TLS improves privacy and security between clients and resolvers. This complements DNSSEC and protects DNSSEC-validated results from modification or spoofing on the way to the client.

Link provided below for more info.

https://developers.google.com/speed/pub ... s-over-tls
catweazel
Level 19
Posts: 9763
Joined: Fri Oct 12, 2012 9:44 pm
Location: Australian Antarctic Territory

Re: linux DNS LEAK?

Post by catweazel »

computerfunguy wrote: Tue Feb 19, 2019 1:40 pm Hi! I recently got trust zone/open vpn for linux mint. I installed and everything is working fine HOWEVER, it does NOT pass a dns leak test! What can i do to fix this? thanks
block-outside-dns

If you use openvpn.ovpn files downloaded from your VPN provider then adding that line to the config file before importing it will go a long way to preventing leaks.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.
Pippin
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: linux DNS LEAK?

Post by Pippin »

block-outside-dns for Windows only :wink:
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
redlined

Re: linux DNS LEAK?

Post by redlined »

reference block-outside-dns
https://community.openvpn.net/openvpn/w ... nPage#lbAO
Windows-Specific Options:
--block-outside-dns
Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.

This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use --setenv opt or --ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
it doesn't work unless the client is Windows (Vista+).

it can be replicated using scripts in Linux though, as all it really does is tighten up the Windows firewall (WFP) a bit. Up/down scripts could be called to do this. As well, it is a "feature add" for forcing DNS rules on the client machine by modifying UFW/iptables, also the "kill switch" or other similarly named effect added by many VPN providers who push their own branded ovpn client/frontend.

This talks of some options: https://askubuntu.com/questions/1065568 ... untu-18-04
I'm a dnscrypt-proxy fan so will echo that: when configured appropriately, any DNS leaks at all fail to generate concern because resolves are all inside HTTPS packets, indistinguishable from other HTTPS packets.
as well, I have tried (and cried :cry:) attempting to get dnsmasq worked into my setup; very frustrating with resolvconf updates that come from 4 sources on the system, and I have been looking to jump to openresolv to sort this better.
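The up/down-script version of block-outside-dns described above, written out as an added example (not from this thread, from OpenVPN, or from any VPN provider): it confines port 53 to the TUN device and loopback with iptables, so a resolver on eth0/wlan0 cannot be reached while the tunnel is up, and removes the rules when it goes down. Assumptions: iptables and ip6tables are installed, OpenVPN runs the script as root via the hypothetical path /etc/openvpn/dns-guard.sh, and the chain name VPN_DNS_GUARD is chosen for this example; script_type and dev are the environment variables OpenVPN itself exports to up/down scripts.

```shell
#!/bin/sh
# OpenVPN --up/--down script that confines DNS (port 53) to the tunnel device.
# Added example, not from the thread or any VPN provider. Assumptions: iptables
# and ip6tables are installed; OpenVPN runs this as root via
#   --script-security 2 --up /etc/openvpn/dns-guard.sh --down /etc/openvpn/dns-guard.sh
# and exports script_type ("up"/"down") and dev (e.g. tun0) in the environment.

CHAIN="VPN_DNS_GUARD"   # hypothetical chain name, chosen for this example

# Print the firewall commands instead of running them, so the policy can be
# inspected (and tested) without root; the case block at the bottom pipes
# them to sh when OpenVPN actually calls the script.
dns_guard_rules() {
  dev="$1"
  for bin in iptables ip6tables; do        # v4 and v6: an IPv6 resolver leaks too
    echo "$bin -N $CHAIN"
    echo "$bin -A OUTPUT -j $CHAIN"
    for proto in udp tcp; do
      # resolvers reached through the tunnel ...
      echo "$bin -A $CHAIN -o $dev -p $proto --dport 53 -j ACCEPT"
      # ... and a local stub (dnscrypt-proxy/unbound on loopback) stay allowed
      echo "$bin -A $CHAIN -o lo -p $proto --dport 53 -j ACCEPT"
      # everything else (eth0/wlan0 to the ISP resolver) is logged, then dropped
      echo "$bin -A $CHAIN -p $proto --dport 53 -j LOG --log-prefix 'DNS-LEAK-BLOCKED: '"
      echo "$bin -A $CHAIN -p $proto --dport 53 -j DROP"
    done
  done
}

# Undo on 'down': detach, flush and delete the chain.
dns_guard_teardown() {
  for bin in iptables ip6tables; do
    echo "$bin -D OUTPUT -j $CHAIN"
    echo "$bin -F $CHAIN"
    echo "$bin -X $CHAIN"
  done
}

# Sanity check on a rule listing read from stdin: succeed only if no ACCEPT rule
# targets a device other than the tunnel or loopback.
dns_guard_check() {
  ! grep 'ACCEPT' | grep -v -e "-o $1 " -e "-o lo " | grep -q .
}

case "${script_type:-}" in
  up)   dns_guard_teardown | sh 2>/dev/null   # tolerate a chain left from a crash
        dns_guard_rules "$dev" | sh -e ;;
  down) dns_guard_teardown | sh ;;
  *)    dns_guard_rules "${1:-tun0}" ;;       # dry run: just show the rules
esac
```

Run it with no arguments to see the rules it would install for tun0; blocked lookups show up in the kernel log with the DNS-LEAK-BLOCKED prefix, which is a handy way to confirm which program was still resolving outside the tunnel.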
computerfunguy

Re: linux DNS LEAK?

Post by computerfunguy »

THANK YOU to everyone. I will be trying all of your recommendations today. Will keep you updated. PS, I'm using the Firefox browser.
Pepi
Level 6
Posts: 1308
Joined: Wed Nov 18, 2009 7:47 pm

Re: linux DNS LEAK?

Post by Pepi »

https://www.cloudflare.com/ssl/encrypted-sni/

Out of Firefox, Waterfox, Chrome and Tor .... Chrome is the best and TOR the worst
trytip
Level 14
Posts: 5371
Joined: Tue Jul 05, 2016 1:20 pm

Re: linux DNS LEAK?

Post by trytip »

Pepi wrote: Thu Feb 28, 2019 9:16 am https://www.cloudflare.com/ssl/encrypted-sni/

Out of Firefox, Waterfox, Chrome and Tor .... Chrome is the best and TOR the worst
these tests are very inconclusive and I wouldn't depend on them
If I pass all four tests, am I secure no matter which site I browse?
Not necessarily. Even if you pass all four tests, the domain you are visiting also needs to support these technologies. If the domain you visit doesn't support DNSSEC, TLS 1.3, and Encrypted SNI, you are still potentially vulnerable, even if your browser supports these technologies.
redlined

Re: linux DNS LEAK?

Post by redlined »

Pepi wrote: Thu Feb 28, 2019 9:16 am https://www.cloudflare.com/ssl/encrypted-sni/

Out of Firefox, Waterfox, Chrome and Tor .... Chrome is the best and TOR the worst
for Firefox (and Waterfox, if FF64+ based; it is not available in IceCat nor the Tor Browser, which are FF60 ESR based) this is how to get eSNI and TRR set:
https://wiki.mozilla.org/Trusted_Recursive_Resolver

as trytip pointed:
If the domain you visit doesn't support DNSSEC, TLS 1.3, and Encrypted SNI, you are still potentially vulnerable, even if your browser supports these technologies.
However, using DNS that supports the above will keep DNS resolves via TRR good, but again for the browser only (everything else resolves directly with the DNS setting for the network adapter, hence the need to lock down DNS via iptables and/or use dnscrypt-proxy (or similar) to have all DNS from the system resolve using the DoH transport protocol).
https://tools.ietf.org/html/rfc8484
Pepi
Level 6
Posts: 1308
Joined: Wed Nov 18, 2009 7:47 pm

Re: linux DNS LEAK?

Post by Pepi »

trytip wrote: Thu Feb 28, 2019 10:41 am
Pepi wrote: Thu Feb 28, 2019 9:16 am https://www.cloudflare.com/ssl/encrypted-sni/

Out of Firefox, Waterfox, Chrome and Tor .... Chrome is the best and TOR the worst
these tests are very inconclusive and I wouldn't depend on them
If I pass all four tests, am I secure no matter which site I browse?
Not necessarily. Even if you pass all four tests, the domain you are visiting also needs to support these technologies. If the domain you visit doesn't support DNSSEC, TLS 1.3, and Encrypted SNI, you are still potentially vulnerable, even if your browser supports these technologies.
Yes ... no trust from me. You can test your browser and get different answers each time :lol:
kb2qqm

Re: linux DNS LEAK?

Post by kb2qqm »

I remember this when I was setting up NordVpn. I remember installing WebRTC. https://addons.mozilla.org/en-US/firefo ... le-webrtc/


I also turned off/hide my IPv6 address on my Router.
Last edited by kb2qqm on Fri Mar 01, 2019 12:16 pm, edited 1 time in total.
kb2qqm

Re: linux DNS LEAK?

Post by kb2qqm »

Brave browser https://www.addictivetips.com/ubuntu-li ... -on-linux/

I started using this after numerous Firefox crashes.