OpenVPN with NordVPN has DNS leak

[Yetanotherusername]

Hi,

I am new to Linux which I have installed alongside my windows 10.

How do I solve a DNS leak with OpenVPN?

I have Linux Mint 18.3 Cinnamon and I use OpenVPN to connect to my NordVPN subscription using these instructions.
On this website I noticed I have a DNS leak. I do not have a leak using NordVPN in windows 10!
I googled for solutions and tried the following:
http://www.ubuntubuzz.com/2015/09/how-t ... linux.html
block-outside-dns
But I'm not even sure I did it correctly since I'm a noob and not familiar with all this techno jumbo lingo. For a start, it took me ages to find out how to be able to edit the nl126.nordvpn.com.udp.ovpn file with root privileges.

I hope there's an easy solution. I would love to move to Linux but my experience till now is that Windows is for the general (ignorant) public and linux is for the intelligent programmers.

Thanks in advance for the help.

[sammiev]

I have been installing "bind9" like so.

Code: Select all

sudo apt-get install bind9

Edit your network connections and change IPv6 to Ignore.

Edit IPv4 to "Automatic DHCP Address only" and in DNS Servers: type in 127.0.0.1 and select save.

Code: Select all

sudo /etc/init.d/bind9 restart

Edit the configuration file:

Code: Select all

sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:

Code: Select all

dns=dnsmasq

Replace it with:

Code: Select all

#dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X.

Reboot computer or restart NetworkManager

Restart NetworkManager:

Code: Select all

sudo systemctl restart NetworkManager

Go here to test for leaks with and without your VPN.

https://ipleak.net/

You should have no leaks with and without your VPN.

Been do this for years and 127.0.0.1 is your best friend.

and if you see "Your IP addresses - WebRTC detection"

goto the bottom of the page and it will show you how to fix that as well.

Edit: added a few lines about NetworkManager from my later post.

[majpooper]

dnscrypt is another way to eliminate dns leak and is in the LM repositories
dnscrypt also works well with OpenDNS although you can pick any number of resolvers.
I learned about in this thread
viewtopic.php?t=107096
which led me here and has be updated for LM 18.x
http://www.webupd8.org/2014/08/encrypt- ... -with.html

[sammiev]

Dnscrypt is a wonderful utility but it will not fix a DNS leak. It's more for man in the middle attack.

DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

Non leaking VPN services do much the same.

Either way, a leaking DNS is just bad.

[Yetanotherusername]

This seemed to have worked except if I turn off my VPN (you said I will have no DNS leaks with and without vpn), webpages do not load.

[sammiev]

This seemed to have worked except if I turn off my VPN (you said I will have no DNS leaks with and without vpn), webpages do not load.

Very easy fix,

Code: Select all

sudo nano /etc/NetworkManager/NetworkManager.conf

# dns=dnsmasq

add the # sign in front of dns=dnsmasq

Save and reboot or restart NetworkManager

[GaryD]

I've used NordVPN to stream geo restricted videos. My simple workaround was to modify manually my DNS setting. I set to Google DNS and kaboom! DNS Leak gone.

[phd21]

Hi "Yetanotherusername",

I just read your post and the good replies to it. Here are my thoughts on this as well.

Very interesting approach "sammiev" to resolve the DNS leaks.

Another option eluded by "GaryD", which I recommend everyone do anyway, is to just change your Local ISP's default DNS servers in your Network Manager to those provided by a neutral, secure, and anonymous DNS provider like "dns.watch", "opennic", "openDNS", "freenom world", etc... Google also has public DNS servers, but I prefer to use a more anonymous DNS provider. This way may not prevent a VPN DNS leak, but it hides your actual location among many other benefits, whether you connect to a VPN server or not... Even if your VPN leaks DNS information, it will show the DNS provider's servers not your local ISP ones, so you are still safe, secure, and anonymous. Some VPN providers also provide their own DNS servers to use.

Hope this helps ...

[Pippin]

Hi,

First check if you have resolvconf installed, if not install it.
Then you can add following lines to your OpenVPN config file:

Code: Select all

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

and

Code: Select all

dhcp-option DNS put.dns.server.here

You can add multiple DNS server lines.

P.S.
block-outside-dns is for Windows only.

[sammiev]

Very interesting approach "sammiev" to resolve the DNS leaks.

Years a go a wise man who takes care of servers around the world showed me this method to use with paid vpn servers as an extra layer of protection.

It has severed me very well over the years of travel and living out of hotel rooms.

[Dragon_Chaser]

dnscrypt is another way to eliminate dns leak and is in the LM repositories
dnscrypt also works well with OpenDNS although you can pick any number of resolvers.
I learned about in this thread
viewtopic.php?t=107096
which led me here and has be updated for LM 18.x
http://www.webupd8.org/2014/08/encrypt- ... -with.html

Thanks. That DNS leak issue has been bugging me for a while. Using dnscrypt and adding the 127.0.0.2 entry has worked like a charm.

[majpooper]

Can someone help me understand this a little better - I am really confused at this point.
My configuration is :
VPN (Private Tunnel)
openvpn
dnscrypt using OpenDNS (CISCO) dns servers

Test results:
1.) Without the VPN and dnscrypt-proxy turned off - local ip and ISP DNS server ip
2.) VPN with dnscrypt-proxy turned off - VPN ip and VPN DNS server ip
3.) VPN with dnscrypt-proxy turned on - VPN ip and OpenDNS server ip
Questions:
2.) dnsleaktest.com indicates the VPN DNS servers - so no dns leak - correct?
3.) dnsleaktest.com indicates OpenDNS DNS servers from dnscrypt - dnsleak ?????

[sammiev]

3) Your using your VPN to connect to dnscrypt-proxy.

2) VPN from your computer to the VPN service.

1) Local IP to your ISP DNS server.

[Yetanotherusername]

Very easy fix,

Code: Select all

sudo nano /etc/NetworkManager/NetworkManager.conf

# dns=dnsmasq

add the # sign in front of dns=dnsmasq

Save and reboot or restart NetworkManager

OK sorry, I must have missed that hash in your first post. I am following instructions without knowing what I'm doing. For example:
When I "sudo systemctl restart NetworkManager" a new network connection appears (eno1 screenshot) and it connects to it automatically without vpn. eno1 has ipv4 set to automatic dhcp and contains several dns servers. It also has ipv6 set to automatic with some additional dns servers. Connection works fine but there is 3 things that I do not understand:
- why does the NordVPN server still appear on the ipleaks.net page even though VPN is checked off in the system tray (screenshots). Does this mean I do not need a NordVPN service and I am anonymous?
- on the ipleaks.net screenshot I circled a server in red that was not there yet yesterday (before adding # in front of dns=dnsmasq). When I click the ipv6 box that I circled in red, I can see my home town appear on that page. So I'm not protected then (dns leak)? After reboot I get connected to the default "wired connection 1" again with openvpn turned ON and eno1 is not there. When I then visit ipleaks.net I get the same as in screenshot with the circled ipv6 box. This box only disappears when deleting the # in front of dns=dnsmasq.
- do I need to reboot when I want to connect to "wired connection 1" + VPN again? Because when I click on this network and enable vpn, I cannot surf the web and need to reboot.

I am soooo tooootally lost in oblivion! Not a nice feeling at all. I don't drink but I need a beer now.

[sammiev]

I see your main connection is eno1, that is the connection you need to edit.

IPv4 - Method - Automatic (DHCP) address only
- DNS Server: 127.0.0.1

IPv6 - Method - Ignore

Save

Code: Select all

sudo systemctl restart NetworkManager

or stop your Internet connection and restart.

then test https://ipleak.net/

[Yetanotherusername]

I see your main connection is eno1, that is the connection you need to edit.

IPv4 - Method - Automatic (DHCP) address only
- DNS Server: 127.0.0.1

IPv6 - Method - Ignore

Save

Code: Select all

sudo systemctl restart NetworkManager

or stop your Internet connection and restart.

then test https://ipleak.net/

OK and in "sudo nano /etc/NetworkManager/NetworkManager.conf" do I leave this so that it reads "#dns=dnsmasq" as you said by adding the #? Because when I visit ipleak.net I get 2 possibilities:
1. with #dns=dnsmasq : on the ipleak.net page I can see an IPv6 box (screenshot previous post) that leads to my home town which does not look anonymous to me?
2. with dns=dnsmasq : on the ipleak.net page the IPv6 box is no longer present and only my VPN's IPv4 address and DNS address show. Which is what you're supposed to see if you want to be anonymous with no DNS leak, am I correct?

[sammiev]

#dns=dnsmasq is correct in /etc/NetworkManager/NetworkManager.conf

on the ipleak.net page the IPv6 box is no longer present and only my VPN's IPv4 address and DNS address show --> correct

Your IP address and DNS address should all be one of the same which means - No DNS Leak

Now check for leaks with/without the VPN -- You will have No DNS Leaks both ways.

Enjoy

[Rubin_Farr]

There has been an outstanding bug with Ubuntu that will cause DNS leaks. Bug report

I don't know if this is why you are getting leaks. To work around this particular bug, if you have it, you have to install an older network-manager and resolvconf and and hold it from getting updated. Ubuntu/Canonical has been freakishly slow addressing this bug.

Code: Select all

sudo apt-get install resolvconf=1.78ubuntu2

sudo apt install network-manager/xenial-security


sudo apt-mark hold network-manager  (or unhold)
sudo apt-mark hold resolvconf

[Yetanotherusername]

There has been an outstanding bug with Ubuntu that will cause DNS leaks. Bug report

I don't know if this is why you are getting leaks. To work around this particular bug, if you have it, you have to install an older network-manager and resolvconf and and hold it from getting updated. Ubuntu/Canonical has been freakishly slow addressing this bug.

Code: Select all

sudo apt-get install resolvconf=1.78ubuntu2

sudo apt install network-manager/xenial-security


sudo apt-mark hold network-manager  (or unhold)
sudo apt-mark hold resolvconf

Wow, finally a solution that works. I almost gave up linux since I have other pending problems to be solved. I entered your 4 lines in the terminal and reboot. Then I went to https://www.dnsleaktest.com/ and https://ipleak.net/ to test. I also reverted "sudo nano /etc/NetworkManager/NetworkManager.conf" to default settings reading dns=dnsmasq instead of #dns=dnsmasq. I left all the rest as posted in sammiev's instructions. So to summarise the solution for those that may face the same issue:

Code: Select all

sudo apt-get install bind9

Bottom right - Network connection icon - edit your connection: change IPv6 to Ignore
Edit IPv4 to "Automatic DHCP Address only" and in DNS Servers: type in 127.0.0.1 and select save

Code: Select all

sudo /etc/init.d/bind9 restart

Older network drivers:

Code: Select all

sudo apt-get install resolvconf=1.78ubuntu2
sudo apt install network-manager/xenial-security
sudo apt-mark hold network-manager  /**(or unhold)**/
sudo apt-mark hold resolvconf

Reboot
Test DNS leak at:
https://www.dnsleaktest.com/
https://ipleak.net/

Network connection IPv4.png

Network connection IPv6.png

IPleak.png

[Pat D]

Excellent.
Thank you sammiev.

I no longer have a DNS leak.