[SOLVED]How to fix dns leaks?

[Mintuser998]

This one says NY and NJ

[phd21]

Hi Mintuser998,

Those are DNS server IP addresses. As long as those do not reflect your current ISP or your current location, you should be alright. I noticed that when going to "ipleak.net" or other test websites, that DNS server IP addresses can be from all over the place, and there can be many of them or just one or a few. Theoretically, once you connect to a VPN provider's server, your system should inherit and reflect that location, but I noticed with some VPN providers (regardless of possible DNS leaks), they might use DNS servers from various places, even different countries.

.

VPNbook_US2_Server.jpg

[Mintuser998]

Thanks. What do those lines added to the ovpn config do?

[phd21]

Hi Mintuser998

You are welcome...

Those lines are to help prevent VPN DNS leaks by adding them to the ".ovpn" configuration files.

But, as I stated before not all VPN providers servers leak DNS information, and even if they did, as long as you have changed your local ISP connection's default DNS server IP addresses to a DNS provider's server IP addresses it will not matter, it won't be your local ISP DNS servers, and so you are still secure and anonymous. I am currently in Florida, USA. I did not add those lines to my vpngate server configuration file and yet no DNS leaks, ProtonVPN already had them in their configuration files and no leaks, and I did add them to vpnbook servers which did help.

Here some screenshots of various VPN providers and their server locations along with the results from "ipleqak.net" for each one, and my real (public / wan) IP address is not displayed, nor are my ISP's default DNS server IP addresses. And, as you can see the DNS servers can vary a lot. I am using the "cloudflare" DNS secure server IP addresses.

.

VPNbook_US2_Server.jpg

.

ProtonVPN_US2_Server.jpg

.

vpngate_US_server1.jpg

[Mintuser998]

Do you know of a way to STOP dns leaks? Regardless of whether it matters or not. And is it showing the dns connected to prior connecting to the vpn, or is it showing the one after connecting to the vpn?

[phd21]

Hi Mintuser998

I already gave you all the information and links to various options regarding DNS Leaks in this post and its replies.

My screenshots are showing DNS servers after connecting to the various VPN providers.

[Mintuser998]

You're right. I missed it. Can you tell me what this line of code does in a .ovpn file? I can't read terminal code very well.

Code: Select all

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

[trytip]

You're right. I missed it. Can you tell me what this line of code does in a .ovpn file? I can't read terminal code very well.

Code: Select all

setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

me neither, all i see is the woman in the red dress
this just means that usr/bin has all these aliases. when you open a terminal and type a command for a program like gedit for example the terminal will look in these directories for a program called gedit in theory you can place an executable file in any of these folders and the terminal will find it

[Mintuser998]

Then why did this say to use it?
viewtopic.php?f=90&t=260970&p=1410738&s ... 4#p1410148

[rbsudo]

Just saw this thread. I use VPN Gate (Open VPN). I searched a long time for a way to stop my vpn from leaking.
I found this and it has worked for me.

1.Open a terminal and enter:
sudo apt-get install openresolv nscd unbound

2. Restart the pc.

3. Activate the VPN.

4. Check for leaks on https://ipleak.net/

[Mintuser998]

Then I would have to remove resolvconf.

[Mintuser998]

Doesn't any dns showing up mean I have a leak? If so, then the links you've given me won't work to fix it.

[phd21]

Hi Mintuser998,

After doing some more research on this, and I came across more articles and some posts from "ProtonVPN", here are some more comments.

I just assumed that all Linux Mint editions and versions already have "resolvconf" installed which would help with DNS when using VPN connections.

Code: Select all

sudo apt install resolvconf

But as member "rbsudo" just mentioned and new information I located state that using "openresolve" may work better. I am going to install "openresolve" and experiment with that which will remove "resolvconf", so restart afterward. I am not sure about installing the "nscd" and "unbound" packages because I have not researched those (yet).

Code: Select all

sudo apt install openresolv

openresolv - Roy's Place
* Reasons for using openresolv
https://roy.marples.name/projects/openresolv

FYI-1: Regarding "vpngate" servers: Using the excellent application "vpngate with proxy" I have never had DNS leaks.


Domain name resolution - ArchWiki
https://wiki.archlinux.org/index.php/Do ... resolution


Update on DNS leak with Linux? : ProtonVPN
https://www.reddit.com/r/ProtonVPN/comm ... ith_linux/

FYI-2: ProtonVPN: For Linux users using the superb ProtonVPN provider, they also have a new Linux Client script.
ProtonVPN client tool for Linux - ProtonVPN Support
https://protonvpn.com/support/linux-vpn-tool/

ProtonVPN/protonvpn-cli: protonvpn-cli: ProtonVPN Command-Line Tool for Linux and macOS.
https://github.com/ProtonVPN/protonvpn-cli



Hope this helps ...

[rbsudo]

phd21, I don't have any idea what the packages nscd and unbound do. I found the suggestion, saw where a couple of people confirmed it worked for them, and tried it. It worked for me too.

I just did a search on those two packages and found this.

https://linux.die.net/man/8/nscd

https://www.unbound.net/

If that helps, let us know...... it's outside my "pay range."

Thanks!

[phd21]

Hi rbsudo & everyone else,

After exhaustive testing, I think I found out how to stop DNS leaks, at least on my systems with VPN's added (imported) into the Network Manager. This worked with various VPN provider's OpenVPN configuration files (somewhere.ovpn) whether they were TCP or UDP, they recommend UDP.

Steps 1-3 only need to be done once, step 4 editing your VPN provider's VPN configuration files may need to be done for each VPN server location you want to use.

1.) Update your "openvpn" software using their repository.

This link has instructions for updating openVPN software. Linux Mint 19.x already has the updated OpenVPN software.
Is it possible to install the latest openvpn without breaking everything[SOLVED]
viewtopic.php?f=157&t=242583&hilit=openvpn

2.) Install "resolvconf" or "openresolv" (I used the openresolv), make sure you have the "network-manager-openvpn" installed (usually is), install "unbound" ("nscd" did not seem necessary). Recommend openresolv vs resolvconf.

Install all of these with this one console terminal command

Code: Select all

sudo apt install openresolv easy-rsa network-manager-openvpn bind9 unbound 

or

Code: Select all

sudo apt install openresolv easy-rsa network-manager-openvpn

Updated info 02-23-2019: I do not seem to need to install "unbound" or "bind9" packages to stop VPN DNS leaks in Linux Mint 19.x (Ubuntu 18.04+), although I think it is still a good idea to do so. I do need the "bind9-host" because of dependencies with other applications and this is usually installed already anyway. I still need to make sure the OpenVPN server configuration files have the lines below in them per step4.

3.) Then check to make sure the NetworkManager Configuration file has "dnsmasq" disabled with a # in front of that line, save the change, exit the text editor. If there is not a "dnsmasq" entry, do not worry about it, there is nothing to change, go to next step. You can also use your file manager to browse to the file and right-click open as root to edit these files and make changes.

To edit this file in Cinnamon, Mate, Xfce, use the command below. "xed" is the text editor.

Code: Select all

sudo -i xed /etc/NetworkManager/NetworkManager.conf

To edit this file in KDE use the gedit text editor or xed in command below.
Install gedit and xed text editors

Code: Select all

sudo apt install gedit gedit-plugins xed

Edit Network Manager configuration file.

Code: Select all

sudo -i gedit  /etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile,ofono
#dns=dnsmasq

[ifupdown]
managed=false

4.) Check your VPN Providers openVPN configuration files (somewhere.ovpn) to see if these lines are in them before the start of the certificate line <ca>. You can usually right-click a "somewhere.ovpn" file and "open with" any text editor to view or edit them, save it if you make changes. You can click "select all" below and right-click copy to copy this code and then paste into any of your ".ovpn" files, save changes, exit the text editor.

Code: Select all

# To prevent DNS Leaks
block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

Here is an example of a "vpnbook" provider's US server (vpnbook-us1-tcp80.ovpn) file with the changes

Code: Select all

client
dev tun3
proto tcp
remote 198.7.62.204 80
remote us1.vpnbook.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
verb 3
cipher AES-128-CBC
fast-io
pull
route-delay 2
redirect-gateway
# To prevent DNS Leaks
block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

<ca>
-----BEGIN CERTIFICATE-----
MIIDyzCCAzSgAwIBAgIJAKRtpjsIvek1MA0GCSqGSIb3DQEBBQUAMIGgMQswCQYD
VQQGEwJDSDEPMA0GA1UECBMGWnVyaWNoMQ8wDQYDVQQHEwZadXJpY2gxFDASBgNV
BAoTC3ZwbmJvb2suY29tMQswCQYDVQQLEwJJVDEUMBIGA1UEAxMLdnBuYm9vay5j
b20xFDASBgNVBCkTC3ZwbmJvb2suY29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkB2
cG5ib29rLmNvbTAeFw0xMzA0MjQwNDA3NDhaFw0yMzA0MjIwNDA3NDhaMIGgMQsw
CQYDVQQGEwJDSDEPMA0GA1UECBMGWnVyaWNoMQ8wDQYDVQQHEwZadXJpY2gxFDAS
BgNVBAoTC3ZwbmJvb2suY29tMQswCQYDVQQLEwJJVDEUMBIGA1UEAxMLdnBuYm9v
ay5jb20xFDASBgNVBCkTC3ZwbmJvb2suY29tMSAwHgYJKoZIhvcNAQkBFhFhZG1p
bkB2cG5ib29rLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyNwZEYs6
WN+j1zXYLEwiQMShc1mHmY9f9cx18hF/rENG+TBgaS5RVx9zU+7a9X1P3r2OyLXi
WzqvEMmZIEhij8MtCxbZGEEUHktkbZqLAryIo8ubUigqke25+QyVLDIBuqIXjpw3
hJQMXIgMic1u7TGsvgEUahU/5qbLIGPNDlUCAwEAAaOCAQkwggEFMB0GA1UdDgQW
BBRZ4KGhnll1W+K/KJVFl/C2+KM+JjCB1QYDVR0jBIHNMIHKgBRZ4KGhnll1W+K/
KJVFl/C2+KM+JqGBpqSBozCBoDELMAkGA1UEBhMCQ0gxDzANBgNVBAgTBlp1cmlj
aDEPMA0GA1UEBxMGWnVyaWNoMRQwEgYDVQQKEwt2cG5ib29rLmNvbTELMAkGA1UE
CxMCSVQxFDASBgNVBAMTC3ZwbmJvb2suY29tMRQwEgYDVQQpEwt2cG5ib29rLmNv
bTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AdnBuYm9vay5jb22CCQCkbaY7CL3pNTAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAKaoCEWk2pitKjbhChjl1rLj
6FwAZ74bcX/YwXM4X4st6k2+Fgve3xzwUWTXinBIyz/WDapQmX8DHk1N3Y5FuRkv
wOgathAN44PrxLAI8kkxkngxby1xrG7LtMmpATxY7fYLOQ9yHge7RRZKDieJcX3j
+ogTneOl2w6P0xP6lyI6
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID6DCCA1GgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMCQ0gx
DzANBgNVBAgTBlp1cmljaDEPMA0GA1UEBxMGWnVyaWNoMRQwEgYDVQQKEwt2cG5i
b29rLmNvbTELMAkGA1UECxMCSVQxFDASBgNVBAMTC3ZwbmJvb2suY29tMRQwEgYD
VQQpEwt2cG5ib29rLmNvbTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AdnBuYm9vay5j
b20wHhcNMTMwNTA2MDMyMTIxWhcNMjMwNTA0MDMyMTIxWjB4MQswCQYDVQQGEwJD
SDEPMA0GA1UECBMGWnVyaWNoMQ8wDQYDVQQHEwZadXJpY2gxFDASBgNVBAoTC3Zw
bmJvb2suY29tMQ8wDQYDVQQDEwZjbGllbnQxIDAeBgkqhkiG9w0BCQEWEWFkbWlu
QHZwbmJvb2suY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkTM/8E+JH
CjskqMIwgYDrNCBTWZLa+qKkJjZ/rliJomTfVYwKwv1AHYYU6RHpCxS1qFp3BEKL
vQlASuzycSv1FGnNiLmg94fqzzWdmjs1XWosnLqbOwxx2Ye/1WoakSHia0pItoZk
xK7/fllm42+Qujri/ERGga5Cb/TfiP6pUQIDAQABo4IBVzCCAVMwCQYDVR0TBAIw
ADAtBglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRl
MB0GA1UdDgQWBBTDr4BCNSdOEh+Lx6+4RRK11x8XcDCB1QYDVR0jBIHNMIHKgBRZ
4KGhnll1W+K/KJVFl/C2+KM+JqGBpqSBozCBoDELMAkGA1UEBhMCQ0gxDzANBgNV
BAgTBlp1cmljaDEPMA0GA1UEBxMGWnVyaWNoMRQwEgYDVQQKEwt2cG5ib29rLmNv
bTELMAkGA1UECxMCSVQxFDASBgNVBAMTC3ZwbmJvb2suY29tMRQwEgYDVQQpEwt2
cG5ib29rLmNvbTEgMB4GCSqGSIb3DQEJARYRYWRtaW5AdnBuYm9vay5jb22CCQCk
baY7CL3pNTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZI
hvcNAQEFBQADgYEAoDgD8mpVPnHUh7RhQziwhp8APC8K3jToZ0Dv4MYXQnzyXziH
QbewJZABCcOKYS0VRB/6zYX/9dIBogA/ieLgLrXESIeOp1SfP3xt+gGXSiJaohyA
/NLsTi/Am8OP211IFLyDLvPqZuqlh/+/GOLcMCeCrMj4RYxWstNxtguGQFc=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCkTM/8E+JHCjskqMIwgYDrNCBTWZLa+qKkJjZ/rliJomTfVYwK
wv1AHYYU6RHpCxS1qFp3BEKLvQlASuzycSv1FGnNiLmg94fqzzWdmjs1XWosnLqb
Owxx2Ye/1WoakSHia0pItoZkxK7/fllm42+Qujri/ERGga5Cb/TfiP6pUQIDAQAB
AoGANX508WQf9nVUUFlJ8LUZnnr4U2sEr5uPPNbcQ7ImTZm8MiMOV6qo/ikesMw5
8qCS+5p26e1PJWRFENPUVhOW9c07z+nRMyHBQzFnNAFD7TiayjNk1gz1oIXarceR
edNGFDdWCwXh+nJJ6whbQn9ioyTg9aqScrcATmHQxTit0GECQQDR5FmwC7g0eGwZ
VHgSc/bZzo0q3VjNGakrA2zSXWUWrE0ybBm2wJNBYKAeskzWxoc6/gJa8mKEU+Vv
ugGb+J/tAkEAyGSEmWROUf4WX5DLl6nkjShdyv4LAQpByhiwLjmiZL7F4/irY4fo
ct2Ii5uMzwERRvHjJ7yzJJic8gkEca2adQJABxjZj4JV8DBCN3kLtlQFfMfnLhPd
9NFxTusGuvY9fM7GrXXKSMuqLwO9ZkxRHNIJsIz2N20Kt76+e1CmzUdS4QJAVvbQ
WKUgHBMRcI2s3PecuOmQspxG+D+UR3kpVBYs9F2aEZIEBuCfLuIW9Mcfd2I2NjyY
4NDSSYp1adAh/pdhVQJBANDrlnodYDu6A+a4YO9otjd+296/T8JpePI/KNxk7N0A
gm7SAhk379I6hr5NXdBbvTedlb1ULrhWV8lpwZ9HW2k=
-----END RSA PRIVATE KEY-----
</key>

5.) Restart, try connecting to your VPN server(s), or import new VPN server(s) and try it. Verify the VPN is working and check the DNS entries by going to a website like "www.ipleak.net".

* 02-23-2019 * I now also recommend using "DNS over TLS"
How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS
https://www.linuxbabe.com/ubuntu/ubuntu ... s-over-tls


Hope this helps ...

[rbsudo]

Lots of good info on this thread. Should it be pinned for ease of future reference?

[majpooper]

Or just install dnscrypt from the Mint repositories

[Mintuser998]

My gosh. It worked, thank you so much. But what does easy-rsa and unbound do? Also what exactly does this do? I'm not sure if I asked this before, but if I did, I didn't get an answer.

Code: Select all

block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre

[Johnsmith001]

There are many google organic results show some VPN provider's websites tools which are misleading user's highly recommended if you can use https://www.vpninsights.com/ip-leak-test this one

[Laugh2]

A year or two ago I looked at many VPNs in their default configuration and found that only few protected from DNS leaks. The sites I looked at are listed in viewtopic.php?f=90&t=242032&start=40. At the time I chose PIA as they do protect against DNS links in their default configuration. Things may have changed since then, of course, but I was happy with them at the time.