iwih2gk 94 Posted ... EDITED - solution in this post

This post shows a simple ufw verbose that will completely protect you by HALTing all internet activity if your connection drops. Nothing can leave the tunnel so only Air's DNS will ever get out in the wild. It's rock solid and simple. Tested for a couple of days now on many testing sites. Just connect using the Air linux client (Eddie) and then enable ufw and you're solid no matter what happens!! When you are finished disconnect the client and disable ufw so you can connect again the next time. Simple. YOU CANNOT CONNECT THE CLIENT WITH UFW ENABLED FIRST. Enable ufw after the client connects.

    XXXXXXXXXXXX:~$ sudo ufw status verbose
    [sudo] password for XXXXXXXX:
    Status: active
    Logging: off
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW OUT   Anywhere on tun0
    Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
Staff 10014 Posted ...

Hello!

DNS leaks are impossible on Linux. Your system is explicitly configured to send DNS queries to your ISP DNS servers, and that's not a DNS leak: Linux just does what it is ordered to do.

In order to use VPN DNS with OpenVPN (resolvconf required): https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf

Alternatively, run Eddie 2.1beta (resolvconf required again): https://airvpn.org/linux_ex

As another option, in case you don't want resolvconf, just set yourself the appropriate nameservers in /etc/resolv.conf

Kind regards
iwih2gk 94 Posted ...

Solved ---------> for 14.04, and confirmed working PERMANENTLY, not current session only!!

I was having issues where I would change the dns but every time I booted 14.04 the changes would be overwritten. I found some great links but I am going to paste the how to and a copy of the "head" file so you can see how easy this is. 14.04 was a little challenging because it is "unique". LOL!!

Using this method (without help from the Air Linux client) you can make sure that ONLY Air DNS will be used by your computer. I have this machine dedicated to Air only and that is what I wanted so no mistakes are allowed to happen. This also works perfectly with UFW completely locking down the machine to Air Entry IP's and tun0. The combination of these two leaves a locked down safe system. AirVPN is only my first hop and subsequent hops are not affected at all by this discussion.

If you are using 14.04 without Air's client then you may want to make sure your DNS is "in check". I was amazed to find mine was NOT before I did this simple procedure. The tunnel was secure, but my ISP was still getting their DNS called to. BaDDDDDD!!

Here is how to permanently change to Air DNS if you are using 14.04:

1. (using terminal run) sudo gedit /etc/resolvconf/resolv.conf.d/head
2. on the file that comes up (paste below) just add this line: nameserver 10.4.0.1 #comment - that is Air's DNS
3. save the file and close it
4. (in terminal run) sudo resolvconf -u # this command tells resolvconf to regenerate the resolve file
5. restart your system and you are ready to go!!!

Below is a paste from my 14.04 head file. I added the final nameserver line and saved it. Easy stuff and works.

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 10.4.0.1
iwih2gk 94 Posted ...

Staff,

Should I edit my post above this and ADD any additional nameserver addresses? I didn't know if AIR has any others to use in case 10.4.0.1 ever goes down. Please advise since several 14.04 Air members may perform this simple procedure. Just trying to help out here because this was a pain when 14.04 kept changing back at re-boot. We got it licked though!!!
iwih2gk 94 Posted ...

Spoke too soon. Darn it!! I notice that about once every 20 times when I go to dnsleak test I see my ISP's dns. I know that Linux is only following instructions. When I designated the nameserver as mentioned in the posts above this I thought I beat this thing!!

Can anyone inform me of how to configure 14.04 where ONLY 10.4.0.1 can be used? I would love it if my machine would just sit "stuck in the mud" until it used Air's dns without exception. This was an easy thing to do with windows firewall rules. 14.04 is tough to change on a permanent basis. It loves to keep fixing itself!!

At this point my confidence is shattered and it's an uneasy feeling when you cannot rely upon the privacy of your connection. I wonder if I should go back to the Linux client, but then I am sitting WIDE OPEN if my connection drops. I know it's going to be fixed but I can't surf with "going to be" at the current time.

I would seriously love it if someone would instruct me on how to 100% control dns with 14.04. The thing that should make it easy is the fact that I don't need ANY flexibility where I will run this machine outside of AIR as my first hop in the circuit. Just one dns without exception. Doesn't seem that tough, but for me it's kickin my rear. Any help?
Staff 10014 Posted ...

> Can anyone inform me of how to configure 14.04 where ONLY 10.4.0.1 can be used? I would love it if my machine would just sit "stuck in the mud" until it used Air's dns without exception. This was an easy thing to do with windows firewall rules. 14.04 is tough to change on a permanent basis. It loves to keep fixing

Hello!

Do you have resolvconf installed? If so, there are several ways to force Ubuntu to use one and only one (or two, three...) nameserver, regardless of DHCP and anything else, and without having to uninstall resolvconf; have a look here: http://askubuntu.com/a/310407

Ignore other messages in the thread marked with bad ratings (0, -1, -2), they offer incorrect solutions.

Kind regards
blknit 0 Posted ...

Maybe I'm wrong but I think that you are facing the following bug: https://bugs.launchpad.net/linuxmint/+bug/1248834

I noticed the same behaviour on Ubuntu Trusty after the os upgrade. When I connect to the vpn (cli and resolvconf configured in openvpn directives) the airvpn dns is written in resolv.conf just before my isp dns. If I remember well, in the past I had only Airvpn dns in resolv.conf after the vpn connection was established. If I do an online test (eg. http://check2ip.com/ ) I can see that both Airvpn and isp dns are queried.

I had no time to investigate this issue deeper; for now my workaround is to use the firewall to limit dns queries when I'm connected. For example with ufw:

    $ sudo ufw allow out on tun0 from any to 10.4.0.1 port 53   # Allow connections to Airvpn dns 443/udp connections (see https://airvpn.org/specs/ )
    $ sudo ufw allow out on tun0 from any to 10.5.0.1 port 53   # Allow connections to Airvpn dns 443/tcp connections (see https://airvpn.org/specs/ )
    $ sudo ufw deny out from any to any port 53                 # Block other dns requests

This is a subset of my firewall rules:

    $ sudo ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    ww.xxx.yyy.zzz 443/udp     ALLOW OUT   Anywhere                   # allow connections to airvpn server ww.xxx.yyy.zzz
    10.4.0.1 53/udp            ALLOW OUT   Anywhere on tun0
    10.5.0.1 53/udp            ALLOW OUT   Anywhere on tun0
    53                         DENY OUT    Anywhere
    Anywhere                   ALLOW OUT   Anywhere on tun0
    53 (v6)                    DENY OUT    Anywhere (v6)
    Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0

This is only a workaround.

Best regards
iwih2gk 94 Posted ...

> Can anyone inform me of how to configure 14.04 where ONLY 10.4.0.1 can be used? I would love it if my machine would just sit "stuck in the mud" until it used Air's dns without exception. This was an easy thing to do with windows firewall rules. 14.04 is tough to change on a permanent basis. It loves to keep fixing
>
> Hello!
>
> Do you have resolvconf installed? If so, there are several ways to force Ubuntu to use one and only one (or two, three...) nameserver, regardless of DHCP and anything else, and without having to uninstall resolvconf; have a look here: http://askubuntu.com/a/310407
>
> Ignore other messages in the thread marked with bad ratings (0, -1, -2), they offer incorrect solutions.
>
> Kind regards

Staff,

I tried using the 3 steps in your link. It did NOT work. 14.04 already comes with resolvconf but just to be sure I did: sudo apt-get install resolvconf and it came up and said current version is already there! I performed those steps and removed my edits from the upper part of this thread. Wow, my ISP dns showed up everywhere. I reversed these changes and put back my nameserver edit to the head file as above. It is only showing Air dns again. I don't know why but rarely my ISP sneaks one past, and that is almost never! Still it is not never and that is the issue. I may elect to use UFW additions to try and control this until the newer client comes out.

I don't ever remember this dns issue when I was on 13.10 and using the import VPN config file. Was there something in the imported file that kept the dns on AIR, or is it just 14.04 is being a pain???
iwih2gk 94 Posted ...

Interesting observation. I cannot under any circumstances cause a DNS problem while I am on a VM (linux 14.04 VM), which is also NAT'd to my 14.04 host OS. Hmmmmmm?? I don't think it affects anything but a few days ago I edited the VM's "head" file the same as for my host. The VM is NAT'd to the host. I guess I don't understand why but my linux VM's, and I do use several of them, only show Air dns regardless of which tests I run. Even check2ip running a deep scan finds only Air on these VM's, even though they find my ISP's dns when I am on the host OS (and Air tunneled for traffic) with the same networking config. Just strange, that's all!
blknit 0 Posted ...

Workaround #2:

Edit the file /etc/resolvconf/update.d/libc
Go to line #105
Change the line

    [ "$N" = 3 ] && return 0

to

    [ "$N" = 1 ] && return 0

Restart the vpn connection and check the resolv.conf. Now you should find inside the file only the Airvpn dns.
iwih2gk 94 Posted ...

> Workaround #2:
>
> Edit the file /etc/resolvconf/update.d/libc
> Go to line #105
> Change the line [ "$N" = 3 ] && return 0 to [ "$N" = 1 ] && return 0
> Restart the vpn connection and check the resolv.conf. Now you should find inside the file only the Airvpn dns.

Did you also (in terminal run) sudo resolvconf -u ----> in order to rebuild the resolvconf file?

Would you recommend removing my edit of the "head" file where I placed the 10.4.0.1 dns instruction?

Have you researched what exactly you are commanding 14.04 to do by changing the number from =3 to =1? I may be able to give this a go shortly but it would be nice to know what my edited instructions are doing!
blknit 0 Posted ...

> Did you also (in terminal run) sudo resolvconf -u ----> in order to rebuild the resolvconf file?

No, I didn't.

> Would you recommend removing my edit of the "head" file where I placed the 10.4.0.1 dns instruction?

Yes, you can remove it.

> Have you researched what exactly you are commanding 14.04 to do by changing the number from =3 to =1? I may be able to give this a go shortly but it would be nice to know what my edited instructions are doing!

Sure, man 8 resolvconf:

    libc
        The most important software package that subscribes to the notification service is the GNU C Library resolver(3). This library is used by many applications that need to resolve domain names. When nameserver information is updated, the script /etc/resolvconf/update.d/libc generates a new version of the resolver configuration file, /run/resolvconf/resolv.conf, as described below. If the new version of the file differs from the previously generated one then the hook scripts found in /etc/resolvconf/update-libc.d/ are executed.

So, when I connect and the vpn pushes its dns, the script rebuilds the resolv.conf file and writes into it only the first dns of the list (Airvpn dns). When I disconnect the dns is replaced with the dnsmasq dns. If I don't modify the script I have BOTH Airvpn and dnsmasq dns in my resolv.conf.

Maybe the simplest solution, if you configured your pc with a static ip and you start the vpn connection at computer startup (look at the /etc/default/openvpn file), is to configure the Airvpn dns in the dns configuration of the Network Manager so you can avoid the libc script modification.
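As an added example (not code from this thread, from AirVPN or from resolvconf), here is a small POSIX shell audit that reads a resolv.conf-style file and reports any nameserver that is not one of the Air addresses quoted in the thread (10.4.0.1 and 10.5.0.1). It reproduces the situation described above, the VPN nameserver written first with the ISP resolver appended after it, using a constructed sample file: the 192.0.2.53 address and the example.invalid search domain are made up for the demonstration. Checking the file directly complements the dnsleak-style web tests, because it shows the second entry before any query is sent; the port-53 deny rule in the ufw workaround is what stops that entry from being used.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file against a nameserver allow list.
# The allow list below is the AirVPN DNS pair quoted in the thread.
AIR_DNS="10.4.0.1 10.5.0.1"

# Print the nameserver addresses from a resolv.conf file, in file order.
# Trailing "# ..." comments are stripped first, so a line such as
# "nameserver 10.4.0.1 #comment" (as in the head-file recipe) still parses.
list_nameservers() {
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Return 0 when every nameserver is on the allow list, 1 otherwise.
# Each unexpected address is reported on stderr.
#   usage: audit_resolv_conf FILE ALLOWED_IP...
audit_resolv_conf() {
    file=$1; shift
    allowed=$*
    rc=0
    for ns in $(list_nameservers "$file"); do
        ok=0
        for a in $allowed; do
            [ "$ns" = "$a" ] && ok=1 && break
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected nameserver: $ns" >&2
            rc=1
        fi
    done
    return $rc
}

# Number of nameserver lines. glibc only consults the first three (MAXNS),
# which is why the libc hook quoted above stops adding entries at N=3.
count_nameservers() {
    list_nameservers "$1" | wc -l | tr -d ' '
}

# Constructed sample: what resolvconf produces when the VPN pushes its DNS
# and another interface's resolver is appended behind it.
SAMPLE_LEAK=$(mktemp)
cat > "$SAMPLE_LEAK" <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.4.0.1
nameserver 192.0.2.53   # constructed ISP resolver address
search example.invalid
EOF

# Constructed sample: the desired state, Air nameservers only.
SAMPLE_OK=$(mktemp)
printf 'nameserver 10.4.0.1\nnameserver 10.5.0.1\n' > "$SAMPLE_OK"

# Stand-alone run: report both samples. For a live check, replace the
# sample path with /etc/resolv.conf after the tunnel is up.
for f in "$SAMPLE_OK" "$SAMPLE_LEAK"; do
    if audit_resolv_conf "$f" $AIR_DNS; then
        echo "$f: $(count_nameservers "$f") nameserver(s), all on the Air list"
    else
        echo "$f: a non-Air nameserver is present, queries may leave via the ISP"
    fi
done
```

The audit deliberately reads the generated file rather than the head file, since the head file is only one of the inputs resolvconf merges; the merged result is what the resolver actually uses.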
iwih2gk 94 Posted ...

* I know AirVPN is working through Eddie but for 14.04 the client needs more tweaking.
* I am happy with my final outcome -- BUT -- I had to manually control the DNS while protecting against a sudden connection loss. Eddie is not doing the job for me on 14.04.

I disabled ufw and then connected using Eddie linux version. I had "ticked" the expert box and all the dns, tunnel related options in the advanced menu for linux. I immediately went to check2ip dot com and my ISP's dns was all over the place. Also on dnsleaktest dot com. Again, this is client alone and no firewall UP.

I decided to simplify things so that I can use all the servers without having to key in 50 + entry IP's. My decision is to connect using the client (where I can pick any server I want) and then simply enable ufw immediately afterwards. Very simple two step process. I manually protect for a broken connection and plug any and all dns other than two of Air's (see below). I can add more rules for additional air dns if additional ports are needed. So it's all closed except for these two and the tun0!! Seems to be working perfectly on this end. Anyone see anything wrong with these rules? Any holes I missed??

    XXXXXXXXXXXX:~$ sudo ufw status verbose
    [sudo] password for XXXXXXXX:
    Status: active
    Logging: off
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW OUT   Anywhere on tun0
    Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0
iwih2gk 94 Posted ...

> Workaround #2:
>
> Edit the file /etc/resolvconf/update.d/libc
> Go to line #105
> Change the line [ "$N" = 3 ] && return 0 to [ "$N" = 1 ] && return 0
> Restart the vpn connection and check the resolv.conf. Now you should find inside the file only the Airvpn dns.

BTW - I tried everything on this and no go here. I can sleep really well at night by using ufw as described above. I cannot afford a dropped connection burning me and dns stuff bugs me to no end. Now it's all gone from any test I do. It only takes a couple of seconds to enable and disable ufw as needed. Thanks for your input.

ps - I never had any of these until I went to 14.04!!
iwih2gk 94 Posted ...

This post shows a simple ufw verbose that will completely protect you by HALTing all internet activity if your connection drops. Nothing can leave the tunnel so only Air's DNS will ever get out in the wild. It's rock solid and simple. Tested for a couple of days now on many testing sites. Just connect using the Air linux client (Eddie) and then enable ufw and you're solid no matter what happens!! When you are finished disconnect the client and disable ufw so you can connect again the next time. Simple. YOU CANNOT CONNECT THE CLIENT WITH UFW ENABLED FIRST. Enable ufw after the client connects.

    XXXXXXXXXXXX:~$ sudo ufw status verbose
    [sudo] password for XXXXXXXX:
    Status: active
    Logging: off
    Default: deny (incoming), deny (outgoing), disabled (routed)
    New profiles: skip

    To                         Action      From
    --                         ------      ----
    Anywhere                   ALLOW OUT   Anywhere on tun0
    Anywhere (v6)              ALLOW OUT   Anywhere (v6) on tun0