Jump to content
Not connected, Your IP: 3.144.245.175
AirVPN
Sign in to follow this  
Followers 0
spookygoy

ANSWERED Can't get rid of DNS leaks

By spookygoy, ... in Troubleshooting and Problems

Recommended Posts

spookygoy    7

spookygoy
Posted ...

Spare me the "DNS leaks on linux are impossible"   I sat there and ran DNS leak tests multiple times on an off the VPN.   I get varying results between 3 - 7 servers,  and almost all of them are always IP addresses registered to my ISP.

 

 

Here is my eddie log.   This is a fresh install of Kubuntu  17.04

I installed eddie from the apt repo and have not touched any of the default options except I chose to connect over SSH.

 

I 2017.05.01 23:39:29 - Eddie client version: 2.12.4 / linux_x64, System: Linux, Name: Ubuntu 17.04 \n \l, Mono/.Net Framework: v4.0.30319
. 2017.05.01 23:39:29 - Reading options from /home/blink/.airvpn/AirVPN.xml
. 2017.05.01 23:39:29 - Data path: /home/blink/.airvpn
. 2017.05.01 23:39:29 - Application path: /usr/lib/AirVPN
. 2017.05.01 23:39:29 - Executable path: /usr/lib/AirVPN/AirVPN.exe
. 2017.05.01 23:39:29 - Command line arguments (1): path="/home/blink/.airvpn"
. 2017.05.01 23:39:29 - Operating System: Unix 4.10.0.20 - Linux blink-kubuntu 4.10.0-20-generic #22-Ubuntu SMP Thu Apr 20 09:22:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I 2017.05.01 23:39:29 - OpenVPN Driver - Found, /dev/net/tun
I 2017.05.01 23:39:29 - OpenVPN - Version: 2.4.0 - OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08 (/usr/sbin/openvpn)
I 2017.05.01 23:39:29 - SSH - Version: OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016 (/usr/bin/ssh)
I 2017.05.01 23:39:29 - SSL - Version: stunnel 5.39 (/usr/bin/stunnel4)
I 2017.05.01 23:39:29 - curl - Version: 7.52.1 (/usr/bin/curl)
I 2017.05.01 23:39:29 - Certification Authorities: /usr/share/AirVPN/cacert.pem
! 2017.05.01 23:39:29 - Ready
. 2017.05.01 23:39:29 - Updating systems & servers data ...
. 2017.05.01 23:39:30 - Systems & servers data update completed
I 2017.05.01 23:39:32 - Session starting.
. 2017.05.01 23:39:33 - Unable to understand if IPv6 is active.
I 2017.05.01 23:39:33 - Checking authorization ...
! 2017.05.01 23:39:33 - Connecting to Pavonis (United States, Chicago, Illinois)
. 2017.05.01 23:39:33 - SSH > OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016
. 2017.05.01 23:39:33 - SSH > debug1: Reading configuration data /etc/ssh/ssh_config
. 2017.05.01 23:39:33 - SSH > debug1: /etc/ssh/ssh_config line 19: Applying options for *
. 2017.05.01 23:39:33 - SSH > debug1: Connecting to 149.255.33.156 [149.255.33.156] port 53.
. 2017.05.01 23:39:33 - SSH > debug1: Connection established.
. 2017.05.01 23:39:33 - SSH > debug1: permanently_set_uid: 0/0
. 2017.05.01 23:39:33 - SSH > debug1: key_load_public: No such file or directory
. 2017.05.01 23:39:33 - SSH > debug1: identity file /home/blink/.airvpn/f82968f906834600737aaba08bd99f06e83fec087def57f0ebf7818fc50d8466.tmp.key type -1
. 2017.05.01 23:39:33 - SSH > debug1: key_load_public: No such file or directory
. 2017.05.01 23:39:33 - SSH > debug1: identity file /home/blink/.airvpn/f82968f906834600737aaba08bd99f06e83fec087def57f0ebf7818fc50d8466.tmp.key-cert type -1
. 2017.05.01 23:39:33 - SSH > debug1: Enabling compatibility mode for protocol 2.0
. 2017.05.01 23:39:33 - SSH > debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
. 2017.05.01 23:39:33 - SSH > debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
. 2017.05.01 23:39:33 - SSH > debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
. 2017.05.01 23:39:33 - SSH > debug1: Authenticating to 149.255.33.156:53 as 'sshtunnel'
. 2017.05.01 23:39:33 - SSH > debug1: SSH2_MSG_KEXINIT sent
. 2017.05.01 23:39:33 - SSH > debug1: SSH2_MSG_KEXINIT received
. 2017.05.01 23:39:33 - SSH > debug1: kex: algorithm: curve25519-sha256@libssh.org
. 2017.05.01 23:39:33 - SSH > debug1: kex: host key algorithm: ssh-rsa
. 2017.05.01 23:39:33 - SSH > debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
. 2017.05.01 23:39:33 - SSH > debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
. 2017.05.01 23:39:33 - SSH > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
. 2017.05.01 23:39:33 - SSH > debug1: Server host key: ssh-rsa SHA256:aiSlC5+sLs9d/zSDVXIKeDdXYRF1pnq1Y79BbmKqbMM
. 2017.05.01 23:39:33 - SSH > debug1: checking without port identifier
. 2017.05.01 23:39:33 - SSH > Warning: Permanently added '[149.255.33.156]:53' (RSA) to the list of known hosts.
. 2017.05.01 23:39:33 - SSH > debug1: rekey after 134217728 blocks
. 2017.05.01 23:39:33 - SSH > debug1: SSH2_MSG_NEWKEYS sent
. 2017.05.01 23:39:33 - SSH > debug1: expecting SSH2_MSG_NEWKEYS
. 2017.05.01 23:39:33 - SSH > debug1: SSH2_MSG_NEWKEYS received
. 2017.05.01 23:39:33 - SSH > debug1: rekey after 134217728 blocks
. 2017.05.01 23:39:33 - SSH > debug1: SSH2_MSG_SERVICE_ACCEPT received
. 2017.05.01 23:39:33 - SSH > debug1: Authentications that can continue: publickey,password
. 2017.05.01 23:39:33 - SSH > debug1: Next authentication method: publickey
. 2017.05.01 23:39:33 - SSH > debug1: Trying private key: /home/blink/.airvpn/f82968f906834600737aaba08bd99f06e83fec087def57f0ebf7818fc50d8466.tmp.key
. 2017.05.01 23:39:33 - SSH > debug1: Authentication succeeded (publickey).
. 2017.05.01 23:39:33 - SSH > Authenticated to 149.255.33.156 ([149.255.33.156]:53).
. 2017.05.01 23:39:33 - SSH > debug1: Local connections to LOCALHOST:32524 forwarded to remote address 127.0.0.1:2018
. 2017.05.01 23:39:33 - SSH > debug1: Local forwarding listening on ::1 port 32524.
. 2017.05.01 23:39:33 - SSH > debug1: channel 0: new [port listener]
. 2017.05.01 23:39:33 - SSH > debug1: Local forwarding listening on 127.0.0.1 port 32524.
. 2017.05.01 23:39:33 - SSH > debug1: channel 1: new [port listener]
. 2017.05.01 23:39:33 - SSH > debug1: Requesting no-more-sessions@openssh.com
. 2017.05.01 23:39:33 - OpenVPN > OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2017
. 2017.05.01 23:39:33 - SSH > debug1: Entering interactive session.
. 2017.05.01 23:39:33 - OpenVPN > library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
. 2017.05.01 23:39:33 - SSH > debug1: pledge: network
. 2017.05.01 23:39:33 - OpenVPN > MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:3100
. 2017.05.01 23:39:33 - SSH > debug1: Connection to port 32524 forwarding to 127.0.0.1 port 2018 requested.
. 2017.05.01 23:39:33 - OpenVPN > Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2017.05.01 23:39:33 - SSH > debug1: channel 2: new [direct-tcpip]
. 2017.05.01 23:39:33 - OpenVPN > Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2017.05.01 23:39:33 - OpenVPN > TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:32524
. 2017.05.01 23:39:33 - SSH > debug1: Remote: Pty allocation disabled.
. 2017.05.01 23:39:33 - SSH > debug1: Remote: X11 forwarding disabled.
. 2017.05.01 23:39:33 - OpenVPN > Socket Buffers: R=[87380->87380] S=[16384->16384]
. 2017.05.01 23:39:33 - SSH > debug1: Remote: Forced command.
. 2017.05.01 23:39:33 - OpenVPN > Attempting to establish TCP connection with [AF_INET]127.0.0.1:32524 [nonblock]
. 2017.05.01 23:39:33 - OpenVPN > TCP connection established with [AF_INET]127.0.0.1:32524
. 2017.05.01 23:39:33 - OpenVPN > TCP_CLIENT link local: (not bound)
. 2017.05.01 23:39:33 - OpenVPN > TCP_CLIENT link remote: [AF_INET]127.0.0.1:32524
. 2017.05.01 23:39:34 - OpenVPN > TLS: Initial packet from [AF_INET]127.0.0.1:32524, sid=e5a28272 c082a92e
. 2017.05.01 23:39:34 - OpenVPN > VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
. 2017.05.01 23:39:34 - OpenVPN > Validating certificate key usage
. 2017.05.01 23:39:34 - OpenVPN > ++ Certificate has key usage  00a0, expects 00a0
. 2017.05.01 23:39:34 - OpenVPN > VERIFY KU OK
. 2017.05.01 23:39:34 - OpenVPN > Validating certificate extended key usage
. 2017.05.01 23:39:34 - OpenVPN > ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
. 2017.05.01 23:39:34 - OpenVPN > VERIFY EKU OK
. 2017.05.01 23:39:34 - OpenVPN > VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
. 2017.05.01 23:39:34 - OpenVPN > Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
. 2017.05.01 23:39:34 - OpenVPN > [server] Peer Connection Initiated with [AF_INET]127.0.0.1:32524
. 2017.05.01 23:39:35 - OpenVPN > SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
. 2017.05.01 23:39:35 - OpenVPN > PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.50.0.1,comp-lzo no,route-gateway 10.50.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.50.2.70 255.255.0.0'
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: timers and/or timeouts modified
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: compression parms modified
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: --ifconfig/up options modified
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: route options modified
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: route-related options modified
. 2017.05.01 23:39:35 - OpenVPN > OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
. 2017.05.01 23:39:35 - OpenVPN > Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
. 2017.05.01 23:39:35 - OpenVPN > Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2017.05.01 23:39:35 - OpenVPN > Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
. 2017.05.01 23:39:35 - OpenVPN > Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
. 2017.05.01 23:39:35 - OpenVPN > ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eno1 HWADDR=70:4d:7b:2a:05:45
. 2017.05.01 23:39:35 - OpenVPN > TUN/TAP device tun0 opened
. 2017.05.01 23:39:35 - OpenVPN > TUN/TAP TX queue length set to 100
. 2017.05.01 23:39:35 - OpenVPN > do_ifconfig, tt->did_ifconfig_ipv6_setup=0
. 2017.05.01 23:39:35 - OpenVPN > /sbin/ip link set dev tun0 up mtu 1500
. 2017.05.01 23:39:35 - OpenVPN > /sbin/ip addr add dev tun0 10.50.2.70/16 broadcast 10.50.255.255
. 2017.05.01 23:39:40 - OpenVPN > /sbin/ip route add 127.0.0.1/32 via 192.168.1.1
. 2017.05.01 23:39:40 - OpenVPN > /sbin/ip route add 0.0.0.0/1 via 10.50.0.1
. 2017.05.01 23:39:40 - OpenVPN > /sbin/ip route add 128.0.0.0/1 via 10.50.0.1
. 2017.05.01 23:39:40 - OpenVPN > /sbin/ip route add 149.255.33.156/32 via 192.168.1.1
. 2017.05.01 23:39:40 - Starting Management Interface
. 2017.05.01 23:39:40 - OpenVPN > Initialization Sequence Completed
. 2017.05.01 23:39:40 - /etc/resolv.conf moved to /etc/resolv.conf.eddie as backup
. 2017.05.01 23:39:40 - DNS of the system updated to VPN DNS (Rename method: /etc/resolv.conf generated)
I 2017.05.01 23:39:40 - Checking route
I 2017.05.01 23:39:40 - Checking DNS
! 2017.05.01 23:39:40 - Connected.
. 2017.05.01 23:39:40 - OpenVPN > MANAGEMENT: Client connected from [AF_INET]127.0.0.1:3100
. 2017.05.01 23:39:41 - OpenVpn Management > >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

vlzeme.png

 

I get those Charter DNS server results even when I'm not connected to the VPN so I know they don't belong there.

Share this post

Link to post

Staff    9780

Staff
Posted ...

Spare me the "DNS leaks on linux are impossible"

 

DNS leaks on GNU/Linux are impossible because they do not exist. :D

 

A DNS leak is a DNS query sent in clear text (not in the tunnel) against the custom settings of the machine. It is a definition specifically created for Windows, which does not have a DNS implementation (it lacks the concept of global DNS so it sends out DNS queries to any DNS server of any network interface, even in random order in latest Windows 10 "Creator") and it makes no sense to extend it on systems with a proper DNS implementation and which respect settings.

 

That said, we see that you already found a possible reason for the issue (which is quite a different thing than a DNS leak). Please update this thread at your convenience to report whether it solved the problem or not.

 

Kind regards

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...