inradius

How To Stop DNS Leaks in Linux Network Manager


How To Mitigate DNS Leaks in Linux Network Manager

 

READ ME: For average users with basic knowledge of network manager configurations.

If an AirVPN user wants to be protected from DNS leaks, the easiest and most effective method is to use Air’s connection client EDDIE.

Some users, for their own reasons, want to delegate the handling of VPN protocols to the network manager without running unknown scripts, and that’s fine if they protect against the configuration errors that cause resolver leaks.

Linux network manager does not leak DNS.

AirVPN does not leak DNS.

In fact, Linux network manager does exactly what it’s supposed to do. It all comes down to user configuration. In the following I’ll explain how to easily remedy this situation, give directions to legitimate websites for testing for DNS leaks, touch briefly on third-party DNS servers and offer some privacy tips. I hope this helps.

Tested on Linux Mint 18.x and Ubuntu 16 default configurations. If a user has applied custom configs/scripts then this likely won’t work unless they are restored to default.

+ log out of any internet browsers that may be open and close them

+ open network manager drop down menu - click on the applet in the panel

- select edit connections

- select the default ethernet or wi-fi connection

- select Edit

- select IPv4 Settings

+ in the Method selection field it will read Automatic (DHCP)

- change that to Automatic (DHCP) addresses only

- in the IPv6 method selection field change it to the same or Ignore

- leave all other settings unchanged

+ save and exit

 

+ for the settings to take effect: open a terminal session and enter the following command:

- sudo service NetworkManager restart

+ the network manager restarts and confirms a connection.

+ ensure the VPN has started (lock indicator on applet)

READ ME: The majority of these types of tests can be run using a Terminal session but for some users Terminal is not their favorite method and that’s just fine.

Using leak-testing, querying and resolver websites is good for gathering intel on the user's system, but be aware that the information gathered may or may not be treated with respect by those websites. Some sites may not work properly, as some add-ons or browser configurations interfere. Some of these kinds of sites also store this data for whatever purpose. Remember to clear the browser cache, history, cookies, etc. and only visit these sites for testing purposes. The websites used here for this test are reputable and safe as far as I know.

+ open a browser window

- navigate to: ipx.ac

- the IP Geo Location page displays the user's info

- select the tab near the bottom of the page: Test for Leaks and Footprints

+ here the user will have access to a lot of information, but continue to scroll down the page to the DNS header. The readout should be "no information available". That means the settings applied are working and DNS is not leaking or cannot be detected. If a user is still not convinced:

+ navigate to: ipleak.net

- scroll down once the page loads and supplies information

- notice that the first header, Your IP addresses, will read the IP from Air’s server

- the next displays WebRTC leak detection but that’s for another article

- the remaining header will reveal the DNS Addresses; they should also display the DNS servers from AirVPN.

If the user has the ISP’s assigned servers displayed in this test, then ensure the VPN is connected and has not dropped, and re-check the connection settings to ensure they have applied and did not reset to default. If after doing this the user still leaks DNS, then use EDDIE.

I have not experienced any resolver leak issues using this configuration. The default connection may disconnect or fail (I tested this scenario on purpose) if the VPN drops but that’s a good thing.

Third Party DNS Servers

To very briefly touch on third-party DNS servers: there are many to choose from, some good, some not. If a user is still concerned about possible DNS leaks even after following the above guidelines, then one possible solution is to configure OpenDNS.

OpenDNS is one example of third party DNS servers. Simply follow the easy to configure steps on their website and perform the above leak tests again. Observe the results.

Privacy Considerations:

+ *When connected through a VPN and your ISP’s DNS server addresses are displayed, it means that DNS queries are leaking

+ *If connected through a VPN, it is not necessary for the DNS resolver to be on the same IP as your VPN public IP address

+ *Using DNS resolvers/servers in different countries than your own or the VPN gateway is not a problem but a good privacy practice

 

*Credit: ipx.ac

 

 


TL;DR:

There are no DNS leaks on Linux.

There are some leaks with various "NetworkManager" DNS, which are solved with Eddie.

 

This is probably the issue you are facing:

https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1520771

 

Unfortunately some Ubuntu (aka "I don't know how to configure Debian") distros still suffer from such issues. You can "thank" the SystemD project for it.

The latest version of Eddie client solves it.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


While Linux might not have DNS leaks, it does seem that there is a genuine issue with Network Manager configuring DNS incorrectly these days. This seems to be caused by some mix of issues with NetworkManager, systemd-resolved and dnsmasq.

 

Here is what happens for me, on Ubuntu 16.04:

  1. Connect to airvpn via NetworkManager using an .ovpn file downloaded from airvpn
  2. ipleak.net shows my ISP's DNS server
  3. Check /etc/resolv.conf: it lists
     nameserver 127.0.1.1
     search <myroutername>
  4. If I then restart dnsmasq by running
     sudo kill $(pidof dnsmasq)
     then /etc/resolv.conf lists
     nameserver 10.4.0.1
     nameserver 192.168.1.1
     search <myroutername>
  5. This is better; 10.4.0.1 is the VPN gateway. But ipleak.net still finds my ISP's DNS server.
  6. If I comment out the last two lines above, then sometimes ipleak.net only finds airvpn's DNS servers. It might help if I run
     sudo systemctl restart systemd-resolved

All this seems quite ridiculous, however. Is there a way to only use airvpn's DNS servers without running Eddie? I don't mind running a few commands; I don't want a whole application. The above routine doesn't seem quite foolproof unfortunately - I haven't been able to figure out exactly what is helping to prevent the ISP DNS server from appearing. 

 

Perhaps the Eddie developer can point me to some relevant pieces of code in Eddie's source, if Eddie has to work around the same kind of issues?

 

Thanks!

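An added example, not code from either of the posts above, that serves both the first post's NetworkManager procedure and the Ubuntu 16.04 resolv.conf symptoms just described. It gives the nmcli equivalent of the GUI steps (the "Automatic (DHCP) addresses only" method is ipv4.method=auto with ipv4.ignore-auto-dns=yes, and IPv6 is set to Ignore) and an offline audit of a resolv.conf-style file that flags any resolver outside the VPN range, an IPv6 resolver, or a loopback stub such as the 127.0.1.1 dnsmasq entry seen above. The connection name and the 10.0.0.0/8 range (chosen because the post's VPN gateway is 10.4.0.1) are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not code from the original posts.
#  - apply_nm_dns_settings: nmcli equivalent of Edit Connections -> IPv4 Settings
#    -> "Automatic (DHCP) addresses only", IPv6 -> Ignore.
#  - resolv_leak_check: offline audit of a resolv.conf-style file.
# ASSUMPTION: the VPN resolver range is 10.0.0.0/8 (AirVPN gateway 10.4.0.1 in
# the post above); pass whatever range(s) or /32 hosts match your setup.

# Not called below; run by hand: apply_nm_dns_settings "Wired connection 1"
apply_nm_dns_settings() {
    conn=$1
    nmcli connection modify "$conn" ipv4.method auto ipv4.ignore-auto-dns yes
    nmcli connection modify "$conn" ipv6.method ignore
    # Bounce the connection so the resolver picks up the change, instead of
    # restarting NetworkManager outright as the post does.
    nmcli connection down "$conn" && nmcli connection up "$conn"
}

# Print the nameserver addresses of a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Dotted-quad IPv4 address -> 32-bit integer (positional params are function-local).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_prefix ADDR CIDR: true when ADDR lies inside CIDR (e.g. 10.0.0.0/8).
ip_in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# resolv_leak_check FILE PREFIX...
# exit 0: every resolver is inside an allowed VPN prefix
# exit 1: a resolver outside the VPN (ISP/router address, or IPv6 while the
#         tunnel is IPv4-only) -> leak candidate
# exit 2: nothing outside, but a loopback stub (127.x, e.g. dnsmasq's 127.0.1.1)
#         hides the real upstreams, so the file alone proves nothing
resolv_leak_check() {
    file=$1; shift
    rc=0
    for ns in $(list_nameservers "$file"); do
        case $ns in
            *:*) echo "LEAK: $ns is an IPv6 resolver; it bypasses an IPv4-only tunnel"
                 rc=1; continue ;;
        esac
        if ip_in_prefix "$ns" 127.0.0.0/8; then
            echo "STUB: $ns is a local forwarder; inspect its upstreams instead"
            [ "$rc" -eq 0 ] && rc=2
            continue
        fi
        ok=1
        for p in "$@"; do
            if ip_in_prefix "$ns" "$p"; then ok=0; break; fi
        done
        if [ "$ok" -ne 0 ]; then
            echo "LEAK: $ns is outside the allowed VPN range(s): $*"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh dnscheck.sh /etc/resolv.conf 10.0.0.0/8
if [ $# -ge 2 ]; then
    resolv_leak_check "$@"
fi
```

When the check reports a stub, look at what the stub forwards to rather than at resolv.conf: `systemd-resolve --status` on Ubuntu 16.04 lists the per-link DNS servers, and `nmcli device show` shows the IP4.DNS entries NetworkManager pushed; any ISP or router address there is the leak, whatever resolv.conf says.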

Hello!

 

It's for those kinds of reasons that Network Manager isn't recommended.

 

Would Eddie CLI Edition be of interest?

 

Or running Air through your router perhaps?

 

Or OpenVPN directly.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.


I use Network Manager's chosen resolver and outsourced my DNS leak protection to netfilter. Then Network Manager can try to resolve with whatever IPs it may, without leaks.

In iptables, block UDP port 53 (and any other DNS ports) but allow it for 10/8 IP range.  Nothing can get through unless it's sent to a private network.  This will work so long as you aren't by default already using a 10/8 IP range.  If you are already on a 10/8 range, restrict it to a subset of the range that only AirVPN uses.  If AirVPN uses the same DNS IPs for all locations, then just use those specific IPs.

My solution is wrapped into a custom firewall script that I can switch to VPN mode, but it can be just a few lines with those rules. Depending on your needs, you can set up a VPN zone in firewalld and add them there, because Network Manager performs a zone switch if it's configured to and you get to choose what zone you want. This would be good if you prefer to use your own DNS solution outside of VPN. There are free encrypted, no-log DNS servers you can use in place of your ISP's default ones. It helps, but this would not be a leak-free solution. I haven't figured out how to add custom iptables rules per zone in firewalld, but my script has worked well as it is zone-independent, so that when the VPN disconnects I am still protected, as no website gets resolved and I effectively can't get to sites.

I never get DNS leaks on any site that performs the test, including the two that AirVPN links to. This is because when DNS is performed on a server outside of the 10/8 IP range, netfilter will block the request, and upon receiving no reply, it will use the next DNS server in the list, which should be an AirVPN one. To watch the blocks occur, add a log rule preceding the block rule and tail the logs. You can also add the log rule regardless to watch ports 53, 853 (and any other DNS ports) and you can grep it later for DNS leak attempts over time.

The reason I prefer a kernel-level DNS lock solution instead of application-based ones is that applications can't protect the computer during boot, between the time netfilter starts and the time EDDIE or other apps start. This is not an AirVPN issue, or any other VPN provider's issue, but is just a gap that exists regardless of computer, operating system, or VPN solution. Custom iptables rules apply at the time netfilter starts, which I believe is early in the boot process when the rest of the network functionality starts. I'd need a systems administrator to confirm exactly when network functionality begins and when iptables rules apply, but for security reasons I would assume the firewall would apply first. Applying the protection during boot is a better solution than waiting for an application to own this task.

An application-based DNS lock is still desirable and most VPN providers offer their own solution, certainly AirVPN, but for the above reasons I decided to use something else.

A quick note: adding another DNS server to the list as primary while keeping the ISP DNS at the bottom is asking for leaks. It doesn't matter if Network Manager, or anything else, is used, because the system will check the first one, and due to the nature of the UDP protocol and the internet's ever-present packet loss, some queries will get lost and time out, and by design the system will check the next one in the list. Your ISP DNS should not be in the list, but if it has to be, get your firewall to block the requests. In situations where paranoia is warranted, use OpenDNS or another no-log DNS as your manual, non-DHCP-configured DNS servers so your ISP DNS is not in the list of DNS servers, then block it anyway with your firewall. Additionally, you can run your own DNS server locally to require encryption to these preconfigured DNS servers so your ISP or anyone else can't read them en route as well. This way, if for any reason you have to lower your firewall or you must disconnect from the VPN, you won't subject yourself to a situation where you have to use your ISP DNS or unencrypted DNS. Technically, AirVPN DNS is not encrypted either, as that may require a local forwarding DNS server to do, but it's generally more trusted than the ISP's. Still, connecting to OpenDNS for your DNS queries through the VPN may be desirable if your situation warrants it.

- Sanc

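A concrete netfilter DNS lock in the spirit of Sanc's post, added here as an example rather than his script. The generator prints an iptables-restore fragment that lets DNS (UDP/TCP 53 and DNS-over-TLS on TCP 853) out only to the ranges or exact resolver IPs you pass, logs everything else with a DNSLEAK: prefix, then rejects it; a second helper summarises those kernel log lines by destination so leak attempts can be counted later, as the post suggests. The 10.0.0.0/8 range, the DNSLOCK chain name and the log prefix are assumptions, and the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not Sanc's firewall script.
# ASSUMPTION: VPN resolvers live in 10.0.0.0/8; pass your own range(s) or the
# exact AirVPN DNS IPs as /32 if they are the same for every location.

DNS_PORTS="udp --dport 53
tcp --dport 53
tcp --dport 853"

# dns_lock_rules PREFIX... -> iptables-restore fragment on stdout
dns_lock_rules() {
    echo '*filter'
    echo ':DNSLOCK - [0:0]'
    # Route every outbound DNS-looking packet through the DNSLOCK chain.
    echo "$DNS_PORTS" | while read -r spec; do
        echo "-A OUTPUT -p $spec -j DNSLOCK"
    done
    # Allowed destinations first: only the VPN range(s) given on the command line.
    for p in "$@"; do
        echo "$DNS_PORTS" | while read -r spec; do
            echo "-A DNSLOCK -d $p -p $spec -j ACCEPT"
        done
    done
    # Log the attempt (rate-limited so a leaking app can't flood the journal),
    # then REJECT instead of DROP: a port-unreachable makes the stub resolver
    # fail over to the next server immediately instead of waiting out a timeout.
    echo '-A DNSLOCK -m limit --limit 5/min -j LOG --log-prefix "DNSLEAK: "'
    echo '-A DNSLOCK -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# Load the rules on top of whatever is already there (root required).
# Re-running appends another OUTPUT jump; flush DNSLOCK and remove the jumps first
# if you change the allowed ranges.
dns_lock_apply() {
    dns_lock_rules "$@" | iptables-restore --noflush
}

# dns_leak_summary: read kernel log lines on stdin (e.g. `journalctl -k | dns_leak_summary`)
# and print "destination count" for every resolver that was blocked.
dns_leak_summary() {
    grep 'DNSLEAK: ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DST=/) { sub("DST=", "", $i); n[$i]++ }
    } END { for (d in n) print d, n[d] }' | sort
}

# Stand-alone use: sh dnslock.sh 10.0.0.0/8 > dnslock.rules
if [ $# -gt 0 ]; then
    dns_lock_rules "$@"
fi
```

The OUTPUT jumps only catch traffic the local host originates, which is exactly the gap the post describes between netfilter starting and the VPN client starting; load the fragment from whatever brings netfilter up at boot (an iptables-restore unit or the distribution's persistent-rules package) rather than from a VPN up-script, or the window is still open.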
