Which DNS server is better/more secure?

[No One 0]

When I set my NIC to obtain DNS server automatically and then I run DNS Leaktest I always get Google servers that show up leaking (usually 3 servers). If I use DNSCrypt or just set NIC to use the following DNS servers and set to OpenDNS servers I only get 1 server showing that its leaking and its the OpenDNS server. So which one is the best / more secure way to go? Any help is appreciated.

Thanks-

P.S. Even though I am connecting to Air server in Netherlands the google servers can be located in USA, Germany, or Netherlands.

[Staff 9771]

Hello!

Securing your connection against leaks in case of accidental disconnection will also fix Windows DNS leak:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

In order to only fix DNS leaks with Windows please see here:

http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

Kind regards

[Skittles77@tormail.org 0]

Does anyone know how these online leak tests work? They show leaks for me as well, but when monitoring my traffic I see that all DNS requests go through my encrypted channel, not straight through my unencrypted adapter.

[MrConducter 11]

I just changed my DNS settings on my router and adapter to Comodo secure DNS servers. So far it is fast and they are all that show up on the leak tests.

[worric 12]

As long as DNS queries are done through the VPN tunnel (TUN/TAP virtual adapter), there are no leaks. The DNS servers (or whoever is listening in) will only see the AirVPN exit IP performing the DNS query.

Therefore, the DNS servers listed in dnsleaktest.com are not leaks as such; they only show which DNS servers were queried.

The leaking problem becomes real because Windows has 2 sets of DNS servers available when you're connected to the VPN: The VPN DNS's AND the network adapter's DNS servers (typically obtained through DHCP from a home router).

Now, when dnsleaktest tests for leaks, it does so trying to provoke Windows to access the non-VPN set of DNS servers (dont ask me how), and if it succeeds, they will be listed on the dnsleaktest site.

I had a DNS leak and dnsleaktest found it. Alongside my VPN DNS servers were also listed my ISP's DNS servers: Windows used my network adapter's DHCP-obtained DNS servers to contact another site, OUTSIDE of the tunnel, making the origin of my query my ISP assigned WAN IP. Not good.

The solution?

I used Comodo firewall to create a rule that blocked all communication FROM my network adapter (192.168.1.0/24) to anywhere that is NOT my home network (again, 192.168.1.0/24)

That results in that when Windows tries to access the non-VPN set of DNS servers configure for my network adapter, it will do so outside of the tunnel (FROM 192.168.1.50 TO DNS servers), which would bypass the VPN completely - but COMODO bloks it, plugging the leak!

This little side track was just to show that the dnsleaktest doesn't show bad entries as such, but also that if you haven't hardened your security with a firewall, or with the instructions on dnsleaktest, Windows WILL leak DNS servers, exposing your ISP address, at some point.

The COMODO DNS servers (primary: 8.26.56.26, secondary: 8.20.247.20) are probably your best bet. I use them now, and I have no complaints. They've blocked a couple of malicious places for me already, so they're also adding some security that way

And it appears that AirVPN ARE indeed just routing DNS queries to Google DNS servers when using their DNS (10.x.0.1). Totally legitimate, no leaks there.

Now, on the other hand, if you were using Google's DNS servers on your network adapter and connected to AirVPN, and did the dnsleaktest test, you'd see Google's DNS servers, but you wouldn't know if you had a leak! (You would have a leak if you hadn't actively tried to stop them, but it's just to show that appearances can indeed be deceiving).

Regarding DNS security and spoofability, not related to leaks, here's a good source https://www.grc.com/dns/dns.htm

[Staff 9771]

And it appears that AirVPN ARE indeed just routing DNS queries to Google DNS servers when using their DNS (10.x.0.1). Totally legitimate, no leaks there.

Hello!

First of all, thank you for your really excellent message.

Just a side note / clarification: befored sending queries to Google DNS, a first resolution attempt is performed in order to bypass DOJ / ICE censorship https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=852&Itemid=142#852

Kind regards

[jessez 3]

Anyone wanting more secure, and very fast DNS can use these:

The German Privacy Foundation currently operates the following services:

DNS server (uncensored)

87,118,100,175 (ports: 53, 110)

94.75.228.29 (port: 53, 110, DNSSEC)

The Swiss Privacy Foundation operates the following uncensored DNS servers:

87,118,104,203 (ports: 53, 110, DNSSEC)

62.141.58.13 (Port: 53, 110, HTTPS, DNS, DNSSEC)

87.118.109.2 (ports: 53, 110, DNSSEC)

They also have some tor exit nodes.

Source: http://www.privacyfoundation.de/service/serveruebersicht/

Best regards,

jz

[No One 0]

OK last question. If I use opendns server and dns leaktest show that server is it going there and then to airvpn or airvpn then opendns?

Thanks-

[Staff 9771]

OK last question. If I use opendns server and dns leaktest show that server is it going there and then to airvpn or airvpn then opendns?

Thanks-

Hello!

If you use Windows, those queries may go unencrypted outside the tunnel. This happens because Windows allows different DNS for each card. When you set a particular DNS, Windows will set that DNS for your physical card, while the virtual tun/tap adapter will be pushed with another DNS from our servers.

Monitor the process svchost.exe (with Comodo or Wireshark) to see what really happens. svchost.exe sends out DNS queries (amongst many other things) on every Windows OS.

Kind regards

[No One 0]

Not sure what happened you can delete the post above with the I. Anyway I'm using iPhone. Some routers I will see the ISP dns leaking using Guizmovpn but if I use guizmodns with dnscrypt enabled I see opendns server. I'm trying to find out if that is the better of the 2. Thanks.