gfdgfdgfd454asaakhj (Posted ...):

Since I've had a DNS leak for quite a while, I would like to get more clarity on what the dangers of it are. My understanding is that my DNS provider (which in my case is my ISP, I suppose) would be able to see which sites I've visited, but if they are HTTPS that's about it? Right? What about other services like mail, messengers, Tor and so on? What is exposed from them?
zhang888 (Posted ...):

Depends on how much you trust your ISP and which country you are located in. For 99.9% of users a DNS leak would not be an issue, if you haven't done anything illegal in your country. Assuming visiting google.com is illegal in your country, and you had a DNS leak while doing it, your ISP will have it logged, and on some occasions may hand this data to the local law enforcement. Of course, most of the DNS leak "dangers" are not applicable to most users, who use their ISP without VPN the same way they use it with it, except for some P2P or geo-blocking circumvention.

-- Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
wintermute1912 (Posted ...):

I think any kind of DNS leak should be avoided at all costs. People don't realize what a vulnerable protocol DNS is (stateless UDP) and how an inadvertent resolution to the DNS server of your ISP while connected to your VPN completely compromises your security. I am so paranoid about DNS I ONLY use ovpn files with an IP address. I don't even want the DNS server of my ISP knowing which AirVPN server I am connecting to.

To completely avoid DNS leaks you'll have to use Linux. Windows and macOS have services constantly running that will leak your DNS like a sieve. Generate and only use ovpn files with resolved hostnames (i.e. there should be an IP address for the server, not a hostname). You'll also need to modify the ovpn files to include the following:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

This ensures that while the VPN is connected only the AirVPN DNS server is used. You can verify this with dig:

    dig www.ubuntu.com

You'll find when the VPN is connected dig will reliably only use the AirVPN DNS server.

You can take it a step further and really lock down the firewall with ufw, e.g. once the VPN is connected:

    sudo ufw deny in from 127.0.0.1 to any port 53 proto udp

(actually your default should be deny in, but anyway)

    sudo ufw allow in from <AirVPN DNS server address> to <AirVPN assigned public IP address> port 53 proto udp

but this can be a bit of a hassle, as when the VPN disconnects you'll need to reverse the above, and each time of course the AirVPN DNS server will be different (unless you always use the same server, which is reckless) and the assigned public IP address will also be different (unless you're using TLS servers only; I get repeat IP addresses way too often, I think because not enough people are using the TLS servers).

Make no mistake, DNS leaks are dangerous. You mention you are using Tor browser so I can only assume you want 100% certainty about your privacy. Well, this is how you get it.
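The "verify this with dig" step above is easy to eyeball once, but it is the kind of check you want to repeat after every reconnect. Here is an added shell example (not from wintermute1912's post and not AirVPN's own tooling) that pulls the answering resolver out of dig's ";; SERVER:" line and fails when it is not the resolver the VPN pushed. The resolver address 10.4.0.1 is an assumption, and both sample dig outputs are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example, not from the forum post or from AirVPN.
# Checks which resolver actually answered a dig query and fails when it
# is not the VPN-pushed resolver.  Usage:
#     dig www.ubuntu.com | dns_leak_check 10.4.0.1
# 10.4.0.1 is an assumed VPN resolver address; the sample outputs below
# are constructed.

# Print the IP of the server that answered, taken from dig's
# ";; SERVER: 10.4.0.1#53(10.4.0.1)" line (stdin = dig output).
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# Return 0 if the answering server is the expected resolver,
# 1 if another resolver answered (a leak), 2 if dig gave no SERVER line.
# $1 = expected resolver IP, stdin = dig output.
dns_leak_check() {
    expected="$1"
    server=$(dig_server)
    if [ -z "$server" ]; then
        echo "no SERVER line found; the query probably timed out" >&2
        return 2
    fi
    if [ "$server" = "$expected" ]; then
        echo "OK: answered by VPN resolver $server"
        return 0
    fi
    echo "LEAK: answered by $server, expected $expected" >&2
    return 1
}

# Constructed dig outputs: one answered over the tunnel, one by a LAN router.
SAMPLE_VPN='; <<>> DiG <<>> www.ubuntu.com
;; ANSWER SECTION:
www.ubuntu.com.         60      IN      A       203.0.113.10
;; Query time: 31 msec
;; SERVER: 10.4.0.1#53(10.4.0.1)'
SAMPLE_ISP='; <<>> DiG <<>> www.ubuntu.com
;; ANSWER SECTION:
www.ubuntu.com.         60      IN      A       203.0.113.10
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_VPN" | dns_leak_check 10.4.0.1
printf '%s\n' "$SAMPLE_ISP" | dns_leak_check 10.4.0.1 || true
```

The check deliberately keys on the SERVER line rather than on /etc/resolv.conf: resolv.conf tells you what the system intends to use, while dig's SERVER line tells you who actually answered, which is what matters when a helper script or a second resolver path is silently in play. A non-zero exit makes it usable from an OpenVPN up script or a cron job.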
wintermute1912 (Posted ...):

> zhang888 wrote:
> Depends on how much you trust your ISP and which country you are located in. For 99.9% of users a DNS leak would not be an issue, if you haven't done anything illegal in your country. Assuming visiting google.com is illegal in your country, and you had a DNS leak while doing it, your ISP will have it logged, and on some occasions may hand this data to the local law enforcement. Of course, most of the DNS leak "dangers" are not applicable to most users, who use their ISP without VPN the same way they use it with it, except for some P2P or geo-blocking circumvention.

I think using quotes to refer to DNS leak "dangers" is a bit disingenuous for a forum moderator of a VPN service. Your users are paying you assuming they're getting complete privacy, and DNS leaks seriously compromise that privacy.
gfdgfdgfd454asaakhj (Posted ...):

> wintermute1912 wrote:
> I think any kind of DNS leak should be avoided at all costs. People don't realize what a vulnerable protocol DNS is (stateless UDP) and how an inadvertent resolution to the DNS server of your ISP while connected to your VPN completely compromises your security. I am so paranoid about DNS I ONLY use ovpn files with an IP address. I don't even want the DNS server of my ISP knowing which AirVPN server I am connecting to.
>
> To completely avoid DNS leaks you'll have to use Linux. Windows and macOS have services constantly running that will leak your DNS like a sieve. Generate and only use ovpn files with resolved hostnames (i.e. there should be an IP address for the server, not a hostname). You'll also need to modify the ovpn files to include the following:
>
>     script-security 2
>     up /etc/openvpn/update-resolv-conf
>     down /etc/openvpn/update-resolv-conf
>
> This ensures that while the VPN is connected only the AirVPN DNS server is used. You can verify this with dig:
>
>     dig www.ubuntu.com
>
> You'll find when the VPN is connected dig will reliably only use the AirVPN DNS server.
>
> You can take it a step further and really lock down the firewall with ufw, e.g. once the VPN is connected:
>
>     sudo ufw deny in from 127.0.0.1 to any port 53 proto udp
>
> (actually your default should be deny in, but anyway)
>
>     sudo ufw allow in from <AirVPN DNS server address> to <AirVPN assigned public IP address> port 53 proto udp
>
> but this can be a bit of a hassle, as when the VPN disconnects you'll need to reverse the above, and each time of course the AirVPN DNS server will be different (unless you always use the same server, which is reckless) and the assigned public IP address will also be different (unless you're using TLS servers only; I get repeat IP addresses way too often, I think because not enough people are using the TLS servers).
>
> Make no mistake, DNS leaks are dangerous. You mention you are using Tor browser so I can only assume you want 100% certainty about your privacy. Well, this is how you get it.

I switched to Eddie (used the default openvpn before) and I'm on Linux; that is enough to be 100% sure there are no DNS leaks, right?

By the way, I'm pretty sure my UFW was enabled, but when I checked now it was disabled. When I re-enabled it, those ports were allowed:

    1714:1764/udp              ALLOW       Anywhere
    1714:1764/tcp              ALLOW       Anywhere

Before that everything incoming was denied. Could Eddie have done that because I'm using the built-in network lock?
wintermute1912 (Posted ...):

> gfdgfdgfd454asaakhj wrote:
> > wintermute1912 wrote:
> > I think any kind of DNS leak should be avoided at all costs. People don't realize what a vulnerable protocol DNS is (stateless UDP) and how an inadvertent resolution to the DNS server of your ISP while connected to your VPN completely compromises your security. I am so paranoid about DNS I ONLY use ovpn files with an IP address. I don't even want the DNS server of my ISP knowing which AirVPN server I am connecting to.
> >
> > To completely avoid DNS leaks you'll have to use Linux. Windows and macOS have services constantly running that will leak your DNS like a sieve. Generate and only use ovpn files with resolved hostnames (i.e. there should be an IP address for the server, not a hostname). You'll also need to modify the ovpn files to include the following:
> >
> >     script-security 2
> >     up /etc/openvpn/update-resolv-conf
> >     down /etc/openvpn/update-resolv-conf
> >
> > This ensures that while the VPN is connected only the AirVPN DNS server is used. You can verify this with dig:
> >
> >     dig www.ubuntu.com
> >
> > You'll find when the VPN is connected dig will reliably only use the AirVPN DNS server.
> >
> > You can take it a step further and really lock down the firewall with ufw, e.g. once the VPN is connected:
> >
> >     sudo ufw deny in from 127.0.0.1 to any port 53 proto udp
> >
> > (actually your default should be deny in, but anyway)
> >
> >     sudo ufw allow in from <AirVPN DNS server address> to <AirVPN assigned public IP address> port 53 proto udp
> >
> > but this can be a bit of a hassle, as when the VPN disconnects you'll need to reverse the above, and each time of course the AirVPN DNS server will be different (unless you always use the same server, which is reckless) and the assigned public IP address will also be different (unless you're using TLS servers only; I get repeat IP addresses way too often, I think because not enough people are using the TLS servers).
> >
> > Make no mistake, DNS leaks are dangerous. You mention you are using Tor browser so I can only assume you want 100% certainty about your privacy. Well, this is how you get it.
>
> I switched to Eddie (used the default openvpn before) and I'm on Linux; that is enough to be 100% sure there are no DNS leaks, right?
>
> By the way, I'm pretty sure my UFW was enabled, but when I checked now it was disabled. When I re-enabled it, those ports were allowed:
>
>     1714:1764/udp              ALLOW       Anywhere
>     1714:1764/tcp              ALLOW       Anywhere
>
> Before that everything incoming was denied. Could Eddie have done that because I'm using the built-in network lock?

Sorry, perhaps I should have been clearer: if you want to be 100% certain, don't use Eddie. Use OpenVPN 2.4 (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) with modified ovpn files generated at the Client Config control panel here at the AirVPN site. Be sure to tick "Advanced", "Separate keys etc." and most importantly "resolved hosts".

I don't know why you're messing with port 1714; all you need, if you have ufw in default deny incoming mode, is 53/udp (DNS) and 67,68/udp (DHCP). You don't even need 80,443/tcp open, as ufw will recognize a server response, correlate it to your initial outgoing request and allow it through. I recommend reading up on ufw: https://help.ubuntu.com/community/UFW

If you find the content I have provided overwhelming then it may be best to stick to Eddie. In a terminal window you can always run:

    netstat -auntc

and check you only see connections between your external AirVPN public address and other servers. And as mentioned, use dig to test DNS.

Hope this helps.
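Reading a scrolling netstat -auntc table by eye is error-prone, so here is an added shell example (not from the post and not AirVPN's own tooling) that turns the check into a filter: it flags every socket whose local address is not the VPN tunnel address, which is exactly the pattern a DNS query or connection that bypassed the tunnel would show. The tunnel address 10.4.23.5 is an assumption, and the netstat table is constructed.

```shell
#!/bin/sh
# Added example, not from the forum post or from AirVPN.
# Flags sockets whose local address is not the VPN tunnel address, i.e.
# connections that left the host on the LAN interface instead of tun0.
# Usage:  netstat -aunt | vpn_socket_check 10.4.23.5
# 10.4.23.5 is an assumed tunnel address; the sample table is constructed.

# $1 = tunnel address; stdin = netstat -aunt output.
# Prints each offending line; returns 1 if any were found, else 0.
vpn_socket_check() {
    awk -v allowed="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            local_addr = $4
            sub(/:[0-9*]+$/, "", local_addr)      # strip ":port" or ":*"
            # wildcard listeners and loopback never leave the host
            if (local_addr == "0.0.0.0" || local_addr == "::" ||
                local_addr == "127.0.0.1" || local_addr == "::1") next
            if (local_addr == allowed) next
            print "LEAK: " $0
            n++
        }
        END { exit ((n > 0) ? 1 : 0) }'
}

# Constructed table: everything either listening on a wildcard or bound
# to the tunnel address.
SAMPLE_CLEAN='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.4.23.5:44566         203.0.113.10:443        ESTABLISHED
udp        0      0 10.4.23.5:50012         10.4.0.1:53             ESTABLISHED'

# Same table plus one DNS query that went to the LAN router directly.
SAMPLE_LEAK="$SAMPLE_CLEAN
udp        0      0 192.168.1.20:41000      192.168.1.1:53          ESTABLISHED"

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CLEAN" | vpn_socket_check 10.4.23.5 && echo "clean: all sockets on the tunnel"
printf '%s\n' "$SAMPLE_LEAK" | vpn_socket_check 10.4.23.5 || echo "review the LEAK lines above"
```

Loopback and wildcard listeners are skipped because they cannot reach the ISP; everything else that is not bound to the tunnel address is printed, including UDP, which is where a stray resolver query would appear. The exit status lets the same filter run unattended after each reconnect.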