
Since I've had a DNS leak for quite a while, I would like to get more clarity on what the dangers of it are.

 

My understanding is that my DNS provider (which in my case is my ISP, I suppose) would be able to see which sites I've visited, but if they are HTTPS that's about it? Right?

 

What about other services like mail, messengers, Tor and so on? What is exposed from them?


Depends on how much you trust your ISP and which country you are located in.

For 99.9% of users a DNS leak would not be an issue, if you haven't done anything illegal in your country.

 

Assuming visiting google.com is illegal in your country, and you had a DNS leak while doing it, your ISP will have it logged, and on some occasions may hand this data to the local law enforcement.

 

Of course, most of the DNS leak "dangers" are not applicable to most users, who use their ISP without VPN the same way they use it with it, except for some P2P or geo-blocking circumvention.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


I think any kind of DNS leak should be avoided at all costs. People don't realize what a vulnerable protocol DNS is (stateless UDP) and how an inadvertent resolution to the DNS server of your ISP while connected to your VPN completely compromises your security.

 

I am so paranoid about DNS I ONLY use ovpn files with an IP address. I don't even want the DNS server of my ISP knowing which AirVPN server I am connecting to.

 

To completely avoid DNS leaks you'll have to use Linux. Windows and macOS have services constantly running that will leak your DNS like a sieve.

 

Generate and only use ovpn files with resolved hostnames (i.e. there should be an IP address for the server not a hostname). You'll also need to modify the ovpn files to include the following:

 

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

 

This ensures that while the VPN is connected only the AirVPN DNS server is used. You can verify this with dig:

 

dig www.ubuntu.com

 

You'll find when the VPN is connected dig will reliably only use the AirVPN DNS server.

 

You can take it a step further and really lock down the firewall with ufw. e.g. once the VPN is connected:

 

sudo ufw deny in from 127.0.0.1 to any port 53 proto udp

(actually your default should be deny in, but anyway)

sudo ufw allow in from <AirVPN DNS server address> to <AirVPN assigned public IP address> port 53 proto udp

 

but this can be a bit of a hassle, as when the VPN disconnects you'll need to reverse the above, and each time of course the AirVPN DNS server will be different (unless you always use the same server, which is reckless) and the assigned public IP address will also be different (unless you're using TLS servers only; I get repeat IP addresses way too often, I think because not enough people are using the TLS servers).

 

Make no mistake, DNS leaks are dangerous. You mention you are using Tor Browser, so I can only assume you want 100% certainty about your privacy. Well, this is how you get it.


 

Depends on how much you trust your ISP and which country you are located in.

For 99.9% of users a DNS leak would not be an issue, if you haven't done anything illegal in your country.

 

Assuming visiting google.com is illegal in your country, and you had a DNS leak while doing it, your ISP will have it logged, and on some occasions may hand this data to the local law enforcement.

 

Of course, most of the DNS leak "dangers" are not applicable to most users, who use their ISP without VPN the same way they use it with it, except for some P2P or geo-blocking circumvention.

 

I think using quotes to refer to DNS leak "dangers" is a bit disingenuous for a forum moderator of a VPN service. Your users are paying you assuming they're getting complete privacy, and DNS leaks seriously compromise that privacy.



I switched to Eddie (used the default openvpn before) and I'm on Linux; that is enough to be 100% sure there are no DNS leaks, right?

 

By the way, I'm pretty sure my UFW was enabled, but when I checked now it was disabled.

When I re-enabled it, those ports were allowed:

1714:1764/udp              ALLOW       Anywhere

1714:1764/tcp              ALLOW       Anywhere

Before that, everything incoming was denied.

Could Eddie have done that because I'm using the built-in network lock?


 


Sorry, perhaps I should have been clearer: if you want to be 100% certain, don't use Eddie. Use OpenVPN 2.4 (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) with modified ovpn files generated at the Client Config control panel here at the AirVPN site. Be sure to tick "Advanced", "Separate keys etc." and most importantly "resolved hosts".

 

I don't know why you're messing with port 1714. All you need, if you have ufw in default deny incoming mode, is 53/udp (DNS) and 67,68/udp (DHCP). You don't even need 80,443/tcp open, as ufw will recognize a server response, correlate it to your initial outgoing request and allow it through.

 

I recommend reading up on ufw: https://help.ubuntu.com/community/UFW

 

If you find the content I have provided overwhelming then it may be best to stick to Eddie.

 

In a terminal window you can always run netstat -auntc and check that you only see connections between your external AirVPN public address and other servers.

 

And as mentioned, use dig to test DNS.

 

Hope this helps
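The posts above tell you to check two things once the tunnel is up: which nameservers /etc/resolv.conf lists after update-resolv-conf has run, and which server dig reports in its ";; SERVER:" footer. The script below is an added example, not code from any poster or from AirVPN, that turns that manual check into a pass/fail function. It works on constructed sample inputs so it runs offline: 10.4.0.1 stands in for the resolver the VPN pushed and 192.168.1.1 for a typical ISP or router resolver; neither address comes from the thread. The live usage at the bottom assumes you pass the real files and the resolver your own configuration pushes.

```shell
#!/bin/sh
# Added example (not from the forum thread or AirVPN): offline DNS-leak check of
# the two artefacts the posts ask you to inspect after connecting:
#   1. the nameserver lines in /etc/resolv.conf
#   2. the ";; SERVER:" footer that dig prints
# The addresses below are constructed samples, not values from the thread.

# Constructed sample: resolv.conf as update-resolv-conf would leave it (clean).
RESOLV_CONF_OK='# Generated by update-resolv-conf
nameserver 10.4.0.1
search lan'

# Constructed sample: a leaking resolv.conf; the router resolver is still listed,
# so the stub resolver may fall back to it whenever the first one is slow.
RESOLV_CONF_LEAK='nameserver 10.4.0.1
nameserver 192.168.1.1'

# Constructed sample: the footer of a dig answer; only the SERVER line is used.
DIG_OUT_OK=';; Query time: 31 msec
;; SERVER: 10.4.0.1#53(10.4.0.1)
;; WHEN: Mon Jan 01 12:00:00 UTC 2024'

# Constructed sample: dig answered by the router, i.e. the query left the tunnel.
DIG_OUT_LEAK=';; SERVER: 192.168.1.1#53(192.168.1.1)'

# nameservers_in CONF -> every nameserver address in CONF, one per line
nameservers_in() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# dig_server_in OUTPUT -> the address dig actually queried (text before the '#')
dig_server_in() {
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# resolv_conf_ok CONF ALLOWED -> 0 only if CONF lists at least one nameserver and
# every one of them is in ALLOWED (a space-separated list of addresses).
resolv_conf_ok() {
    conf="$1"; allowed=" $2 "
    found=0
    for ns in $(nameservers_in "$conf"); do
        found=1
        case "$allowed" in
            *" $ns "*) ;;
            *) return 1 ;;   # an extra resolver is exactly how the leak happens
        esac
    done
    [ "$found" -eq 1 ]
}

# dig_server_ok OUTPUT ALLOWED -> 0 if dig's SERVER line names an allowed resolver
dig_server_ok() {
    srv=$(dig_server_in "$1")
    [ -n "$srv" ] || return 1
    case " $2 " in
        *" $srv "*) return 0 ;;
        *) return 1 ;;
    esac
}

# dns_leak_check CONF DIG_OUTPUT ALLOWED -> prints a verdict; returns 0 when clean
dns_leak_check() {
    if resolv_conf_ok "$1" "$3" && dig_server_ok "$2" "$3"; then
        echo "OK: only $3 in use"
        return 0
    fi
    echo "LEAK: resolvers=$(nameservers_in "$1" | tr '\n' ' ')dig=$(dig_server_in "$2")"
    return 1
}

# Live usage once the tunnel is up (10.4.0.1 is an assumed VPN-pushed resolver;
# substitute the one your configuration actually pushes):
#   dns_leak_check "$(cat /etc/resolv.conf)" "$(dig www.ubuntu.com)" 10.4.0.1
```

Both checks are needed: resolv.conf tells you what the system *could* use, while dig's footer tells you what a real query *did* use. A second nameserver line is flagged even when dig happens to pick the VPN resolver, because resolver fallback is precisely the path an inadvertent ISP lookup takes.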
