I have my airvpn *.ovpn configuration running on my router, and when connecting to ipleak.net from a machine on my LAN no DNS leaks are detected. However, if on that machine I change my Firefox Network Setting "Enable DNS over HTTPS" -> "Use Provider: Cloudflare (Default)" then ipleak.net shows a Cloudflare DNS server (I'm running Firefox on an Ubuntu machine).

I've tried adding:
-A FORWARD -p tcp -d 1.1.1.1 --dport 443 -j DROP
-A FORWARD -p udp -d 1.1.1.1 --dport 443 -j DROP
to netfilter/iptables on my router, but this doesn't stop the leak appearing. Does anybody know how I can stop this DNS leak other than by manually checking all the Firefox settings on all the machines on my LAN?

Let me be more specific - what I'm not sure of is whether ipleak.net is giving me a false positive or not. The blocks I've put in netfilter, i.e.

-A INPUT -p tcp -d 1.1.1.1 --dport 443 -j DROP_INPUT_443
-A INPUT -p udp -d 1.1.1.1 --dport 443 -j DROP_INPUT_443
do work - when I run the following from a machine on my LAN:
$ dig @1.1.1.1 -p 443 google.com
I can see netfilter dropping this packet in the syslog of my router:
Oct 13 11:27:37 profrouter kernel: [45806.752665] Dropped_Forward_443: IN=enp3s0 OUT=tun0 MAC=00:0e:c4:ce:e9:84:44:6d:57:6b:99:cb:08:00 SRC=10.0.0.105 DST=1.1.1.1 LEN=79 TOS=0x00 PREC=0x00 TTL=63 ID=52104 PROTO=UDP SPT=56310 DPT=443 LEN=59 
This being so, why does ipleak.net report a DNS leak when I activate DNS over HTTPS in Firefox? I would expect the DoH calls made by Firefox to also be dropped by netfilter and not appear as a leak on ipleak.net.
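Added example, not from the thread: it replays the poster's test by parsing netfilter LOG lines in the format shown above and evaluating each packet against the same (proto, dst, dport) DROP rules. Firefox's "Cloudflare (Default)" DoH provider is the hostname mozilla.cloudflare-dns.com, which does not resolve to 1.1.1.1, so a rule keyed on 1.1.1.1 matches the dig probe but not the browser's DoH flow; the second log line and its 104.16.x.x destination are constructed for illustration.

```python
import re

# Fields of a netfilter LOG line (kernel ring buffer / syslog format).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# The rules from the thread, as (protocol, destination, destination port).
DROP_RULES = [("tcp", "1.1.1.1", 443), ("udp", "1.1.1.1", 443)]

def parse_log_line(line):
    """Extract the 5-tuple from a netfilter LOG line; None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"].lower(),
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}

def is_dropped(pkt, rules=DROP_RULES):
    """True if some rule's protocol, destination and dport all match."""
    return any(pkt["proto"] == p and pkt["dst"] == d and pkt["dpt"] == port
               for p, d, port in rules)

# Constructed sample log: the thread's dig probe to 1.1.1.1:443, plus an
# assumed DoH TCP flow from the same LAN host to a non-1.1.1.1 address
# (Firefox's provider is a hostname, so the address is not 1.1.1.1).
SAMPLE_LOG = [
    "Oct 13 11:27:37 profrouter kernel: [45806.752665] Dropped_Forward_443: "
    "IN=enp3s0 OUT=tun0 SRC=10.0.0.105 DST=1.1.1.1 LEN=79 TOS=0x00 PREC=0x00 "
    "TTL=63 ID=52104 PROTO=UDP SPT=56310 DPT=443 LEN=59",
    "Oct 13 11:28:02 profrouter kernel: [45831.000000] Forward_443: "
    "IN=enp3s0 OUT=tun0 SRC=10.0.0.105 DST=104.16.248.249 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=41234 DPT=443 SYN URGP=0",
]

def audit(lines, rules=DROP_RULES):
    """Map each port-443 destination in the log to whether a rule drops it."""
    out = {}
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt["dpt"] == 443:
            out[pkt["dst"]] = is_dropped(pkt, rules)
    return out

if __name__ == "__main__":
    for dst, dropped in audit(SAMPLE_LOG).items():
        print(f"{dst}: {'dropped' if dropped else 'forwarded over tun0'}")
```

Only the 1.1.1.1 destination is reported as dropped; the DoH flow to the provider's real address passes the rules and leaves via tun0, which is what ipleak.net then sees.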


I think you can't. You are querying a DNS server over the tunnel, since HTTPS is tunneled just like everything else. If you are on a VPN, it's safer if you don't use DoH since your queries are encrypted and then mixed with queries of all other users.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

2 minutes ago, giganerd said:

I think you can't. You are querying a DNS server over the tunnel, since HTTPS is tunneled just like everything else. If you are on a VPN, it's safer if you don't use DoH since your queries are encrypted and then mixed with queries of all other users.


I agree that there is no need whatsoever for a machine on my LAN to use DoH in Firefox, given that all traffic from my LAN is tunnelled on TUN, including all DNS traffic. What I'm trying to do is to block the apparent leak that activating DoH in Firefox seems to generate - what I don't understand is how Firefox's DoH is apparently able to jump across the netfilter of my router.

20 hours ago, dr_kristau said:
what I don't understand is how Firefox's DoH is apparently able to jump across the netfilter of my router.

Thanks to this post I understand it now, for posterity.
