NaDre

Mullvad intercepts DNS packets


I recently decided to try out Mullvad.

I run my own DNS server - Unbound. So my Unbound instance will make direct queries to root name servers. When I have the VPN running, these queries will go over the VPN.

Well, they go over the VPN to the root server when I use AirVPN. They do not when I use Mullvad. They get redirected to a Mullvad DNS server.

If you have Mullvad, you can easily check this yourself. First here is a list of the root name servers for .com:
 

$ dig com ns

; <<>> DiG 9.11.9 <<>> com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61487
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    86400   IN      NS      d.gtld-servers.net.
com.                    86400   IN      NS      c.gtld-servers.net.
com.                    86400   IN      NS      e.gtld-servers.net.
com.                    86400   IN      NS      i.gtld-servers.net.
com.                    86400   IN      NS      b.gtld-servers.net.
com.                    86400   IN      NS      l.gtld-servers.net.
com.                    86400   IN      NS      h.gtld-servers.net.
com.                    86400   IN      NS      k.gtld-servers.net.
com.                    86400   IN      NS      g.gtld-servers.net.
com.                    86400   IN      NS      f.gtld-servers.net.
com.                    86400   IN      NS      j.gtld-servers.net.
com.                    86400   IN      NS      m.gtld-servers.net.
com.                    86400   IN      NS      a.gtld-servers.net.

;; Query time: 137 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 29 10:10:00 MDT 2020
;; MSG SIZE  rcvd: 256

Then with the VPN off you can do this:
 
$ dig @d.gtld-servers.net google.com

; <<>> DiG 9.11.9 <<>> @d.gtld-servers.net google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19136
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172800  IN      AAAA    2001:4860:4802:34::a
ns2.google.com.         172800  IN      A       216.239.34.10
ns1.google.com.         172800  IN      AAAA    2001:4860:4802:32::a
ns1.google.com.         172800  IN      A       216.239.32.10
ns3.google.com.         172800  IN      AAAA    2001:4860:4802:36::a
ns3.google.com.         172800  IN      A       216.239.36.10
ns4.google.com.         172800  IN      AAAA    2001:4860:4802:38::a
ns4.google.com.         172800  IN      A       216.239.38.10

;; Query time: 87 msec
;; SERVER: 2001:500:856e::30#53(2001:500:856e::30)
;; WHEN: Wed Jul 29 10:11:20 MDT 2020
;; MSG SIZE  rcvd: 287

Note the line about "recursion requested but not available", and that it does not give an address for google.com, just information about its name servers with their addresses.

Now with Mullvad on:
 
$ dig @d.gtld-servers.net google.com

; <<>> DiG 9.11.9 <<>> @d.gtld-servers.net google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40207
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a5a686d10c9e59acb0c5581f5f219fe13f06ab16ec7c293d (good)
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             159     IN      A       172.217.168.238

;; AUTHORITY SECTION:
google.com.             42500   IN      NS      ns1.google.com.
google.com.             42500   IN      NS      ns4.google.com.
google.com.             42500   IN      NS      ns2.google.com.
google.com.             42500   IN      NS      ns3.google.com.

;; Query time: 149 msec
;; SERVER: 192.31.80.30#53(192.31.80.30)
;; WHEN: Wed Jul 29 10:12:13 MDT 2020
;; MSG SIZE  rcvd: 155

It has done the recursion and provided the address for google.com. No "additional" section with glue information for name servers.

This last response was not from a root name server.

Others have also encountered this:

https://www.reddit.com/r/WireGuard/comments/f15g5i/mullvad_prevents_using_custom_dns

https://news.ycombinator.com/item?id=17095618

I would say this is extremely poor judgement, even if it is not being done for malicious reasons. This is a "DNS man in the middle".

EDIT:

You can do this test on Windows too. With the VPN off:
 
C:\???>nslookup google.com d.gtld-servers.net
(root)  nameserver = h.root-servers.net
(root)  nameserver = i.root-servers.net
(root)  nameserver = j.root-servers.net
(root)  nameserver = k.root-servers.net
(root)  nameserver = l.root-servers.net
(root)  nameserver = m.root-servers.net
(root)  nameserver = a.root-servers.net
(root)  nameserver = b.root-servers.net
(root)  nameserver = c.root-servers.net
(root)  nameserver = d.root-servers.net
(root)  nameserver = e.root-servers.net
(root)  nameserver = f.root-servers.net
(root)  nameserver = g.root-servers.net
Server:  UnKnown
Address:  2001:500:856e::30

Name:    google.com
Served by:
- ns2.google.com
          2001:4860:4802:34::a
          216.239.34.10
          google.com
- ns1.google.com
          2001:4860:4802:32::a
          216.239.32.10
          google.com
- ns3.google.com
          2001:4860:4802:36::a
          216.239.36.10
          google.com
- ns4.google.com
          2001:4860:4802:38::a
          216.239.38.10
          google.com

With Mullvad on:
 
C:\???>nslookup google.com d.gtld-servers.net
Server:  d.gtld-servers.net
Address:  192.31.80.30

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:400e:80d::200e
          172.217.168.238
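The check above, reduced to its header-level logic, as an added example that is not code from this thread or from either VPN provider: it builds two constructed DNS replies (not captured packets) whose flags and section counts mirror the two dig outputs in the post, then classifies each the way a reader does by eye. The names, record contents and TTLs in the samples are constructed; a real TLD server such as d.gtld-servers.net never sets RA or fills the ANSWER section for a query it only refers onward.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def encode_name(name: str) -> bytes:
    """Encode a dotted name in wire format: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_reply(ident: int, flags: int, qname: str, answers: int, authority: int) -> bytes:
    """Constructed sample reply (not captured traffic): header, one A question,
    then `answers` A records and `authority` NS records. Record names use a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!6H", ident, QR | flags, 1, answers, authority, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rr_a = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 159, 4) + bytes([172, 217, 168, 238])
    ns_rdata = b"\x03ns1\xc0\x0c"  # "ns1" label + pointer, i.e. ns1.<qname>
    rr_ns = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 172800, len(ns_rdata)) + ns_rdata
    return header + question + rr_a * answers + rr_ns * authority

def parse_header(msg: bytes) -> dict:
    """Return the fields dig prints as 'flags:' and the section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_reply(msg: bytes) -> str:
    """Classify a reply to a query sent straight to a TLD server. A genuine TLD
    server does not recurse: RA stays clear and it returns a referral (ANSWER 0,
    NS records in AUTHORITY). RA set or a non-empty ANSWER section means that
    something on the path answered in its place."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] or h["ancount"] > 0:
        return "intercepted"
    if h["nscount"] > 0:
        return "referral"
    return "unexpected"

# Constructed samples mirroring the two dig outputs in the post (ids, flags, counts).
REFERRAL = build_reply(19136, RD, "google.com", answers=0, authority=4)
INTERCEPTED = build_reply(40207, RD | RA, "google.com", answers=1, authority=4)

if __name__ == "__main__":
    for label, msg in (("VPN off", REFERRAL), ("VPN on", INTERCEPTED)):
        print(f"{label}: {classify_reply(msg)} {parse_header(msg)}")
```

To run the same check live, send a query with recursion disabled (dig +norecurse) directly to a TLD server and feed the raw reply to classify_reply; a replacement resolver shows up as "intercepted" before you even look at the SERVER line.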

Just AirVPN.

I am not unhappy with AirVPN. I was just curious how Mullvad had set up WireGuard. Tried to do my normal stuff and hit this.

If they had malicious intent, they could have made the response from their DNS server look like a root server. So I chalk this up to "the road to hell is paved with good intentions".

They mention this themselves, so this shouldn't be news if any of these ladies/gentlemen in the links you quoted actually RTFM.
 

Quote
It's worth noting that all our VPN servers hijack calls to our public DNS server and that the DNS requests are processed on a local non-logging DNS server installed on that VPN server. This is done to process requests faster and to leak less information to the internet.

I tried their app for Linux and you can enter your own DNS servers there, or choose to not alter them at all, and that worked. So I can't reproduce the Reddit poster's findings. But to be fair, I tried v2020.05 and he/she was on an older version. Things could've changed.
Only nuisance was that right after launch the app connected itself and set Mullvad's DNS servers without asking.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums are a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.

42 minutes ago, giganerd said:

They mention this themselves, ..


Perhaps they should explain some of the limitations this will cause, and put this notice in a much more prominent location?

I say this because this is not "net neutrality". Should that not be the default starting point?

If your ISP did this (to "protect" you) would that be reasonable? Or would that be "ISP spying"?

I did not attempt to read every page on their site before I tried using it. I doubt that many people would. Also, when did they add that single paragraph in an obscure location? After they received several complaints? I would say that this was not an adequate response.
5 minutes ago, NaDre said:

Perhaps they should explain some of the limitations this will cause, and put this notice in a much more prominent location?


And what are the limitations in your eyes? As long as DNS requests are resolved correctly and not poisoned, it's okay. It'd create a giant backlash on the internet if they started playing with the results.
 
8 minutes ago, NaDre said:

I say this because this is not "net neutrality". Should that not be the default starting point?


I fail to see how this is an argument against net neutrality. There is a certain potential, I agree, but your link does not talk about potential. So I'd say, innocent until proven otherwise.
 
13 minutes ago, NaDre said:

I did not attempt to read every page on their site before I tried using it. I doubt that many people would. Also, when did they add that single paragraph in an obscure location? After they received several complaints? I would say that this was not an adequate response.


Why don't we ask some web archives? It was there as early as October 2019. So while the Hacker News thread was indeed in 2018, the Reddit user posted the "news" while the paragraph was indeed there. Those "several complaints" must have happened between May 2018 and mid-2019, if at all.

I'm not trying to discredit you. If you feel it's unfair what they're doing, don't use or recommend them, but you know this. I guess you may prove with 1000 good deeds that you're worth something, but it still only takes one mistake to prove you're not.

1 hour ago, giganerd said:

... As long as DNS requests are resolved correctly and not poisoned, ...

My query to a root DNS server did not return what that root server would have returned. My DNS request was not resolved.

I could not use custom DNS with SQUID over the VPN. That is the limitation I hit. I don't let the VPN be my default gateway. That requires too much trust in my VPN provider. Using SQUID bound to the VPN I can browse over the VPN without having the VPN as the default gateway. There are many processes running in Windows that I do not want using the VPN.

One of those links talked about another limitation. You expect me to write an essay?

The Wikipedia page I linked says "With net neutrality, ISPs may not intentionally block, ...". My packet was blocked.

The definition of net neutrality is pretty clear. I think many people use VPNs because they think that their ISP is not respecting net neutrality and are interfering with traffic. So wouldn't they want to know if their VPN provider is doing exactly that?

EDIT:

On AirVPN's home page it says "A VPN based on OpenVPN and operated by activists and hacktivists in defence of net neutrality ...", so it seems that AirVPN places some importance on respecting net neutrality.
 
