Staff 9972 Posted ...

Hello!

We're glad to introduce a new feature in AirVPN infrastructure: DNS block lists.

By default, AirVPN DNS remains neutral in accordance with our mission. However, from now on you have the option to enforce block lists which poison our DNS, in order, for example, to block known sources of ads, spam, malware and so on. You can manage your preferences in your account Client Area ⇨ DNS panel https://airvpn.org/dns/.

We offer only lists released with licenses which grant re-distribution for business purposes too. The system is very flexible and offers some exclusive features never seen before in other VPN services:

- You can activate or de-activate, anytime, any combination of lists.
- You can add customized exceptions and/or additional blocks.
- Any specified domain which must be blocked includes all of its subdomains too.
- Lists which can return custom A, AAAA, CNAME, TXT records are supported.
- You can define any combination of block lists and/or exceptions and/or additions for your whole account or only for specific certificate/key pairs of your account (Client Area ⇨ Devices ⇨ Details ⇨ DNS).
- Different matching methods are available for your additions and exceptions: Exact (exact FQDN), Domain (domain and its subdomains), Wildcard (with * and ? as wildcards), Contain, Start with, End with.
- An API to fetch each and every list in different formats (see Client Area ⇨ API ⇨ dns_lists service) is active.
- Any change in your selected list(s), any added exception and any added block is enforced very quickly, within a few tens of seconds. You don't need to disconnect and re-connect your account.

You can define your own lists and discuss lists and anything related in the community forum here

An essential requisite to enjoy the service is, of course, querying AirVPN DNS while your system is connected to some VPN server, which is by the way a default setup if you run any of our software.

Kind regards & datalove
AirVPN Staff
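Added example, not part of the original thread and not AirVPN's code: a small model of the six matching methods named in the announcement, showing where "Domain" and "End with" diverge and how an "Exact" exception leaves subdomains blocked. The function names, the sample `.example` domains and the rule that exceptions win over blocks are assumptions made for illustration.

```python
import re

# Constructed sample data; .example is a reserved TLD.
BLOCKLIST = ["ads.example"]                       # list entries cover subdomains
ADDITIONS = [("end", "tracker.example"), ("wildcard", "cdn?.metrics.example")]
EXCEPTIONS = [("exact", "static.ads.example")]


def matches(method, pattern, fqdn):
    """Apply one matching method to a name (semantics assumed, see lead-in)."""
    name = fqdn.rstrip(".").lower()               # DNS names are case-insensitive
    pat = pattern.rstrip(".").lower()
    if method == "exact":
        return name == pat
    if method == "domain":                        # the domain and its subdomains
        return name == pat or name.endswith("." + pat)
    if method == "wildcard":                      # only * and ? are special
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, name) is not None
    if method == "contain":
        return pat in name
    if method == "start":
        return name.startswith(pat)
    if method == "end":                           # plain suffix, no label boundary
        return name.endswith(pat)
    raise ValueError(f"unknown method: {method}")


def decide(fqdn, blocklist=BLOCKLIST, additions=ADDITIONS, exceptions=EXCEPTIONS):
    """Return 'allow' or 'block'; exceptions are checked first (assumption)."""
    if any(matches(m, p, fqdn) for m, p in exceptions):
        return "allow"
    if any(matches("domain", d, fqdn) for d in blocklist):
        return "block"
    if any(matches(m, p, fqdn) for m, p in additions):
        return "block"
    return "allow"


if __name__ == "__main__":
    for host in ("img.ads.example", "static.ads.example", "a.static.ads.example",
                 "nottracker.example", "cdn1.metrics.example", "www.example"):
        print(f"{decide(host):5s}  {host}")
```

In this model an "End with" rule for `tracker.example` also catches `nottracker.example`, which a "Domain" rule would not, so "Domain" is the narrower choice when the intent is one registrable name and its subdomains.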
zsam288 36 Posted ...

I can't find the per-device DNS setting on the devices details page?
Staff 9972 Posted ...

1 minute ago, zsam288 said:
> I can't find the per-device DNS setting on the devices details page?

Hello!

In the Devices page click the "Details" button pertaining to the "device" you wish to modify, then click the "DNS" button. You will be directed to the DNS page. Configure your favorite blocks in the block list page. The settings you define will be reserved to that "device" (i.e. to that certificate/key pair).

Kind regards
zsam288 36 Posted ...

4 minutes ago, Staff said:
> Hello! In the Devices page click the "Details" button pertaining to the "device" you wish to modify, then click the "DNS" button. You will be directed to the DNS page. Configure your favorite blocks in the block list page. The settings you define will be reserved to that "device" (i.e. to that certificate/key pair). Kind regards

Sorry, is it this screen? I don't see the button
Staff 9972 Posted ...

@zsam288 Hello! Please try again now.

Kind regards
zsam288 36 Posted ...

Is it possible the DNS blocking does not work when using WireGuard? Trying it out and websites are blocked on OpenVPN but not WireGuard
User of AirVPN 46 Posted ...

This is great, love this! Keep up the great work Air team
Clodo 176 Posted ...

43 minutes ago, zsam288 said:
> Is it possible the DNS blocking does not work when using WireGuard? Trying it out and websites are blocked on OpenVPN but not WireGuard

Just tested on Ubuntu + Eddie + WireGuard and it works as expected
Staff 9972 Posted ...

@zsam288 Hi, since the feature is strictly AirVPN DNS related, check your system DNS settings when you use WireGuard and make sure that VPN DNS is queried. What are your Operating System name and version, and which application do you run to connect via WireGuard?

Kind regards
zsam288 36 Posted ...

26 minutes ago, Staff said:
> @zsam288 Hi, since the feature is strictly AirVPN DNS related, check your system DNS settings when you use WireGuard and make sure that VPN DNS is queried. What are your Operating System name and version, and which application do you run to connect via WireGuard? Kind regards

Android + standard WireGuard app

dnsleaktest and ipleak both show I'm using AirVPN DNS but I can still access "forbidden" websites

If I switch for the same profile to OpenVPN, it blocks it well

Same problem on Windows using Eddie, not blocking on WireGuard

Edit: seems to be an issue with DNS flushing, blocking works after DNS is flushed
Staff 9972 Posted ...

@zsam288 The current version of WireGuard does not support DHCP, so not even DNS push. The server has no way to tell your client which DNS it should set. We do include a directive in the WireGuard configuration file to use the proper DNS, though. Have you generated the configuration file with our Configuration Generator? If so, can you please check the directive starting with "DNS="?

Kind regards
zsam288 36 Posted ...

4 minutes ago, Staff said:
> @zsam288 The current version of WireGuard does not support DHCP, so not even DNS push. The server has no way to tell your client which DNS it should set. We do include a directive in the WireGuard configuration file to use the proper DNS, though. Have you generated the configuration file with our Configuration Generator? If so, can you please check the directive starting with "DNS="? Kind regards

I used the QR code from the config generator to scan

DNS as per the app is 10.128.0.1

Same on Eddie on Windows

As I edited above, I think it might be a DNS flush issue maybe
Staff 9972 Posted ...

@zsam288 Hello! Just an additional check: make sure that the "device" (client certificate/key pair) you use in your Android device has the correct DNS block settings. Since you can define different lists (or no lists) for each "device", it's worth a verification.

Kind regards
Clodo 176 Posted ...

58 minutes ago, zsam288 said:
> As I edited above, I think it might be a DNS flush issue maybe

I also tested WireGuard + Android + DNS block list, and it works. But I need to force close the browser app, because it keeps the DNS resolution in cache. Nothing we can do.
yoyall 5 Posted ...

I don't understand when you would use the "ICANN exceptions" list. Would you use this to ensure that you don't access domains seized by ICANN? 🤔 I read the post on AirVPN not recognising ICANN but I'm still not clear on when you would use this list. Thanks for any clarification.
OpenSourcerer 1435 Posted ...

I'd extend Mr. yoyall's question by how AirVPN Staff determined these domains. Because I can resolve them all just fine with my ISP's resolvers (save for atdhe.net, which now is atdhes.eu).
Staff 9972 Posted ...

@OpenSourcerer @yoyall Hello!

You can use the list to bypass illegal seizures by ICANN (for example via ICE orders). This happened in the past, when domain names were seized in infringement of EU court decisions and inaudita altera parte (the right to have a legal defense was canceled and the seizure occurred without any judicial overview), so those seizures were illegal under every point of view. Not real news for USA "justice" (???) system. In the last years we have not heard anymore of illegal seizures, but we guess that the precedents are set so they can happen again potentially.

Therefore, that's the only list which is not a "block list" whatsoever, quite the contrary. We apologize for the ambiguity. If you have information about seized domains which are not in the list, and the correct IP address they should resolve into, please let us know.

Kind regards
spinmaster 30 Posted ...

I love this new feature! This is super useful, especially on mobile. With the OpenVPN app, I can now essentially get rid of all trackers and ads with a single click on my iPhone while having an encrypted AirVPN tunnel. 😀 Thanks for adding this. 👍
blueport26 11 Posted ...

Hello,

Great feature. I've run a synthetic test (https://d3ward.github.io/toolz/adblock.html) and it shows ad/tracking hosts are blocked. I have a question and a minor issue to report.

I came across a website that is broken by the default DNS rules (paywall on https://www.newsweek.pl/). I tried to guess which domains should be whitelisted under 'Custom answers' but with no luck. Is there any way to troubleshoot and find which domains should be whitelisted? (DNS request logging is probably not an option for privacy reasons 😁)

Also, each time I change DNS settings the site says it's updating my session but in reality I need to reconnect to VPN for it to take effect. I'm using the global settings ('for all of your devices').
yoyall 5 Posted ...

@blueport26 I don't know if there's a quicker way to identify which domains need to be whitelisted, but here's what I did. Using Firefox I right-clicked and "inspected" the page. Then, I clicked network and refreshed the page. You should then see which domains don't resolve. Again, I'm sure there's a better way but that's how I did it. Hope that helps.

I too noticed that changes don't take effect until I disconnect and reconnect Eddie.

@Staff Well done AirVPN - really like this new feature! 👍🙏
blueport26 11 Posted ...

@yoyall Thanks for the tip. I was doing something similar with the page inspector yesterday but I whitelisted wrong/not enough domains. I got it to work today! I checked which requests originating from 'paywall.js' had no response code and added them to the exclusion list on the DNS settings page; that did the trick for me.
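Added example, not part of the original thread: the manual inspection described in the two posts above, done over a HAR file exported from the browser's Network panel, listing hosts whose requests never received a response as candidates for an exception. The sample HAR is constructed, the function name is hypothetical, and treating status 0 as "no response" is an assumption about how the export records failed requests.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout; hosts use the reserved .example TLD.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://news.example/article"}, "response": {"status": 200}},
    {"request": {"url": "https://pay.vendor.example/check.js"}, "response": {"status": 0}},
    {"request": {"url": "https://pay.vendor.example/token"}, "response": {"status": 0}},
    {"request": {"url": "https://cdn.vendor.example/a.js"}, "response": {"status": 0}},
    {"request": {"url": "https://cdn.vendor.example/b.js"}, "response": {"status": 200}},
    {"request": {"url": "https://metrics.example/p"}, "response": {"status": 0}},
]}})


def hosts_without_response(har_text):
    """Return [(host, failed_request_count)] for hosts that never answered."""
    failed, answered = Counter(), set()
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host:
            continue  # data: URLs and similar have no host
        # Assumption: status 0 (or a missing response) means no response arrived.
        if entry.get("response", {}).get("status", 0) == 0:
            failed[host] += 1
        else:
            answered.add(host)
    # A host that answered at least once did resolve, so it is not a DNS block.
    candidates = [(h, n) for h, n in failed.items() if h not in answered]
    return sorted(candidates, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, count in hosts_without_response(SAMPLE_HAR):
        print(f"{count:3d}  {host}")
```

The output is a list of candidates only: a request can also fail because of a browser extension or an aborted load, so each host should be checked against the enabled block lists before it is added as an exception.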
benfitita 39 Posted ...

Thanks for this great feature! I love it.

Would it be possible to remove Apple macOS and iOS App Stores from Ads blocklist? Or maybe put these to a separate blocklist if these are indeed serious threats?
spinmaster 30 Posted ...

15 hours ago, benfitita said:
> Would it be possible to remove Apple macOS and iOS App Stores from Ads blocklist?

You can add any relevant domains for you on your allow list under Client area -> DNS -> Custom answers.

Though I must say: my home network consists of Apple only clients (Macbook, iPhone & iPad) and even with almost all lists enabled, I have zero issues with macOS, Appstore, Updates or whatsoever Apple related...
benfitita 39 Posted ...

I'm pretty sure it twice started working after I turned off ads blocklist. I suppose I can play with forwarding DNS through unbound to see what queries are failing when I open App Store and then add those to the whitelist. Still I'd prefer to have this sorted out for all users, especially new ones.
Staff 9972 Posted ...

3 hours ago, benfitita said:
> I'm pretty sure it twice started working after I turned off ads blocklist. I suppose I can play with forwarding DNS through unbound to see what queries are failing when I open App Store and then add those to the whitelist. Still I'd prefer to have this sorted out for all users, especially new ones.

Hello!

This is not an issue, so there's nothing to be sorted out for any user. Various apple.com subdomains, such as advertising.apple.com and banners.itunes.apple.com, are blocked by the "Ads & Trackers block list", which is a merge of public lists not compiled by us. Please remember that we do not add blocks by ourselves whatsoever.

The blocks do not seem to affect Apple Store, though, as confirmed by other users at the moment. Please be aware, however, that Apple may block access to Apple Store from VPN and Tor. This happened already in the past, even to ProtonVPN, so we can't rule out that some of our servers are already blocked by the Apple Store.

If you don't think that Apple advertising is advertising or anyway the list disturbs you, you should not enable this anti-ads list, or you can add exceptions. When you click "List", all the blocked domains are shown. Quickly search for "apple.com" and you will see immediately which subdomains are blocked. You can also propose some other block list against advertising which does not block advertising by Apple, if you can find one.

Kind regards