absolution 0 Posted ... (edited)

Hi everyone,

Bit of a strange one. When checking for DNS leaks (using the command line script: https://github.com/macvk/dnsleaktest), I very occasionally see an unexpected DNS server that doesn't seem to be part of the VPN.

So, I am connecting to Xuange in CH using WireGuard in a Docker container (I've tested using the linuxserver container and separately using gluetun). I have a QBT container that uses the WireGuard container's network service. The host system is running Ubuntu Server 20.04. I also run Pi-hole in a Docker container, with the upstream DNS set to Quad9.

I run the DNS leak script every minute inside the QBT container and see roughly 3 instances per day where there is a rogue DNS server.

Example output including a rogue DNS:

Your IP: 79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
You use 2 DNS servers:
2a00:7145:c1:1:ae29:727:2b87:f64 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
178.162.194.30 [Germany AS28753 LeaseWeb Deutschland GmbH]
Conclusion: DNS may be leaking.

Other rogue DNS that have appeared before (trimmed to only include the rogue DNSes):

172.253.9.5 [United States of America AS15169 Google LLC]
2a01:4f8:c17:739a::2 [Germany AS24940 Hetzner Online GmbH]
116.203.32.217 [Germany AS24940 Hetzner Online GmbH]
159.69.114.157 [Germany AS24940 Hetzner Online GmbH]
146.70.198.66 [Canada AS9009 M247 Europe SRL]

AirVPN staff have suggested I look into how my server could be learning about these DNS, but I am a little stumped... As far as I can tell these DNS are not associated with Quad9, so it's not like my host server's DNS is leaking into the container...

Here's my docker-compose file (this compose uses the linuxserver WireGuard client). I should add that I use the default WireGuard config file provided by AirVPN:

services:
  wireguardclient:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguardclient
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1016
      - PGID=1020
      - TZ=OMITTED
      - LOG_CONFS=true #optional
    volumes:
      - /home/NAME/containers/qbittorrent/wireguardconfig:/config/wg_confs/.
      - /lib/modules:/lib/modules
      - /home/NAME/containers/qbittorrent/scripts:/scripts
    ports:
      - VPNPORT:VPNPORT/tcp
      - VPNPORT:VPNPORT/udp
      - WEBUIPORT:WEBUIPORT
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped
  qbittorrent:
    image: linuxserver/qbittorrent:4.5.5
    container_name: qbittorrent
    network_mode: "service:wireguardclient"
    volumes:
      - VOLUMES
    restart: 'unless-stopped'
    environment:
      - TZ=OMITTED
      - WEBUI_PORT=WEBUIPORT
      - PUID=1003
      - PGID=1004

Any help/advice to debug this would be greatly appreciated. Thank you!

Edited ... by absolution
absolution 0 Posted ...

I've swapped back to using gluetun, and using the default DNS for the container (DoT + Cloudflare), for testing. I see a similar behaviour there.

The majority of the time I see an expected query:

162.158.148.72 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]

However, sometimes I see other DNS servers. Here are the others I've seen:

80.255.10.194 [Germany AS201011 Core-Backbone GmbH]
194.110.115.34 [Belgium AS9009 M247 Europe SRL]
142.147.89.225 [United States of America AS6233 xTom]
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

The last one seems to be the AirVPN DNS... Any advice on what to look into?
absolution 0 Posted ...

Further testing: I set up an HTTP proxy in Google Chrome to connect to my gluetun container. I've run the ipleak.net test several times and all of my DNS results point to Cloudflare in CH (bar a couple that went to Cloudflare in the US), which is what I want to see.

Looking more into the command line script, it looks like it uses bash.ws under the hood for its DNS leak test. Does anyone know how reliable that test is?

Something else I don't quite understand. ipleak.net says the CH Cloudflare DNS is 162.158.148.106. However, bash.ws says the CH Cloudflare DNS is 162.158.148.72. Why do they point to different IP addresses?
OpenSourcerer 1447 Posted ...

49 minutes ago, absolution said:
    Why do they point to different IP addresses?

CloudFlare is a worldwide CDN, using available servers dynamically to balance the load. The important part is that both addresses appear to be in the same subnet 162.158.148.0/24.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!
Want to contact me directly? All relevant methods are on my About me page.
absolution 0 Posted ...

I see. The two leak tests are consistent with their IPs. Do different leak tests run tests in different ways?

Do you have any advice about the occasional rogue DNS servers when using https://github.com/macvk/dnsleaktest ?
OpenSourcerer 1447 Posted ...

34 minutes ago, absolution said:
    Do different leak tests run tests in different ways?

They resolve multiple random addresses in quick succession and note down the servers resolving each query, but the processes vary in their execution.

36 minutes ago, absolution said:
    Do you have any advice about the occasional rogue DNS servers when using https://github.com/macvk/dnsleaktest ?

I'd say they're backup servers, if there really is only one DNS server configured in your system.
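One way to act on the two points above (resolvers in the same anycast /24 are the same operator; a one-off resolver over many runs is more likely a fallback than a leak), added here as an example and not code from the thread or from the dnsleaktest project: collect the script's output from every minutely run and tally which resolvers fall outside an "expected" set defined by subnet or ASN, so that "backup server" versus "something else on the host" is judged from counts over a day rather than by eyeballing single reports. The sample reports below are constructed in the script's output format (the addresses and ASNs are the ones quoted in the posts), and the two policies and the subnet/ASN rule are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample reports (not actual output from the thread's runs),
# in the shape macvk/dnsleaktest prints; addresses are those quoted above.
REPORTS = [
    """Your IP:
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

You use 1 DNS server:
162.158.148.72 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]

Conclusion:
DNS is not leaking.
""",
    """Your IP:
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

You use 2 DNS servers:
162.158.148.106 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]
178.162.194.30 [Germany AS28753 LeaseWeb Deutschland GmbH]

Conclusion:
DNS may be leaking.
""",
    """Your IP:
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

You use 2 DNS servers:
162.158.148.72 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]
80.255.10.194 [Germany AS201011 Core-Backbone GmbH]

Conclusion:
DNS may be leaking.
""",
    """Your IP:
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

You use 2 DNS servers:
2a00:7145:c1:1:ae29:727:2b87:f64 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]
80.255.10.194 [Germany AS201011 Core-Backbone GmbH]

Conclusion:
DNS may be leaking.
""",
]

# "<address> [<country ... ASnnnn org>]" lines as printed by the script.
LINE = re.compile(r"^(\S+)\s+\[(.*?)\]\s*$")
ASN = re.compile(r"\bAS(\d+)\b")

# Assumed policies: a resolver is "expected" if it is inside a known anycast
# range (the /24 point made above) or belongs to the ASN that should answer.
POLICY_CLOUDFLARE = {"networks": [ipaddress.ip_network("162.158.148.0/24")],
                     "asns": {13335}}   # gluetun's unbound -> Cloudflare
POLICY_AIRVPN = {"networks": [], "asns": {51430}}  # only the Xuange exit's ASN


def parse_report(text):
    """Parse one report into the exit IP entry and the list of resolver entries."""
    section, exit_ip, servers = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Your IP"):
            section = "ip"
            continue
        if line.startswith("You use"):
            section = "dns"
            continue
        if line.startswith("Conclusion"):
            section = "conclusion"
            continue
        m = LINE.match(line)
        if not m:
            continue
        addr, info = m.groups()
        asn = ASN.search(info)
        entry = {"ip": ipaddress.ip_address(addr),
                 "asn": int(asn.group(1)) if asn else None, "info": info}
        if section == "ip":
            exit_ip = entry
        elif section == "dns":
            servers.append(entry)
    return {"ip": exit_ip, "servers": servers}


def is_expected(server, policy):
    # An IPv6 address is never "in" an IPv4 network; ipaddress returns False.
    return (server["asn"] in policy["asns"]
            or any(server["ip"] in net for net in policy["networks"]))


def rogue_servers(report, policy):
    return [s for s in report["servers"] if not is_expected(s, policy)]


def summarise(reports, policy):
    """Tally rogue resolvers over many runs.
    Returns (runs, runs_with_rogue, Counter of rogue IP -> occurrences)."""
    counts, runs_with_rogue = Counter(), 0
    for text in reports:
        rogue = rogue_servers(parse_report(text), policy)
        runs_with_rogue += bool(rogue)
        for s in rogue:
            counts[str(s["ip"])] += 1
    return len(reports), runs_with_rogue, counts


if __name__ == "__main__":
    for name, policy in (("cloudflare", POLICY_CLOUDFLARE), ("airvpn", POLICY_AIRVPN)):
        runs, bad, counts = summarise(REPORTS, policy)
        print(f"{name}: {bad}/{runs} runs with unexpected resolvers")
        for ip, n in counts.most_common():
            print(f"  {n:3d}  {ip}")
```

To use it on real data, save each minutely run's output to its own file (for example from the cron job that already runs the script inside the QBT container) and pass the file contents as `reports`. A resolver that recurs every day at a low rate and sits in a hosting ASN near the exit matches the "backup server" reading; a resolver that matches the host's upstream (Quad9's ASN) or appears only when a particular container runs is the case worth chasing further.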
absolution 0 Posted ...

Thank you for the info.

Right now I'm using gluetun with a QBT container that's connected to gluetun's network service. My host is running Pi-hole as a DHCP server with Quad9 as the upstream. So, my home network uses one DNS and the VPN uses another, but the VPN should be isolated.

When using gluetun's default DNS config (unbound with Cloudflare as a provider) or using AirVPN's DNS for Xuange, I do see similar results. Roughly 3 times in 24 hours different DNS servers will appear in the leak test, but they are typically geographically nearby (either the same country or a nearby country...).

I think you are right; they are backup servers. Though AirVPN staff said that I should -only- see the Xuange server DNS when using AirVPN's DNS...
OpenSourcerer 1447 Posted ...

Can't help you with Gluetun, I'm afraid. :)
absolution 0 Posted ...

If it helps, I have also tested using the linuxserver WireGuard container with the WireGuard config provided by AirVPN. The DNS behaves in a similar way. A couple of times every day (when running the DNS leak test every minute) I see unexpected servers.

There's actually a lot of overlap between the rogue servers I see when using Cloudflare or AirVPN as DNS (the most common one being "80.255.10.194 [Germany AS201011 Core-Backbone GmbH]"). But, as you said, maybe it is a backup server?

My host server's DNS is a Pi-hole using Quad9 as upstream, so I can't really figure out how that could point to the German DNS... The German DNS is geographically close to Switzerland, so maybe it's just a backup DNS...
bulk88 0 Posted ...

Do you have any apps, Linux, Windows, or Android, that would embed their own DoH client or hard-code well-known global DNS server IPs? Certificate pinning (embedding the corporate public cert in the app forever, bypassing ICANN PKI CAs totally) and the Facebook smartphone app, for example, come to mind. Some app might be doing Wi-Fi portal detection, or three-letter-agency interception detection, by direct UDP port 53 to well-known public DNS by hard-coded IPs, bypassing the OS.
absolution 0 Posted ...

I don't think anyone in the house has the Facebook app... We do use dockerised Caddy as a reverse proxy for a few services... There is also Pi-hole in a Docker container.

Is there any way I could test for Wi-Fi portal detection or 3LA interception detection?

If I ran the same DNS leak test on the host for a couple of days, but didn't see any of the same servers, then that would be a good sign that it's just backup servers?
absolution 0 Posted ...

I decided to repeatedly run the DNS leak script on my host server (which is running Pi-hole pointing to Quad9 upstream) to see if I saw the same set of rogue servers. Occasionally there are a different set of rogue servers:

212.102.36.145 [Switzerland, Swiss Confederation, AS60068 DataCamp Limited]
194.35.233.172 [United Kingdom, AS62240 Clouvider Limited]

Fri 24 Nov 18:28:58 GMT 2023 -
2a03:1b20:4:f011::8888 [Sweden, AS39351 31173 Services AB]
2a01:4f8:13b:3407::face [Germany, AS24940 Hetzner Online GmbH]
2a0d:f302:110:6517::bb4:214 [Austria, AS40994 Hohl IT E.U.]
83.138.55.186 [Austria, AS40994 Hohl IT E.U.]
164.68.121.162 [Germany, AS51167 Contabo GmbH]
185.65.135.123 [Sweden, AS39351 31173 Services AB]
146.70.198.66 [Canada, AS9009 M247 Europe SRL]

I think I've seen [Germany, AS24940 Hetzner Online GmbH] and [Canada, AS9009 M247 Europe SRL] before, but otherwise these look new.

So, am I just seeing backup servers? The set of rogue servers I see does seem to depend on where I am connecting to...
Staff 10052 Posted ...

@absolution

Hello!

New pieces of information from another thread:

Kind regards