ANSWERED Very rarely getting rogue DNS servers when checking for DNS leaks

[absolution 0]

Hi everyone,

Bit of a strange one.  
When checking for DNS leaks (using the command line script: https://github.com/macvk/dnsleaktest), I very occasionally see an unexpected DNS server that doesn't seem to be part of the VPN.

So, I am connecting to Xuange in CH using wireguard in a docker container (I've tested using linuxserver container and separately using gluetun).  I have a QBT container that uses the wireguard container's network service.

The host system is running ubuntu server 20.04.  I also run pihole in a docker container, with the upstream DNS set to Quad9.

I run the DNS leak script every minute inside the QBT container and see roughly 3 instances per day where there is a rogue DNS server.

Example output including a rogue DNS:
 

Your IP: 79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.] 
You use 2 DNS servers: 2a00:7145:c1:1:ae29:727:2b87:f64 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.] 
178.162.194.30 [Germany AS28753 LeaseWeb Deutschland GmbH] 
Conclusion: DNS may be leaking.

Other rogue DNS that have appeared before (trimmed to only include the rogue DNS'es

172.253.9.5 [United States of America AS15169 Google LLC] 

2a01:4f8:c17:739a::2 [Germany AS24940 Hetzner Online GmbH]
116.203.32.217 [Germany AS24940 Hetzner Online GmbH] 
159.69.114.157 [Germany AS24940 Hetzner Online GmbH] 

146.70.198.66 [Canada AS9009 M247 Europe SRL]

AirVPN staff have suggested I look into how my server could be learning about these DNS but I am a little stumped...  As far as I can tell these DNS are not associated with Quad9 so its not like my host server's DNS is leaking into the container...

Here's my docker-compose file (this compose uses the linuxserver Wireguard client).  I should add that I use the default wireguard config file provided by AIRVPN:
 

services:
  wireguardclient:
    image: lscr.io/linuxserver/wireguard:latest
    container_name: wireguardclient
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1016
      - PGID=1020
      - TZ=OMITTED
      - LOG_CONFS=true #optional
    volumes:
      - /home/NAME/containers/qbittorrent/wireguardconfig:/config/wg_confs/.
      - /lib/modules:/lib/modules
      - /home/NAME/containers/qbittorrent/scripts:/scripts
    ports:
      - VPNPORT:VPNPORT/tcp
      - VPNPORT:VPNPORT/udp
      - WEBUIPORT:WEBUIPORT
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=0
    restart: unless-stopped

  qbittorrent:
    image: linuxserver/qbittorrent:4.5.5
    container_name: qbittorrent
    network_mode: "service:wireguardclient"
    volumes:
      - VOLUMES
    restart: 'unless-stopped'
    environment:
      - TZ=OMITTED
      - WEBUI_PORT=WEBUIPORT
      - PUID=1003
      - PGID=1004

Any help/advice to debug this would be greatly appreciated.  Thank you! Edited ... by absolution

[absolution 0]

I've swapped back to using gluetun, and using the default DNS for the container (DoT + cloudflare), for testing.

I see a similar behaviour there.  The majority of the time I see an expected query

162.158.148.72 [Switzerland, Swiss Confederation AS13335 CloudFlare Inc.]

However, sometimes I see other DNS servers.  Here are the others I've seen
 

80.255.10.194 [Germany AS201011 Core-Backbone GmbH]
194.110.115.34 [Belgium AS9009 M247 Europe SRL]
142.147.89.225 [United States of America AS6233 xTom]
79.142.69.160 [Switzerland, Swiss Confederation AS51430 AltusHost B.V.]

The last one seems to be the AirVPN DNS...

Any advice on what to look into? 

[absolution 0]

Further testing: I setup a http proxy to google chrome to connect to my gluetun container.  I've run the ipleak.net test several times and all of my DNS results point to cloudflare in CH (bar a couple that went to cloudflare in the US), which is what I want to see.

Looking more into the command line script, it looks like it uses bash.ws under the hood for its dnsleak test.  Does anyone know how reliable that test is?

Something else I don't quite understand.
ipleak.net says the CH cloudflare dns is 162.158.148.106.  However, bash.ws says the CH cloudflare dns is 162.158.148.72.
Why do they point to different IP addresses?

[OpenSourcerer 1361]

49 minutes ago, absolution said:

Why do they point to different IP addresses?

CloudFlare is a worldwide CDN, using available servers dynamically to balance the load. The important part is that both addresses appear to be in the same subnet 162.158.148.0/24.

[absolution 0]

I see.
The two leak tests are consistent with their IPs.  Do different leak tests run tests in different ways?

Do you have any advice about the occasional rogue DNS servers when using https://github.com/macvk/dnsleaktest ?

[OpenSourcerer 1361]

34 minutes ago, absolution said:

Do different leak tests run tests in different ways?

They resolve multiple random addresses in quick succession and note down the servers resolving each query, but the processes vary in their execution.
 

36 minutes ago, absolution said:

Do you have any advice about the occasional rogue DNS servers when using https://github.com/macvk/dnsleaktest ?

I'd say, they're backup servers, if there really is only one DNS server configured in your system.

[absolution 0]

Thank you for the info.

Right now I'm using gluetun with a QBT container that's connected to gluetun's network service.
My host is running pihole as a dhcp server with quad9 as the upstream.

So, my home network uses one DNS and the VPN uses another, but the VPN should be isolated.

When using gluetun's default DNS config (unbound with cloudflare as a provider) or using AirVPNs DNS for Xuange, I do see similar results.  Roughly 3 times in 24 hours there will be different DNS servers appear in the leak test but they are typically geographically nearby (either the same country or a nearby country...)

I think you are right; they are backup servers.  
Though AirVPN staff said that I should -only- see the Xuange Server DNS when using AirVPN's DNS...

[OpenSourcerer 1361]

Can't help you with Gluetun, I'm afraid. :)

[absolution 0]

If it helps, I have also tested using the linuxserver wireguard container with the wireguard config provided by AirVPN.  The DNS behaves in a similar way.  
A couple of times every day (when running the DNS leak test every minute) I see unexpected servers.  There's actually a lot of overlap between the rogue servers I see when using Cloudflare or AirVPN as DNS (the most common one being "80.255.10.194 [Germany AS201011 Core-Backbone GmbH]").
But, as you said, maybe it is a backup server?

My host server's dns is a pihole using quad9 as upstream so I can't really figure out how that could point to the German DNS...

The German DNS is geographically close to Switzerland so maybe its just a backup DNS...

[bulk88 0]

Do you have any apps, linux, windows, or android, that would embed their own DOH client or hard code well known global DNS server IPs? certificate pinning/(embed the corp public cert forever in the app, bypass ICANN PKI CAs totally) and facebook smartphone app, for example, comes to mind. Some app might be doing wifi portal detection, or 3 letter agency interception detection, by direct UDP port 53 to well known public DNS by hard coded IPs, bypassing the OS.

[absolution 0]

I don't think anyone in the house has the Facebook app... We do use dockerised-Caddy as a reverse proxy for a few services...  There is also pihole in a docker container.

Is there any way I could test for wifi portal detection or 3LA interception detection?

If I ran the same dns leak test on the host for a couple of days, but didn't see any of the same servers, then that would be a good sign that its just backup servers?

[absolution 0]

I decided to repeatedly run the dns leak script on my host server (which is running pihole pointing to quad9 upstream) to see if I saw the same set of rogue servers.

Occasionally there are a different set of rogue servers
 

212.102.36.145 [Switzerland, Swiss Confederation, AS60068 DataCamp Limited]
194.35.233.172 [United Kingdom, AS62240 Clouvider Limited]
Fri 24 Nov 18:28:58 GMT 2023 - 2a03:1b20:4:f011::8888 [Sweden, AS39351 31173 Services AB]
2a01:4f8:13b:3407::face [Germany, AS24940 Hetzner Online GmbH]
2a0d:f302:110:6517::bb4:214 [Austria, AS40994 Hohl IT E.U.]
83.138.55.186 [Austria, AS40994 Hohl IT E.U.]
164.68.121.162 [Germany, AS51167 Contabo GmbH]
185.65.135.123 [Sweden, AS39351 31173 Services AB]
146.70.198.66 [Canada, AS9009 M247 Europe SRL]

I think I've seen [Germany, AS24940 Hetzner Online GmbH] and [Canada, AS9009 M247 Europe SRL] but otherwise these look new.

So, am I just seeing backup servers?  The set of rogue servers I see does seem to depend on where I am connecting to...

[Staff 9764]

@absolution

Hello!

New pieces of information from another thread:Kind regards