mrano

DNS leaks and how to fix them

I use Fedora Linux but still ran into the problem of DNS leaks.

My previous VPN service had these lines in their OpenVPN configuration files. I added the Fedora equivalent commands since it was for Ubuntu style.

These work for my system; maybe they can help others. I am not an expert and so forth.


# Allow calling of built-in executables and user-defined scripts.
script-security 2
#
# For Ubuntu: 
# Parses DHCP options from openvpn to update resolv.conf
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
# For Fedora:
up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down

Link to post

The WebRTC block app for Chrome doesn't work anymore. I tried uninstalling the app and adding it again, then refreshed the DNS detect site, but it still shows real IP.

Link to post

Hello!

 

Confirmed. In reality, it probably never worked; it was only the old testing code that was inadequate to force the leak. As you may have already seen, the ipleak.net web site is now able to force a leak with Chrome regardless of whether the WebRTC Block extension is active or not. Therefore, without firewall aid (our client Eddie Network Lock, for example), we are currently unaware of any method to effectively prevent such leaks with Chrome. If one does not prevent such leaks with Network Lock, or in any case with methods that are outside of Chrome, we think that it is very important NOT to use Chrome when inside the VPN.

 

Kind regards

Link to post

This does not help. I need to activate "force dns" to solve the DNS leak but I still want to know why I can't do this with OpenVPN and my shown config?

Link to post

I followed the hints given in this thread but DNS is still leaking.

As far as I understood it, I have to change the settings on my local adapter and not the virtual one from OpenVPN.

[Attachment: dnsleak.PNG]

Why am I still leaking my DNS which is set in the router?

edit:

I also changed the settings of the OpenVPN virtual adapter and set the DNS server manually, but I still see the DNS server which is in my router on dnsleaktest.

My OS is Win 8.1 x64

edit2:

Only the "force dns" in Eddie works, but not the thing with OpenVPN and the DNS server.

Could anybody see my mistake?

 

Hello!

 

Eddie sets 10.4.0.1 as primary DNS of all the system network interfaces, do you do the same? Compare the status of the computer network interfaces with Eddie "Force DNS" method and with your method. There must be some difference to justify the different behavior. Compare all network cards with command "ipconfig /all" issued from a command prompt.

 

Kind regards

Link to post
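
The comparison suggested in the reply above can be automated. The following is an added example, not part of the thread and not AirVPN's code: it parses English-locale `ipconfig /all` output and reports every adapter that lists a DNS server other than 10.4.0.1. The sample output, function names and status strings are constructed for illustration.

```python
import ipaddress
import re

VPN_DNS = "10.4.0.1"  # address the staff reply says Eddie sets on every interface

# "   Key . . . : value": the separating colon always follows a space or a dot,
# so IPv6 continuation lines such as "fe80::1%12" are not mistaken for keys.
KV = re.compile(r"^\s+(?P<key>[^:]*?)[ .]*[ .]:(?: (?P<val>.*))?$")

# Constructed sample of English-locale `ipconfig /all` output (not from the thread).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : fe80::1%12
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 10.4.0.1
"""

def dns_by_adapter(ipconfig_text):
    """Map each adapter section to the DNS servers listed under it, in order."""
    adapters, current, in_dns = {}, None, False
    for line in filter(str.strip, ipconfig_text.splitlines()):  # skip blank lines
        if not line[0].isspace():  # unindented line starts a new section
            name = line.strip()
            current = name[:-1] if name.endswith(":") else None
            if current:
                adapters[current] = []
            in_dns = False
            continue
        m = KV.match(line)
        if m:
            in_dns = m.group("key") == "DNS Servers"
        # A line without a key continues the value list of the previous key.
        value = (m.group("val") or "") if m else line.strip()
        if not (in_dns and current and value):
            continue
        try:
            ipaddress.ip_address(value.strip().split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue  # not an address, ignore
        adapters[current].append(value.strip())
    return adapters

def audit(ipconfig_text, vpn_dns=VPN_DNS):
    """Return {adapter: 'ok' | 'no-dns' | 'differs: <servers>'}."""
    report = {}
    for adapter, servers in dns_by_adapter(ipconfig_text).items():
        others = [s for s in servers if s != vpn_dns]
        status = "differs: " + ", ".join(others) if others else "ok"
        report[adapter] = status if servers else "no-dns"
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it once on output captured with "Force DNS" enabled and once on output captured with the manual settings shows which adapter still carries a different DNS server.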

Try setting the default gateway, which is the IP of the router / modem.

Link to post

I would like to mention that these are the settings I use regularly. The other day I tested for a DNS leak with the static IP set and sure enough I had one...

Link to post

www.ipleak.net is not showing any leak for me (only VPN server is showing) yet www.dnsleaktest.com is showing my real ISP's DNS servers so seems the leak test on www.ipleak.net is not working properly.

 

All the solutions for users like me (not that knowledgeable and only connects to VPN once in a while) seem to be either complicated or a pain in the butt. Aren't there programs that automate everything that needs to be automated in order to change the DNS when connecting through OpenVPN and change it back to your ISP's (for optimal performance) when it disconnects? Or do I really need to write code and create .bat files to get an effective working solution?

Link to post

Hello!

 

Assuming that you run Windows, the system with DNS leak problems due to the lack of a global DNS concept, please make sure to tick "Force DNS" in our client "AirVPN" -> "Preferences" -> "Advanced" menu.

 

Then, disable IPv6 in your system, when you're connected to the VPN (our service supports only IPv4). Microsoft provides tiny utilities to enable and disable IPv6 with a click:

http://support.microsoft.com/kb/929852

 

IPv6 is perhaps the reason for the difference you observe between ipleak.net and the other web site. Since ipleak.net does not support IPv6, it should be used only for IPv4 tests. EDIT: that does not seem very plausible; could you tell us whether ipleak.net still does not detect all the DNS nameservers' IP addresses or if it works correctly now?

 

Kind regards

Link to post

I was using OpenVPN directly when doing those tests. I installed dnsleak fix and that seemed to work (both sites mentioned above were no longer showing any leaks). However, something even weirder started to happen as I would connect to a server, do a test showing everything was ok, then come back a few minutes later to realise my real IP (not just the DNS) was now showing while the OpenVPN client was telling me I was still connected to the network.

I tried the Eddie client and the same thing happened (I checked the "switch DHCP to static" option to prevent DHCP reassignment) and also checked "force DNS". Again, everything works fine for the first rounds of tests and then all of a sudden the connection stops working altogether and I can no longer browse the Internet except to the ookla speedtest page which now shows my real IP connection (while the client tells me I'm still connected).

I have to do more tests because so far, for some reason, my Windows 8 setup and/or firewall are not playing well with the VPN.

I'm assuming the "force DNS" option is important to avoid DNS leaks but if I don't choose "Switch DHCP to static", does it run the risk of being reset if/when a new DHCP IP is changed?

Link to post

OK, I found my problem. There was another program requesting access to the tap adapter sporadically and screwing with the VPN connection (and leaking my real IP in the process, yikes). It would change the IP address of the tap adapter to 10.127.127.1 as a result.

 

It would be nice if there was a way for the AirVPN client to prevent config modifications to the tap driver while in use (don't know if that's possible) as this seems to be a security flaw.

 

So far everything looks good. I've set the "force DNS" option to on. Not sure if I should switch to static IP or not. But it works.

Link to post

Hello,

 

You could have prevented the leak by enabling "Network Lock". About preventing modifications to the tap driver, it is not our competence to protect your system against malware. A software injecting code into a system driver without your knowledge falls into the category of malware.

 

However, you probably meant manipulation of the tun/tap interface properties. In order to do so, the program must be authorized by you to have administrator privileges... we'll hear our Windows experts to know if some protection against programs running with administrator privileges is possible or not.

 

Kind regards

Link to post

Yes don't know why I wrote tap driver, I meant tap adapter properties indeed. Just a way to "lock" its properties while in use by the client would be nice, as there can be many programs potentially requesting access for whatever reason and trying to overwrite whatever values were set by the client. And as I experienced first hand, this can really compromise the effectiveness of the VPN when that happens.

 

In any event, I like your client better than using the OpenVPN client for the additional security options so I'll stick with it.

Link to post

 

we'll hear our Windows experts to know if some protection against programs running with administrator privileges is possible or not.

 

 

I am no expert but here are a few things I do:

------------------------

Login as a Power User. I setup anything I need to run with administrative privileges in the shortcut. So when I run any flavor of the OpenVPN GUI, I am prompted for the administrative passwd. Pain in the butt; however I am accustomed to it. (Must admit sometimes it pisses me off but that’s generally a personal or patience issue, not necessarily a computing thing. Like I want what I want when I want it, instant gratification and all that.)

 

There are also a variety of articles on setting up a shortcut to run with administrative privileges, without the UAC prompt. This is one. You can scroll down to "Related Tutorials" for other similar ones. I use these for the Pre/Connect/Disconnect scripts with OpenVPN, the DNS leak workaround Nadre posted and a few other items.

 

If you are having difficulty running applications, check out this page. There are additional links at the bottom of this also.

------------------------

I rename the Administrator user and create a bogus Administrator user, placing it in the Guest group. Cut the description (“Built-in account for administering…”) from the real one and paste it into the bogus user account.

------------------------

I do not rely on third-party applications to protect my computer, network and (especially) data. I tie down my computers to protect myself from myself. After a short time practicing, “safe computing” is easy to deal with.

------------------------

Whitelist so applications can only run from specific locations. You can find out more about this online. Something like this:

 

Run MMC as admin. > File > Add/Remove Snap-ins > select Group Policy Objects > Add > Local Computer > Finish

 

Local Computer Policy > Computer Configuration  > Windows Settings > Security Settings > Software Restriction Policies:

 

Enforcement:

All software files except libraries (such as DLLs)

All users except local administrators

 

Designated File Types:

Remove "LNK" if it's in there so that shortcuts will work.

 

Security Levels > Disallowed > Set as Default

 

Additional Rules (Security Level – Unrestricted):

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

*.lnk (shortcuts i.e. from start menu)

 

Note: I do not add my Downloads, Documents or Temp directories. I create a sub-folder within my downloads folder and create a policy that allows execution. I download and drag it into this sub-directory then execute it.

 

So something like one of these would be added to Security Level – Unrestricted:

%USERPROFILE%\Downloads\executable directory name or C:\executable directory path

Again, this is NOT the downloads directory.

 

(Security Level – Disallowed):

C:\Windows\regedit.exe

C:\Windows\System32\regedt32.exe

Note: If you need to run these, open a cmd prompt with administrative privileges and run them.

 

I add any application paths outside of Program Files that I might need (network locations, etc.).

 

You’ll run into issues with applications that do not execute from Program Files directory. Some might be: LogMeIn, WebEx, Chrome. You might want to create an explicit rule just for that one application.

 

Acrobat Reader, Flash, Firefox or other apps that automatically download to %temp% to update will fail. When I need to run an update, I run an MMC shortcut that takes me directly to GPO. I allow the temp environment for the update, then go back and disallow it. With Firefox, I download the full installer. The US location is here.

 

Blacklisting may help but is not as effective and you may find your list of rules grow over time.

------------------------

Turn off automatic sharing of $ Administrative Shares

------------------------

Remove bindings I do not use from adapters. I.E.

My Wireless Adapter does not need File and Print Sharing or IPv6, so I uncheck them.

For TAP I remove/uncheck everything but IPv4 and an AntiVirus shim.

------------------------

Disable Autorun

------------------------

I read the dialogue of installations and do not accept everything. Sometimes the install script is installing an application I never wanted. If so, I do not use that application unless I really need it.

------------------------

Read User Account Control and see what executable is trying to run with administrative privileges. I do not just assume it is what I (think I) selected.

------------------------

If I run P2P, I do it from a DMZ.

------------------------

If I am not familiar with an application, I place it in a virtual machine or sandbox.

------------------------

I do not really deal with certificates that much and would be interested in hearing if/how others have.

Link to post

Thanks for taking the time to post all this I appreciate the info. I will go through it and see if I can implement some of it without becoming too much of a hassle. It's all about balance between security and usability. I haven't had any more problems since uninstalling the program conflicting with the use of the tap adapter so I know this was definitely the reason behind my troubles and I'm very pleased with the quality of this VPN service provider so far.

Link to post

Everything but whitelisting would probably take 10-15 minutes. With regard to "protection against programs running with administrator privileges", whitelisting would apply. Or the obvious: going with another operating system, but that wasn't the context of this conversation. The whitelisting came in handy for an old colleague, some sr software architect who was doing 10 things at once and would have gotten nailed by crypto-locker if it wasn't implemented.

As long as you are paying attention and use some common sense, you should be fine without it.

Link to post

As suggested by some posts on here, the following worked for me (using the client version 2.3).

 

Going to the Preferences > Advanced > [tick] force DNS & [tick] checking if tunnel use airVPN DNS & [tick] Checking if the tunnel works effectively.

 

 

(Then tested using http://ipleak.net/ , http://whoer.net/extended & xmyip )

 

That whoer.net link is interesting. It compares local time (as reported by Javascript "Date()"?) against the "local" time (where the IP address appears to be?). And flags a mismatch.

 

So I suppose we now need to worry about a local time leak?

Link to post

Hi,

 

I know this is ancient, but I can't find another good place to start this, also don't want to open a new thread for this alone.

 

So basically, I'm trying out AirVPN for the first time here, because I want privacy from my ISP and such, but I guess something is wrong.

On ipleak.net it shows me I have a leaking DNS, that does mean I am NOT hidden, am I correct here?

I followed this guide here, but I don't see my DNS because it shows "fe80%..." which is ipv6.

Am I good to go if I simply deactivate the ipv6 protocol in the settings of the local connection (LAN) and then read out the DNS, which is ipv4 then and follow the guide again?

 

Sorry for my dumbness, but I'm not that technical about internet settings (yet).

Thank you in advance!

Link to post

...

Am I good to go if I simply deactivate the ipv6 protocol in the settings of the local connection (LAN) and then read out the DNS, which is ipv4 then and follow the guide again?

...

 

I think most people here disable IPv6 on their PC, and maybe in their router. IPv6 is a pain when it comes to privacy.

 

Unless of course you want to play with IPv6. But then you will probably be on your own.

Link to post

 

Oh I don't, believe me, I just want help.

But I think I now may have encountered a problem. See, my connection didn't work so I had to remove AirVpn to find a fix.

Now, if I have the ipv6 protocol disabled, I don't have any connection to the internet whatsoever. (ip and dns stuff set to automatic) Is that even how you do it? I didn't see that stuff in the how to setup guide I read on this forum.

Anyway, as soon as I activate ipv6, I have an internet connection going. Does anyone know how to fix it? I ask because it is related to my other question before:

 

If I have both ipv4 and ipv6 activated, do I get DNS leaks because of ipv6? That's what I infer from ipleak.net displaying my country when ipv6 was (because it isn't now, because of former stated problem) deactivated.

 

Thank you again

Link to post

You may get unexpected behavior with IPv6 because this is the way it is designed, for connectivity but not with privacy in mind.

Do you have an IPv6 address from your ISP? Since fe80% are link-local addresses, this is not considered a leak.

You will have no leaks if you either choose to disable IPv6 in the client, or enable Network Lock.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Link to post
This topic is now closed to further replies.
