DNS leaks and how to fix them

55 replies to this topic

#41 amnesty (Advanced Member, Members, 199 posts)
Posted 07 March 2015 - 10:42 PM


> we'll hear our Windows experts to know if some protection against programs running with administrator privileges is possible or not.

I am no expert but here are a few things I do:

------------------------

Log in as a Power User. I set up anything I need to run with administrative privileges in the shortcut. So when I run any flavor of the OpenVPN GUI, I am prompted for the administrative passwd. Pain in the butt; however, I am accustomed to it. (Must admit sometimes it pisses me off, but that’s generally a personal or patience issue, not necessarily a computing thing. Like I want what I want when I want it, instant gratification and all that.)

 

There are also a variety of articles on setting up a shortcut to run with administrative privileges without the UAC prompt. This is one. You can scroll down to “Related Tutorials” for other similar ones. I use these for the Pre/Connect/Disconnect scripts with OpenVPN, the DNS leak workaround NaDre posted and a few other items.

 

If you are having difficulty running applications, check out this page. There are additional links at the bottom of this also.

------------------------

I rename the Administrator user and create a bogus Administrator user, placing it in the Guest group. Cut the description (“Built-in account for administering…”) from the real one and paste it into the bogus user account.

------------------------

I do not rely on third-party applications to protect my computer, network and (especially) data. I tie down my computers to protect myself from myself. After a short time practicing “safe computing”, it is easy to deal with.

------------------------

Whitelist so applications can only run from specific locations. You can find out more about this online. Something like this:

 

Run MMC as admin. > File > Add/Remove Snap-ins > select Group Policy Objects > Add > Local Computer > Finish

 

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies:

 

Enforcement:
All software files except libraries (such as DLLs)
All users except local administrators

 

Designated File Types:
Remove "LNK" if it's in there so that shortcuts will work.

 

Security Levels > Disallowed > Set as Default

 

Additional Rules (Security Level – Unrestricted):

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
*.lnk (shortcuts, e.g. from the Start menu)

 

Note: I do not add my Downloads, Documents or Temp directories. I create a sub-folder within my downloads folder and create a policy that allows execution. I download and drag it into this sub-directory then execute it.

 

So something like one of these would be added to Security Level – Unrestricted:
%USERPROFILE%\Downloads\executable directory name or C:\executable directory path

Again, this is NOT the downloads directory.

 

(Security Level – Disallowed):

C:\Windows\regedit.exe
C:\Windows\System32\regedt32.exe

Note: If you need to run these, open a cmd prompt with administrative privileges and run them.

 

I add any application paths outside of Program Files that I might need (network locations, etc.).

 

You’ll run into issues with applications that do not execute from the Program Files directory. Some might be: LogMeIn, WebEx, Chrome. You might want to create an explicit rule just for that one application.

 

Acrobat Reader, Flash, Firefox or other apps that automatically download to %temp% to update will fail. When I need to run an update, I run an MMC shortcut that takes me directly to GPO. I allow the temp environment for the update, then go back and disallow it. With Firefox, I download the full installer. The US location is here.

 

Blacklisting may help but is not as effective, and you may find your list of rules grows over time.

------------------------

Turn off automatic sharing of $ Administrative Shares

------------------------

Remove bindings I do not use from adapters, e.g.:
My wireless adapter does not need File and Print Sharing or IPv6, so I uncheck them.
For TAP I remove/uncheck everything but IPv4 and an antivirus shim.

------------------------

Disable Autorun

------------------------

I read the dialogs during installations and do not accept everything. Sometimes the install script is installing an application I never wanted. If so, I do not use that application unless I really need it.

------------------------

Read User Account Control and see what executable is trying to run with administrative privileges. I do not just assume it is what I (think I) selected.

------------------------

If I run P2P, I do it from a DMZ.

------------------------

If I am not familiar with an application, I place it in a virtual machine or sandbox.

------------------------

I do not really deal with certificates that much and would be interested in hearing if/how others have.


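The whitelisting walkthrough in the post above is easy to get wrong in a way that either locks you out (default Disallowed with a path rule missing) or leaves a hole (whitelisting Downloads itself instead of a sub-folder). The following is an added example, not code from the post and not Windows code: a small Python model of the rule set exactly as listed, applying the documented SRP path-rule precedence (exact file beats folder\*.ext beats *.ext beats folder rule, deeper folder beats shallower), the enforcement scope (libraries and local administrators exempt) and the Designated File Types list with LNK removed, so the effect of the rule set can be checked offline before it is enforced. The expansions of the registry variables, the user profile path `C:\Users\alice` and the name of the whitelisted Downloads sub-folder (`run`) are assumptions.

```python
"""Offline model of the Software Restriction Policies rule set described above.

Added example; not Windows code and not the poster's. It applies the documented
SRP path-rule precedence, the enforcement scope and the Designated File Types
list to a candidate path and reports what the policy would decide.
"""
import fnmatch

UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"

# Assumed values of the variables used in the path rules on the modelled host.
EXPANSIONS = {
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%": r"C:\Windows",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%": r"C:\Program Files (x86)",
    r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%": r"C:\Program Files",
    r"%USERPROFILE%": r"C:\Users\alice",
}

# Security Levels > Disallowed > Set as Default
DEFAULT_LEVEL = DISALLOWED

# Additional Rules as in the post; "run" is the assumed name of the whitelisted Downloads sub-folder.
RULES = [
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%", UNRESTRICTED),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%", UNRESTRICTED),
    (r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%", UNRESTRICTED),
    (r"*.lnk", UNRESTRICTED),
    (r"%USERPROFILE%\Downloads\run", UNRESTRICTED),
    (r"C:\Windows\regedit.exe", DISALLOWED),
    (r"C:\Windows\System32\regedt32.exe", DISALLOWED),
]

# Enforcement: "All software files except libraries (such as DLLs)".
LIBRARY_EXTENSIONS = {".dll", ".ocx"}
# Designated File Types with LNK removed (a subset of the Windows default list, for illustration).
DESIGNATED = {".exe", ".com", ".bat", ".cmd", ".msi", ".vbs", ".js", ".ps1", ".scr", ".pif", ".reg"}


def _norm(path):
    """Comparison form: backslashes, lower case (SRP paths are case-insensitive), no trailing slash."""
    return path.replace("/", "\\").lower().rstrip("\\")


def expand(rule):
    """Substitute the registry/environment variables a path rule may contain."""
    for var, value in sorted(EXPANSIONS.items(), key=lambda kv: -len(kv[0])):
        rule = rule.replace(var, value)
    return _norm(rule)


def _match(rule, path):
    """Return a specificity key if `rule` matches `path`, else None. Higher keys win.

    (5) exact file, (4) folder/*.ext for files directly in that folder (assumption),
    (3) bare *.ext anywhere, (2, depth) folder rule covering the file's folder tree.
    """
    rule = expand(rule)
    folder, _, name = path.rpartition("\\")
    if "*" in rule or "?" in rule:
        rule_folder, sep, pattern = rule.rpartition("\\")
        if not sep:
            return (3, 0) if fnmatch.fnmatchcase(name, rule) else None
        return (4, 0) if folder == rule_folder and fnmatch.fnmatchcase(name, pattern) else None
    if path == rule:
        return (5, 0)
    if path.startswith(rule + "\\"):
        return (2, rule.count("\\"))
    return None


def evaluate(path, user_is_admin=False):
    """Decide whether SRP would let `path` run. Returns (level, reason)."""
    path = _norm(path)
    name = path.rpartition("\\")[2]
    ext = name[name.rfind("."):] if "." in name else ""
    if user_is_admin:
        return UNRESTRICTED, "local administrators are exempt (enforcement scope)"
    if ext in LIBRARY_EXTENSIONS:
        return UNRESTRICTED, "libraries are exempt (enforcement scope)"
    if ext not in DESIGNATED:
        return UNRESTRICTED, f"'{ext or name}' is not a designated file type, so SRP never evaluates it"
    best = None
    for rule, level in RULES:
        key = _match(rule, path)
        if key is not None and (best is None or key > best[0]):
            best = (key, rule, level)
    if best is None:
        return DEFAULT_LEVEL, "no path rule matched; the default level applies"
    return best[2], f"most specific matching rule: {best[1]}"


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\cmd.exe", r"C:\Windows\regedit.exe",
              r"C:\Users\alice\Downloads\setup.exe", r"C:\Users\alice\Downloads\run\setup.exe",
              r"C:\Users\alice\AppData\Local\Temp\update.exe", r"C:\Users\alice\Desktop\app.lnk"):
        level, reason = evaluate(p)
        print(f"{p:50} {level:12} {reason}")
```

Running it shows regedit.exe blocked even though %SystemRoot% is Unrestricted (the exact-file rule is more specific), an installer in Downloads blocked but the same file in Downloads\run allowed, an updater in %TEMP% blocked as the post warns, and a .lnk file never evaluated at all once LNK is out of Designated File Types (so the *.lnk rule only matters if LNK is left in). Only path rules are modelled; hash and certificate rules, which outrank path rules, are not represented.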

#42 guernica (Newbie, Members, 7 posts)
Posted 10 March 2015 - 09:33 PM

Thanks for taking the time to post all this; I appreciate the info. I will go through it and see if I can implement some of it without it becoming too much of a hassle. It's all about balance between security and usability. I haven't had any more problems since uninstalling the program conflicting with the use of the TAP adapter, so I know this was definitely the reason behind my troubles, and I'm very pleased with the quality of this VPN service provider so far.



#43 amnesty (Advanced Member, Members, 199 posts)
Posted 10 March 2015 - 11:15 PM

Everything but whitelisting would probably take 10-15 minutes. With regard to "protection against programs running with administrator privileges", whitelisting would apply. Or the obvious: going with another operating system, but that wasn't the context of this conversation. The whitelisting came in handy for an old colleague, some senior software architect who was doing 10 things at once and would have gotten nailed by CryptoLocker if it wasn't implemented.

As long as you are paying attention and use some common sense, you should be fine without it.



#44 mikeb2k2001 (Newbie, Members, 1 post)
Posted 12 April 2015 - 03:43 PM

As suggested by some posts on here, the following worked for me (using the client version 2.3).

Going to Preferences > Advanced > [tick] Force DNS & [tick] Check if tunnel uses AirVPN DNS & [tick] Check if the tunnel works effectively.

(Then tested using http://ipleak.net/ , http://whoer.net/extended & xmyip )



#45 NaDre (Advanced Member, Members2, 424 posts)
Posted 13 April 2015 - 04:40 PM

> As suggested by some posts on here, the following worked for me (using the client version 2.3).
>
> Going to Preferences > Advanced > [tick] Force DNS & [tick] Check if tunnel uses AirVPN DNS & [tick] Check if the tunnel works effectively.
>
> (Then tested using http://ipleak.net/ , http://whoer.net/extended & xmyip )

That whoer.net link is interesting. It compares local time (as reported by JavaScript "Date()"?) against the "local" time (where the IP address appears to be?) and flags a mismatch.

So I suppose we now need to worry about a local time leak?
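
The comparison NaDre describes can be reproduced offline. The following is an added example, not code from the thread and not whoer.net's: it computes what the browser's JavaScript `getTimezoneOffset()` reports for a given clock zone (minutes behind UTC, so the sign is the reverse of the usual "+02:00" notation), compares it with the offset of the zone the exit IP geolocates to, and samples a year to show on which dates the mismatch is visible at all, since two zones can agree in winter and disagree in summer. The zone names in the demo are assumptions; the functions accept any tzinfo.

```python
"""Model of the local-time check a leak-test page can do from the browser.

Added example, not from the thread. `getTimezoneOffset()` returns minutes
*behind* UTC: New York in summer reports 240, Berlin in summer reports -120.
"""
from datetime import datetime, timedelta, timezone


def browser_offset(now, local_tz):
    """Value getTimezoneOffset() reports for a browser whose clock is in local_tz at instant now."""
    return -int(now.astimezone(local_tz).utcoffset().total_seconds() // 60)


def time_zone_mismatch(reported_offset, exit_tz, now):
    """True when the offset the browser reported differs from the exit location's offset at `now`."""
    return reported_offset != browser_offset(now, exit_tz)


def observable_dates(local_tz, exit_tz, year, step_days=7):
    """Dates in `year` (sampled every step_days at 12:00 UTC) on which a site can see the mismatch.

    Zones that share an offset only part of the year (Europe/London and UTC, say)
    differ only during DST, so whether a test like this flags you depends on the date.
    """
    hits, t = [], datetime(year, 1, 1, 12, tzinfo=timezone.utc)
    while t.year == year:
        if time_zone_mismatch(browser_offset(t, local_tz), exit_tz, t):
            hits.append(t.date())
        t += timedelta(days=step_days)
    return hits


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # Python 3.9+; needs the system time zone database

    here = ZoneInfo("Europe/London")          # assumed real location of the user
    for exit_name in ("UTC", "Europe/Lisbon", "Europe/Amsterdam"):  # assumed exit locations
        days = observable_dates(here, ZoneInfo(exit_name), 2015)
        print(f"London user via {exit_name:16}: mismatch visible on {len(days):2} of 53 sampled days")
```

London via an Amsterdam exit is flagged all year, via UTC only from late March to late October, and via Lisbon never, because Europe/Lisbon and Europe/London keep the same offsets year-round; the "time leak" only tells a site that the browser clock and the exit location disagree, not where the user actually is.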



#46 Kim1337 (Advanced Member, Members, 33 posts)
Posted 13 April 2015 - 05:59 PM

You people should try out this link ;) https://www.grc.com/dns/dns.htm

 

Scroll down and do the spoofability test.



#47 longif (Newbie, Members, 3 posts)
Posted 17 August 2016 - 03:42 PM

Hi,

I know this is ancient, but I can't find another good place to start this, and I don't want to open a new thread for this alone.

So basically, I'm trying out AirVPN for the first time here, because I want privacy from my ISP and such, but I guess something is wrong.

On ipleak.net it shows that I have a leaking DNS; that does mean I am NOT hidden, am I correct here?

I followed this guide here, but I don't see my DNS because it shows "fe80%..." which is IPv6.

Am I good to go if I simply deactivate the IPv6 protocol in the settings of the local connection (LAN) and then read out the DNS, which is IPv4 then, and follow the guide again?

Sorry for my dumbness, but I'm not that technical about internet settings (yet).

Thank you in advance!



#48 NaDre (Advanced Member, Members2, 424 posts)
Posted 17 August 2016 - 04:22 PM

> ...
> Am I good to go if I simply deactivate the IPv6 protocol in the settings of the local connection (LAN) and then read out the DNS, which is IPv4 then, and follow the guide again?
> ...

I think most people here disable IPv6 on their PC, and maybe in their router. IPv6 is a pain when it comes to privacy.

Unless of course you want to play with IPv6. But then you will probably be on your own.



#49 longif (Newbie, Members, 3 posts)
Posted 17 August 2016 - 09:01 PM

> ...
> Am I good to go if I simply deactivate the IPv6 protocol in the settings of the local connection (LAN) and then read out the DNS, which is IPv4 then, and follow the guide again?
> ...
>
> I think most people here disable IPv6 on their PC, and maybe in their router. IPv6 is a pain when it comes to privacy.
>
> Unless of course you want to play with IPv6. But then you will probably be on your own.

Oh I don't, believe me, I just want help. :)

But I think I now may have encountered a problem. See, my connection didn't work, so I had to remove AirVPN to find a fix.

Now, if I have the IPv6 protocol disabled, I don't have any connection to the internet whatsoever (IP and DNS stuff set to automatic). Is that even how you do it? I didn't see that stuff in the how-to setup guide I read on this forum.

Anyway, as soon as I activate IPv6, I have an internet connection going. Does anyone know how to fix it? I ask because it is related to my other question before:

If I have both IPv4 and IPv6 activated, do I get DNS leaks because of IPv6? That's what I infer from ipleak.net displaying my country when IPv6 was deactivated (it isn't now, because of the problem stated above).

Thank you again :)



#50 zhang888 (Donald Trump of IT/Security, Moderators, 2219 posts)
Posted 17 August 2016 - 09:14 PM

You may get unexpected behavior with IPv6 because this is the way it is designed, for connectivity but not with privacy in mind.

Do you have an IPv6 address from your ISP? Since fe80% are link-local addresses, this is not considered a leak.

You will have no leaks if you either choose to disable IPv6 in the client, or enable Network Lock.


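A way to check on your own machine what longif and zhang888 are discussing, as an added example that is not part of the thread and not AirVPN's code: save `ipconfig /all` to a file and run it through this Python script. It parses the adapter blocks and lists every resolver configured on an adapter other than the tunnel adapter (Windows may send queries to any of them, which is the DNS leak this thread is about) and any global-unicast IPv6 address on a LAN adapter (traffic to it can bypass an IPv4-only tunnel), while ignoring the adapters' own link-local fe80:: addresses, which, as zhang888 says, are not a leak by themselves. The sample text is constructed in the Windows 7 layout; the VPN resolver `10.4.0.1` and the `TAP` substring used to recognise the tunnel adapter are assumptions.

```python
"""Audit saved `ipconfig /all` output for resolvers and IPv6 addresses outside the VPN tunnel.

Added example, not the poster's code and not AirVPN's. Reads constructed sample
text (or real output on stdin) and reports what could carry DNS or traffic
around the tunnel. Adapter link-local addresses are not reported; a link-local
*DNS server* entry is, because it points at the LAN router.
"""
import ipaddress
import re
import sys

# Constructed sample in the Windows 7 layout; not captured from a real host.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:1::20(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2b:3d4e:5f60:7a8b%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   DNS Servers . . . . . . . . . . . : fe80::1%11
                                       192.168.1.1

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Link-local IPv6 Address . . . . . : fe80::9c1d:2e3f:4a5b:6c7d%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.4.0.6(Preferred)
   DNS Servers . . . . . . . . . . . : 10.4.0.1
"""

_ADAPTER_RE = re.compile(r"^(?P<kind>\S.*?) adapter (?P<name>.+):$")
# "   Key . . . . : value"; the key starts with a letter, so address-only continuation lines never match.
_FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*: (?P<val>.*)$")
_CONT_RE = re.compile(r"^\s{20,}(?P<val>\S.*)$")   # extra values of the previous key
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")


def parse_ipconfig(text):
    """Return {adapter name: {"kind": ..., "fields": {key: [values]}}}."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = _ADAPTER_RE.match(line)
        if m:
            current = {"kind": m.group("kind"), "fields": {}}
            adapters[m.group("name")] = current
            last_key = None
            continue
        if current is None:
            continue
        m = _FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current["fields"].setdefault(last_key, []).append(m.group("val").strip())
            continue
        m = _CONT_RE.match(line)
        if m and last_key is not None:
            current["fields"][last_key].append(m.group("val").strip())
    return adapters


def _address(value):
    """Parse '2001:db8::20(Preferred)' or 'fe80::1%11' into an ip_address, or None."""
    bare = value.split("(")[0].split("%")[0].strip()
    try:
        return ipaddress.ip_address(bare)
    except ValueError:
        return None


def audit_dns(adapters, vpn_dns, tunnel_marker="TAP"):
    """Return (adapter, address, finding) tuples for everything that bypasses the tunnel.

    vpn_dns: resolver addresses pushed by the VPN, the only ones treated as in-tunnel.
    tunnel_marker: substring of the tunnel adapter's Description (assumed: OpenVPN's TAP adapter).
    """
    trusted = {ipaddress.ip_address(a) for a in vpn_dns}
    findings = []
    for name, adapter in adapters.items():
        fields = adapter["fields"]
        is_tunnel = any(tunnel_marker in d for d in fields.get("Description", []))
        for raw in fields.get("DNS Servers", []):
            ip = _address(raw)
            if ip is None or ip in trusted:
                continue
            if is_tunnel:
                findings.append((name, str(ip), "tunnel adapter uses a resolver the VPN did not push"))
            elif ip.version == 6 and ip.is_link_local:
                findings.append((name, str(ip), "off-tunnel resolver (link-local, normally the LAN router)"))
            else:
                findings.append((name, str(ip), "off-tunnel resolver"))
        if not is_tunnel:
            for raw in fields.get("IPv6 Address", []):
                ip = _address(raw)
                if ip is not None and ip in GLOBAL_UNICAST_V6:
                    findings.append((name, str(ip), "global IPv6 address outside the tunnel"))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    for adapter, address, finding in audit_dns(parse_ipconfig(text), vpn_dns=("10.4.0.1",)):
        print(f"{adapter:28} {address:24} {finding}")
```

On the sample the LAN adapter yields three findings (the router's link-local and IPv4 resolvers, and the global IPv6 address) and the TAP adapter none; the result after the fixes discussed in the thread (IPv6 disabled, only the tunnel resolver left, or Network Lock) should be an empty list. Run it against a real host with `ipconfig /all > ipconfig.txt` and `python audit.py < ipconfig.txt`, passing the resolver your VPN actually pushes.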


#51 longif (Newbie, Members, 3 posts)
Posted 18 August 2016 - 07:39 AM

> You may get unexpected behavior with IPv6 because this is the way it is designed, for connectivity but not with privacy in mind.
>
> Do you have an IPv6 address from your ISP? Since fe80% are link-local addresses, this is not considered a leak.
>
> You will have no leaks if you either choose to disable IPv6 in the client, or enable Network Lock.

Thank you! I wanted to post a screenshot of my ipleaks.net, but internet doesn't work at all now, which is stupid, because my trial will run out and I still don't know if I can get it to work (to buy a plan). Well crap.

edit: internet is back, but the trial ran out. Now I don't know if it works correctly for me / if I can set it up. -.-



#52 sporkme (Newbie, Members, 5 posts)
Posted 04 October 2016 - 02:21 AM

Hello NaDre,

 

On my Win7x64 box, I have successfully been running ISC BIND as a caching, recursive nameserver in conjunction with ForceBindIP and the OpenVPN GUI to fork my traffic, with confidential traffic going over the VPN and all general traffic over the native interface, leak-free. Over the past week or so, I have been experiencing severe DNS resolution lag, to the point where the first couple of page load attempts result in a long delay while "looking up xyz.com" followed by a "server not found" error. If I stop the ISC BIND service and toggle the adapter setting to "obtain DNS server address automatically," the problem stops. No system configuration changes were made coincidentally with this problem. I have done some digging, but ISC's voluminous documentation is quite technical and I haven't made any progress toward solving my problem. No other connected devices experience this problem, and changing DNS servers at the router level, flushing DNS, resetting hardware and all the other typical kinds of solutions one might try have had no effect. Can you point me in the right direction?

 

I plan to install the same configuration for a friend who has just subscribed to AirVPN, and compose a guide as I do so (hopefully suitable to be posted here), but I want to make sure the cause of this bug is avoided.

 

Thanks!

 

 

==Update 10/6/2016:==

I configured another DNS resolver similar to BIND, Unbound (unbound.net), with the .conf file suggested here (tenforums.com), with the same result. This is clearly a local network or OS issue. I also removed a couple of logical network adapters related to TeamViewer VPN and VirtualBox with no improvement. For now, I am using native DNS and not broadcasting any confidential traffic until I can resolve this frustrating problem. Thanks again.

 

==Update 10/6/2016:==

Solved.

A user had activated an Avast Antivirus Pro key on the system, and their Secure DNS component was the culprit.  It should be noted that this product and similar will also interfere with OpenDNS and the like.  It should be uninstalled or disabled.

 

Unbound is working great, by the way, and I think I will stick with it.  It incorporates DNSSEC.



#53 vp86162736n (Newbie, Members, 3 posts)
Posted 16 February 2017 - 10:12 PM

Hi, can anyone help with a problem I've started having? I am running OpenVPN on Win7 with Firefox and used to have DNS leaks. I sorted them a long time ago, but they have returned at random. When I check for leaks on ipleak.net it tells me I have no leaks, but refresh the page 1-3 times and DNS leaks start appearing. None of my settings have changed, so I have no idea how they have started. I have now also tried the steps at the start of this post but it has not helped. Any help appreciated. Thanks.



#54 Kinnerean (Newbie, Members, 2 posts)
Posted 11 November 2017 - 07:10 PM

I am having this same problem too. I got the leaks to vanish, but after a while ipleak shows them again. I have tried every fix I have found... to no avail, it seems.



#55 Kinnerean (Newbie, Members, 2 posts)
Posted 11 November 2017 - 08:18 PM

Ok, I might have resolved my problem: I disabled ipv6 altogether. Leaks vanished after that.



#56 fidelnorbert40 (Newbie, Members, 1 post)
Posted 23 May 2018 - 01:49 AM

You are a lifesaver. I worked at it for 10 hours and nothing worked. Very helpful. Let's have a swig.






