Ubuntu 16.04 DNS Leaks ...

Topic Author
MOQ888
Posts: 8
Joined: Sun Apr 02, 2017 6:31 pm

Postby MOQ888 » Mon Apr 03, 2017 9:30 am

Hey guys, sorry to drag this up but for years I've enjoyed CS - until last night.

Seems I have the dreaded DNS Leak despite setting the info in GitHub.

Symptom - I get a message saying this website is blocked because it contravenes (Aust) law.

What I've done so far -
1. Kept Ubuntu updated
2. Installed OpenVPN 2.3.14
3. Disabled IPv6 and added the necessary lines in one .ovpn file, removed and re-imported that config.
4. Go to dnsleaktest.com and ipleak.net and WAH it shows my ISP's DNS Proxy. How do I know it's their proxy? I have my own DNS on my LAN which has different DNS forwarding IPs (still the same ISP), so I'm thinking they're intercepting my DNS requests.

Oddly I turned the machine off in frustration last night and had another look just now. After connecting to CS US West I opened dnsleaktest.com and voila, it showed a US DNS. Hooray!

Still connected to CS, I closed Firefox and tried the leak test again, and it had gone back to my ISP's proxy.

The machine is using DHCP but I have a reservation set, a recent development so I could x11vnc to it. I tried setting a static IP last night, changing the LAN DNS to 8.8.8.8 and OpenDNS but none of that worked.

Am I doing something really dumb (or is it me)? I thought I had followed all the instructions ...

crypto_addict
Posts: 4
Joined: Tue Apr 11, 2017 8:39 pm

Re: Ubuntu 16.04 DNS Leaks ...

Postby crypto_addict » Thu Apr 13, 2017 9:17 am

I notice the same thing when I connect also. Still reporting a second DNS address. My ISP has DHCP for WAN, and I set my own DNS resolver, but I go to whoer.net, and it detects 2 addresses. First one CS DNS, second the one I entered for my router. I am also searching for a solution. If I find one, I'll share it.


Re: Ubuntu 16.04 DNS Leaks ...

Postby crypto_addict » Thu Apr 13, 2017 10:34 am

Well, I found out how and now it's fixed.
I went here:
https://github.com/cryptostorm-dev/csto ... tostorm.sh

I copied the code into a script, executed it, and went back to whoer.net to check if it's still leaking.
Nope, everything is all good now. Thanks Fermi and all who contribute to making CS the best!



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Thu Apr 13, 2017 12:56 pm

Thanks for your input crypto_addict, much appreciated.

I copied the script, edited the LAN subnet to match mine, and ran it. Works perfectly until I reboot.

I guess this is something I need to run every time I launch a CS connection unless someone can advise if there's a way to make it stick ... ?

At least now I can start rebuilding my CS connections and resume enjoying the awesomeness of CS.

Thanks again!

Fermi
ForumHelper
Posts: 208
Joined: Tue Jun 17, 2014 11:42 am

Re: Ubuntu 16.04 DNS Leaks ...

Postby Fermi » Thu Apr 13, 2017 1:23 pm

There's no need to launch it @ reboot.
You can make these rules persistent. If you google for your linux version and iptables + persistent you'll get some hits on the how ... .

Of course if we add/remove nodes it is advised to re-run and save again.

I need to update the script to include protection against WebRTC and update rules, so nslookup can switch to tcp to handle:

Code:

The Transmission Control Protocol (TCP) is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.


I'll post something in this thread when done ... .

/fermi



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Thu Apr 13, 2017 3:19 pm

Thanks Fermi, I'll do some searching to learn about making the changes persistent.


Re: Ubuntu 16.04 DNS Leaks ...

Postby Fermi » Thu Apr 13, 2017 4:13 pm

The latest and (perhaps 8-) ) greatest can be found here:

Code:

https://github.com/fermi-cryptostorm/fermi-cryptostorm-git


/fermi



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Thu Apr 13, 2017 5:22 pm

well I did learn something ...

I installed iptables-persistent and did a backup, and confirmed that the backups looked correct (post script).

After a reboot iptables -S showed the same but since the local DNS is no longer accepted I was not able to browse when not connected to CS, nor could I connect to any CS server. That makes sense to me since it can't look up anything.

So I did an export on the 16.04 notebook and created a default.v4 file on the desktop and restored it. After a reboot I was able to use the machine again.

I'll just leave it for now, run the script after I connect to CS. It's not a big deal, I can live with it. Eventually it'll bother me and I'll do some more searching and reading.

Thanks as always


Re: Ubuntu 16.04 DNS Leaks ...

Postby Fermi » Thu Apr 13, 2017 7:02 pm

The reason why you get this is because the script doesn't allow DNS queries before you connect to Cryptostorm. If you are not using IP addresses to connect to Cryptostorm, the system will not be able to connect.

To avoid this, you change (or you use IP addresses to connect):

Code:

$IPT -A OUTPUT -d 192.168.1.0/24 -p udp --dport 53 -j REJECT -m comment --comment "prevent usage of local DNS server"


to

Code:

$IPT -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "allow DNS queries"
$IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "allow DNS queries"


After applying this, the lines with:

Code:

--comment "dnscrypt-cert.okturtles.com"

are obsolete and can be removed.

After this change you should be able to make your tables persistent.

/fermi
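
An added example, not part of the thread and not taken from Fermi's script: a small audit over `iptables -S` output that lists OUTPUT rules accepting port 53 with no interface or destination restriction, and reports which protocols a given DNS rule target covers. The sample ruleset is constructed; the `tun+` tunnel interface rule and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit `iptables -S` output for DNS (port 53) egress rules.
# SAMPLE_RULES is constructed. The two state-match ACCEPT rules and the REJECT
# rule follow the rules quoted in the thread; the tun+ rule is an assumption.
SAMPLE_RULES='-P OUTPUT DROP
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p udp -m udp --dport 53 -j REJECT'

# Print each OUTPUT rule that ACCEPTs port 53 with neither an outgoing
# interface (-o) nor a destination (-d) match. If such a rule is reached
# before a blocking rule, queries may go to any resolver on any interface.
unscoped_dns_accepts() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "OUTPUT" {
            dns = 0; accept = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == "53") dns = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-o" || $i == "-d") scoped = 1
            }
            if (dns && accept && !scoped) print
        }'
}

# Print the protocols that have a port-53 OUTPUT rule with the given target
# (e.g. REJECT). DNS retries over TCP for large responses, so a udp-only
# result means TCP/53 is decided by other rules or the chain policy.
dns_protocols_with_target() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $1 == "-A" && $2 == "OUTPUT" {
            dns = 0; hit = 0; proto = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == "53") dns = 1
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j" && $(i + 1) == target) hit = 1
            }
            if (dns && hit && proto != "") print proto
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

echo "Unscoped DNS ACCEPT rules:"
unscoped_dns_accepts "$SAMPLE_RULES"
echo "Protocols with a DNS REJECT: $(dns_protocols_with_target "$SAMPLE_RULES" REJECT)"
```

On a live system, pass the output of `iptables -S OUTPUT` (run as root) in place of the sample.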



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Fri Apr 14, 2017 9:23 am

Thanks for this Fermi, I'll give this a go later today.

My main goal is to preserve the ability to use the machine when not connected to CS, and obviously have no DNS leaks when I am connected.



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Fri Apr 14, 2017 12:51 pm

After adjusting the script to allow the local DNS, unfortunately ipleak.net showed my ISP's (IPv6) DNS again.

I can live with non-permanent original iptable script, it's important that I am able to use this machine without the CS iptable changes and it's easy to run the script immediately after connecting. I've made ipleak.net my homepage so it'll remind me to run the script if I haven't.

Please don't waste any more of your time on this Fermi, you've done more than enough already!


Re: Ubuntu 16.04 DNS Leaks ...

Postby Fermi » Sat Apr 15, 2017 1:40 pm

This is odd, because of:

Code:

$IPT6 -P OUTPUT DROP -m comment --comment "set default policies to drop all communication unless specifically allowed"


It shouldn't allow DNS queries over the IPv6 stack.
Perhaps it's a good idea to disable IPv6 in your kernel.

/fermi



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Sat Apr 15, 2017 5:17 pm

I had added the IPv6 disable lines as directed in the Github notes when I noticed the DNS leaks, and I had previously set IPv6 to none (ignore) for each CS server during setup.

My LAN & router have no IPv6 settings, I have my own class-c network that I've had since mid-90s, so I don't know why it manages to come up with two IPv6 DNSs from my upstream - I guess they're doing something behind the scenes.

When I was getting IPv4 leaks (and the "this site is blocked" messages) ipleak.net showed an IPv4 DNS as well as the ISP v6 DNS.

Your original script stopped both leaks. I haven't tested it with just the v6 DNS leaks, I might try that tomorrow but I suspect I'll get the same warning message from before.



Re: Ubuntu 16.04 DNS Leaks ...

Postby MOQ888 » Tue Apr 18, 2017 8:22 am

Well I've done some more investigating

Booting 16.04 and running a script that drops IPv6 packets before running CS strangely yields IPv4 and IPv6 results in ipleak.net. I expected to see my IPv4 DNS but not the IPv6 ones.

When connected to CS before executing Fermi's script, ipleak gives the CS DNS and the ISP's IPv6 DNS. Attempting to access a DNS blocked site was fine but with our data retention laws, I'm not going to take any chances.

Running Fermi's script after connection to CS cleans up everything, happy days.

So despite updating sysctl.conf and running ip6tables commands to drop all traffic, how is it possible for ipleak.net to still return IPv6 DNS if I'm not connected to CS?

Does IPv6 DNS resolution even matter (data retention issues aside)?


Re: Ubuntu 16.04 DNS Leaks ...

Postby crypto_addict » Tue Apr 18, 2017 7:50 pm

See, the way I use the script is that I connect to my network and CS. After that, I then run the script. I run the older one, because for me the newer iptables script was causing leaks. After that, everything is leakblocked. Only thing is if I lose connection/hibernate/suspend I must reboot to clear iptables. I realize I could probably get just the basic routes back without rebooting, but for now, I'm pretty busy with other things.

