
DNS leaks for dummies (how to plug your leaks)

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IP6 leakblocking, & to firewall-based structures to enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Topic Author
privangle
Posts: 93
Joined: Thu Apr 25, 2013 5:57 am

Postby privangle » Fri Mar 07, 2014 1:08 pm

    {direct link: dnsleak.cryptostorm.org}
    note: technical whitepaper on the subject of "DNS leaks" available at leaks.cryptostorm.org

Hi,

being just 48 hours online on darknet I discovered the DNS leak problem or subject.

I'm not a network geek and I try to understand the problem, so I thought I could perhaps explain what I understand about that or what I believe I understand. Here I go:

In the past I thought that with a VPN connection I

  1. do not appear with my ISP IP-Number but with a number of some CC, now CS server,
  2. my communication partners (persons or servers or p2p partners or who- or whatever) neither see my original IP nor know that my IP is not my original IP (well the 2nd point is perhaps not true because CS servers & its IP numbers will be known when time goes by...), and
  3. my ISP does not know what I am doing on the internet: he does neither see my meta data of my activities nor the content of the packets I sent or I receive. All my ISP sees is that I am connected to a server in Iceland and that there is a data flow, that's all.

By reading the posts in the forum I discovered that there is a problem called DNS leak.

Well, I did the test on dnsleaktest.com and effectively, my IP number is (for example) some in Iceland, but doing the DNS test, an IP number of the country I live appears (it's even a server of the company of my ISP). This is supposed to be the "DNS leak" I guess. It's not my ISP IP number, but an IP number in my country and the connection myComputer <-> DNS server is not the encrypted connection. So the DNS server could log all the urls I'm visiting, he could get the meta data of my life in the www.

So now my question:

If there was no DNS leak, would this mean that my cryptostorm connection (cs-c) goes directly to my ISP server, from there to a CS exit node, and only then my tunneled connection contacts some DNS server nearby the CS exit node, for example in Iceland or near Iceland, from there I visit the web pages, so the webserver contact AND the DNS server contact both happens through the tunneled connection ? Is that right, is that the goal?

But if some DNS server is connected with the cs-c, the DNS server could not understand my requests (what IP number is this domain, what IP number is that domain etc) because the cs-c is encrypted. Here I get confused. You see, by writing this down I seem to discover a contradiction in the problem I thought to approach, as if vpn without DNS leak is in principle not possible??!

Cryptostorm has not its own DNS servers I suppose.

Now this is what I tried to do. (My system: opensuse linux).

  • I tried to block port 53 (udp in my firewall), nothing changed.
  • I tried the option --redirect-gateway with def1 flag (see here) for openvpn.
  • I tried to make a connection without DHCP service and with manual written DNS servers and my ISP IP number in static.

The DNS server was always in my country, but at least it's no more the usual DNS server from my ISP company, it's one of the DNS servers I wrote down in my ConnectionManager and I found on http://www.opennicproject.org. This could be an improvement if the DNS server nearby my ISP does not get any more my DNS requests. But if my DNS server is transparent, he always could see what I'm doing ?

Then I had the following idea: my adsl modem is also a router.
This router has its own DHCP server in connection to my ISP, so I disabled it.

No changing, I see one of my DNS servers I wrote in my ConnectionManager.

I spent some hours to work on it, trying things out and now I prefer to know if I look in the right direction or if I deeply misunderstand the DNS leak problem. What would it look like if the DNS leak problem was solved ?

Perhaps some of the network specialists here could clarify my questions.

Thank you.


parityboy
Site Admin
Posts: 1102
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS leak for dummies

Postby parityboy » Fri Mar 07, 2014 4:31 pm

@OP

You can keep the DHCP server active in your router, but make sure your own computer has a static, manually assigned IP address. Also ensure that the alternate DNS addresses are entered for both the clear connection and the tunnelled connection. It's probably wise to reboot your machine at this point (assuming you're running Windows).

Once the tunnel is up again, check your routing table to make sure your default route goes over the tunnel, which I think it's doing anyway based on what you've written so far.


Topic Author
privangle
Posts: 93
Joined: Thu Apr 25, 2013 5:57 am

Re: DNS leak for dummies

Postby privangle » Sat Mar 08, 2014 12:31 am

Thank you for your answer. Ok I will reactivate the DHCP in my router and check my routing tables.
By the way my system is Linux.

After a night of thinking about this, I found an answer and an error in my considerations

> What would it look like if the DNS leak problem was solved ?

Well, the scenario without the DNS leak would be like that: a cryptostorm (CS) server (exit node) is able to decrypt the tunneled connection. Therefore this server can read the DNS request and should take care of this request.

So, for example if I am connected to a CS server in the US, the DNS request should be made by the CS server in the US and only by him, not at my side. Is this right ?

Now I ask me, where the origin of the problem is - is it in openvpn, is it a problem of launching openvpn with the right options, is it a problem of the configuration file or a problem of the network configuration on the user side?


parityboy
Site Admin
Posts: 1102
Joined: Wed Feb 05, 2014 3:47 am

Re: DNS leak for dummies

Postby parityboy » Sat Mar 08, 2014 5:41 am

@OP

> By the way my system is Linux


Good start. :)

> So, for example if I am connected to a CS server in the US, the DNS request should be made by the CS server in the US and only by him, not at my side. Is this right ?


Tor exit nodes can do this, but I'm not sure if OpenVPN can. I assume that if it can - and you were connected to the US exit node - then if you specified Google as your DNS server (8.8.8.8 and 8.8.4.4 are load balancers as far as I can tell) you would get their US DNS server(s) as opposed to their European ones.

Try this: when the tunnel is up, run a traceroute on a well-known DNS server and see if the traceroute goes over the tunnel. Also, check /etc/resolv.conf - if the exit node in Network Manager is a hostname as opposed to an IP address, you will very obviously have to have access to a DNS server before the tunnel is active, in order to resolve that hostname. Likely it's that DNS server that is leaking.
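
The check suggested in the reply above, written out as a script (an added example, not part of any post in this thread): it lists the resolvers in `/etc/resolv.conf` and asks the kernel which interface each one would be routed through. The function names, the `tun` interface prefix and the sample routes are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report which interface each resolv.conf nameserver is routed
# through. Sample routes below are constructed, not taken from the thread.

# Read resolv.conf text on stdin, print the nameserver addresses.
nameservers() { awk '$1 == "nameserver" { print $2 }'; }

# Read one line of `ip route get` output on stdin, print the word after "dev".
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify <resolver> <interface> <tunnel-prefix>
classify() {
    case "$2" in
        lo)      echo "STUB $1 is a local forwarder, check its upstream servers" ;;
        "$3"*)   echo "OK   $1 leaves via $2" ;;
        unknown) echo "UNKNOWN $1 has no route" ;;
        *)       echo "LEAK $1 leaves via $2, outside the tunnel" ;;
    esac
}

# audit <route-lookup-function> [tunnel-prefix], resolv.conf text on stdin
audit() {
    for ns in $(nameservers); do
        dev=$("$1" "$ns" | head -n 1 | route_dev)
        classify "$ns" "${dev:-unknown}" "${2:-tun}"
    done
}

live_route() { ip route get "$1" 2>/dev/null; }

# Constructed routing answers: default route is over tun0, but the LAN router
# is on a directly connected network and so is reached over eth0.
sample_route() {
    case "$1" in
        127.0.0.53)  echo "local 127.0.0.53 dev lo src 127.0.0.1" ;;
        192.168.1.1) echo "192.168.1.1 dev eth0 src 192.168.1.10" ;;
        *)           echo "$1 via 10.8.0.1 dev tun0 src 10.8.0.6" ;;
    esac
}

demo() {
    printf 'nameserver %s\n' 127.0.0.53 192.168.1.1 8.8.8.8 | audit sample_route tun
}

if [ "${1:-}" = "--live" ]; then
    audit live_route "${2:-tun}" < /etc/resolv.conf
else
    demo
fi
```

Run with `--live` while the tunnel is up to audit the real resolver list; without arguments it runs on the constructed sample.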


Goonie
Posts: 1
Joined: Tue Nov 11, 2014 2:52 pm

Re: DNS leaks for dummies (how to plug your leaks)

Postby Goonie » Tue Nov 11, 2014 3:34 pm

Hi all,

I have read the above and have perused most of the board but I still miss a how-to-for-even-dummier-than-dummy guide. Perhaps I am very naive, but would it be possible to get someone to produce a quick manual for the suitable/necessary set-up IN ADDITION to using the widget (Windows 8.1)?

- what DNS settings, how
- what IP settings (static, automatic), how
- router settings
- etc

Again, I understand that issues like DNS leaks can be very complicated and must be addressed by experts, but a starter guide would be helpful, too, to get at least the most relevant parameters right. Thanks!

