How do I prevent DNS leaks on Mozilla Firefox?

A vpn is moot when there are DNS leaks from the web browser. How do I prevent these DNS leaks?

 

Huh?

How does the browser specify its own DNS servers?

 

try dnsleaktest.com

 

In addition to observing dns leaktest's site. I would recommend going over to the AirVpn forums (you don't need to be an Air customer) and reading their headline threads about firewall rules to totally block dns leaks. The absolute and real culprit is the windows operating system. You can pretty much lock it down from these leaks if you write the correct global firewall rules.

 

I know it is a little old thread, but I found it interesting as I have a doubt about dns leaks

If windows is the culprit, I solve the problem using Ubuntu?

 

i'm sure mirimir will explain it better when he goes online but i believe the best bet would be to use vm & pfsense.

 

There are two aspects to "DNS leaks" while using VPNs. One is which DNS server(s) are being used. The other -- which is a special case of overall VPN leakage -- is whether DNS queries are going out through the VPN tunnel, or directly through the network adapter, bypassing the VPN tunnel.

Properly configured VPN connections don't leak in either way. The VPN servers push instructions about what DNS server(s) to use, and also rules to route all traffic through the VPN tunnel.

However, it's hard to craft VPN configurations that work properly for all users, given all the possible customizations, security apps, and so on. There's also the problem that modern network managers are focused on providing a working network connection, no matter what it takes. Windows does that, and so does Network Manager in Linux.

So, for example, if the VPN goes down, the system may try to directly connect via the physical network adapter. And if the VPN didn't provide a working DNS server, the system may try to use defaults pushed by the LAN router.

The best solution that I've found is using pfSense VMs as VPN clients, because you can nail down all that stuff, using a simple webGUI. It's possible to secure Windows and Linux with firewall and routing rules, and specify which DNS servers to use for which network interface. But that's a lot more complicated.

Edit: And then there's Multipath TCP (mptcp) which can switch transparently among wired LAN, WiFi and cellphone networks. That, especially with IPv6, will be a serious pain to lock down

 

good post. thanks.
is there any way to test this out? simply the netstat command?

 

I'd use Wireshark, and capture for a while, hitting several sites, and running the DNS test at <-https://www.grc.com/dns->.

 

thanks, mirimir. will do, when i have the time.

 

De nada

You could also do a capture after killing the openvpn process.

 

that's a good idea too.

 

Since default ISP provided routers typically link to the ISP's DNS servers, one thing you can do is to login to the router as admin, and manually modify all of the ISP DNS server settings to be the IP addresses of OPENDNS server IP addresses (primary and secondary), for example, regardless of the source of your DNS leaks whether using a VPN or not. At least by doing this, if a failure occurs in the VPN, and the DNS request gets diverted, then at least it to a DNS server under your local control and not the ISP's DNS servers.

-- Tom

 

Exactly. Set your preferred DNS providers only (OpenDNS, Swiss/German Privacy Foundations, etc...) in the router, *and* in the Windows primary adapter. Worst case, one of those will provide the address...I'm no expert, but I don't think even Windows would make up 8.8.8.8 all on it's own, and send the requests there.

PD

 

Check here for OpenNIC DNS servers and find ones that are non logging servers. (check right hand side where it says Anon logs-yes or no)

http://wiki.opennicproject.org/Tier2

 

Comodo "hardwires" it's own DNS into it's browsers, there's scope for an add on/extension/tweak that will enable a user defined DNS to be set within the browser.
The dare I say fail-safe method is to set the DNS within the router.

 

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

After connecting to VPN, start cmd as admin and write:

ipconfig /flushdns

netsh interface IPv4 set dnsserver "xxxx your primary connection" static 0.0.0.0 both

It helped me to prevent DNS leaks, all online test passed

 

you sure? i check the enable DNS leak protection option in my VPN so i'm hoping it's not leaking...

 

i'm afraid it might be. because client integrated protections tend to fail sooner or later. i recommend you to search for mirimir's posts (and of others that contributed to those topics) on wilders and take a look at them.
because general opinion is it takes more than ticking a small box in a client software. at least that's how it seems to me after reading pages of threads and hundreds of posts about vpn services related issues here.
regards

 

There's no need to trust this or that.

Just test with Wireshark. Mess with the VPN in as many ways as you can, and see where traffic goes.

 

Indeed...I checked the killswich box of my vpn client...and I was happy listening to pandora...then...vpn breaks out, pandora shows my real IP , showing a text that it is not allowed...and so on...Now I'm learning how to do prevent dns leak and stop all connection in case of vpn failure with tweaks...

 

Mirimir, I would like to do that, but Wireshark for me looks like the Matrix...and I'm not Neo...

 

All you need for this is the Statistics/Endpoints tool. See <-https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-2-> at "Installing and Checking VPN-Firewall on Linux Workstation".

 

exactly. even wilders is full of stories similar to yours. so it's not that uncommon with vpn client software to fail in those departments.
i remember reading in one of his posts how caspian's ip was exposed to a forum to which he always connected behind a vpn ip due to a connection failure with his vpn client software.

 

I tried to resist posting on this thread but as you see I failed. I agree with many of the posts on this thread. I have been reading around/posting here for awhile now and one thing I see constantly:

Please do yourselves a favor and learn to keep your own system safe and locked down. It is a MISTAKE to trust a "tick box" on some VPN client software and assume that little tick makes you now bullet proof. Take a little time and learn how to close down your system. Its the best time you will spend learning stuff. If this is perceived as a "soapbox rant" than I apologize, but I am fearful of those "Hey I am safe because my little VPN client says I am" posts.