Can't resolve domains using DNSCrypt with OpenVPN? Read this! (Also: privacy concerns because of the solution!)

Discussion in 'privacy technology' started by __Nikopol, Jul 22, 2018.

  1. __Nikopol

    __Nikopol Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    630
    Location:
    Germany
    Hi

    Currently there is no information about this to be found anywhere else. I am posting this for others who google and have the same problem, and to discuss its effects.

    Description of the problem:
    I can not resolve domain names when using OpenVPN and DNSCrypt-proxy together.

    Issue:
    OpenVPN blocks domain name resolutions outside the tunnel.

    Solution:
    Check if you have the following line in your .ovpn file: "block-outside-dns". Remove it or put a # in front of it.


    I believe removing block-outside-dns does not cause privacy issues, but I am not sure how that works together with DNSCrypt. I assume it gets blocked because it is not a DNS server I get over DHCP using OpenVPN, but a loopback address. (Search for block-outside-dns here for an explanation of how it works.)
    I think the proxy then encrypts the request and sends it over TLSv1.2 (in my case) through the VPN. But I don't know.

    Looking at it with Wireshark while I test for DNS leaks here https://www.dnsleaktest.com shows that the IPs the leak test comes up with are not identical to what I configured in DNSCrypt.
    But they show the host names or provider:
    Code:
    172.69.52.148    none              Cloudflare     Netherlands
    45.76.35.212     ns0.dnscrypt.nl   Choopa, LLC    Netherlands
    (I use Cloudflares 1.1.1.1 and dnscrypt.nl-ns0-doh and configured OpenVPN to use a VPN in Netherlands)

    Can someone shine some light on this? :)
    Thank you!
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    You ought to use VPN services that run their own DNS resolvers, which have addresses on the VPN tunnel subnet. That means that DNS lookups can’t leak around the VPN tunnel. Also, the VPN's DNS resolvers should route traffic to whatever DNS resolvers they use through the VPN exit. If that's the case, there’s no link from DNS lookups to your ISP-assigned IP address.

    Destination websites see the VPN exit IP address, and it's not such a huge issue if other DNS resolvers see queries from that IP address. Still, it would be prudent for VPN providers to use DNSCrypt for their lookups. That's now best practice for Tor exits. However, as long as you use firewall rules to restrict DNS traffic to the VPN tunnel, I see no problem with using Cloudflare DNS and DNSCrypt. It's just that 1.1.1.1 is a public IP address, and so traffic to it could leak around the VPN.

    OK, so how do you know whether the VPN’s DNS relay has an address on the VPN tunnel subnet? Some VPNs will have that in their FAQs. But you may need to test yourself, and look at the VPN connection log. You should see something like “dhcp-option DNS 10.33.12.1”, meaning that the DNS relay is at “10.33.12.1”, which is an IP address on the VPN tunnel subnet.

    And how do you know that the DNS relay is routing through the VPN exit? Well, with the VPN connected, check your IP address with a test website. Then test with a DNS leak test website. They should both give you the same IP address.
     
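    As an added example (not code from the thread or from OpenVPN), here is the log check described above done in PowerShell: it reads an OpenVPN client log, pulls out every "dhcp-option DNS" the server pushed, and tests whether that address falls inside the tunnel subnet the server pushed with "ifconfig" or "route". The PUSH_REPLY line embedded as a fallback is constructed for illustration; the "10.33.12.x" addresses in it are taken from the post above and are not real servers.

    ```powershell
    # Added example: is the resolver pushed by the VPN server on the tunnel subnet?
    # Usage: .\Check-VpnDns.ps1 -LogPath 'C:\Program Files\OpenVPN\log\client.log'
    # Without -LogPath it runs against the constructed sample line below.
    param([string]$LogPath)

    function ConvertTo-IpInt ([string]$Ip) {
        # IPv4 dotted quad -> Int64, so bitwise operators behave predictably
        $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($bytes)
        return [int64][BitConverter]::ToUInt32($bytes, 0)
    }

    function Test-IsNetmask ([string]$Mask) {
        # A netmask is a contiguous run of 1-bits. In "topology net30" the second
        # ifconfig argument is the peer address (e.g. 10.8.0.5), which fails this test.
        $inv = (-bnot (ConvertTo-IpInt $Mask)) -band 0xFFFFFFFF
        return (($inv -band ($inv + 1)) -eq 0)
    }

    function Test-InSubnet ([string]$Ip, [string]$Network, [string]$Mask) {
        $m = ConvertTo-IpInt $Mask
        return (((ConvertTo-IpInt $Ip) -band $m) -eq ((ConvertTo-IpInt $Network) -band $m))
    }

    $ipv4 = '(\d{1,3}(?:\.\d{1,3}){3})'
    $lines = if ($LogPath) { Get-Content -Path $LogPath } else {
        # Constructed sample of a PUSH_REPLY as the OpenVPN client logs it (assumption).
        @("PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.33.12.1,route 10.33.12.0 255.255.255.0,ifconfig 10.33.12.6 255.255.255.0,redirect-gateway def1'")
    }

    $resolvers = @(); $subnets = @()
    foreach ($line in $lines) {
        foreach ($m in [regex]::Matches($line, "dhcp-option DNS $ipv4")) { $resolvers += $m.Groups[1].Value }
        # "ifconfig <addr> <mask>" (topology subnet) describes the tunnel network directly;
        # for net30 the pushed "route <net> <mask>" lines are used instead.
        foreach ($m in [regex]::Matches($line, "ifconfig $ipv4 $ipv4")) {
            if (Test-IsNetmask $m.Groups[2].Value) {
                $subnets += [pscustomobject]@{ Network = $m.Groups[1].Value; Mask = $m.Groups[2].Value }
            }
        }
        foreach ($m in [regex]::Matches($line, "route $ipv4 $ipv4")) {
            if ($m.Groups[2].Value -ne '0.0.0.0') {   # a pushed default route says nothing about the tunnel subnet
                $subnets += [pscustomobject]@{ Network = $m.Groups[1].Value; Mask = $m.Groups[2].Value }
            }
        }
    }

    if (-not $resolvers) { Write-Warning 'no "dhcp-option DNS" push found; this VPN does not supply a resolver'; return }
    foreach ($dns in $resolvers) {
        $inside = [bool]($subnets | Where-Object { Test-InSubnet $dns $_.Network $_.Mask })
        if ($inside) { "OK    pushed resolver $dns is on the tunnel subnet" }
        else         { "LEAK? pushed resolver $dns is not on the tunnel subnet; queries to it can route around the VPN" }
    }
    ```

    For the constructed sample the script reports the resolver as on the tunnel subnet. The second check in the post (exit IP versus the IP a DNS leak test reports) needs network access and is left to the test sites.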
  3. __Nikopol
    Ok, the VPN server has a DNS server in its tunnel network. Confirmed with dhcp-option DNS...
    Testing my DNS with only OpenVPN shows that ... I have a much bigger issue:

    Description:
    There are two interfaces enabled: one is my standard Ethernet adapter with its static IP (therefore I need to configure a DNS server here). The second is the OpenVPN interface, which is fully DHCP. (Not using DNSCrypt atm.)
    Now, because I have to configure a DNS server in my Ethernet adapter, these DNS servers show up in the DNS query of the leak tests. That is obviously not what I want, even though my IP is the VPN server's. (That would be a DNS leak, though not the worst kind.)
    Though I am not using my ISP's DNS (only if it were DHCP) in the Ethernet adapter, it is still a problem. I used 1.1.1.1 and that shows up as about 15 different addresses from Cloudflare in the DNS leak test. (1.1.1.1 is using Cloudflare's servers symbiotically.)

    Issue:
    Both interfaces have an automatic interface metric (because that is standard). Having multiple interfaces can produce such issues when interface priority is not automatically changed. (afaik; no pro)

    Solution:
    Change the interface metric from automatic to a specific value: Ethernet = 2, OpenVPN = 1. That changes the priority of the interfaces and makes OpenVPN primary. So now DNS queries use the OpenVPN interface and therefore show up as only one address: my public VPN IP.
    Now activating DNSCrypt and testing again gives the result of the two DNS servers I configured in it (and not additionally the VPN DNS anymore).

    Finally. Now back to this...
    "And how do you know that the DNS relay is routing through the VPN exit?" - I guess I know this now; and it's not. :'( Does that mean I have to route traffic from DNSCrypt-proxy to the VPN internal DNS? (from “dhcp-option DNS 10.33.12.1”)
    How?


    Thank you :thumb:
     
  4. mirimir
    Just have a set of firewall rules to use when the VPN is connected. Block all traffic on the ethernet adapter except the VPN client. Then your DNS lookups can only use the VPN tunnel. I doubt that you'll need to specifically route DNS traffic.

    But you still might get lookups through the VPN to DNS resolvers specified for your LAN adapter. You could prevent that by adding a firewall rule on the VPN tunnel that blocks traffic to those DNS resolvers. Or you could use alternate LAN properties when the VPN is connected, with no DNS resolvers specified.

    Stuff like this was a major factor for me in starting to use VMs for VPN work :)
     
  5. __Nikopol
    Ok I'll see if I can set simplewall to block that. EDIT: Seems like no. I tried disabling the adapter but that was not a good idea. xD
    But I am using DNSCrypt in all adapters/interfaces(/whatever I'm confused about that) :) I can't block that then. I need a working resolver outside the VPN to even be able to connect to the VPN. Isn't that the one in the ethernet adapter?
     
  6. mirimir
    I don't know Simplewall. But I'm pretty sure that's doable in Windows Firewall.
    You can specify VPN servers by IP address, rather than by hostname.
     
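    As an added example (not from the thread, and not the configuration of either poster), the steps from posts 3, 4 and 6 written as one PowerShell script for the built-in Windows Firewall: the interface metrics from post 3, "block everything on the Ethernet adapter except the VPN client" and "block the LAN adapter's resolvers on the tunnel" from post 4, and the VPN server named by IP address from post 6. The adapter aliases, the server address 203.0.113.10 (a documentation-range placeholder), port 1194, the openvpn.exe path and the resolver list are all assumptions; replace them with your own values and run it from an elevated prompt.

    ```powershell
    # Added example: VPN-only egress with Windows Firewall (run elevated).
    # Values below are assumptions; check Get-NetAdapter for your adapter aliases.
    $LanAlias     = 'Ethernet'                                   # physical adapter with the static IP
    $TunAlias     = 'OpenVPN TAP-Windows6'                       # adapter OpenVPN drives
    $VpnServerIP  = '203.0.113.10'                               # VPN server by IP, not hostname (post 6)
    $VpnPort      = 1194
    $VpnExe       = 'C:\Program Files\OpenVPN\bin\openvpn.exe'
    $LanResolvers = @('1.1.1.1', '1.0.0.1')                      # resolvers set on $LanAlias (post 3)

    # 1. Interface metrics (post 3): lower is preferred, so the tunnel wins.
    Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 -InterfaceMetric 2
    Set-NetIPInterface -InterfaceAlias $TunAlias -AddressFamily IPv4 -InterfaceMetric 1

    # 2. Windows Firewall lets Block rules beat Allow rules, so "block all on Ethernet
    #    except OpenVPN" cannot be one block rule plus one allow rule. Flip the default
    #    outbound action to Block and allow only what the tunnel needs.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # 3. On the LAN adapter only openvpn.exe may talk, and only to the VPN server.
    New-NetFirewallRule -DisplayName 'VPN-only: openvpn to server' -Direction Outbound `
        -Action Allow -InterfaceAlias $LanAlias -Program $VpnExe `
        -RemoteAddress $VpnServerIP -Protocol UDP -RemotePort $VpnPort

    # 4. Everything else leaves through the tunnel adapter...
    New-NetFirewallRule -DisplayName 'VPN-only: allow tunnel' -Direction Outbound `
        -Action Allow -InterfaceAlias $TunAlias

    # 5. ...except plain DNS to the resolvers configured on the LAN adapter, which
    #    Windows may otherwise still query through the tunnel (post 4, second paragraph).
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "VPN-only: no LAN resolvers via tunnel ($proto)" `
            -Direction Outbound -Action Block -InterfaceAlias $TunAlias `
            -RemoteAddress $LanResolvers -Protocol $proto -RemotePort 53
    }

    # Show what was installed.
    Get-NetFirewallRule -DisplayName 'VPN-only:*' | Format-Table DisplayName, Direction, Action, Enabled
    ```

    With the default outbound action set to Block, the .ovpn "remote" line must carry the server's IP address, because nothing on the LAN adapter is allowed to resolve the hostname first. dnscrypt-proxy listening on 127.0.0.1 keeps working, since Windows Firewall does not filter loopback traffic; its upstream queries go out over the tunnel under rule 4. To revert when the VPN is not in use: `Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow` and `Remove-NetFirewallRule -DisplayName 'VPN-only:*'`.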
  7. __Nikopol
    Simplewall uses WFP, but it does not have the functionality to do that. I don't like windows firewall at all. :(
    IP address ... Well, that makes sense. I have done that now. Thanks :D

    If I do not specify a DNS server in my LAN port, then I'd just use my ISP's, wouldn't I? Or would that work because I don't use DHCP? ... testing ... oh nice, that works! :) Great! I can live with that. :)

    Why are the DNS that come up in https://www.dnsleaktest.com still identical to what I configured? I use only this one now https://dnscrypt.nl/ and it comes up with its IP. Isn't that a DNS leak?
     
  8. mirimir
    You've lost me :(

    When you use DNS leak test sites, they give you the public IP address of the DNS resolver. So I'm using an IVPN exit, and hit the DNS resolver at an IP on the tunnel subnet. But https://www.dnsleaktest.com/ shows me the exit server's IP.
     
  9. __Nikopol
    Is it a bad thing if they get the IP from my dnscrypt server? The reason to not leak is to hide your identity, isn't it? So I still am.
    I assume it is because the DNS server is not in the tunnel and the queries go over a different protocol, 443, so that the ProtonVPN server at the end does not know it is a DNS request and forwards it like any other. (I'm using a ProtonVPN server in OpenVPN to have more control over the ovpn file.)
    Could this be a bad thing? Is it a privacy issue?
     