DNS Leak question

Discussion in 'privacy technology' started by B1ueB1aze, Jun 13, 2013.

Thread Status:
Not open for further replies.
  1. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    Hi,

    I had VirtualBox DNS leak my ISP DNS the first time, and then a second time did a full bypass of my VPN exposing both my real IP and ISP DNS. I have corrected the issue, and nothing is leaking anymore. I'm just wondering has/will that leak affect the anonymity/security/privacy of past or future connections? Or since everything has been corrected, and is no longer leaking is everything anonymous/secure/private again? The leak was very brief, lasting only minutes, as the first thing I did on the virtual machine is do a leak test immediately both times and caught it within minutes. Other applications on the host never leaked, does that mean even during that connection the only thing anyone would have been able to see was what the virtual machine did, and now everything is safe again? I'm not totally sure what the leak did, is it once a leak has occurred, it permanently damages everything with anonymity/security/privacy etc, or is it once the leak has been corrected, everything is fine again? I think once the leak has stopped it's fine again correct?

    Thank you
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,591
    I think all of us have asked this question at one time or another. Much of your response would be according to the threat model you are working under.

    I have absolutely made the mistake you describe and more than once. It took me a while to learn how to lock down all DNS leaks. I had some decisions to make.

    If you have a handle on what activities you were conducting you can adjust easily. For instance, if you were signed in here as "Mr. X" and having your actual IP in the forum logs bothers you, you could delete your account and then come back under a new IP via VPN with a new user name. The website server (any website forum you visited) might still retain your old logged IP but now you are moving around using a new IP and under a different name. The old Mr. X just dies off. That's about as good as it will get after an error like that.

    From what you describe you are more at risk from having your ISP knowing what sites you visited. DNS leaks betray such things to your ISP. Again, depends upon where you were. I use https exclusively in here, so even a dns leak would only show where I was and nobody could see Palancar or monitor my current session activity because the connection is SSL. Of course I mean even if I were not on a VPN tunnel, which I am.

    Many of us, myself included, are mostly concerned about privacy and not so much any legal action per se. If that is true of you then just plug the hole and keep moving. If your threat is more significant you'll want to react more thoroughly. Only you can decide that.

    Live and learn!!
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Please say more about what caused the leaks, and what you did to correct.
     
  4. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    The leak was caused by just firing up a virtual machine in VirtualBox. The host was Fedora Linux. No other application was leaking, just the virtual machine. I did nothing but immediately check for any leaks when the virtual machine was started; upon finding out it was leaking, I immediately shut it down and tried to correct the error, but only made things worse when I changed the VirtualBox network settings, and it appeared to have bypassed the VPN entirely. I then immediately shut it down again. To clarify, the virtual machine was started 2 times, and the only thing I did on them was check for a DNS leak; upon immediately finding out that a leak was occurring, I shut it down both times instantly. Again, no other application on the host was leaking. I did the check by going to dnsleaktest.com on the virtual machine. I am wondering if any past or future connections are at any anonymity/privacy/security risk now? I fixed the issue simply by discontinuing use of VirtualBox immediately. Nothing is leaking now; I have verified this with Wireshark. I also verified while the virtual machine was running that no other host application was leaking. Is there any risk now of anonymity/privacy/security since the leaking has stopped, and everything is working as it should now?
     
  5. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Out of curiosity, is there some reason you don't want to use a DNS outside of your ISP?
     
  6. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    As I stated for anonymity/privacy/security. It's also slow. And I really just don't need my ISP logging my every move on the web. I talked with support from my VPN, and they told me everything should be ok as long as the leak stopped which it did. They told me once the leak stops, everything goes back to the way it should be going. They also told me only the virtual machine would have had anything leak, and the host would have been fine. My VPN is non logging, and uses shared IPs, so I believe everything should be intact correct? And again to verify, the only thing I did on the virtual machine was check for DNS leaks, it was so I immediately shut it down, and again, no other host application was leaking. I'm just worried has this permanently affected the anonymity/security/privacy of my VPN? I can't really see how it could affect future or past connections, as they were/are not leaking. And to answer Palancar, no I was not logged into anything in the virtual machine. I was logged into some stuff on the host however, but again nothing was leaking on the host, only the virtual machine. VPN support said the only thing seen was the dnsleaktest.com nothing else would have leaked, and everything is ok. Is this true?
     
    Last edited: Jun 13, 2013
  7. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    No I said "why you don't want to use a DNS outside of your ISP"...meaning some DNS other than your ISP. I guess I was thinking of "DNS leak" in terms of revealing your ISP DNS to the sites you visit, thus partially negating your use of a proxy/VPN. That's what it sounded like you were afraid of when you said "I had VirtualBox DNS leak my ISP DNS".

    I wasn't thinking you were talking about leaking to your ISP. But something like DNScrypt will not only force use of OpenDNS servers (thus removing your ISP from handling your DNS queries), but also encrypt the traffic on the "last mile" between your computer and the DNS resolution.

    Maybe I'm missing something. I was just wondering if you're trying to cut out your ISP from your traffic, why you have it set to go through your ISP DNS at all, no matter what the situation is (i.e. if your VPN is working or not).
     
  8. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    I probably should set it to something other than my ISP at all, but the VPN does that for me normally, just not under VirtualBox. I'm just wondering, as right now I'm not leaking, and before using that virtual machine wasn't leaking. Has that affected the anonymity/security/privacy from the past or in the future that does not leak? As I did nothing in the leaking virtual machine other than do a DNS leak test. All other applications never leaked, I verified this with Wireshark.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I'm guessing that you're running a VPN client on the host, and want VMs to connect through it. Yes?

    I've done that on several hosts, and have never seen a DNS leak from a VM. VMs get their DNS server(s) from the VirtualBox DHCP server, and it gets its DNS server(s) from the host. When the host VPN is connected, the host gets its DNS server(s) from the VPN server. If the host VPN goes down, however, there may be leaks, unless you have proper routing and firewall rules.

    However, if you have the VM's network adapter bridged to the host's NIC, rather than NATed to the host, it will get its IP address -- and its DNS server(s) -- from your LAN router, and not from the VirtualBox DHCP server. Is that what happened?
     
  10. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    I'm not actually trying to get VMs working on the host. I'm wondering if that very brief DNS leak, and then full VPN bypass has permanently affected any past or future connections in terms of anonymity/privacy/security? I confirmed that the virtual machine was the only thing leaking, and the VPN client on the host did not disconnect or have any other failure. All applications except the VM were correctly using the VPN. I presume this means only what was done in the VM was affected correct? And the only thing I did in the virtual machine was do a DNS leak test, and then found out it was leaking and shut it down, I did this both times. So I presume this means all past and future connections that do not leak are as anonymous/secure/private as if the leak never even happened, correct?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    OK. But then, why did you install VirtualBox, and run a VM?

    Having that VM use your ISP's DNS server(s) did no damage. Your ISP can't see past your Internet gateway, so it can't tell that the VM was running the leak test, rather than your host machine, or any other machine on your LAN.

    However, having such a DNS leak (let alone VPN bypass) is very unusual, and leads me to suspect that something is misconfigured.

    Yes, that's correct.

    Yes, the leak doesn't compromise future activity. To be absolutely sure, delete the VM that leaked.

    It would be prudent, however, to understand what caused the leaks.
     
  12. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    I should have worded that better. I would have liked if the VM worked, but it wasn't really part of my question. To answer your question about how it leaked, the first time I started the VM, I left it NAT and that's when the DNS leak happened, the IP was the VPN's, but the DNS was my ISP. I changed it to bridge the second time, and that's when it fully bypassed the VPN, and it showed my real IP and ISP DNS. I was just wondering if the VM leak compromised the anonymity/privacy/security of future or past connections that did/are not leaking. My VPN support told me the only thing the ISP would have seen during that time is what the VM did. I just want to make sure that is the truth, and that all future and past connections are anonymous/secure/private again that are not leaking. So, if I understand your answers correctly, you are saying that the VM has not compromised the anonymity/privacy/security of any past or future connections that are not leaking, correct?
     
    Last edited: Jun 14, 2013
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Thanks. VirtualBox should be using the VPN's DNS server, rather than your ISP's DNS server, for VMs with NAT. The fact that it didn't indicates that your VPN configuration is messed up.

    In addition to fixing the VPN configuration, you can do two things to reduce the risk and impact of leaks. First, you can pick DNS servers that aren't associated with your ISP. Then, if there are leaks, there's less association with you. OpenDNS is good, and very mainstream.

    Second, you can protect against leaks by adding routing and firewall rules to your host, to permit Internet connections only through the VPN tunnel. This won't help much with DNS leaks, by the way, if you're using your ISP's DNS servers ;)

    Yes, that's the expected result for bridged networking in VMs. In bridge mode, the VM's network adapter is directly connected to the host's network adapter. That totally bypasses the VPN tunnel.

    Yes, that's correct. Your ISP just saw that you ran a leak test using their DNS server. That's somewhat unusual, but doesn't compromise you in any other way.
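
Added example (editorial, not part of any post in this thread): a Python sketch of the check the posters do by eye in Wireshark, sorting outgoing DNS queries by the interface they leave on so the NAT-mode leak and the bridged-mode bypass described above show up as distinct findings. The capture is constructed in the layout of `tcpdump -i any -n port 53` output on Linux; the interface names `tun0` and `enp3s0` and all addresses are assumptions.

```python
import re

# Constructed sample in the layout of `tcpdump -i any -n port 53` on Linux.
# Assumed names: tun0 = VPN tunnel, enp3s0 = physical NIC,
# 192.168.1.20 = the host's LAN address, 192.168.1.1 = the LAN router.
SAMPLE = """\
10:00:01.000001 tun0  Out IP 10.8.0.6.40112 > 10.8.0.1.53: 4660+ A? example.org. (29)
10:00:01.040210 tun0  In  IP 10.8.0.1.53 > 10.8.0.6.40112: 4660 1/0/0 A 192.0.2.10 (45)
10:00:05.000001 enp3s0 Out IP 192.168.1.20.51834 > 192.168.1.1.53: 7001+ A? dnsleaktest.com. (33)
10:00:09.000001 enp3s0 Out IP 192.168.1.57.38822 > 192.168.1.1.53: 7002+ A? dnsleaktest.com. (33)
"""

# Matches DNS *queries* only: responses carry no "TYPE?" token.
QUERY = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*?\s(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)"
)

def classify_dns(capture, tunnel_if="tun0", host_lan_ip="192.168.1.20"):
    """Return (verdict, iface, src, dst, qname) for each outgoing DNS query."""
    findings = []
    for line in capture.splitlines():
        m = QUERY.match(line)
        if not m or m["dir"] != "Out" or m["dport"] != "53":
            continue
        if m["iface"] == "lo":
            continue  # query to a local stub resolver, never leaves the machine
        if m["iface"] == tunnel_if:
            verdict = "ok-tunnel"
        elif m["src"] == host_lan_ip:
            # Sent from the host's own address outside the tunnel; the host's
            # NAT engine for a guest also sends from this address.
            verdict = "dns-leak"
        else:
            # Another source address on the physical NIC, e.g. a bridged guest
            # that got its own LAN lease: this traffic never enters the tunnel.
            verdict = "vpn-bypass"
        findings.append((verdict, m["iface"], m["src"], m["dst"],
                         m["qname"].rstrip(".")))
    return findings

def leaks(capture, **kwargs):
    """Only the queries that did not go through the tunnel."""
    return [f for f in classify_dns(capture, **kwargs) if f[0] != "ok-tunnel"]

if __name__ == "__main__":
    for finding in classify_dns(SAMPLE):
        print(*finding)
```

A clean run is an empty `leaks()` result while the VPN is up and a guest is running; any `dns-leak` or `vpn-bypass` entry names the interface and resolver involved.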
     
  14. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    Ok, I just followed my VPN's instructions on how to set up OpenVPN on Linux, I used Fedora's default network manager GUI to set it up, as the instructions from the VPN say to use it. It seems like it worked, as nothing is leaking as Wireshark shows no DNS requests or anything, and all network traffic it shows is going over OpenVPN to my VPN. But VirtualBox didn't listen apparently, as my real network connection is set up to get DNS from my router, so I think that's what VirtualBox did while on NAT was it told my network to get DNS which is set to my router, so it got back my ISP DNS. Everything else though, DNS and all for every other application shows it is all going over OpenVPN.
     
    Last edited: Jun 15, 2013
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That's not what I've seen VirtualBox do for VMs in NAT mode.

    Whatever happened, it's better to avoid using your ISP's DNS servers when you're using VPNs. That way, if something gets messed up, you're not hitting your ISP's DNS servers through the VPN tunnel.
     
  16. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    Ok, I've switched to Google public DNS, which is one of the DNS providers my VPN uses. So, I think everything is working properly, DNS leak test shows everything's fine, and so does Wireshark, so that means everything should be ok again correct?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    You haven't revealed anything that matters.

    However, everything may still not be OK.

    Rereading your questions, I recall that networking in Fedora is configured somewhat differently than networking in the Debian family. It's possible that the OpenVPN configuration is pushing the VPN's DNS servers in a way that Fedora doesn't understand.

    I recommend researching that before concluding that all is well.
     
  18. B1ueB1aze

    B1ueB1aze Registered Member

    Joined:
    Jun 13, 2013
    Posts:
    9
    Location:
    United States
    Ok, I'll check things out, but I have followed the Fedora docs which just say to use NetworkManager, which I have. Wireshark and DNS leak test show everything is indeed going over the VPN entirely. Just so I understand how a leak can affect privacy/security/anonymity, a leak is only a threat while it is actually occurring, and like in my case if it didn't leak anything that matters, like just running a DNS leak test, then it can't affect the privacy/security/anonymity of past connections that did not leak, and is not affecting the privacy/security/anonymity of future connections that are not leaking, and didn't affect any other application during that leak, as all the other applications were correctly going over the VPN for everything, correct?
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Yes, that's correct.

    But if DNS leaked once, using VirtualBox, it might leak again, doing something else, unless you fix the fundamental error.

    Switching to third-party DNS servers has mitigated the potential impact of future leaks, however.
     