DNS server leaks when using a VPN

Discussion in 'privacy problems' started by trott3r, Dec 22, 2017.

  1. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,032
    Location:
    UK
    Hello i am using airvpn on a GL,net openwrt mini router attached to my main TPLink modem/router.
    The GL,net router has my VPN details installed via the openvpn client tab.

    My problem is my DNS server is showing up as my ISP in win7 64bit home premium even though i have changed it in my network settings under IPv4 (disabled IPv6).

    The Netadaptor utility (connar bernhard) shows the expected dns servers but using https://ipleak.net shows my isps dns server.

    I have flushed the dns cache with the netadptor utility and rebooted but the same happens.

    Windows xp pro does not leak my dns servers.

    What am i missing?

    thanks for your time
    Martin
     
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,032
    Location:
    UK
    BTW i have turned off the webrtc leaks in firefox with media peerconnection? setting
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,691
    What DNS servers are configured in the OpenWrt router?

    I don't know OpenWrt. In pfSense, you can route the VPN tunnel to LAN, and run a DHCP server that's configured with the VPN provider's DNS servers.
     
  4. ClaytonThomas

    ClaytonThomas Registered Member

    Joined:
    Feb 4, 2018
    Posts:
    17
    Location:
    Sofia, Bulgaria
    How long did you pay for Air VPN? If you paid for just one month, you might want to consider changing the VPN service because the best VPN for Linux doesn't necessarily best for Windows. I was using Trust Zone before on Linux but then didn't pass the DNS Leak Test. Lucky for me, I paid for Trust Zone for just one month.

    Air VPN works like a charm on Linux but for Windows, I'm not sure. Just Google the keyword: "best VPN for Windows 2018" and if you are on Linux keyword: "best VPN for Linux 2018".
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,032
    Location:
    UK
    One year.

    Xp is OK but win7 is not so it varies between os versions.

    I could run xp via glnet and 7 via Eddie client but that would mean I have to mess with ether net cables
     
  6. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    574
    Location:
    usa
    Here is an interesting thing.

    I've using several VPN services but the result is the same.

    IPv4 shows my VPN's IP, but
    IPv6 shows my real IP.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,691
    See my VPN testing site :)

    You either need to use a VPN that blocks IPv6, or one that provides its own IPv6.

    For blocking, you can just use a firewall.
     
  8. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    574
    Location:
    usa
    Thanks.
    I've always trusted Privatoria but it has failed me.
    That cheap Ivacy has a button to prevent IPv6 leaks but it does not work...
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,691
    Yeah, that's not uncommon :(

    I haven't updated that site for a year now. But the ones that didn't leak IPv6 should still be OK.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,200
    Location:
    Southern Rocky Mountains USA
    Sounds like a router firmware issue, not a VPN provider problem. The IPV6 code likely has some issues that don't show up with IPV4. More than likely, it doesn't implement ip6tables prerouting rules for IPV6 internally or not quite the same ones as for IPV4. The great thing about Linux open source routers is that you can add to them and alter them with custom scripts and iptables rules.

    I lock down DNS on my routers with these IP tables rules. I'm not using IPV6 so the examples given are for IPV4 but the IP tables rules should work with IPV6 if rewritten as ip6tables rules with IPV6 addresses. The first example forces all DNS queries on port 53 from a whole subnet to a specific DNS server. I used Google's 8.8.8.8 as the example IP. The second example forces an individual client on that subnet to use that DNS server. The DNS settings in the router's GUI are overridden by these rules. All clients will use the DNS server specified regardless of the DNS settings in the OS. The only way around it is to layer another VPN upon the VPN in the router in the client.



    Code:
    iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 8.8.8.8
    iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 8.8.8.8
    
    iptables -t nat -I PREROUTING -s 192.168.0.113 -p tcp --dport 53 -j DNAT --to 8.8.8.8
    iptables -t nat -I PREROUTING -s 192.168.0.113 -p udp --dport 53 -j DNAT --to 8.8.8.8
    I took a quick look at a reference and my IP tables rules translated to IPV6 would look something like this.

    Code:
    ip6tables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 2001:4860:4860::8888
    ip6tables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 2001:4860:4860::8888
    
    ip6tables -t nat -I PREROUTING -s fd30:0000:0000:0031 -p tcp --dport 53 -j DNAT --to 2001:4860:4860::8888
    ip6tables -t nat -I PREROUTING -s fd30:0000:0000:0031 -p udp --dport 53 -j DNAT --to 2001:4860:4860::8888
    Blocking IPV6 is a lot easier but sooner or later we are all going to have to deal with ipv6. We finally have fiber internet in my area and the one provider requires ipv6 for full speed. I live far from the fiber lines so I don't yet have to choose between bandwidth and VPN security or mess around with ip6tables.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,691
    Well, some may want IPv6 to work when not using a VPN.
     
  12. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    574
    Location:
    usa
    Yes, you are correct about that IPv.6 blocking.
    IPv6.PNG IPv6-2.PNG
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.