Fix A DNS Leak - What's All This Nonsense?

Discussion in 'privacy technology' started by DasFox, May 9, 2011.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    I ran across this the other day;

    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

    Take a look at;

    Solution B - Manually clearing the DNS

    Number 5 & 7, seems like a load of nonsense to me...

    You can't run ' static 0.0.0.0 both'...

    What's wrong with just flushing the dns and then putting in the dns you want to use in your router, or adapters and being on your merry way? Personally that's all I do and I'm not leaking any dns, at least with all the tests I have done it's not...
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Because if you don't knock out the DNS resolver AND DHCP source AND convert your routes to static, the DHCP on the other end (your VPN or ISP) can send DHCP updates directly to your TAP adapter and put all that information back into your adapter/interface.
     
  3. DasFox


    Well all I've ever done is add in the Pri & Sec DNS to the adapters, flush the dns and go about my business, so what's wrong with just doing that?

    If that isn't enough then what do you recommend, what I have shown you in this link or another method?

    Are you supposed to run this command as you actually see it below? Because I don't understand what 0.0.0.0 represents and you can't run it like that.

    netsh interface IPv4 set dnsserver "Local Area Connection" static 0.0.0.0 both

    THANKS
     
  4. SteveTX

  5. DasFox

    Yes I do know this link of yours, I was thinking you were going to show it to me, hehe... :)

    3. Find out which adapters are active.
    'and see who gets dhcp updates', see who gets updates where?

    5. If you run this command on the connection you are connected to, you are going to get disconnected; is this OK?
    netsh interface ip set address "Local Area Connection" static 192.168.1.4 255.255.255.0 192.168.1.1 1

    7. Clear the DNS Resolver cache again.
    This time the DNS information won't come back, won't come back where?

    Every time you are done using the VPN you have to run netsh exec c:\net.cfg and then when you connect to the VPN again, you have to run the steps over?

    How does this prevent your computer from talking through any adapter except your VPN TAP adapter?

    How about this in OSX and Linux TUT too?

    THANKS
     
    Last edited: May 11, 2011
  6. SteveTX

    To see which interfaces are being updated from DHCP.

    Shouldn't get disconnected. Should stay up and keep routing, only statically. If the IP you are connecting to frequently changes, that could be an issue. Otherwise, it should work.

    DNS resolver cache means the cached IP addresses of domains you look up via DNS, ex: ebay.com. So you don't have stale, cached, or poisoned DNS entries in your existing resolver cache, and if any crept in while you were changing the above settings, they get wiped out.

    Sigh, yes.

    Leaks occur when your computer knows of interfaces to get out of your computer. So what we do here is cripple the other interfaces while keeping the expected routes up, and stop listening to anyone sending network updates other than the TAP adapter.

    Lol no, Windows doesn't have proper routing tables. In Linux you can just use IP tables / outbound firewall, likely the same with Mac.

    You're welcome.
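
An added example, not part of the original thread: one way to "see which interfaces are being updated from DHCP" is to parse `ipconfig /all` and list every non-VPN adapter that still has DHCP enabled or still lists DNS servers. It assumes English-language `ipconfig` output and that the VPN adapter's description contains "TAP"; the sample output is constructed.

```python
import re
# Constructed sample of `ipconfig /all` output, not captured from a real host.
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.2

Ethernet adapter Local Area Connection 2:

   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   DHCP Enabled. . . . . . . . . . . : Yes
   DNS Servers . . . . . . . . . . . : 10.8.0.1
"""
FIELD = re.compile(r"^\s+(.+?)[ .]* :\s*(.*)$")   # "Key . . . : value"

def parse_adapters(text):
    """Return {adapter name: {field: [values]}} from `ipconfig /all` text."""
    adapters, current, last = {}, None, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if not line[0].isspace():            # unindented line starts a section
            m = re.match(r".*? adapter (.+):$", line)
            current = adapters.setdefault(m.group(1), {}) if m else None
            last = None
        elif current is not None:
            m = FIELD.match(line)
            if m:
                last = current.setdefault(m.group(1), [])
                if m.group(2):
                    last.append(m.group(2).strip())
            elif last is not None:           # continuation: a further DNS server
                last.append(line.strip())
    return adapters

def leak_candidates(adapters, vpn_marker="TAP"):
    """Non-VPN adapters that still accept DHCP updates or still list DNS servers."""
    findings = {}
    for name, f in adapters.items():
        if vpn_marker in " ".join(f.get("Description", [])):
            continue                         # the VPN TAP adapter is left alone
        reasons = ["DHCP enabled"] if f.get("DHCP Enabled") == ["Yes"] else []
        reasons += ["DNS: " + d for d in f.get("DNS Servers", [])]
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(leak_candidates(parse_adapters(SAMPLE)))
```

On a Windows host the real text can be obtained with `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`; an empty result means no non-VPN adapter is still taking DHCP updates or carrying DNS servers.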
     
  7. DasFox

    While connected to the VPN on ethernet I run the cmd as;

    netsh interface ip set address "Local Area Connection" static 192.168.1.9 255.255.255.0 192.168.1.1 1

    Since we are connecting to the VPN and flushing the cache, then you're supposed to run the cmd on the adapter you are active on? Well then when I run it I disconnect and I thought we need to keep the connection alive in order to complete this process properly?

    Also running netsh exec c:\net.cfg does not put my LAN adapter back I have to run;

    netsh interface ip set address "Local Area Connection" DHCP

    This is what my net.cfg says;

    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global icmpredirects=enabled


    popd
    # End of IPv4 configuration


    I understand that ipconfig /flushdns removes the DNS cache, what I'm trying to say is, I don't get what you mean about 'see who gets dhcp updates'. Right now if you tell me to see then I'm looking where to see, then you say who, so I'm also looking at who?

    So In OSX and Linux you don't need to do something like this in order to prevent a DNS leak?

    Again all I've done in the past is just place in a Pri & Sec DNS in the adapters in OSX and Linux...


    THANKS
     
    Last edited: May 11, 2011
  8. SteveTX

    You set static all the routes that aren't the VPN adapter.

    Ha no. You keep your VPN adapter working. The problem is all the other adapters. So we are crippling them from updating by converting DHCP to static routes.

    The netsh exec command merely restores whatever network settings you had prior to running the command and storing it in the net.cfg file. If you weren't on Local Area Connection, it won't set that.

    Oooh. Yes, that isn't covered in that simple tutorial. Clearly there are already too many difficulties!

    No, you would just set some IP tables rules or run a proper outbound firewall. Windows network firewalls are terrible because Windows networking is terrible.

    For linux, or windows?
     
  9. DasFox


    Thanks Steve...
     
    Last edited: May 11, 2011
  10. DasFox

    Hey Steve I got it, WoOT! :)

    Seems like if you have a Pri & Sec DNS in the adapter and you run the cmd it kills the connection.

    Here's a screen shot showing now the Local Area Connection on the left and the Tap adapter on the right;

    http://postimage.org/image/35nh6xgck/

    The adapters look ok, I mean the Tap on the right should stay like it was on DHCP?

    Now how do you use a different DNS like ClearCloud or Norton, Comodo, etc., if you want to? Even in my router I set a Pri & Sec DNS and it doesn't work when you set the adapter static...

    By the way Steve please look at this link;
    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

    Have you seen this app before, dnsfixsetup.exe?

    Just some scripts and bats that automate this for OpenVPN.

    Please have a look at this dnsfixsetup.exe if this looks like a nice automated way to do this and if you see any problems in the bats or scripts then maybe you can edit them and improve them if needed.

    I ran the dnsfixsetup and found it worked really nice when connecting and disconnecting, but I'd really like your feedback on it...

    THANKS
     
  11. SteveTX

    This looks like they just ripped off our work and put it into a batch file. Fine by me, but the problem is that it is hard to really do that stuff manually and get the info right because each network is different.


     
  12. DasFox

    When you say different, what are you referring to?

    Can this be made to work for everyone, maybe you could create something and improve upon this?

    I'm using as an example with VPNCheck Pro and the only issue I see at the moment is it doesn't resolve the network for a few tries then it connects. But this is only when I use it with VPNCheck Pro starting the VPN automatically. If I run OpenVPN manually with the GUI I don't see this happening...

    THANKS
     
  13. SteveTX

    Different: different number of adapters, people have personally set up networks, etc. What I can do is probably script up *some* of it for only the most basic setups (say 70% of users) and add that into OpenVPN UP/DOWN for the next xB VPN replacement we put out. Send me the batch files, DasFox.
     
  14. DasFox


    I'd say grab the dnsfixsetup.exe so you can see everything going on with it, in case I overlooked anything...

    If you could make something other VPN users could use that would be really great!

    THANKS
     