How do I prevent DNS leaks on Mozilla Firefox?

Discussion in 'privacy problems' started by DesuMaiden, Jun 27, 2013.

Thread Status:
Not open for further replies.
  1. DesuMaiden

    DesuMaiden Registered Member

    Joined:
    Jan 25, 2013
    Posts:
    534
    A vpn is moot when there are DNS leaks from the web browser. How do I prevent these DNS leaks?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Huh?

    How does the browser specify its own DNS servers?
     
  3. Micah63

    Micah63 Registered Member

    Joined:
    Jul 1, 2013
    Posts:
    3
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    In addition to observing dns leaktest's site, I would recommend going over to the AirVpn forums (you don't need to be an Air customer) and reading their headline threads about firewall rules to totally block DNS leaks. The absolute and real culprit is the Windows operating system. You can pretty much lock it down from these leaks if you write the correct global firewall rules.
     
  5. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    I know this is a slightly old thread, but I found it interesting as I have a doubt about DNS leaks.

    If Windows is the culprit, do I solve the problem by using Ubuntu?
     
  6. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    i'm sure mirimir will explain it better when he goes online but i believe the best bet would be to use vm & pfsense.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    There are two aspects to "DNS leaks" while using VPNs. One is which DNS server(s) are being used. The other -- which is a special case of overall VPN leakage -- is whether DNS queries are going out through the VPN tunnel, or directly through the network adapter, bypassing the VPN tunnel.

    Properly configured VPN connections don't leak in either way. The VPN servers push instructions about what DNS server(s) to use, and also rules to route all traffic through the VPN tunnel.

    However, it's hard to craft VPN configurations that work properly for all users, given all the possible customizations, security apps, and so on. There's also the problem that modern network managers are focused on providing a working network connection, no matter what it takes. Windows does that, and so does Network Manager in Linux.

    So, for example, if the VPN goes down, the system may try to directly connect via the physical network adapter. And if the VPN didn't provide a working DNS server, the system may try to use defaults pushed by the LAN router.

    The best solution that I've found is using pfSense VMs as VPN clients, because you can nail down all that stuff, using a simple webGUI. It's possible to secure Windows and Linux with firewall and routing rules, and specify which DNS servers to use for which network interface. But that's a lot more complicated.

    Edit: And then there's Multipath TCP (mptcp) which can switch transparently among wired LAN, WiFi and cellphone networks. That, especially with IPv6, will be a serious pain to lock down :(
     
    Last edited: Nov 6, 2013
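The two kinds of leak described in the post above (wrong resolver versus traffic bypassing the tunnel) can be checked mechanically against a packet-capture summary. This is an added example, not part of the original thread; the interface names, addresses, ports and sample rows are constructed assumptions.

```python
import ipaddress

# Assumptions (not from the thread): interface names, addresses and ports
# below are constructed sample values from documentation/private ranges.
PHYSICAL_IF = "eth0"                 # physical network adapter
TUNNEL_IF = "tun0"                   # VPN tunnel adapter
VPN_SERVER = ("198.51.100.7", 1194)  # VPN server endpoint (IP, port)
VPN_DNS = {"10.8.0.1"}               # resolver(s) pushed by the VPN server

# Constructed capture summary: interface, destination IP, protocol, dest port
SAMPLE_ROWS = """\
eth0\t198.51.100.7\tudp\t1194
tun0\t10.8.0.1\tudp\t53
tun0\t203.0.113.80\ttcp\t443
tun0\t192.0.2.53\tudp\t53
eth0\t192.168.1.1\tudp\t53
eth0\t203.0.113.80\ttcp\t443
"""

def classify(row):
    """Return a verdict for one outbound packet summary row."""
    iface, dst, _proto, port = row.split("\t")
    dst = str(ipaddress.ip_address(dst))   # rejects malformed addresses
    port = int(port)
    is_dns = port == 53
    if iface == PHYSICAL_IF:
        if (dst, port) == VPN_SERVER:
            return "ok-tunnel-carrier"     # the encrypted VPN session itself
        # Anything else on the physical adapter bypassed the tunnel.
        return "leak-dns-bypass" if is_dns else "leak-traffic-bypass"
    if iface == TUNNEL_IF:
        if is_dns and dst not in VPN_DNS:
            return "warn-dns-wrong-resolver"  # in tunnel, not the VPN's DNS
        return "ok-in-tunnel"
    return "unknown-interface"

def audit(text):
    """Map each non-ok verdict to the destinations that triggered it."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if not verdict.startswith("ok"):
            findings.setdefault(verdict, []).append(line.split("\t")[1])
    return findings

if __name__ == "__main__":
    for verdict, dests in audit(SAMPLE_ROWS).items():
        print(verdict, dests)
```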
  8. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    good post. thanks.
    is there any way to test this out? simply the netstat command?
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'd use Wireshark, and capture for a while, hitting several sites, and running the DNS test at https://www.grc.com/dns.
     
  10. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    :thumb: thanks, mirimir. will do, when i have the time.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    De nada :)

    You could also do a capture after killing the openvpn process.
     
  12. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    that's a good idea too. :thumb:
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,097
    Since default ISP-provided routers typically link to the ISP's DNS servers, one thing you can do is to log in to the router as admin, and manually modify all of the ISP DNS server settings to be the OpenDNS server IP addresses (primary and secondary), for example, regardless of the source of your DNS leaks, whether using a VPN or not. By doing this, if a failure occurs in the VPN and the DNS request gets diverted, then at least it goes to a DNS server under your local control and not the ISP's DNS servers.

    -- Tom
     
  14. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Exactly. Set your preferred DNS providers only (OpenDNS, Swiss/German Privacy Foundations, etc...) in the router, *and* in the Windows primary adapter. Worst case, one of those will provide the address...I'm no expert, but I don't think even Windows would make up 8.8.8.8 all on its own, and send the requests there.

    PD
     
  15. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
  16. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    Comodo "hardwires" its own DNS into its browsers; there's scope for an add-on/extension/tweak that will enable a user-defined DNS to be set within the browser.
    The, dare I say, fail-safe method is to set the DNS within the router.
     
  17. PanTauxyz

    PanTauxyz Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    3
    https://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

    After connecting to VPN, start cmd as admin and write:

    ipconfig /flushdns

    netsh interface IPv4 set dnsserver "xxxx your primary connection" static 0.0.0.0 both

    It helped me to prevent DNS leaks; all online tests passed.
     
  18. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    you sure? i check the enable DNS leak protection option in my VPN so i'm hoping it's not leaking...
     

  19. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    i'm afraid it might be. because client integrated protections tend to fail sooner or later. i recommend you to search for mirimir's posts (and of others that contributed to those topics) on wilders and take a look at them.
    because general opinion is it takes more than ticking a small box in a client software. at least that's how it seems to me after reading pages of threads and hundreds of posts about vpn services related issues here.
    regards
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    There's no need to trust this or that.

    Just test with Wireshark. Mess with the VPN in as many ways as you can, and see where traffic goes.
     
  21. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Indeed...I checked the killswitch box of my VPN client...and I was happy listening to Pandora...then...the VPN breaks, Pandora shows my real IP, showing a text that it is not allowed...and so on...Now I'm learning how to prevent DNS leaks and stop all connections in case of VPN failure with tweaks...
     
  22. JoeAverage

    JoeAverage Registered Member

    Joined:
    Oct 26, 2013
    Posts:
    25
    Mirimir, I would like to do that, but Wireshark for me looks like the Matrix...and I'm not Neo...:D
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    All you need for this is the Statistics/Endpoints tool. See https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-2 at "Installing and Checking VPN-Firewall on Linux Workstation".
     
  24. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    exactly. even wilders is full of stories similar to yours. so it's not that uncommon with vpn client software to fail in those departments.
    i remember reading in one of his posts how caspian's ip was exposed to a forum to which he always connected behind a vpn ip due to a connection failure with his vpn client software.
     
  25. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I tried to resist posting on this thread but as you see I failed. I agree with many of the posts on this thread. I have been reading around/posting here for awhile now and one thing I see constantly:

    Please do yourselves a favor and learn to keep your own system safe and locked down. It is a MISTAKE to trust a "tick box" on some VPN client software and assume that little tick makes you now bulletproof. Take a little time and learn how to close down your system. It's the best time you will spend learning stuff. If this is perceived as a "soapbox rant" then I apologize, but I am fearful of those "Hey I am safe because my little VPN client says I am" posts.
     