I need help about DNS leak

Discussion in 'privacy technology' started by Melita, Feb 24, 2015.

  1. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I use a VPN for Internet anonymity. I have also manually selected 'Open DNS' instead of the automatic DNS servers of my ISP. While connected to the Internet via the VPN, I checked my DNS addresses using a web site that does a 'dnsleaktest' (I can post a link to this site if it is not violating the forum rules).

    During this test:-
    In addition to the addresses of the DNS servers provided by the VPN, The DNS addresses of the 'Open DNS' that I have chosen for my Internet connection are also displayed. My real Internet IP (provided by my ISP) is not displayed. Only the IP given by the VPN can be seen.

    The web site calls this a "DNS leak" and says the following: "If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data".

    This being my situation, is my Internet anonymity compromised. Is an interested party able to find my real identity because of this "DNS leak"?

    Thank you
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    I can only forward my suggestions to you. Since you have decided to trust a VPN with assisting in your anonymity, why not select THEIR DNS if they provide one. They already know who you are via your ISP's IP anyway. It sounds like you are running a one hop VPN circuit on a windows machine just from reading your post. DNS can be quite revealing if the adversary is advanced. By locking down your VPN tunnel to ONLY the vpn provider's DNS you will leave all others in the dark as to what sites you visit. The WHERE you visit is the issue for DNS leaks since they reveal that info.

    If you need help with how to allow ONLY your vpn providers dns there are numerous threads around here. After reading a few if you get stuck post back and someone will be glad to jump in. Good luck.
     
  3. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    What Palancar said is correct, OpenDNS is a bad idea for privacy since they sell your data to ad companies and probably keep logs. Don't mess with the DNS settings of your VPN unless you really know what you're doing (you probably don't, no offense), it can just create an issue for no benefit whatsoever.

    The best way to check for DNS leaks is with Wireshark. All your packets should show as OpenVPN (if you're using the default port 1194, otherwise HTTPS if it's set up to use 443), besides ARP and DHCP (these are communications with your router, not the internet).
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    What OS are you using?
     
  5. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I did some browsing around without much luck. Is it possible to direct me to a few good threads, for this purpose. I am new here, with poor networking knowledge :confused:
    I did this DNS change only for normal browsing (without the VPN), of safe web sites like this forum here. I didn't know that they compromise privacy. When I want to use the VPN, I first connect to the Internet normally (which will connect me with my ISP and of course Open DNS), I log on to the VPN before opening a browser.That's what I have been doing when I did the DNS leak test. I did that with a number of web sites that do this check and the results were the same with all of them.
    I didn't do anything to the DNS of the VPN. I simply connect to the VPN, like I described above in this post and let them connect me to their DNS servers. I am embarrassingly aware of my limitations! In any event, there are no options available to meddle with their settings. I can only connect and leave everything else in their hands.

    I should be able to do this after learning how to, but I am almost certain that my DNS is showing.
    Windows 7 Home Premium.

    Thank you to all three of you for helping.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Melita,

    Relax. One thing you may want to examine is whether or not your vpn provider has a client with what you already want configured. I know of several that do. Just so you know the three folks responding on this thread so far, are all running linux. Windows has some unique challenges where security is concerned. However; depending upon your threat model you may be just fine.

    If you are not worried about letting us know, which vpn provider are you using? Many of us are very familiar with the clients available on most of the providers systems. I have access to windows clients where the dns is locked and a tunnel loss will shutdown your connection completely, which protects you. These clients will only be of value if you subscribe to the various vpn's in question here.

    Absent a fully functioning client, I can direct you to a vpn forum where you can do some research for what you need. I wrote a few of the guides there. Speaking in full disclosure, I always employ a personal firewall along with any client I use. I take no chances for a client malfunction leaving my browser out in the open. Never happened yet, but if its going to it will be on my dime. LOL!

    For now how about verifying whether or not you have access to a vpn client as described above?
     
  7. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I have no problem about disclosing my VPN. It is SoftEther VPN. This has a comprehensive client manager. Of course I am totally in the dark about to how to set it up! Here is the link to the web site:

    http://www.vpngate.net/en/
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I've forgotten most of what I ever knew about OpenVPN in Windows :(

    Can one hard code different DNS servers for the TAP adapter?
     
  9. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I just had a look. There is the option to manually select DNS severs for all the adapters, including 'TAP-Windows Adapter V9' and 'VPN Client Adapter - VPN'. I have changed only the 'Wireless Network Connection Atheros AR5B95....', to Open DNS.

    ADAPTERS.JPG
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    OK, then configure the DNS servers provided by the VPN in the TAP adapter.

    With the VPN disconnected, the DNS leaktest site should show only OpenDNS. With the VPN connected, it should show only the DNS servers provided by the VPN.
     
  11. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    When I open the list of servers from the VPN Client Manger, it looks like there are over hundred DNS servers used by this VPN. Please see the attachment. This is only a small fraction of their list of servers. What should I do? Apart from this large number of servers, I am not even sure how to find the DNS address of any server.

    VPN SERV..JPG
     
  12. guest

    guest Guest

    Uhm... ipconfig/all?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Those are the VPN servers. When you connect to one, it will push some DNS server(s).

    I wasn't thinking this through, however. SoftEther is more like an aggregator than a VPN service.

    Just pick another couple DNS servers from https://www.wikileaks.org/wiki/Alternative_DNS and configure the TAP adapter with them.
     
  14. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I have configured the adapter with 2 DNS addresses from the 'Wikileaks' link above and it is working. Only the selected DNS addresses are shown in DNS leak tests.
    I noticed that SoftEther is not using the TAP adapter but the other one, 'VPN Client Adapter'. So that is the one I configured. In the long list of available DNS addresses at the above link only nine are working. I checked all of them.

    Here are the only ones that work (this may be of use to someone). I have not included Open DNS.
    213.73.91.35 - Chaos Computer Club Berlin---------Germany
    212.82.225.7 - ClaraNet-----------Germany
    212.82.226.212 - ClaraNet------------Germany
    *156.154.70.1 - DNS Advantage-----------USA
    **156.154.71.1 - DNS Advantage------------USA
    *156.154.70.22 - Comodo Secure DNS---------USA
    **156.154.71.22 - Comodo Secure DNS---------USA
    8.8.8.8 - Google
    8.8.4.4 - Google

    There is a peculiar thing here. When the adapter is configured with the 2 DNS servers above, marked '*' located in USA, the DNS leak test shows a singe DNS server for both, which is located in Japan (NTT Communication), showing a completely different DNS ID of 61.120.158.--

    Similarly, When the adapter is configured with the 2 DNS servers above, marked '**' the DNS leak test shows a single completely different ID for both as, 4.31.99.-- In this case it says "level 3 communication" (this one shows USA correctly as the location).

    Each DNS ID was entered separately only under 'Preferd DNS server'. 'Alternate DNS server' was left blank. I checked these repeatedly with the same result. Only these 4 DNSs' behave this way.

    What could be the reason? What does "level 3 communication" mean?

    Thank you
     
    Last edited: Feb 26, 2015
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Level 3 is an ISP's ISP.

    I suspect that the * and ** DNS servers are forwarding to some Japanese DNS server and Level 3's one.

    What does https://grc.com/dns show?
     
  16. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    I find this somewhat daunting. Do I have to look for anything more than "Anti-Spoofing Safety" in these tests?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    What matters at https://grc.com/dns is just what DNS servers it finds. I recommend it because it does a better job at finding all available DNS servers than many DNS leak test sites.
     
  18. Kiebler

    Kiebler Registered Member

    Joined:
    Feb 3, 2015
    Posts:
    15
  19. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    grc.com test results are identical to the above tests done with the following web sites:
    http://ipleak.net/
    https://dnsleaktest.com/ (same as Kiebler has posted above)
    grc found the same DNS servers for both '*' and '**' (61.120.158.-- Japan and 4.31.99.-- USA, respectively. Only those servers and nothing more. Anti-Spoofing Safety was graded as 'Excellent' for both.

    I am sure this will be useful. Thank you.
     
  20. JimmySausage

    JimmySausage Registered Member

    Joined:
    Apr 11, 2010
    Posts:
    53
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Thanks :) Good to know.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Softether is its own VPN client with its own virtual adapter. It is not OpenVPN at all and its virtual adapter can coexist with an OpenVPN TAP adapter on the same Windows system and a two hop connection made if both are active at the same time. This doesn't work with OpenVPN using VPNgate servers but it does with OpenVPN using another provider.

    I used Softether and VPNgate quite a bit before finding a paid VPN and setting up a VPN tunnel on my router. I still have it installed and I'm glad to read about setting up DNS servers for each virtual adapter. Something that I hadn't thought about that is good to know.

    There is a free 3 month subscription for a VPN service that only works with Windows 7 or newer. I posted about it last week and it was still going on when I checked this morning. So far, I've found it to be quite competent and I've had no glitches with either the client software or VPN connection. The main drawback is limited OS support. If you are using Windows 7, it is a good addition to Softether.


    https://www.wilderssecurity.com/threads/f-secure-vpn-free-3-month-subscription.373464/
     
  23. Melita

    Melita Registered Member

    Joined:
    Nov 20, 2014
    Posts:
    30
    Location:
    Ottawa, Canada
    1. Now that only a few of the 'Wikileaks' list of public DNSs are working, is there a place where I can get a more complete list of them that are working?
    2. Where personal anonymity is concerned, are Google and Open DNS servers (which are in the above list), safe to use? Do they log the identity of the users?
    Thank you for this information.
     
  24. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    Yes, they certainly log if the DNS provider is company. If you use any so called free service of some company then you are the product and pay that free usage in one way or another. In this case with your surfing habits and what other info they can collect of you.

    Here's Google DNS privacy policy for example:
    https://developers.google.com/speed/public-dns/privacy

    And here's the other, popular public DNS alternative from that list, OpenDNS, privacy policy:
    https://www.opendns.com/privacy-policy/

    Quite horrifying reading, but at least they are honest and tell it all.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    The advantage of Google DNS is the sheer volume of traffic and blending in the crowd. I don't have a problem using it from a VPNs shared IP but I do for my real IP. OpenDNS implements censorship--I can't remember what sites specifically but I've been blocked by them. Google allows everything.
     
Loading...