Some Chrome VPN Extensions Leak DNS Queries

Discussion in 'privacy technology' started by mood, Apr 3, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    6,030
    Some Chrome VPN Extensions Leak DNS Queries
    April 3, 2018
    https://www.bleepingcomputer.com/news/security/some-chrome-vpn-extensions-leak-dns-queries/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    Damn, more browser VPN foolishness :(
     
  3. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,200
    Location:
    Southern Rocky Mountains USA
    They're not a VPN tunnel even if they are proxying encrypted traffic to and from a browser through a VPN server It is very easy to leak both IP and DNS servers regardless of what the providers say. Any port that is not 80, 8080 or 443 is a potential leak and port 53 above all.

    That being said, they are useful for browser obfuscation. I'm pleased to see that the only one I use, Windscribe, is one of the less leaky ones. I use it for general browser obfuscation, not as a VPN. It has other features such as randomizing agent strings, ad and tracker blocking, shifting browser time to proxy time and several more. The secure proxy is just another part of the package. Sometimes you want to switch IPs on the fly and a browser extension is useful for that but don't expect it to be very secure.

    I see that the better less leaky VPN browser extensions come from established VPN providers like PIA, Windscribe, NordVPN and Cyberghost and the ones that leak all started as browser extensions. That says something right there.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    Interesting. So these are less leaky than "anonymous" HTTPS proxies, right?
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,200
    Location:
    Southern Rocky Mountains USA
    I'm just going by the article referenced. Windscribe got a pretty decent rating from The Privacy Guy as well. In my use of the Windscribe extension, I'm not really concerned about leakage. It is used over a VPN already and I'm using it for something like registering a second time with a different IP for some sort of giveaway or browsing with a different IP while downloading something with another browser. I would think that a VPN provider already has the server infrastructure in place and some in house expertise while an addon developer has to rent servers and learn how set them up correctly.

    A quick check of the proxy settings of a browser with Windscribe enabled shows that "An extension, Windscribe, has taken over the Proxy settings" and I don't have the option to see or change them. So they are using the built in http, https proxy capabilities of the browser. Not a VPN but not a bad thing if done right. A useful tool but not the tool advertised. It's the advertising that is the problem, not the tool. It is a real trap for someone who doesn't understand VPN technology browsing an app store. One trap among many.

    I did a quick test with browserleaks.com of the Windscribe extension and the DNS didn't leak but both Flash and WebRTC give away the real IP, in my case the VPN IP. Chromium, oddly enough, has an IPV6 address that is located somewhere totally different than the IPV4 IP with IPV6 disabled in the router. No IPV6 address at all in Vivaldi with the same extension. I kind of like that. As I said, I'm using Windscribe for obfuscation and the more contradictory and false information coming from the browser, the better.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    How many different IPs can Winscribe provide?
     
  7. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    420
    "The issue is that DNS Prefetching continues to function when pac_script mode is used. Since HTTPS proxy does not support proxying DNS requests and Chrome does not support DNS over SOCKS protocol, all prefetched DNS requests will go through the system DNS. This essentially introduces DNS leak," Mason said today in a blog post describing the issues in more technical depth."

    How can that be possible that Chrome does not support DNS over SOCKS? o_O
    I mean, UDP, TCP (both witch can carry DNS) and pretty much any other protocol can be tunneled throught SOCKS5 proxies. SOCKS5 don't care what goes throught them.
    And there is even cmd-line switch --proxy-server="socks5://yourproxyserverhere:1080" so what gives?

    EDIT:
    I remembered now, firefox has a separate setting for doing dns throught socks:
    http://kb.mozillazine.org/Network.proxy.socks_remote_dns
    So is this an issue with firefox too? That without that preference turned on it would leak DNS ?
     
    Last edited: Apr 5, 2018
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,200
    Location:
    Southern Rocky Mountains USA
    In the free version just a handful and a limit of 2gb. If you subscribe, all of their VPN servers. It is not quite a small amount as the chart suggests because each location has several servers.

    https://windscribe.com/upgrade?pcpid=ext_upgrade

    I checked the IPV6 address and it does indeed come from Windscribe. Weird, it is the same address on two different browsers with different IPV4 IPs. Not so useful if it is a fixed address. Might just be there to make traffic look more normal to Google. I've been confronting captchas from VPN servers that shouldn't get them and they are always labled IPV4 and I'm beginning to think that Google is tagging traffic that is IPV4 only when they talk about "unusual traffic from your network" and dish out a captcha to do a search.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    Thanks. So more secure than HTTPS proxies, but less IP choice. That does fill a gap between VPNs and proxies.
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,483
    Interesting, but one thing I care is probably extension developer can identify you even when you chained different VPNs, so if I will use it I have to trust Windscribe, or am I missing sth? I don't know what info can extension dev grab, tho its coverage should depend on permission of the extension.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    It depends on how you chain VPNs. I have each VPN client running in a different machine (typically one in the host, and others in pfSense VMs). All work I do in another VM, which uses one of the pfSense VMs (the last VPN in the chain) as a LAN router. So anyway, Winscribe couldn't see anything before that VPN.
     
  12. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,483
    Thx, that is what I haven't fully get understood yet. Just to confirm, is it necessary to use NAT for virtual network? If I use bridge or semi-virtual network, are there any risk?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    Unless you're running servers, there's really no reason to bridge VMs to the host, rather than using NAT.

    When using VMs to chain VPNs, if there's no VPN client running on the host, you can either bridge or NAT the first VM in the chain (typically pfSense) to the host. But if you are running a VPN client on the host, it's safest to NAT. If you bridge, it must be to the VPN adapter, not to the LAN adapter.

    For other pfSense VMs in the chain, you're always connecting a VM's WAN adapter and the LAN adapter of the "previous" (in the VPN chain, I mean) pfSense VM to the same internal network. That's also NAT, with each pfSense VM getting its IP address from a DHCP server on the previous one.

    In other words, VPN chaining involves intentional multiple NATing.
     
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,483
    All right, so this is the main question. I understood if you chained 2 VPNs with VMs which always use VPN, e.g. 1 in host and 1 in VM (NAT), 1 in router and 1 in VM (NAT or bridge), or 2 in VMs (NAT), you'll be safe. Probably, if you chained 2 VPNs on router and host w/out VM, and you always use VPN on both (router and host; with proper firewall rule ofc), you'll be safe...right?

    But what if I always use VPN on router and occasionally use VPN on host? When I don't use VPN on host, still all outbound connection will be through 1st VPN on router, but as the router has ISP assigned IP if I execute ipconfig on host I'll be able to get real IP. And I'll browse w/out second hop VPN, in this case can an browser extension tell real IP?

    This is what I care, but sorry I wrote before I organize my thought.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    7,719
    First thing, I don't recommend using a particular machine (or VM) both with and without a VPN. So in your case, that would be always with the VPN on the router, and VPN connected or not in the machine. That's because there's no way to know for sure what's been left on the disk after a session. So stuff left with the VPN running may leak when the VPN isn't running (as in the FBI NIT exploits) or vice versa. And even without malicious stuff, it's not so hard to forget which browser, websites, accounts and so on that you use with the VPN running, vs those that you use without it. So maybe you accidentally pwn yourself.

    If your router is running a VPN client all the time, and your machine is getting its IP address from a DHCP server on the router, I don't believe that the machine can see the WAN IP address of the router. It of course sees the router's LAN IP address. But that shouldn't be set by your ISP. If it is, change it. Or if you can't change it, get your own router/firewall and bridge it to the ISP's device.

    Even with traceroute on your machine, you'll only see the path through the router's VPN tunnel. You could, of course, make that possible by messing with the router, forwarding a port, and allowing traffic. But just don't do that :)
     
  16. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,483
    Ok I understood the risk, but that is my current usage of VPN. At least for me it's a relief to hear that as long as VPN is enabled on router, browser plugin can't know real IP. I'm going to set always-on VPN on OPNSense router once I got enough time & a cheap shuttle barebone kit, while will use another VPN on mobile devices always so that it's tunneled on LTE and double tunneled on wifi. Admittedly I'm not very hard core about privacy, rather just trying to gradually improve it.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.