What's the best DNS option for multihop VPN service users?

Discussion in 'privacy technology' started by fedupfred, Mar 24, 2014.

  1. fedupfred

    fedupfred Registered Member

    Joined:
    Nov 23, 2013
    Posts:
    13
    Location:
    USA
    I plan to use a multi-hop vpn service for privacy, and would like to know what's the most anonymous way to use DNS (best server and anything related that could enhance my security and anonymity).

    Also: does it even matter if there are multiple hops? Would the best DNS setup be the same regardless of how you use VPN services?

    Thanks in advance!
     
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I use multi-hops quite often. My opinion is that multi hops are MUCH more effective if the hops are with different providers. e.g. two vpn providers. Another really strong option depending upon what your speed needs are, would be to connect to a good vpn and then grab TOR for surfing around. That is a minimum of 4 hops and the circuit changes automatically every few minutes.

    As far as dns; my view is that locking down your machine to vpn1's dns makes total sense. Firewall rules will prevent your machine from connecting anywhere else, ever. Your ISP is always going to see the fact that you connect to vpn1 so why not use their dns? Your subsequent hops will be hidden in a virtual bridge. The most crucial is the dns to vpn1, and above all make SURE you block your ISP's dns from being used.

    There are some great links in these forums for chaining vpns. As you start out just learn to lock down ONE initial vpn and any dns leaks. Do NOT rely on vpn client software buttons. You can add a linux VM with TOR as your next step and be amazingly secure even at that point. You can learn and build from there. There are some addicts around here. LOL!!
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    German/Swiss Privacy Foundations. Or your VPN's own servers.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I agree with Palancar that creating your own multi-hop VPN from multiple VPN services is best. With a multi-hop VPN from one provider, adversaries would need to compromise only that one provider.

    I agree with Palancar and Taliscicero that it's OK to use either the VPN service's DNS server(s) or neutral third-party ones. There's a good list at <http://www.wikileaks.org/wiki/Alternative_DNS>. And it's absolutely crucial to avoid using your ISP's DNS server(s) for any of the VPNs.

    If you're creating your own multi-hop VPN from multiple VPN services, you only need DNS servers for traffic leaving the last VPN exit in the chain. You can specify the access servers for the intermediate VPN services by their numeric IP addresses, so there's no need for DNS lookups.

    That's easy to do using pfSense router/firewall VMs as VPN clients. In the pfSense VM for the last (innermost) VPN service, you configure the DHCP server on LAN with the DNS server(s) for your workstation VM(s). That's the "Services: DHCP server" tab in the pfSense WebGUI. You can use either that VPN service's DNS server (obtained from the VPN connection log) or neutral third-party ones.

    There is one other tweak needed for the pfSense VMs in that setup. pfSense needs to know the correct time, and so it queries NTP timeservers. However, pfSense specifies the timeserver as <0.pfsense.pool.ntp.org>, and that's useless without DNS lookup.

    The solution is simple. Using a Linux LiveCD VM attached to the pfSense VM's LAN, browse "System: General Setup" in the pfSense WebGUI. Then, in a terminal window, run "host 0.pfsense.pool.ntp.org". In the "NTP time server" text box, replace "0.pfsense.pool.ntp.org" with the numeric IPs that you got, as a space-separated list. Then do the same for the other pfSense VMs. You will get different IPs, because <0.pfsense.pool.ntp.org> resolution is localized.

    You don't need to do that for the last pfSense VM, because it will have DNS servers. However, you do need to enter neutral third-party DNS servers in the "System: General Setup" tab. pfSense will use those for itself, but the ones that you specify in the "Services: DHCP server" tab in the pfSense WebGUI will override them for LAN clients.
     
  5. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    I have a simple question here, which I think does not deserve a new thread.
    Since the DNS leak is kinda usual in Windows but I learnt it does not occur in Linux, my question is:

    If I run a Linux VM on a Windows Host and then I connect via VPN on Linux only (meaning that Windows Host is basically connected to the ISP), am I fully VPN protected when operating Linux?
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    dogbite,

    I have used a similar setup on more than one occasion. My thinking is that the critical piece to your puzzle is securing the DNS on your host windows OS. You have said that the windows host is what you are using to connect to your ISP. That being said your ISP will be firing their dns at your host around the clock. How are you limiting/controlling the windows dns issues? Before you go on building the rest of your project you should make sure the "host" has the dns situation handled. I don't know if you have been reading some of my threads but I am actually building a machine to use a linux host that will never see the internet. It is similar to what you are suggesting.

    In theory, you could make windows simply connect to your router and use pfSense in a VM for your vpn tunnel, followed by other VMs for your internet surfing, etc. Notice I said theory. I could actually do that but I have no way to confirm whether or not to trust windows with such an operation. So I have now decided to create what you are doing only 100% with linux. I also have no concrete way to confirm that Linux is trustworthy. My experiences and the revelations of Mr. Snowden and Microsoft's continually burning their loyal customers leaves me with the suspicion that Linux is a safer choice. There are posts around here between me and Mr. Brian discussing the windows project. I have abandoned that project simply because of eroded trust in the windows platform, and more specifically Microsoft.

    One of my current scenarios is close to what you do. I use the windows host to connect to vpn1 and it's completely locked down to vpn1's dns. The host cannot go online anywhere at anytime to any dns/connection other than the sole permitted vpn. From there I use additional VMs to create multiple hops. At least this way I know beyond a doubt that only one dns will ever get processed/used by my machine. I know this is going to sound "out there" but this last paragraph is only accurate IF windows is not covertly using some other unknown method to compromise me and my setup.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's not necessarily so.

    In Linux, DNS servers are specified in two ways. Classically, they were specified in /etc/resolv.conf, but now they're handled by Network Manager. Network Manager updates /etc/resolv.conf, and overrides modifications made otherwise.

    If all goes well, the VPN server pushes its DNS servers when the client connects, and there are no DNS leaks. But it can go wrong.

    By default, VirtualBox will pass DNS lookups back to the host machine. So, as backup, you need to manually configure neutral third-party DNS servers in Windows connection properties. In the Linux VM, configure different neutral third-party DNS servers for the wired connection in Network Manager. And then check that your VPN is using DNS servers pushed by its server.

    Also, I recommend running adrelanos' VPN-Firewall <https://github.com/adrelanos/VPN-Firewall> on the Debian host machine. In Linux, the kernel handles routing, and the package iptables is the firewall. VPN-Firewall comprises two shell scripts. One configures iptables, and the other controls when and how the first gets run. In setting it up, you need to specify the numeric IP address of the VPN server that you're using. It will allow all traffic on the VPN tunnel, and block everything else except connections to the VPN server.
     
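A check of the kind mirimir describes above (confirm that /etc/resolv.conf lists only the VPN-pushed resolver or the neutral third-party ones you chose), written here as an added example that is not from the thread or from VPN-Firewall; the resolver addresses and the sample resolv.conf are constructed, and the function can be pointed at the real /etc/resolv.conf on a Linux VM:

```shell
#!/bin/sh
# Added example (not the thread's or VPN-Firewall's code).
# check_resolvers FILE ALLOWED: report every "nameserver" entry in FILE
# (resolv.conf format) that is not in the space-separated ALLOWED list.
# Returns 0 when all resolvers are allowed, 1 when a leak candidate is found.
check_resolvers() {
  file="$1"; allowed="$2"; leak=0
  # Drop comments, keep only "nameserver <addr>" lines, extract the address
  for ns in $(sed -e 's/#.*//' "$file" | awk '$1=="nameserver"{print $2}'); do
    found=0
    for ok in $allowed; do
      [ "$ns" = "$ok" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "LEAK: resolver $ns is not in the allowed list ($allowed)"
      leak=1
    fi
  done
  # Caveat: if Network Manager runs a local dnsmasq, this file shows 127.0.1.1
  # and the real upstream servers must be checked in Network Manager itself.
  return $leak
}

# Constructed sample, as Network Manager might write it: the VPN pushed
# 10.8.0.1, but an ISP resolver (192.0.2.53, a documentation address) remains.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.0.2.53
EOF

# Allowed set (assumed values): the VPN-pushed resolver plus one neutral one
ALLOWED="10.8.0.1 198.51.100.9"

if check_resolvers "$SAMPLE" "$ALLOWED"; then
  echo "OK: only allowed resolvers are configured"
fi
rm -f "$SAMPLE"
```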
  8. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Guys, thanks but unfortunately I am quite limited when operating on the Windows Host. My PC is company owned and I am already out of policy since I installed some programs which are not formally allowed (even Dropbox, for example, should not be installed).
    Then my idea was to install a Portable Virtual Box on the External E-sata drive (really fast) and running Ubuntu on that. To make it short, in Ubuntu I can do everything, but basically I should leave W7 untouched.
     
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    dogbite,

    I had no idea you were so far over the line on a company machine. I couldn't sleep if I were in the situation.

    May I make a suggestion, which would really add security and then you can clean up the tracks in your company machine?

    You could download 13.10 Ubuntu and easily create a free standing OS on a fully encrypted Linux flash drive. You can grab a 32/64 Gig for 20-30 bucks or less and then create an awesome linux OS on that. When you are using it the company hard drive would not even get a mark on it. When you are not using it the flash would be encrypted 100% with solid and tested crypto. This flash would be bootable and completely separate from the company drive. All you need is a machine that allows for usb boot in the bios. Most have that these days but not all.

    Would this be an option for you?
     
  10. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Palancar, thanks for your suggestion. I like it. I think my Latitude 6220 is able to boot from USB, but I need to further check.
    I have a concern, though. The laptop is fully encrypted with McAfee Endpoint Encryption: I guess booting from USB would not affect it, but I need to be sure because I cannot afford messing up (..again..:D :oops: ) McAfee...

    At the moment I am testing Vbox Portable on the external HDD, which works quite well.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    It won't affect it at all. You will install it solely on the flash and even place /boot (that is what starts Linux) on the flash. If you are doing this at home you can remove the company hard drive during the process to be totally sure if it makes you feel better. By setting the boot order in the bios to USB before hard drive, it will mean that when the linux flash is inserted and you boot up it will be all Linux. The windows drive won't even be used at all. If you need a link I have a thread in these forums about it for 13.10. Worked like a charm on this end.

    I see that you keep mentioning an external drive. That also would be a great option for a standalone Linux install. I have another external that boots from "itself" and it runs almost as fast as a bare metal install (which you can't use).
     
  12. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    yeah I have an external HDD (E-sata) but I think BIOS does not allow to boot from that (I am not sure, though).
    Please send me the link, I just ordered a 32GB USB Stick..:D
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    From my thread in our unix forum: https://www.wilderssecurity.com/showthread.php?t=361641


    I have a link in that thread. BTW --- you could just use a simple little cheap flash drive for /boot and then have the actual linux OS on the external drive. Either way works great. The steps in that link are pretty straightforward, but if you have any questions just add them to that thread. The 13.10 installer has full lvm encryption so you can easily encrypt the full device if you want.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Also, if you're extremely paranoid, you could backup the LUKS header of your encrypted eSATA drive to the /boot folder in the flash drive, and then overwrite the LUKS header with random characters. Having done that, the eSATA drive is apparently randomized, with no evidence of data. "I just wiped it!" is totally plausible. When you want to access it, you boot from the flash drive, drop into initramfs, restore the LUKS header, and reboot.
     
  15. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    I have a question to those using VPN (doesn't matter if they're multi hops). Any payment made for paid VPN subscription is traceable.

    Unless you guys use VM (VPN) and over base VPN connection which all of them are free or full-featured promo.
     
  16. Alexandru

    Alexandru Registered Member

    Joined:
    Jan 18, 2014
    Posts:
    15
    Location:
    Netherlands
    Sometimes I'm using dnscrypt and sometimes the usual DNS provided by the Swiss Privacy Foundation.

    dnscrypt: double-hop VPN (2 different providers)

    DNS by Swiss Privacy or other: double-hop VPN (2 different providers) and afterwards one connection over SSL (third provider / stunnel4). My last provider has SSL-DNS support. In this case the DNS is going through the stunnel4!

    https://www.privacyfoundation.de/wiki/SSL-DNS
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402

    Parts of your post are a little confusing as to what you are saying. From experience, I can tell you that use of Bitcoins makes "crypto currency" payments very quick and easy.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Free is a good option. For example, you could get a SecurityKISS account via Tor, using one-time email from <https://anonbox.net/>. That would be hard to trace, as long as you connect the VPN only via Tor. But you can do the same with paid VPN accounts, as long as you use highly anonymized Bitcoins. You mix Bitcoins a few times via Tor, doing multiple passes through Bitcoin Fog over a few weeks, with several MultiBit clients, each in its own Whonix instance. After that mixing process, there's no connection between the Bitcoins that you started with and the ones that you're paying for VPNs etc with. And you can verify that by searching at <https://blockchain.info/>. See <https://www.ivpn.net/privacy-guides/advanced-privacy-and-anonymity-part-7>.
     