Xerobank VPN

Discussion in 'privacy technology' started by JB007, Jan 28, 2009.

Thread Status:
Not open for further replies.
  1. JB007

    JB007 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    18
    Apologies if this has been done to death, however I was reading on here somewhere a post about how a home computer may leak some kind of information while using a Xerobank VPN and this could lead to the site revealing your actual IP address. Please excuse my lack of tech knowledge here, but I have only recently started looking at this kind of protection due to our government's incoming censorship ban.

    Is it the case that if I were to sign up for something like Xerobank and use a VPN that all traffic from my pc would be both private and anonymous, without leaks in the software? I assume all that's required is download it, install and then sign in/run and away you go?

    Many thanks

    JB
     
  2. geazer40

    geazer40 Registered Member

    Joined:
    Jun 11, 2008
    Posts:
    128
    xerobank like others leak dns, it's a windows thing so steve has said, and he wrote on here that he had the solution for monday but yet again nothing from him, so in effect i don't believe that xerobank is any better than say trackbuster, but you must make your own mind up
     
  3. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    From what I understand, it has nothing to do with Xerobank. It is openVPN in general that "can" leak a DNS request. Not that it will, but that it could happen. As far as I know this does not mean that it reveals your true IP. It just lets your ISP know that you are requesting a webpage. Now I may be mistaken but this is my understanding of the issue.

    Steve did say that they are working on a way to prevent the possibility of this ever happening. I am confident that they will. They were the first, and maybe still the only VPN provider that made it possible for openVPN to be used on a Vista 64 bit computer. That fix came about almost immediately.

    What I am excited about is using their cryptorouter when it comes out. From what I understand, that will be the ultimate "fix".
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Greetings. No, XeroBank does not leak DNS requests, but there are some things you can do to keep your own computer from leaking DNS requests, if you would like. They are relatively simple to do: go to network settings, tcpip, properties, and manually assign the DNS to 10.244.2.1
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks I will do that when I get back from vacation.
     
  6. JB007

    JB007 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    18
    Hi Steve, thanks for the reply. I actually tried to PM you prior to posting this, however the site said PM was not working. I realised that it wasn't Xerobank, but seemed to be a windows problem as I had read somewhere earlier. Being so new to all this I was wondering what the point of paying for a service was if info somehow leaked and people were getting your IP or able to see where you surfed. Being so untech minded, I guess I was after something I could just turn on with my pc (vista) and simply give me anonymous/safe internet usage. I was of the understanding that a VPN both encrypted, and gave anonymity from every prying eye? Also people refer to an "open" VPN, is there any other more secure type?

    Many thanks

    JB
     
  7. jonw

    jonw Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    83
    They released an update that fixed most of these issues, I had the same concern before. These guys are the only ones with openvpn not leaking dns. You're correct, what would be the point of using a service that leaked dns. Go to xerobank's site and read their blog and you can read about the update.
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Some clarity on DNS leaks.

    Your internet connection is like an outside hose and faucet. The water traveling from the faucet to the hose is your internet traffic. Using PPTP VPN is like using a hose made of perforated rubber: a bad choice. Using OpenVPN is like using a steel reinforced hose.

    Your computer's network interface is like the faucet. If the threads on the faucet are weak or stripped, no matter how good the hose is, the connection will leak. So if you've got bad DNS configurations in there, you'll get leaks even with a good vpn.

    When you get a leak using PPTP, it can leak all your traffic. If you get a leak with OpenVPN, it can leak DNS traffic, which asks your ISP what the IP address is of the website you want to visit.

    Even though our hose is strong, we think we can also help out if your faucet is weak. We're adding more technologies that will strengthen the bond between your faucet and our hose. Some of this technology we can implement server side, some we can implement on client side. In the end, you'll get "defense in depth" which creates many layers that would have to fail to leak DNS etc.
     
  9. JB007

    JB007 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    18
    Thanks Steve, is there a way to see if you are leaking, so to speak? Also is the MAC address protected using VPN, not that I am aware if this can identify a person.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We are developing a public DNS leak test. It works by generating unique subdomains and seeing if your requests leak from different IPs. MAC address doesn't leave your machine.
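
The mechanism described in the post above, sketched from the test server's side (an added example, not XeroBank's code and not part of the original post). The zone name, the log line format and all addresses are assumptions made for illustration.

```python
import ipaddress
import secrets

TEST_ZONE = "leaktest.example"  # hypothetical zone; its name server writes the log

def new_probe_name(zone=TEST_ZONE):
    """Random label that no cache holds, so every lookup reaches our name server."""
    token = secrets.token_hex(8)
    return token, f"{token}.{zone}"

def parse_query_log(lines):
    """Parse '<time> <resolver_ip> <qname>' lines; skip anything malformed."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        entries.append((ip, parts[2].rstrip(".").lower()))
    return entries

def classify(token, entries, tunnel_nets, zone=TEST_ZONE):
    """Sort the resolvers that asked for this token into tunnel and non-tunnel."""
    want = f"{token}.{zone}"
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    expected, leaked = set(), set()
    for ip, qname in entries:
        if qname != want:
            continue  # another visitor's probe
        (expected if any(ip in n for n in nets) else leaked).add(str(ip))
    return {"expected": sorted(expected), "leaked": sorted(leaked),
            "leaking": bool(leaked)}

# Constructed sample: 198.51.100.0/24 stands in for the VPN provider's resolvers,
# 203.0.113.53 for an ISP resolver. The log shows resolver addresses, not clients.
SAMPLE_TOKEN = "3f9c1a7be2d40581"
SAMPLE_LOG = [
    "10:00:01 198.51.100.10 3f9c1a7be2d40581.leaktest.example.",
    "10:00:01 203.0.113.53 3F9C1A7BE2D40581.leaktest.example.",
    "10:00:02 203.0.113.53 ffffffffffffffff.leaktest.example.",
    "10:00:03 not-an-ip 3f9c1a7be2d40581.leaktest.example.",
]

if __name__ == "__main__":
    token, name = new_probe_name()
    print("client would be told to resolve:", name)
    print(classify(SAMPLE_TOKEN, parse_query_log(SAMPLE_LOG), ["198.51.100.0/24"]))
```

A token seen only from the tunnel's resolvers means no leak was observed for that probe; any other resolver asking for it shows the lookup left the machine outside the tunnel.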
     
  11. blueprince

    blueprince Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    1
    DNS leakage is a real problem. For security we use the AES algorithm with OpenVPN, Privoxy etc... but when it comes to the DNS leakage problem all these countermeasures suck. I live in Turkey. In our country there is a governmental internet censor filter. This filter does its job by DNS filtering and IP blocking. I am a user of trilightzone.org. When I joined and installed OpenVPN for this service, firstly I noticed the censor filter understands that I am accessing prohibited blocked sites.
    I was very disappointed how such a thing was possible. All polished words about OpenVPN are fake?? After a little research on the internet I noticed the DNS leakage problem.
    So here is my solution. Right click my network properties, right click your network adapter (not your TAP VPN adapter!), go to internet protocol TCP/IP properties, assign a custom DNS server that does not exist. A fake, not working DNS address. Mine is:
    primary: 111.111.111.111
    secondary: 222.222.222.222
    All set. Now you disrupted the default network adapter, forcing your computer to use the VPN's DNS server.
    Also there is another positive side of that solution. Think of a situation where you are in the middle of a very secret internet activity. For some reason the VPN connection to the secure server is lost. The computer will automatically connect with the default network adapter, which is non-secure. You cannot risk yourself in that situation. By disrupting the default DNS servers, if the VPN connection gets lost the internet connection will be lost too.
    So you don't need to worry. Secure data transfer or no data transfer. A radical solution!
     

  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
  13. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    note that the fix mentioned above is only effective protection against DHCP assigned nameservers. a directed query against a local nameserver (java applet or flash, for example) could leak DNS or reverse public IP explicitly regardless of nameserver settings in the host.

    the only way to fully address all potential DNS vectors is to modify the routing table in Windows itself to ensure that the only path for data to any non-localhost destination is through the default route (the openvpn tun device).

    best regards,
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I agree with that Martin, but the problem as we've seen it is that modifying the routing table in windows seems to be a rather surgical procedure that would be different for each user's setup.

    Take TorVM for example: If the user is using an adapter that is not named "Local Area Connection" then it appears that TorVM would fail to prevent DNS leakage because it isn't addressing the right interface name that it is setting static routes on, i.e. "Wireless Network Connection" would pass right through if the DNS on the interface failed over for whatever reason, or the bridged adapter decided to send the DNS request through another interface for whatever reason. Windows is tricky.

    I'm definitely up for discussing it, especially if there are some better and universal windows solutions.
     
  15. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    well, it is invasive at least. the procedure is similar: iterate over each networking device and disable it or assign it an unroutable /31.


    yes. another possibility (other than disabling interfaces) is to implement an intermediate layer driver to filter DNS on any non-tap interface. but that's even more work :)

    fortunately the direct UDP DNS queries are more difficult to pull off than usual side channel leakage, which can be fixed as described in this thread.


    those are the only two options i've considered so far. there are probably others and maybe even a simple fix. i'd be curious to know what works well in practice too.

    best regards,
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    an intermediate layer driver... scary like a software firewall. I still think the routing table parsing is the best way to go, for now. One idea I had was disabling unused adapters and also breaking the arp, call it defense in depth. When I spoke with our CSO, he seemed to think it could be done but would require rewriting OpenVPN GUI to handle the routing tables.

    I'm wondering this: how do we reliably discover which networking hardware device the TAP/TUN is actually (and correctly) speaking through so we don't disable the wrong interfaces/adapters.
     
  17. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    forgot to add: detecting the internet route device requires looking at the destination IP (your openvpn server), checking the route metric for up interfaces that have a gateway configured, and using the first match. i think that info is under SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} ...

    best regards,
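
coderman's lookup, sketched over a constructed routing table (an added example, not code from the thread, OpenVPN or TorVM). It goes one step beyond the post by applying longest-prefix match before the metric, which is how the IP stack itself picks a route; the `Route` fields, adapter names and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dest: str      # destination network in CIDR form
    gateway: str   # "" when the route is on-link (no gateway configured)
    iface: str     # adapter name as the user sees it
    metric: int

def egress_interface(dest_ip, routes, up_ifaces):
    """Adapter that carries traffic to dest_ip: up, has a gateway, most
    specific matching prefix first, lowest metric as the tie-breaker."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = []
    for r in routes:
        net = ipaddress.ip_network(r.dest)
        if r.iface in up_ifaces and r.gateway and ip in net:
            candidates.append((-net.prefixlen, r.metric, r.iface))
    return min(candidates)[2] if candidates else None

def interfaces_to_lock_down(up_ifaces, egress, tunnel):
    """Every up adapter that is neither the tunnel nor the one carrying it."""
    return sorted(set(up_ifaces) - {egress, tunnel})

# Constructed table: the wired adapter has the best default route but is
# unplugged, so matching on the name "Local Area Connection" would be wrong.
VPN_SERVER = "203.0.113.7"  # constructed address
ROUTES = [
    Route("0.0.0.0/0", "192.168.0.1", "Local Area Connection", 10),
    Route("0.0.0.0/0", "192.168.1.1", "Wireless Network Connection", 25),
    Route("203.0.113.7/32", "192.168.1.1", "Wireless Network Connection", 25),
    Route("0.0.0.0/1", "10.8.0.1", "TAP", 30),
    Route("128.0.0.0/1", "10.8.0.1", "TAP", 30),
    Route("169.254.0.0/16", "", "Bluetooth Network Connection", 50),
]
UP = {"Wireless Network Connection", "TAP", "Bluetooth Network Connection"}

if __name__ == "__main__":
    egress = egress_interface(VPN_SERVER, ROUTES, UP)
    print("tunnel rides on:", egress)
    print("lock down:", interfaces_to_lock_down(UP, egress, "TAP"))
```

The adapter carrying the tunnel has to stay up, so it is excluded from the lock-down list and still needs its own DNS settings fixed as described earlier in the thread.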
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'm not so sure that will work...

    horror.PNG
     
  19. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    you've got to use the network adapter guid list to check specific entries; that key contains all of the services, not just network devices. for example, start with SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} to narrow down the services you check by explicit guid in that huge key...

    (that is to say, the CurrentControlSet\Control\Class , CurrentControlSet\Control\Network , CurrentControlSet\Services\Tcpip\Parameters\Interfaces , and CurrentControlSet\Services all expose different characteristics of the devices present.)

    best regards,
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    If we're just looking for which GUID corresponds to the OpenVPN adapter, we can just go right to openvpn.exe and ask, and that should be right, of course we would be screen scraping. This is getting a little technical, happy to continue over email/im.
     