20

If I use my own VPN and a third-party DNS, can I trust it?

For example, is there any possibility that an attacker can track the requests by contacting the DNS hosting (assume that the attacker has an order and the DNS hosting has logs), and find out what sites I have visited? Because DNS requests bypass the VPN?

And if there is such a risk, how do I solve this problem? Should I use my own DNS server instead of a third-party one for added security?

Rui F Ribeiro
ideloxew
  • With a third-party DNS, you definitely run the risk that your website visits are identified, either when the attacker colludes with the DNS service provider or when the DNS server itself is compromised. Running your DNS server as a recursive server for your network is a neat option. – sandyp Jun 03 '16 at 22:42
  • If you run your own DNS, where do you think your private DNS server gets its information from? Most likely from another DNS. Unless you're exclusively accessing private names, it's turtles all the way down. In which case, you probably can just add those names to your /etc/hosts file. – Lie Ryan Jun 10 '16 at 12:42

7 Answers

13

No, you can't.

It's as easy as searching for information on the "DNS leak" topic. When you use a VPN, you run the risk of a DNS leak; in other words, your DNS resolution is done outside your VPN.

Second, the VPN server knows (in some way) who you are, where you are from and where you want to go. It's the same risk that exit nodes of the Tor network pose.

Anyway, it depends on how paranoid you woke up today.

techraf
  • This is not entirely true. Granted, the risk is enormous. However, there are effective counter-measures and technologies that can be employed with several degrees of success. At home, I have several measures that combined can effectively eliminate the DNS leak problem, and I have not yet resorted to an "enterprise" profile of connecting always on demand. Alas, if you take your VPN seriously, I do advise only selecting the commercial ones in iOS/Mac that provide you with profiles that activate always-on-demand connections. Thus, it cannot be said it is not possible. – Rui F Ribeiro Jun 08 '16 at 07:33
  • What do you mean by "it's the same risk that exit nodes of Tor Network have"? What risk? Who is at risk? – techraf Jun 09 '16 at 06:14
  • Take a look: [link](https://nakedsecurity.sophos.com/2015/06/25/can-you-trust-tors-exit-nodes/). As far as I know, a Tor exit node knows where you come from and where you go (like a normal VPN node). So Tor / VPN is as secure as the exit node is. – Rodrigo Calvo Jun 09 '16 at 06:22
  • Thx. Suggested an edit: that's the risk they pose not have. – techraf Jun 09 '16 at 09:56
  • @Rodrigo Calvo: that's incorrect. Tor exit nodes know where your connection is going to, but they don't know where you came from. A VPN, on the other hand, knows both where you came from and where you're connecting to. – Lie Ryan Jun 10 '16 at 12:44
9

You shouldn't trust them. You may suffer from "DNS leaking". Ideally, your computer should send DNS requests through the VPN, but it may send them directly. Your IP address will be exposed. Anyone snooping on the connection to the DNS server will see what site you are accessing. That also opens you up to the dangerous man-in-the-middle attack. Use the DNSCrypt protocol. It literally encrypts your DNS requests to OpenDNS or a similar provider.

k9lego
  • As I had already explained in my post, you need: 1) a local dnscrypt proxy/DNS server to encrypt the connections on your side; 2) firewall rules that intercept DNS requests to other DNS servers not given by your DHCP, and transparently force/route them via your dnscrypt-enabled service. Otherwise, either you are not doing dnscrypt or you are having the illusion of not having DNS leaks. As I often say to my trainees, besides having access to the tools, you ought to understand what they do. – Rui F Ribeiro Jun 07 '16 at 15:50
5

There are really two things you need to trust here: the DNS response's authenticity and privacy.

Authenticity

You can be reasonably sure of the authenticity of the data returned if all of the below are true:

  • The site supports DNSSEC
  • The site's TLD supports DNSSEC
  • Your client validates DNSSEC. For a browser I recommend the extension at dnssec-validator.cz (Can't post more than 2 links at my reputation)

Privacy

It is more difficult to make the DNS response private. I see two solutions. Either use a server that supports DNSCurve, or tunnel the DNS traffic through the VPN.


Note that you will likely need to change the DNS server you use in either case, as it's unlikely the ISP's DNS server supports DNSSEC, and almost certain it doesn't support DNSCurve. However, you don't need to use your own, you can use reputable public servers such as Google DNS or OpenDNS.

EDIT: Be aware that the response becomes more authentic when it is private, as changing the response becomes a lot harder (either the DNS server you use needs to be compromised or the VPN server needs to get man-in-the-middle'd, depending on which solution you choose).

ConnorJC
3

While using your own VPN, you can increase your security by putting the DNS server on the VPN service's side of the network and forcing any DNS request to go through your own local DNS service/proxy.

The ISP/DNS provider of the server/network where the DNS is hosted can however log, intercept and modify your DNS queries.

By setting up a DNS server/caching/proxy server that does not talk with the normal root name servers, but instead talks via TLS with dnscrypt-enabled servers, you solve in one stroke both the privacy element of your DNS requests and any potential leaking.

For additional security, you should also set up firewall rules that intercept DNS requests coming from your premises/your DNS client that are not using your DNS IP address and force those DNS requests to be sent to your DNS service (for instance, a machine with the Google DNS server 8.8.8.8 set up by hand will thus be forced to talk with your DNS service instead).

As an additional security measure, please note that, for instance, OS X and iPhone allow the setup, through profiles, of VPN on-demand. In other words, any new connection request won't be satisfied without the VPN going up, thus negating any accidental connection while the VPN is not established.

As a side note, at home I run a DNS server that serves my equipment, and I frequently use my own home VPN, the work VPNs managed by me, and a commercial VPN. In this case, there cannot be DNS leaks to the local ISP, as I talk with foreign DNS servers over dnscrypt/TLS.

It is also worthwhile to note that whilst services like https://www.dnsleaktest.com test for leaks, the "absence" of a leak does not vouch for your setup; those tests are much more useful when they do find leaks.

As a last reminder, I would also add that policies/firewall rules added by a VPN client, especially default rules added by commercial VPN software, may change the expected behaviour of your infrastructure.

Rui F Ribeiro
0

To address the DNS leak issue, I'm certain you can obtain the IP address of your VPN provider that you are making the connection to and firewall off all outgoing connections heading to any other IP address on any port other than the specific IP and port being used by your VPN. That will prevent any "leaked" traffic from exiting your network. Done.

After that, only the VPN provider will know for certain which sites you are visiting, and it depends on whether or not they keep logs of your traffic. Your options here are transmitting your data through I2P after you've connected to your VPN.

After that, only large-scale timing attacks such as those from nation-level adversaries are likely to find you.

Desthro
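The two firewall measures from the answers above, the forced resolver Rui F Ribeiro describes (every port-53 request from the LAN is redirected to your own resolver, even from a host hand-configured with 8.8.8.8) and the kill switch Desthro describes (drop all egress except to the VPN endpoint's IP and port), expressed as one nftables policy. This is an added example, not code from either answer: a Python helper renders the ruleset, and `classify()` mirrors its per-packet decision so the policy can be reasoned about before it is loaded. The interface names `lan0` and `tun0`, the endpoint 203.0.113.10:1194/udp and the resolver 10.0.0.53 are assumptions.

```python
"""Kill switch + forced-resolver policy as an nftables ruleset.

Added example, not from the thread. render_nft() produces a ruleset that
(a) DNATs every port-53 packet arriving from the LAN to one resolver, so a
client hand-configured with 8.8.8.8 still ends up at the local
dnscrypt/DoT proxy, and (b) drops every locally generated packet that is
not going to loopback, into the tunnel, or to the VPN endpoint's IP:port,
so nothing leaks while the tunnel is down. classify() mirrors the
ruleset's decision for a single packet. All names/addresses are assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    vpn_endpoint: str   # VPN server's public IP; an IP, not a hostname, since
                        # resolving a hostname is itself blocked once loaded
    vpn_port: int
    vpn_proto: str      # "udp" or "tcp"
    tun_if: str         # tunnel interface the VPN client creates
    lan_if: str         # interface LAN clients arrive on (gateway setups)
    resolver: str       # IPv4 of the resolver every port-53 packet is forced to


@dataclass(frozen=True)
class Packet:
    oif: str            # interface routing chose for egress
    dst: str
    proto: str
    dport: int
    from_lan: bool = False   # arrived on lan_if (forwarded) vs. generated locally


def render_nft(p: Policy) -> str:
    """The ruleset, loadable with `nft -f`. Deliberately minimal: no input
    chain (kernel default accept) and no DHCP/ICMP exceptions; add those
    before deploying on a real gateway."""
    return f"""table inet vpn_guard {{
  chain prerouting {{
    type nat hook prerouting priority dstnat; policy accept;
    iifname "{p.lan_if}" meta l4proto {{ udp, tcp }} th dport 53 dnat ip to {p.resolver}
  }}
  chain forward {{
    type filter hook forward priority filter; policy drop;
    iifname "{p.lan_if}" oifname "{p.tun_if}" accept
    iifname "{p.tun_if}" oifname "{p.lan_if}" ct state established,related accept
  }}
  chain output {{
    type filter hook output priority filter; policy drop;
    oifname "lo" accept
    oifname "{p.tun_if}" accept
    ip daddr {p.vpn_endpoint} {p.vpn_proto} dport {p.vpn_port} accept
  }}
}}
"""


def classify(p: Policy, pkt: Packet) -> str:
    """What the ruleset above does with one packet, in hook order."""
    if pkt.from_lan:
        if pkt.proto in ("udp", "tcp") and pkt.dport == 53:
            return f"dnat to {p.resolver}"          # prerouting, before routing
        return "forward" if pkt.oif == p.tun_if else "drop"
    if pkt.oif in ("lo", p.tun_if):
        return "accept"
    if (pkt.dst, pkt.proto, pkt.dport) == (p.vpn_endpoint, p.vpn_proto, p.vpn_port):
        return "accept"                              # the tunnel's own transport
    return "drop"                                    # would otherwise have leaked


EXAMPLE_POLICY = Policy("203.0.113.10", 1194, "udp", "tun0", "lan0", "10.0.0.53")

if __name__ == "__main__":
    print(render_nft(EXAMPLE_POLICY))
    for pkt in (Packet("eth0", "8.8.8.8", "udp", 53, from_lan=True),
                Packet("eth0", "8.8.8.8", "udp", 53),
                Packet("tun0", "8.8.8.8", "udp", 53),
                Packet("eth0", "203.0.113.10", "udp", 1194)):
        print(pkt, "->", classify(EXAMPLE_POLICY, pkt))
```

A locally generated DNS query that routing would send out of eth0 is dropped rather than redirected, which is the intended trade-off: a visible resolution failure while the tunnel is down is better than a silent leak. Because the output chain also blocks the VPN client's own name resolution, the endpoint must be given as an IP, as Desthro's answer already requires.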
-1

If you are using a VPN and that VPN is using a public DNS, then your requests are most likely anonymous enough. The truth is that if they want to find you badly enough, they will.

Running your own DNS would be a bad idea, as the requests being sent to a DNS with only one user would stand out as strange. I would say you should find the most popular DNS there is and use that. Conversely, you could find out the IPs of the sites you would like to visit and skip DNS altogether.

coffeethulhu
  • Thanks for the answer. "If you are using a VPN and that VPN is using a public DNS then your requests are most likely anonymous enough" - can you explain this point in a little bit more detail? Or give links where I can read about this? For example, I have some questions: 1) Do I need to configure DNS on the VPS (VPN?)? 2) If the answer to the first question is "yes", do I need to configure DNS on my own machine as well, or not at all? 3) Assume that I configure DNS on my VPN/VPS; will the DNS hosting then see just the IP of my VPS, not my real IP address? – ideloxew Jun 03 '16 at 15:16
  • You need to read through the documentation from your VPN provider about what DNS options there are for you. What I mean by "anonymous enough" is that your computer is not making any DNS request directly, since all the requests are coming from the VPN endpoint. – coffeethulhu Jun 03 '16 at 17:33
-2

If you are a technical person and also a security expert, then you should not trust any third-party DNS, because there are so many websites and web servers that provide their services and also sell their data to hackers for profit. So if you have your own well-prepared DNS and VPN, then trust only yourself.

Shadow
  • Who is selling data to hackers? – Mirsad Jun 03 '16 at 18:17
  • The organizations or websites that provide the third-party DNS services and proxy servers. I got the names of too many websites like this in a hacker's PDF. – Shadow Jun 04 '16 at 06:12
  • I think this answer is incorrect; I'm (as are you) unclear about what data is being sold; but even if you run your own "well prepared DNS", you'd need a constantly updated copy of several domains' DNS data. This gives you the same issue. – ndrix Jun 07 '16 at 15:31
  • @Ankit Gupta I'd trust a 3rd-party independent one instead of the official ones, since nowadays the official DNSs filter billions of sites they consider undesirable. – Overmind Jun 08 '16 at 08:27