
Background:

So I use a private VPS to host my own VPN, rather than pay/trust another company to host it for me. I am an intermittent traveller so it is cheaper for me to spin up or down my server as I choose.

The main reasons I use a VPN are 1. To stay secure in WiFi networks I don't trust 2. Avoid filtering services 3. Avoid DNS logging in countries that now use it.

I do not use it for or care about sophisticated attacks against me or high-level government investigations against me. (I just want to be left out of broad-brush surveillance techniques like DNS logging/snooping)

Since I spin the server up and down as needed, it is a pain to change the IP address in the OpenVPN config files for all my devices each time. As such I have pointed a subdomain I own, e.g. vpn.mydomain.com (A record), at my VPN server, and all I need to do is make sure that it points at the VPS's IP every time I spin it up and I'm good to go.

Question:

Since the domain name vpn.mydomain.com will be resolved by DNS unencrypted, anyone can look at my traffic, see that the last DNS request sent was for vpn.mydomain.com, and then all they will see is encrypted VPN traffic. All they then need do is look up the IP of vpn.mydomain.com and look at the DNS traffic of that IP and they will have a 100% capture of my DNS traffic, completely undoing reason 3?

Is this logic valid? The only solution I can think of is to host the VPN server in a distant country with no snooping, keep manually changing the IP addresses or use some fancy re-direct methods that will probably make auth fail.

Message to mods: I know "Is it a bad idea to use a domain name to access my VPN?" is a very similar question, but it doesn't address this point.

Harvs
    "see that the last DNS request sent was for vpn.mydomain.com" - How is this any different from simply noticing you're sending all of your traffic to a specific IP without doing a DNS request before hand? – AndrolGenhald Apr 27 '18 at 15:56
  • It isn't, now I feel stupid! – Harvs Apr 27 '18 at 16:14
  • If your VPN client is configured to talk to `vpn.mydomain.com`, couldn't you just update a line in `/etc/config` or `C:\Windows\System32\drivers\etc\hosts` with the newly spun-up IP address? Might be easier than modifying the `A` record, and (for what it's worth) eliminates the DNS request for it. – TripeHound Jun 21 '19 at 14:05

2 Answers


TL;DR: They can get the VPN IP anyway. Use DNSCrypt.

There is actually a bit better solution to hiding your DNS requests, using DNSCrypt. Of course, you need to find a DNS server you trust that supports it. This can be in addition to VPN.

As for point 3, yes. If the people spying on you can spy on your server's connection, then they will see your traffic and it could be arguably easier as that VPN server is probably easier to associate with you than a random public wifi connection. On the other hand, this depends on where your VPN server is, as foreign countries would not be able to simply spy on a server in your home country (maybe? hopefully? Paranoia kicking in...).

As for using vpn.mydomain.com to get the IP of your DNS server, it is not really relevant. Attackers inspecting your traffic will most likely be able to say that you are connecting to a VPN and get the VPN IP directly.

Peter Harmann
  • "and get the VPN IP directly.", Ahh, of course, silly me! Are you recommending I enable DNS crypt on my server or client machines, or both? – Harvs Apr 27 '18 at 16:12
  • @Harvs I don't even know it is possible on the server. I would choose client. No reason to not have it end to end. – Peter Harmann Apr 27 '18 at 17:38
  1. To stay secure in WiFi networks I don't trust 2. Avoid filtering services 3. Avoid DNS logging in countries that now use it.

The difference between using an IP or a domain is relevant only for question 3. You could create random-looking subdomains: jupiter.domain.com is way less suspicious than vpn.domain.com.

If you are not concerned about government attacks against you, this will be enough to protect you. You could even use sslh to mask the real use of the server: install a random innocent website on it, and put both Apache/Nginx/lighttpd and OpenVPN on the same port. When you connect to it using your browser, sslh will send the request to the webserver. Connect via the OpenVPN client, and the OpenVPN server will receive the connection.

ThoriumBR
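As an added example that is not part of ThoriumBR's answer or of the sslh project, here is one way to wire up the setup it describes: sslh owns TCP 443 on the VPS and hands TLS connections to a cover web site on loopback and OpenVPN handshakes to an OpenVPN server on loopback. The host names, backend ports and certificate paths are assumptions.

```conf
# --- /etc/sslh.cfg (added example) ---
# sslh reads the first bytes of each TCP connection and forwards it to the
# matching backend. It demultiplexes TCP only, so OpenVPN must run in TCP mode.
listen:
(
    { host: "0.0.0.0"; port: "443"; }
);

# A client that sends nothing within the timeout (e.g. a port scanner waiting
# for a banner) is handed to the web server, so the port looks like plain HTTPS.
timeout: 2;
on-timeout: "ssl";

protocols:
(
    { name: "openvpn"; host: "127.0.0.1"; port: "1194"; },
    { name: "ssl";     host: "127.0.0.1"; port: "4443"; }
);

# --- /etc/nginx/sites-enabled/cover (added example) ---
# Bound to loopback on a separate port so it is reachable only through sslh.
server {
    listen 127.0.0.1:4443 ssl;
    server_name www.mydomain.com;              # assumed cover-site name
    ssl_certificate     /etc/ssl/cover.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/cover.key;
    root /var/www/cover;
}

# --- /etc/openvpn/server.conf, relevant lines only (added example) ---
proto tcp          # required: sslh cannot forward UDP
local 127.0.0.1    # listen on loopback; only sslh reaches it
port 1194

# --- client .ovpn, relevant line only (added example) ---
# Clients connect to the shared port; sslh picks the OpenVPN backend.
remote vpn.mydomain.com 443 tcp
```

sslh logs which probe each connection matched, so check that log when first testing the OpenVPN handshake: a connection that matches no probe is sent to the on-timeout target rather than to OpenVPN.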