What is the correct way to plug DNS leaks when running OpenVPN?

3

1

I've set up OpenVPN on a Linux server. All my Internet traffic goes through the VPN from that server. I'm running Windows 7 at home. I noticed in Wireshark that DNS queries are not going through the encrypted tunnel, but instead directly to my ISP's designated DNS servers.

To overcome this, I tried pushing DNS for OpenVPN from the server to my computer, and also inputting the DNS address in my wireless adapter's configuration options. This appears to have secured the DNS leak, but is it the proper way to go about it? If I didn't push the DNS address from the server to the client and only set the DNS in the client's wireless adapter, then I couldn't visit any website. And if I just pushed the DNS but didn't set it in the adapter, then some DNS requests still leaked to the ISP's DNS servers.

abaooooo34342

Posted 2011-03-22T20:39:09.840

Reputation: 31

1Odd, and nice to know one might need to be careful! When only pushing it from the VPN server: any chance that only unresolved DNS requests were sent to the ISP? (For a retry, as the first DNS couldn't find it.) Or maybe only from some specific programs? (That somehow might have cached the DNS settings from before the VPN was activated?) – Arjan – 2011-03-22T21:12:18.633
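As an added example (not part of the question or any answer), the following script classifies DNS queries the way a Wireshark capture like the one described above would be read: a query that leaves through the physical adapter instead of the OpenVPN tunnel adapter is a leak to the ISP's resolver, and a query inside the tunnel to a resolver other than the one pushed by the server is flagged separately. The interface names, the pushed resolver address and the sample capture are constructed assumptions.

```python
# Added example: classify captured DNS queries to spot leaks around an
# OpenVPN tunnel. Interface names, addresses and the sample are constructed.
from dataclasses import dataclass

VPN_IFACE = "tun0"          # assumed name of the OpenVPN adapter
PUSHED_DNS = {"10.8.0.1"}   # assumed resolver pushed by the server


@dataclass(frozen=True)
class DnsQuery:
    iface: str       # egress interface seen in the capture
    dst_ip: str      # resolver the query was sent to
    proto: str       # "udp" or "tcp"
    dst_port: int
    qname: str


def is_dns(q: DnsQuery) -> bool:
    return q.dst_port == 53 and q.proto in ("udp", "tcp")


def classify(q: DnsQuery) -> str:
    """'ok', 'leak-iface' (bypassed tunnel) or 'tunneled-other-resolver'."""
    if q.iface != VPN_IFACE:
        return "leak-iface"                 # went straight to the ISP side
    if q.dst_ip not in PUSHED_DNS:
        return "tunneled-other-resolver"    # in tunnel, not the pushed DNS
    return "ok"


def find_leaks(queries):
    """Group DNS queries by verdict; non-DNS packets are ignored."""
    report = {"ok": [], "leak-iface": [], "tunneled-other-resolver": []}
    for q in queries:
        if is_dns(q):
            report[classify(q)].append(q)
    return report


# Constructed capture: two queries to the pushed resolver via the tunnel,
# one straight to the home router via the wifi adapter, one to a public
# resolver inside the tunnel, and one HTTPS packet that is not DNS.
SAMPLE = [
    DnsQuery("tun0", "10.8.0.1", "udp", 53, "example.com"),
    DnsQuery("tun0", "10.8.0.1", "udp", 53, "example.org"),
    DnsQuery("wlan0", "192.168.1.1", "udp", 53, "example.net"),
    DnsQuery("tun0", "8.8.8.8", "udp", 53, "example.edu"),
    DnsQuery("tun0", "93.184.216.34", "tcp", 443, ""),
]

if __name__ == "__main__":
    for verdict, items in find_leaks(SAMPLE).items():
        print(verdict, [q.qname for q in items])
```

Feeding real capture data (for example, fields exported from Wireshark) into `DnsQuery` records gives the same verdicts for an actual session.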

Answers

1

A VPN is great for encrypting data; however, two of its other main functions are assuming another IP address and changing nationality to access location-restricted content. It functions because the VPN allows you to select an alternate exit server, where it pretends you're actually located by routing your data through that server.

However, security flaws like WebRTC can bypass a VPN's location-changing abilities. This is evident in what's called a leak. You can tell you have a leak by checking your IP address before and after connecting to a VPN using an IP address tool or site like:

http://whatismyipaddress.com/

If the IP address matches with the IP of your VPN's target server, you're fine. A more direct, dependable way of uncovering if there's a DNS leak is by going to:

https://www.dnsleaktest.com/

The site also includes instructions on how to correctly fix a DNS leak manually and provides a downloadable tool to automatically fix DNS leaks. It works by automating the manual steps you'd take in finding and fixing the leak.

Simply download and install their free DNS Fix tool to the VPN's folder. Remember to turn off antivirus temporarily while installing it, as some AV programs block it from installing properly. Once properly installed, it works perfectly with OpenVPN and most other VPNs. The tool can be found here:

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html

Here's a further explanation of ways to prevent DNS leaks:

https://www.bestvpn.com/blog/5184/4-ways-to-prevent-a-dns-leak-when-using-vpn/

xCare

Posted 2011-03-22T20:39:09.840

Reputation: 739

0

You say that all your traffic goes through the VPN; can you check if UDP traffic is going through it? DNS queries are done over UDP, not TCP. I think OpenVPN routes UDP, but I don't know your configuration, so that could be it. You can check this simply by querying other nameservers (like 4.2.2.2 or 8.8.8.8) and seeing if the queries go through the VPN.

Depending on where the other end of the VPN is, you may not be able to query your ISP's DNS servers from the other end; a lot of resolving DNS servers block queries from anything off their own network.

deltaray

Posted 2011-03-22T20:39:09.840

Reputation: 1 665

I'm using UDP for the VPN. As far as I know, it's best to avoid VPN over TCP as it has worse performance. Pushing DNS from the server is supposed to force Windows clients to use that DNS, but it doesn't work like that in my case (maybe in lots of cases). My router, which my ISP provided, has a DNS server running on it that overrides, or at least makes my computer want to use, the ISP's DNS servers all the time. – abaooooo34342 – 2011-03-23T10:18:02.843

0

I make use of the freevpn.me service. I also have the problem that my DNS requests leak. However, I always connect over TCP because UDP simply doesn't work for me, even if I open all the ports on my router.

Using SOCKS proxies works for me to prevent DNS leaks properly.

This is what worked for me (step by step). On my Windows system (client) I:

  • Install Firefox and disable WebRTC detection.
  • Install FoxyProxy for Firefox.
  • Force Firefox to only accept data from the VPN adapter with the (Comodo Free) firewall; this is a permanent kill switch in case your VPN dies.
  • Gather SOCKS proxy info from the internet and configure FoxyProxy. ==> I use 'xroxy (dot) com' to filter and find ‘socks proxies’, and use www.sockslist.net to check if the proxy works. This way you should have your DNS changed, and an extra security layer.

This also works when you want to download torrents:

You can set up Vuze to only accept data from the VPN adapter (IP binding), and set it up to use the SOCKS proxy too. This way you can ensure that Vuze isn’t using the DNS from the router. If the VPN dies, Vuze won’t be able to download because of the IP binding, similar to a firewall kill switch.

Firefox simply stops working if the SOCKS proxy fails, and Vuze changes its green proxy icon (at the bottom) to yellow/red if it isn't working properly. This allows you to stop the torrent and find a new proxy for this purpose.

Rini

Posted 2011-03-22T20:39:09.840

Reputation: 11