#1 2018-04-29 18:28:07

destou
Member
Registered: 2018-03-31
Posts: 59

[SOLVED]Is DNS traffic encrypted when running all traffic through tun?

I am wondering if my ISP can see my DNS traffic when I torrent if I route all network traffic through my VPN? At the end of my .ovpn config file I have:

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 108.61.213.134"
push "dhcp-option DNS 111.223.227.125"

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

and I have no DNS leak and IPv6 is disabled. I am using qBittorrent, without a proxy added in the settings.

Last edited by destou (2018-05-13 13:44:18)


#2 2018-05-09 17:27:53

destou
Member
Registered: 2018-03-31
Posts: 59

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

bump? no one got any idea?


#3 2018-05-10 03:24:04

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

After installing my Vpn, I used various network tools like: Etherape, Iftop, Iptraf-ng and Nethogs to analyse my traffic. Mainly because of the overhead generated by the incidental traffic of various browsers and the fact I have a limited data allowance, the results were very interesting! In fact, they were so interesting, I ditched Chromium completely, use Firefox rarely and now rely almost exclusively on either Inox or Opera.

Most of my consciously generated, presumably encrypted, traffic is tcp. So, the resulting error checking would explain the difference in data totals between tun0 and wlp2s0. As far as I could tell, this traffic was almost exclusively directed at the Vpn servers. However, there was also a certain amount of non-Vpn Udp traffic. This traffic, as far as I can gather, is to secretly let the Arch team, (and the Amazon and Google cloud servers,) know I am awake and currently in Scotland ;)

So, to answer your question, I don't know. But, as far as I am aware, my tcp traffic goes through the Vpn, and reverse DNS lookups point to my Vpn provider. On the other hand, if I temporarily disable my Vpn, a reverse DNS lookup points to my ISP's servers. In other words, as far as I can tell, my ISP is aware I am using a Vpn but, except for the previously mentioned Udp traffic, is unaware of the destination.

However, I would point out that by matching input traffic to the Vpn server with the output from the server, interested parties can easily follow your browsing habits. Additionally,  it is widely acknowledged that using TOR is like waving a red flag at a bull. Using it will almost certainly lead to you being targeted by GCHQ and their NSA buddies.

Like I say, I don't know the definitive answer to your question and would love to hear from someone with more expertise than me. But, all the tests I have run suggest that, broadly, with certain caveats, my ISP is only aware that I am using a Vpn.

Irvine

Edit:
Corrected a stupid spelling mistake and added the Amazon and Google cloud servers to the people who know I am awake and in Scotland.

Last edited by IrvineHimself (2018-05-10 15:29:53)


Et voilà, elle arrive. La pièce, le sous, peut-être qu'il arrive avec vous!


#4 2018-05-10 16:45:54

herOldMan
Member
Registered: 2013-10-11
Posts: 151

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

Use an ssh connection, tunneling VNC. Then do your task on the remote machine. Transfer files with sshfs.


#5 2018-05-12 08:30:02

destou
Member
Registered: 2018-03-31
Posts: 59

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

Using another computer to do activities isn't an option in this case... (So no SSH) Seriously though? No one got an answer? I have almost zero experience with exploring and reading network traffic but I'm more than willing to learn if somebody could just recommend me an easy program or tutorial. I have already tried using Wireshark and I can read data but I have no idea how to check for DNS traffic specifically nor how to check if it's encrypted. I've googled around but found no answer on how to use Wireshark for checking if DNS traffic is encrypted... Any pointers would be appreciated!


#6 2018-05-12 10:40:45

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

destou wrote:

..... I have already tried using Wireshark ....

It has serious security issues that will never be fixed. (see Wiki)

There isn't a one size fits all, you have to play about with them to get what you need. For example:

  • Etherape: Nice Gui that can analyze traffic and will try to do a "who is" look up too. Don't think it monitors udp traffic.

  • Iptraf-ng: Nice cli presentation that splits traffic up into type e.g. udp, tcp, along with source/destination. No "who is" look up.

The other traffic analysis tools I mentioned have their own quirks and foibles.

If you just want a plain yes/no answer, then, any traffic analysis by your Isp will make it pretty clear you are torrenting. The question is what? Remember, torrenting itself isn't illegal, it is using "piratebay" or its equivalent that will get you in trouble. For example, one time I was playing about with some AI/Big data analysis to generate grammar rules. To do this, I had to download a small portion of Google's collection of "ngrams". This collection runs into terabytes of data, and even small portions of it are several hundred gigabytes. Using a torrent for this is perfectly legitimate.

As far as your personal problem is concerned, I can only tell you as part of a general discussion on whether your Vpn is working that I used the various traffic analysis tools to identify the weaknesses I outlined above.

Irvine

Edit
On rereading your question, you could just monitor port 53 (and 443?,) but that assumes everything is well behaved and uses the correct ports.

See Tcp/Udp port numbers, and, before you ask: While I am fairly sure that at least one of the tools I mentioned is capable of filtering by port numbers, if I wished to do this, I would need to do a Google search to find the exact methodology.

Last edited by IrvineHimself (2018-05-12 11:56:07)



#7 2018-05-12 11:06:08

loqs
Member
Registered: 2014-03-06
Posts: 17,327

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

@IrvineHimself would a series of firewall rules that prevents any traffic using the interface that does not originate from the VPN work?


#8 2018-05-12 11:55:19

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

loqs wrote:

@IrvineHimself would a series of firewall rules that prevents any traffic using the interface that does not originate from the VPN work?

I have no idea, I have thought about this myself. The real problem is that, purely out of academic curiosity, last night I took a look at a couple of tracker lists. While many use tcp and http/s connections, many others use udp. (This is to get the tracker list, not to get the actual data.)

So, potentially, in my case, any interested party would be able to see udp data originating from a tracking site.

Also, since I am currently writing apparmor rules for openvpn, wpa_supplicant and NetworkManager, I am fairly up on the topology which I believe is:

Browser/BitTorrentClient -> NetworkManager -> openvpn.server -> wlp2s0 -> firewall (Edit, I may have got this wrong?)

In other words, firewall rules would have no effect on the connection between tun0 and wlp2s0. The best I could hope for is to either switch to a udp connection certificate on port 1194, or try and block all udp traffic.

The thing is, I am not actually certain that all my udp traffic is escaping the Vpn. The bits I know are escaping are fairly specific channels used by developers, as for the rest, it's an open question. Hence the reason I originally subscribed to this thread a couple of weeks before I shared my limited knowledge. Like I say, I would love to hear from an expert.

Edited to change:

"either use a udp connection certificate" to "either switch to a udp connection certificate"

Last edited by IrvineHimself (2018-05-12 17:39:00)



#9 2018-05-13 13:44:00

destou
Member
Registered: 2018-03-31
Posts: 59

Re: [SOLVED]Is DNS traffic encrypted when running all traffic through tun?

I have looked at my network traffic through wireshark and etherape and I am 99% sure that all of my connections are run through tun0 and are getting encrypted. Wireshark just gives me random data when I press on a package and etherape showed no traffic from eth0 to another ip than the vpn ip, which is what I want :)

Offline
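The check the thread converges on (nothing on the physical interface except traffic to the VPN server, and in particular no cleartext port 53), written out as an added example that is not part of any post above. It reads a classic pcap captured on the physical interface; the VPN endpoint, the addresses and the sample capture are constructed placeholders, and DNS carried inside TLS/HTTPS would only show up as a non-VPN packet, not as DNS.

```python
import socket
import struct

VPN_SERVER = "203.0.113.10"  # assumption: placeholder VPN endpoint, not from the thread

def leaks(pcap, vpn_ip=VPN_SERVER):
    """Return (dst_ip, proto, dst_port, is_dns) for each IPv4 packet in a classic
    little-endian Ethernet pcap that is neither to nor from the VPN server."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    found, off = [], 24                        # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                           # truncated, or not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4               # IPv4 header length in bytes
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if vpn_ip in (src, dst):
            continue                           # tunnel traffic: expected on this interface
        sport = dport = None
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack_from("!HH", ip, ihl)
        proto = {6: "tcp", 17: "udp"}.get(ip[9], str(ip[9]))
        found.append((dst, proto, dport, 53 in (sport, dport)))
    return found

def udp_frame(src, dst, sport, dport, payload=b"\x00" * 8):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Wrap frames in a classic pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed capture: one tunnel packet and one DNS query that bypassed the tunnel.
SAMPLE = build_pcap([
    udp_frame("192.168.1.20", VPN_SERVER, 40000, 1194),
    udp_frame("192.168.1.20", "198.51.100.53", 40001, 53),
])
if __name__ == "__main__":
    print(leaks(SAMPLE))
```

A capture to feed it can be written with `tcpdump -i eth0 -w capture.pcap` on the physical interface while the VPN is up; an empty result means every captured IPv4 packet was exchanged with the VPN server.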
