
#1 2021-09-05 15:51:13

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Bad DNS Servers Still Reported on DNS Leak Sites [solved]

I keep getting DNS servers I don't want to use reported on DNS Leaks sites.

resolv.conf

# Generated by NetworkManager
nameserver 9.9.9.9
nameserver 149.112.112.112

https://www.dnsleaktest.com/results.html

IP 	Hostname 	ISP 	Country
108.162.220.204 	None 	iCloud Private Relay 	Dallas, United States
108.162.220.209 	None 	iCloud Private Relay 	Dallas, United States
108.162.220.210 	None 	iCloud Private Relay 	Dallas, United States
108.162.220.55 	None 	iCloud Private Relay 	Dallas, United States 

https://www.expressvpn.com/dns-leak-test

IP address 	Provider 	Country
172.69.65.23 	Cloudflare 	United States
108.162.220.62 	Cloudflare 	United States
108.162.220.63 	Cloudflare 	United States

I don't want to use Cloudflare dns. I've tried everything.
systemd-resolved - too many configuration files
resolvconf - still reported cloudflare
NetworkManager - used the GUI to set the DNS and still reporting cloudflare

Pretty frustrated here, people. Not sure what else to do.
I also welcome an explanation as to why all these scripts are even necessary. Back in the day, I could just edit resolv.conf and bam, that was it. I don't even know wtf is going on anymore.

systemd critics, I am all ears and starting to warm up to this view

I set dnsmasq on my openwrt router and my Android TV picks up the correct servers without issue.
Still, can't fault systemd too much here since I ran:

sudo systemctl disable systemd-networkd
sudo systemctl disable systemd-resolved

installed NetworkManager and changed the DNS servers from the GUI as mentioned earlier.
And I still get those servers reported on leak sites.
Please help me!

Last edited by burnt_toast (2021-09-05 20:39:26)

Offline

#2 2021-09-05 15:53:37

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

What is it you want to achieve?  Why do you not want to use cloudflare servers?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

Offline

#3 2021-09-05 16:33:56

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

What I want: Only to use Quad9 DNS
Why not Cloudflare: Because I don't trust them

Offline

#4 2021-09-05 16:50:51

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

AFAIK, specifying the quad9 addresses as you have is all it takes.  Typically, I specify the DNS entries in my router, all my devices use DHCP so the router serves that up to them.



Offline

#5 2021-09-05 16:54:53

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

Well, you'd think, but as I mentioned in the original post, that is not working.

Offline

#6 2021-09-05 17:02:25

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

Perhaps quad9 is using cloudflare upstream?  IDK.



Offline

#7 2021-09-05 17:53:34

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

I appreciate you taking the time to work through this with me, but honestly, I don't think that's the case.

For one thing, I configured the quad9 dns on dnsmasq on my openwrt router. So when I did a dns leak from the chrome browser on my Android TV, it correctly showed only the quad9 servers. You'll have to take my word on this, it's a bit of a pain, but if you insist on verification, I could probably figure something out with adb or even take a photo with my phone and upload it somewhere.

Furthermore, I've done a whois on the quad9 servers and it doesn't report anything by cloudflare.

By "upstream" I take it you mean when they query an authoritative server. I wasn't able to find who they connect to for authoritative servers. I did find that they were owned by IBM so maybe I need to reconsider who I use for dns.

In any case, I'm pretty sure the problem is Arch specific. I have another computer with arch on it and I get the same problem. I'm really not sure. I have a strange configuration because I have several routers that I use for experimentation. But all my arch machines do the same thing regardless of the router and as far as I can tell, they've all been configured the same way.

Last edited by burnt_toast (2021-09-05 17:54:42)

Offline

#8 2021-09-05 18:02:15

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,597
Website

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

burnt_toast wrote:

In any case, I'm pretty sure the problem is Arch specific. I have another computer with arch on it and I get the same problem.

If I run 'traceroute 9.9.9.9' on my Arch box, I get the same output as I get when I run it on my openwrt router.

Last edited by graysky (2021-09-05 18:05:47)



Offline

#9 2021-09-05 18:12:22

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

Well, it sure is a big mystery.

In fact, they advertise privacy but hosted on IBM, idk.

Offline

#10 2021-09-05 18:33:25

Lone_Wolf
Forum Moderator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,922

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

I've experimented a bit and if I set 9.9.9.9 in resolv.conf , both tests show 74.63.25.238 (Woodynet Amsterdam) as server .

Searching for 9.9.9.9 led me to https://www.techradar.com/reviews/quad9-dns

Like most public DNS services, Quad9 uses anycast traffic routing to send requests from your computers to its nearest servers. The service has servers in more than 145 locations across 88 countries,

Could it be that those other ip-addresses are from servers in the quad9 network ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#11 2021-09-05 18:53:34

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

That's a really good question.
Notice, the two dns leak tests show different providers/ISP. One says cloudflare and the other says iCloud Private relay.
Also, different IP's but I did run a whois on one and it definitely was Cloudflare. I figure they're all on the same network.



It also just dawned on me that I should've probably not posted that output from the dns leak tests. ngl, kinda embarrassed.

But since Quad9 is owned by IBM, I was planning on switching them anyway and maybe even installing dnscrypt. oh boy, fun times!

Offline

#12 2021-09-05 19:21:50

seth
Member
Registered: 2012-09-03
Posts: 51,299

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

You're exclusively relying on some browser test?
Reproducible w/ a different browser?

dig archlinux.org
drill archlinux.org
nslookup archlinux.org

Offline

#13 2021-09-05 19:33:22

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

All those tools consistently show the quad9 servers.

So, begs the question, what are those sites reporting? Are those the authoritative servers, and if so, why doesn't quad9 protect that information from getting out? I'm a bit confused honestly.

Offline

#14 2021-09-05 19:45:10

seth
Member
Registered: 2012-09-03
Posts: 51,299

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

The browser might start its own dns journey and ignore the system config, so:

Reproducible w/ a different browser?

If you're not using it already, try chromium, because I guess it won't resort to cloudflare ;-)

Offline

#15 2021-09-05 20:18:48

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

That was it!
I ran it on a different browser and it showed the quad9 servers.
Furthermore, I was able to change the default dns for firefox by following this documentation:
https://newbedev.com/switch-firefox-to- … -host-file

Is there a solved button I should punch?

Last edited by burnt_toast (2021-09-05 20:19:58)

Offline
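
Added example (not part of any post in this thread): a small audit that compares the resolvers in resolv.conf with Firefox's own DNS-over-HTTPS prefs, which is the mismatch the thread tracked down. The sample prefs.js content and the function names are constructed for illustration; `network.trr.mode` and `network.trr.uri` are Firefox's prefs for its built-in resolver.

```python
import re

# Constructed sample inputs (not taken from the poster's machine).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 9.9.9.9
nameserver 149.112.112.112
"""
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')
# network.trr.mode values; 1 and 4 are reserved.
TRR_MODES = {0: "default", 2: "doh-first", 3: "doh-only", 5: "off"}
# None: pref unset, Firefox applies its built-in default, which prefs.js does not reveal.
BYPASS = {"doh-first": True, "doh-only": True, "off": False}


def system_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def firefox_trr(prefs_text):
    """Return (mode name, DoH URI or None) from a profile's prefs.js text."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1).startswith("network.trr."):
            prefs[m.group(1)] = m.group(2).strip('"')
    raw = prefs.get("network.trr.mode", "0")
    mode = int(raw) if raw.isdigit() else 0
    return TRR_MODES.get(mode, "reserved"), prefs.get("network.trr.uri")


def audit(resolv_conf_text, prefs_text):
    """Report whether Firefox is set to resolve names outside the system config."""
    mode, uri = firefox_trr(prefs_text)
    return {"system_resolvers": system_nameservers(resolv_conf_text),
            "firefox_mode": mode, "firefox_doh_uri": uri,
            "browser_bypasses_system_dns": BYPASS.get(mode)}


if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF, SAMPLE_PREFS_JS))
```

To run it against a real machine, pass the contents of /etc/resolv.conf and of prefs.js from the Firefox profile directory to `audit()`.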

#16 2021-09-05 20:27:39

seth
Member
Registered: 2012-09-03
Posts: 51,299

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

Nope, you've to edit the first post. You can then alter the subject of the thread to mark it [solved]

Offline

#17 2021-09-05 20:28:32

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

burnt_toast wrote:

Is there a solved button I should punch?

CoC - How to post


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#18 2021-09-05 20:58:54

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

Just wanted to lastly say thanks everyone! :)

Offline

#19 2021-09-06 14:52:22

bwoodcock
Member
Registered: 2021-09-06
Posts: 1

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

graysky wrote:

Perhaps quad9 is using cloudflare upstream?  IDK.

Absolutely not.  The entire point of Quad9 is to give users a non-monetizing alternative.

Happy to answer any questions about Quad9 generally.

Relative to this particular situation, any time someone's hijacking your queries (this time it sounds like it was Firefox, but under other circumstances it could have been OP's ISP) it's probably time to switch to DoT and start authenticating the server.  Here's a tutorial:

    https://medium.com/nlnetlabs/privacy-us … f2d2b687c5

Lone_Wolf wrote:

I've experimented a bit and if I set 9.9.9.9 in resolv.conf , both tests show 74.63.25.238 (Woodynet Amsterdam) as server .
Could it be that those other ip-addresses are from servers in the quad9 network ?

WoodyNet is a transit provider for Quad9, yes.  The IP addresses OP quoted are all Cloudflare, though, which is definitely not a transit provider for Quad9.

burnt_toast wrote:

...since Quad9 is owned by IBM...

Also absolutely not the case.  Quad9 is a Swiss public-benefit foundation.  The public owns it.  You own it.

Anyway, glad you worked out what was hijacking your queries.

             -Bill

Offline

#20 2021-09-06 15:34:12

burnt_toast
Member
Registered: 2021-09-05
Posts: 10

Re: Bad DNS Servers Still Reported on DNS Leak Sites [solved]

bwoodcock,
Thank you for the clarification.
Sometimes we get into things and just want to get the post up there and sacrifice a bit of articulation and nuance.

So yes, you are correct, IBM does not own Quad9 as Quad9 is a non profit organization according to wikipedia.

However, IBM (among others) did found Quad9.

Please forgive my ignorance here, IBM is in the cloud game. Are DNS servers generally hosted on cloud providers like AWS, Cloudflare, or in this case, IBM cloud?

If so, would not that present a conflict of interest or even a potential external influence that runs against the core philosophy.

A lot of these so called privacy and anonymity services are turning out to be frauds i.e. the VPN ecosystem and most recently, protonmail.

Can Quad9 confidently say that, for example, they will not divulge information to law or more to the point, can they confidently say that IBM will not if it turns out that they are relying on IBM for hosting or some other infrastructure?

Offline
