#1 2015-04-17 11:10:16

Smallville
Member
Registered: 2014-11-12
Posts: 62

Help with Dns Leak

Hi all, I'm using a VPN with the OpenVPN protocol in NetworkManager. I have a DNS leak; how can I fix this? I searched the forum but didn't find the answer to my question.


Thx

Offline

#2 2015-04-17 11:56:54

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Help with Dns Leak

Run Unbound, then you can specify particular DNS server(s) for particular domains.

Last edited by brebs (2015-04-17 11:57:04)

Offline

#3 2015-04-17 12:13:26

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: Help with Dns Leak

Give us some information to work with here. How do you know you have a DNS leak? What are you leaking exactly? What is your OpenVPN configuration? What is your local network architecture?

You may benefit from having a read of this document, in particular this section.

Offline

#4 2015-04-17 12:16:33

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

brebs wrote:

Run Unbound, then you can specify particular DNS server(s) for particular domains.

Thx for the tip, but I think it's a little difficult for a newbie to set up Unbound... do you know another method?


Thx

Offline

#5 2015-04-17 12:21:32

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

fukawi2 wrote:

Give us some information to work with here. How do you know you have a DNS leak? What are you leaking exactly? What is your OpenVPN configuration? What is your local network architecture?

You may benefit from having a read of this document, in particular this section.

Thx for the reply.

I know I have a DNS leak because I ran the DNS leak test on the site http://dnsleak.com/ and it shows my original DNS and the location of the DNS. I'm using OpenVPN from the Arch Linux repos with the VPN provider's file imported; I only have to enter my user and password and that's it. I only have a router and a computer, connected by cable.


Thx

Offline

#6 2015-04-17 12:22:37

xpixelz
Member
From: Tunisia
Registered: 2012-02-29
Posts: 47
Website

Re: Help with Dns Leak

If you're using Firefox to browse through your VPN then it may cause DNS leakage and can be configured to avoid it by going to about:config and setting "network.proxy.socks_remote_dns" to "true".

Offline

#7 2015-04-17 14:17:54

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

xpixelz wrote:

If you're using Firefox to browse through your VPN then it may cause DNS leakage and can be configured to avoid it by going to about:config and setting "network.proxy.socks_remote_dns" to "true".

I was using Chrome, but I switched to Firefox and did that config, but I continue to have a DNS leak... any more tips?


Thx

Offline

#8 2015-04-17 21:53:39

xpixelz
Member
From: Tunisia
Registered: 2012-02-29
Posts: 47
Website

Re: Help with Dns Leak

Maybe you'll have to disable WebRTC on all your browsers.

Offline

#9 2015-04-17 22:10:12

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

xpixelz wrote:

Maybe you'll have to disable WebRTC on all your browsers.

I'm using only Firefox now and have done that to disable WebRTC, but dnsleak.com shows my DNS leaking... what more can I do?

Offline

#10 2015-04-18 00:58:19

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

After googling a lot I found a Chrome plugin, "scriptsafe". I think with this plugin I don't have any more DNS leaking and no more WebRTC... Has anyone tried this plugin?


Thx

Last edited by Smallville (2015-04-18 00:58:47)

Offline

#11 2015-04-18 10:51:35

xpixelz
Member
From: Tunisia
Registered: 2012-02-29
Posts: 47
Website

Re: Help with Dns Leak

Then preventing non-VPN traffic should be the way to go; sample iptables rules can be found @ AirVPN Forums - Prevent leaks with Linux & iptables

Offline

#12 2015-04-18 11:39:18

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

xpixelz wrote:

Then preventing non-VPN traffic should be the way to go; sample iptables rules can be found @ AirVPN Forums - Prevent leaks with Linux & iptables

Interesting post. What do you think is better, iptables or the gufw firewall? In case I make a mistake, how do I undo everything in iptables? I have lost many hours configuring my Arch :)

Thx

Offline

#13 2015-04-20 07:23:44

xpixelz
Member
From: Tunisia
Registered: 2012-02-29
Posts: 47
Website

Re: Help with Dns Leak

Both interact with the netfilter framework (iptables & ufw CLIs, gufw GUI front-end for ufw), so use whatever you want. Disabling/removing rules you created is easy as well.

If you messed with and broke things then that's the way you'll learn more and better IMO ;)

Offline

#14 2015-04-23 10:09:14

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

xpixelz wrote:

Both interact with the netfilter framework (iptables & ufw CLIs, gufw GUI front-end for ufw), so use whatever you want. Disabling/removing rules you created is easy as well.

If you messed with and broke things then that's the way you'll learn more and better IMO ;)

In the last few days I have tried configuring ufw/gufw. I have done this:

sudo ufw default deny outgoing
sudo ufw default deny incoming

sudo ufw allow out on tun0 from any to any
sudo ufw allow in on tun0 from any to any

sudo ufw allow out from any to (my vpn ip )

If I have gufw enabled I can't connect to anything, neither the VPN nor my network, but if I disable gufw I can connect to my network and the VPN.
If I disable gufw, connect to the VPN server so I have a connection, and after that enable gufw, I don't have any DNS leak and I have a kill switch.

Is there any way I can connect to my VPN without needing to disable and enable gufw?


Thx in advance for the help

Offline
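
Added example, not part of the original post: a rule set like the one above only lets the VPN handshake out if every `remote` in the provider's profile is an address with its own allow rule, because a hostname would need a DNS lookup that `default deny outgoing` drops. This sketch prints (does not run) the post's rules plus one port-limited exception per `remote`, and flags entries that are not IPv4 literals; `killswitch_rules`, `sample_profile` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (never execute) ufw kill-switch rules for an OpenVPN profile.
# killswitch_rules and sample_profile are hypothetical helper names.

killswitch_rules() {    # usage: killswitch_rules PROFILE [TUN_DEVICE]
    profile=$1
    tun=${2:-tun0}
    # Same policy as the rules in the post: drop everything, then open the tunnel.
    echo "ufw default deny outgoing"
    echo "ufw default deny incoming"
    echo "ufw allow out on $tun from any to any"
    echo "ufw allow in on $tun from any to any"
    # One exception per VPN endpoint, limited to its port and transport.
    awk '
        $1 == "proto" { defproto = $2 }
        $1 == "port"  { defport = $2 }
        $1 == "remote" {
            n++; host[n] = $2
            if ($3 != "" && $3 !~ /^[#;]/) {
                port[n] = $3
                if ($4 !~ /^[#;]/) proto[n] = $4
            }
        }
        END {
            if (defproto == "") defproto = "udp"   # OpenVPN defaults
            if (defport == "")  defport = 1194
            for (i = 1; i <= n; i++) {
                tr = (proto[i] != "") ? proto[i] : defproto
                tr = (tr ~ /^tcp/) ? "tcp" : "udp"  # tcp-client, udp4, ... -> tcp/udp
                pt = (port[i] != "") ? port[i] : defport
                if (host[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    printf "ufw allow out proto %s to %s port %s\n", tr, host[i], pt
                else
                    printf "# %s: not an IPv4 literal, resolve and pin its address before enabling ufw\n", host[i]
            }
        }' "$profile"
}

sample_profile() {      # constructed profile; addresses are documentation ranges
    printf '%s\n' 'client' 'dev tun' 'proto udp' \
        'remote 203.0.113.10 1194' \
        'remote 198.51.100.7 443 tcp' \
        'remote vpn.example.net 1194'
}

tmp=$(mktemp)
sample_profile > "$tmp"
killswitch_rules "$tmp"
rm -f "$tmp"
```

Review the printed commands before running them with sudo; any flagged line means the profile still depends on a lookup outside the tunnel.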

#15 2015-04-23 12:23:47

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Help with Dns Leak

I strongly recommend you stop messing around with iptables, when you plainly haven't got a clue what you are doing, and use Unbound (or dnsmasq or BIND), which is the proper solution.

Offline

#16 2015-04-23 14:17:45

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

brebs wrote:

I strongly recommend you stop messing around with iptables, when you plainly haven't got a clue what you are doing, and use Unbound (or dnsmasq or BIND), which is the proper solution.


With Unbound, can I have a kill switch? Because gufw gives me no DNS leak and a kill switch, so in case my VPN connection goes down I don't show my real IP.
Can you pls give me an example of how I can set up Unbound?

Thx 4 the help

Offline

#17 2015-04-23 15:03:05

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Help with Dns Leak

Example snippet for unbound.conf:

# Disable default rejection of 192.168/16 range
local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
    name: "blah.mycompany.com"
    forward-addr: 192.168.2.1

# Reverse DNS
forward-zone:
    name: "2.168.192.in-addr.arpa"
    forward-addr: 192.168.2.1

What weird situation do you have, where you want to connect to something, but it would be such a big problem if you're *not* connecting via the VPN? For *that* situation (which is a separate issue to DNS "leak"), then yes, could use iptables.

Edit: Added reverse DNS lines.

Last edited by brebs (2015-05-20 22:19:24)

Offline

#18 2015-05-12 22:49:48

Smallville
Member
Registered: 2014-11-12
Posts: 62

Re: Help with Dns Leak

brebs wrote:

Example snippet for unbound.conf:

# Disable default rejection of 192.168/16 range
local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
    name: "blah.mycompany.com"
    forward-addr: 192.168.2.1

# Reverse DNS
forward-zone:
    name: "2.168.192.in-addr.arpa"
    forward-addr: 192.168.2.1

What weird situation do you have, where you want to connect to something, but it would be such a big problem if you're *not* connecting via the VPN? For *that* situation (which is a separate issue to DNS "leak"), then yes, could use iptables.

Edit: Added reverse DNS lines.


I finally understand how to enable and use Unbound, thx for your example brebs!!!
But I have 2 questions, if anyone can help:

Is 192.168.2.1 my router IP?
And is "blah.mycompany.com" the VPN server address?


Thx for the help

Last edited by Smallville (2015-06-12 17:57:50)

Offline
