OpenVPN - How to debug DNS leaks

I'm using minimal Antergos linux with i3wm, with all packages being up to date and the laptop rebooted. Using Firefox as a browser, I'm experiencing DNS leaks when visiting websites such as ipleaks.net, https://www.dnsleaktest.com or https://browserleaks.com/ip.
The VPN is set up with the nm-applet using an ovpn file provided by my VPN provider. I have used the same ovpn files on a KDE bells-and-whistles distro, and have not experienced any DNS leaks.
My /etc/resolv.conf when connected to the VPN:
nameserver 192.168.1.1
I have disabled WebRTC in Firefox by toggling media.peerconnection.enabled to false.
How can I find out what the cause of my DNS leak is and how can I go about fixing it?
dns openvpn vpn
edited Jun 22 at 19:22
jasonwryan
asked Jun 22 at 12:13
pandita
related unix.stackexchange.com/questions/327432/resolving-dns-via-tor
– Rui F Ribeiro
Jun 22 at 14:58
2 Answers
Have a look at your routing table:
ip route
I expect you have an entry for 192.168.1.0/24 to go out your local interface. As your nameserver is in that subnet, the DNS traffic is not being routed down the VPN tunnel.
You could change your nameserver to a public one, like Google's 8.8.8.8; your DNS traffic should then be routed down your VPN tunnel rather than using your local nameserver.
answered Jun 22 at 12:37
rusty shackleford
I do have that entry. Is there another way than choosing a public DNS server?
– pandita
Jun 22 at 13:22
@pandita Other than choosing a Public DNS server you could take a page out of my book and use a local bind9 or similar DNS server instance as a recursive resolver, and set it to use a Public DNS server as its 'forwarder' destination. This does, however, require you to alter your local system so that all DNS requests route through this local resolver. You would also have to configure your firewall to block external DNS requests to the system from other non-local systems if you haven't already done that, though, because you don't want others to use your computer as a DNS server.
– Thomas Ward
Jun 22 at 13:56
(note that the solution in my other comment is technically OS-agnostic so long as you have a Linux system that can run bind9 or similar; it does, however, have its own caveats and configuration headaches depending on what networking / DNS management software is in use on your system)
– Thomas Ward
Jun 22 at 13:57
So I tried changing the DNS nameserver using dnsmasq to 8.8.8.8, yet the entry still shows up, and the leak prevails... I set no-resolv and no-poll in dnsmasq.conf. journalctl -u dnsmasq confirms that 8.8.8.8#53 is used as the nameserver... any ideas for further debugging?
– pandita
Jun 29 at 11:42
I also changed my DNS nameserver directly on my router. This time browserleaks only sees the Google DNS server, however it is still not routed via my VPN...
– pandita
Jun 29 at 12:34
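The routing-table check from the answer above can be automated. This is an added example, not code from any of the posts: it takes the text of /etc/resolv.conf and the output of ip route (IPv4 only) and reports which interface each nameserver leaves through. The sample data, the interface names wlan0/tun0 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed samples: wlan0/tun0, the 10.8.0.x addresses and the metrics are
# assumptions; 192.168.1.1 is the resolver shown in the question.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6 metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""
SAMPLE_RESOLV = "# constructed sample\nnameserver 192.168.1.1\n"


def parse_routes(text):
    """Turn IPv4 `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blackhole/unreachable routes carry no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # line starts with a route-type keyword, not a prefix
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields[:-1] else 0
        routes.append((net, dev, metric))
    return routes


def egress_device(addr, routes):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if r[0].version == ip.version and ip in r[0]]
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)
    return best[1] if best else None


def dns_paths(resolv_text, route_text, tunnel_prefixes=("tun", "tap")):
    """Classify each resolv.conf nameserver as 'tunnel', 'leak' or 'local-stub'."""
    routes, results = parse_routes(route_text), []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        ns = parts[1]
        if ipaddress.ip_address(ns).is_loopback:
            # Local forwarder (dnsmasq, systemd-resolved): audit its upstream servers instead.
            dev, verdict = None, "local-stub"
        else:
            dev = egress_device(ns, routes)
            verdict = "tunnel" if dev and dev.startswith(tunnel_prefixes) else "leak"
        results.append((ns, dev, verdict))
    return results


if __name__ == "__main__":
    print(dns_paths(SAMPLE_RESOLV, SAMPLE_ROUTES))
```

A "tunnel" verdict only covers resolvers listed directly in resolv.conf; when a local forwarder sits in front, as in the later comments, the forwarder's upstream servers have to be checked the same way.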
It was a systemd-resolved issue; see here. In order to have all traffic being pushed through the VPN, you need to install the update-systemd-resolved script and add dhcp-option DOMAIN-ROUTE . to the ovpn file.
I'm stunned that this is not seen as a serious issue with the default settings by the systemd-resolved crew...
answered Jun 29 at 14:18
pandita