
VPN DNS leak test - fanf2
https://www.dnsleaktest.com/
======
Yxogenium
And this issue could be easily overcome if more projects implemented the
"socks5h://" protocol (note the 'h'), initially introduced by curl[1] to
mandate the SOCKS proxy to also tunnel DNS requests. Sadly it seems that very
few programs recognize this (non-standard) protocol: git[2] (using curl),
python's request (and urllib) module[3] ... And not much else.

[1]:
[https://curl.haxx.se/docs/manpage.html#--proxy](https://curl.haxx.se/docs/manpage.html#--proxy)
[2]:
[https://github.com/git/git/blob/20fed7cad40ed0b96232feb82812...](https://github.com/git/git/blob/20fed7cad40ed0b96232feb828129e3a2ee9860d/http.c#L855)
[3]: [http://docs.python-
requests.org/en/master/user/advanced/#soc...](http://docs.python-
requests.org/en/master/user/advanced/#socks)

~~~
pedrocr
Firefox over a SOCKS5 proxy done with ssh passes this test if you enable the
proxy DNS setting. Creating the proxy is as simple as:

    
    
      ssh -D 9999 -q -N <your ssh server>
    

and then configure that in the firefox proxy settings (socks to
localhost:9999). If you want a simple way to enable/disable this in firefox I
built a minimal extension to do it:

[https://addons.mozilla.org/en-
US/firefox/addon/proxyswitcher...](https://addons.mozilla.org/en-
US/firefox/addon/proxyswitcheroo/)

The defaults in the config already match that ssh line so all you need to do
is press the globe button to enable the proxy.

~~~
snowpanda
You might be the right person to ask:

When I tried shadowsocks and enabled "proxy dns" in Firefox, every website
became painfully slow. Is this simply because no DNS cache had been built?

~~~
pedrocr
Don't know but note that shadowsocks is not a traditional socks proxy. If I
understood it correctly you do a traditional socks proxy to localhost and then
a more heavily encrypted link to the actual host. Maybe that second link was
slow, either because of the encryption or because it's written in python? ssh
gives you as much or more security anyway as there are few protocols as
thoroughly checked than ssh and performance seems nice.

------
Klathmon
Why is a software VPN so difficult to get right? Why are so many of them so
poor, or miss certain protocols, or have so many leaks?

Casting aside actual "vulnerabilities" (like buffer overflows, bad encryption,
etc...), why can't a software VPN act just like a hardware VPN? Take every
byte of traffic sent to a network device, and tunnel it to another endpoint?

I'm assuming there are several major reasons that I don't know about that
makes what seems like a really trivial problem super difficult...

~~~
magnat
> Take every byte of traffic sent to a network device, and tunnel it to
> another endpoint?

You have to set up routing tables to decide which interface to use for which
destination address. Obviously you can't direct VPN packets via VPN - that
would be circular. They have to use your normal, physical connection to get to
your default gateway. But what if your default gateway is also a local DNS
server? You can't differentiate protocols in routing table.

Hardware VPN have it easier - they already know which packets to tunnel
because it has designated hardware port for internal network.

~~~
Klathmon
Interesting. So from yours and the other comment, it sounds like the issue
really comes down to not being able to force all applications to use the "VPN
interface", while still keeping the "hardware interface" functional so the VPN
itself can use it.

I can see why it can so quickly become a giant mess...

Assuming it's the OS that needs to "fix" this, are there any changes either
already made or in the works to better address this use case, or is a hardware
VPN still going to be the only "real" way to securely tunnel a system for the
foreseeable future?

~~~
magnat
You can use custom kernel filter on Windows and iptables/netfilter on Linux to
allow only one process to access physical interface. I've seen Cisco VPN
Client (10 years ago or so) do it - apart from CVPND service, all traffic
to/from ethernet was dropped. That included kernel stuff - to the point your
PC didn't even respond to ARP packets from anything other than gateway.

Of course, introducing custom kernel driver and/or your own mini IP stack is
way harder to do in a safe way - that's why it's not usually included.

As for Linux solutions - I haven't seen VPN client that used this technique,
but I guess it's a lot easier, since all the required userland tools are
already there.

------
kibwen
It would appear that Firefox's built-in SOCKS support successfully proxies DNS
as well, though I've always wondered whether or not there aren't other ways to
leak your IP via browser APIs. I imagine that Flash almost certainly would,
and I wouldn't be surprised if WebRTC does somehow.

~~~
metalliqaz
Yeah, but you have to set "socks_remote_dns" to "True" in about:config, which
is not the default.

~~~
jwilk
At least in Firefox 52 ESR there's UI to enable that (so no need to fiddle
with about:config):

 _Edit_ → _Preferences_ → _Network_ → _Settings_ → _Proxy DNS when using Socks
v5_

But yeah, it's not the default. :\

------
exikyut
I'm really really interested to find out how they're discovering the DNS
server IP addresses I'm using.

The only clue I have is that they're trying to resolve a bunch of fake domain
names (which show up as unresolveable in the console).

The webpage has the IP addresses written directly into it (so clearly the data
came from the server) which means there's nothing I can investigate (eg, in
JS) from my end.

What's going on?

~~~
Viper007Bond
"The DNS leak test works by sending your client a series of domain names to
resolve within a specific test domain. Each request is sent from your client
to your configured DNS server. Even if you have configured a single DNS
server, there may be many other servers that the request is passed on to in
order to be resolved (normally to load balance the requests). For example if
you configure Google DNS then you will often find 6-10 Google DNS servers
which are fullfilling the DNS requests."

via [https://www.dnsleaktest.com/what-is-the-
difference.html](https://www.dnsleaktest.com/what-is-the-difference.html)

Basically it's sending you unique subdomains and then in turn seeing what IP
addresses DNS requests come from. Since the subdomains are tied to you, it can
tie the requests from the DNS servers you're using back to you.

~~~
clairity
friendly reminder not to use google DNS if you care about privacy (which you
probably do if you're using a VPN in the first place), because you're
basically giving them your fingerprint in the form of the websites you visit.

~~~
exikyut
Hmmmm.

Google has ~7ms response time for me though. Even my ISP's nameservers are
slower than that :( the average everywhere else is 200ms (yup).

My internet is slow enough that this makes it a tiny bit more annoying.

But you make a very valid point, and... _sigh_ convenience is such an hacked
catalyst nowadays :(

------
myrandomcomment
Be carful here. You might not see the IP you expected even if everything is
fine. BGP anycast and other load balancing technologies can make it look like
the wrong IP. Make sure the IP is owned by the service you expect vs. being
the exact IP you have configured.

------
acidburnNSA
Crap, failed on my home road-warrior setup. Now I have to go figure out which
OpenVPN config settings to change to forward DNS better.

~~~
kumaraman
There is a page on the site that can help you with this
[https://www.dnsleaktest.com/how-to-fix-a-dns-
leak.html](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)

------
ehPReth
This is also a handy way to see if your outbound DNS requests are being
hijacked and sent to another resolver instead of your chosen ones. One router
I tested redirected everything to OpenDNS if parental controls were in use,
some networks redirect everything to their internal resolvers, etc. Mainly for
interest purposes/spotting configuration mistakes than anything else.

~~~
ploggingdev
There's a page about transparent DNS proxies [0] on the same site. They also
have a page about how to fix dns leaks when using OpenVPN [1].

One way to ensure that DNS responses have not been tampered with is to use
DNSCrypt [2].

Can someone confirm that I understand this correctly : if I don't use DNSCrypt
and if my DNS responses are tampered with in a phishing attempt, on a site
that uses https, the browser will raise a cert error since the attacker won't
have a valid certificate. So phishing attempts by spoofing DNS responses are
only effective when the site uses plain http.

[0] [https://www.dnsleaktest.com/what-is-transparent-dns-
proxy.ht...](https://www.dnsleaktest.com/what-is-transparent-dns-proxy.html)

[1] [https://www.dnsleaktest.com/how-to-fix-a-dns-
leak.html](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)

[2] [https://dnscrypt.org/](https://dnscrypt.org/)

~~~
simcop2387
Not just http, any unencrypted channel is vulnerable to this. So SMTP or pop
without encryption would also let someone into your email.

------
Skunkleton
It makes sense to me to always configure your firewall alongside your VPN. If
you are under the impression that all traffic on your system is routed via
your vpn, you can state that explicitly in your firewall. If things still
work, it must be true :)

------
Izmaki
The test works fine on my iPhone but as soon as I try it on my PC connected
through Viscosity it's stuck seemlingly forever. I killed it after a few
minutes. Upon disconnecting it's all good and fast. What could I be doing
wrong here?

------
confounded
[https://ipleak.net](https://ipleak.net) Is similar, but has some useful
additional diagnostics.

------
KirinDave
There's a lot of talk about various services being vulnerable to dns leak
tests or not. Which I think is slightly funny, since you're WAY more likely to
suffer data leaks via the innumerable ways your browser can do it.

For what it's worth though, a modern openvpn configuration can beat it
handily. An example of a service that passes with flying colors is ProtonVPN,
which I just checked last night since they've got a crazy discount going right
now.

------
telecuda
Pardon my ignorance, but do DNS leaks impact Tor anonymity or are we strictly
talking VPNs?

------
rev0lutions
ipvanish is good if anyone else is wondering

~~~
shitbonanza
Just tested my Ipvanish and yes it looks fine except some servers eg when
connected to Singapore, say Costa Mesa USA (i'm in Australia).

------
sigsergv
VPN is not supposed to hide you, it just provides access to some resources
that are not available without VPN.

~~~
diggan
Well, not always or not always like that. For example, I use VPN so I can
achieve my true download speed when downloading from Steam, since my ISP
limits to download speed in that case.

~~~
pbhjpbhj
Which country, which ISP, please?

~~~
gambiting
I'm not OP, but the same thing happens to me - UK, Virgin Media, even on their
highest tier truly unlimited 200mbps bundle. Steam will start downloading at
close to 20MB/s and then slow down after 10-15 minutes. When connected via VPN
it runs at full speed all the time.

~~~
diggan
Similar speeds here but works differently. Mine just gets throttled to
~2.5MB/s from start until I turn my VPN on, then I get my correct 20MB/s.

