
I'm using a minimal Antergos Linux with i3wm, with all packages up to date and the laptop rebooted. Using Firefox as a browser, I'm experiencing DNS leaks when visiting websites such as ipleaks.net, https://www.dnsleaktest.com or https://browserleaks.com/ip.

The VPN is set up with the nm-applet using an ovpn file provided by my VPN provider. I have used the same ovpn files on a KDE bells-and-whistles distro and have not experienced any DNS leaks.

My /etc/resolv.conf when connected to the VPN:

nameserver 192.168.1.1

I have disabled WebRTC in Firefox by toggling media.peerconnection.enabled to false.

How can I find out what the cause of my DNS leak is and how can I go about fixing it?


2 Answers


Have a look at your routing table:

ip route 

I expect you have an entry for 192.168.1.0/24 that goes out your local interface; as your nameserver is in that subnet, the DNS traffic is not being routed down the VPN tunnel.

You could change your nameserver to a public one, like Google's 8.8.8.8; your DNS traffic should then be routed down your VPN tunnel rather than using your local nameserver.

  • I do have that entry. Is there another way than choosing a public DNS server? – pandita Jun 22 '18 at 13:22
  • @pandita Other than choosing a Public DNS server you could take a page out of my book and use a local `bind9` or similar DNS server instance as a recursive resolver, and set it to use a Public DNS server as its 'forwarder' destination. This does, however, require you to alter your local system so that all DNS requests route *through* this local resolver. You would also have to configure your firewall to block external DNS requests to the system from other non-local systems if you haven't already done that, though, because you don't want others to use your computer as a DNS server. – Thomas Ward Jun 22 '18 at 13:56
  • (note that the solution in my other comment is technically OS-agnostic so long as you have a Linux system that can run `bind9` or similar; it does, however, have its own caveats and configuration headaches depending on what networking / DNS management software is in use on your system) – Thomas Ward Jun 22 '18 at 13:57
  • So I tried changing the DNS nameserver using `dnsmasq` to `8.8.8.8`, yet the entry still shows up, and the leak prevails... I set `no-resolv` and `no-poll` in `dnsmasq.conf`. `journalctl -u dnsmasq` confirms that `8.8.8.8#53` is used as the nameserver... any ideas for further debugging? – pandita Jun 29 '18 at 11:42
  • I also changed my DNS nameserver directly on my router. This time browserleaks only sees the Google DNS server, however it is still not routed via my VPN... – pandita Jun 29 '18 at 12:34
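The routing-table check this answer describes, worked through as an added example (not code from the answer or from the asker): for every IPv4 nameserver in resolv.conf it runs longest-prefix matching over an `ip route` style table and flags the ones whose route leaves through something other than the VPN interface. The routing table and resolv.conf below are constructed to mirror the thread (a router-supplied resolver on the LAN, an OpenVPN client that installed the usual 0.0.0.0/1 and 128.0.0.0/1 split plus a host route to the VPN server); the tunnel name tun0 is an assumption. Run it with `--live` to analyse the running machine instead.

```shell
#!/bin/sh
# Added example, not code from the thread. For each IPv4 nameserver in
# resolv.conf, find the route the kernel would pick (longest prefix wins)
# and flag nameservers whose route leaves through anything other than the
# VPN interface. Assumes the tunnel is tun0 (override with VPN_IF=...).
# Only the destination prefix and 'dev' are considered; policy routing
# (ip rule) and metrics are ignored, so confirm a verdict on a live box
# with `ip route get <nameserver>`.

# route_for IP ROUTE_TABLE: print the interface that longest-prefix matching
# over an `ip route` style table selects for IP ("" if nothing matches).
route_for() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    function toint(a,  p) {
      split(a, p, ".")
      return p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
    }
    BEGIN { ipn = toint(ip); best = -1; dev = "" }
    NF == 0 { next }
    {
      dst = $1; plen = 0; net = 0
      if (dst != "default") {
        n = split(dst, parts, "/")
        net = toint(parts[1])
        plen = (n == 2) ? parts[2] : 32
      }
      d = ""
      for (i = 2; i <= NF; i++) if ($i == "dev") d = $(i + 1)
      if (d == "") next
      # compare the top plen bits: both addresses shifted right by 32-plen
      div = 2 ^ (32 - plen)
      if (int(ipn / div) == int(net / div) && plen + 0 > best) {
        best = plen + 0; dev = d
      }
    }
    END { print dev }'
}

# dns_leak_report RESOLV_CONF_TEXT ROUTE_TABLE VPN_IF: one verdict line per
# IPv4 nameserver; returns 1 if any of them would bypass VPN_IF.
dns_leak_report() {
  leak=0
  for ns in $(printf '%s\n' "$1" |
              awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }'); do
    case $ns in
      127.*) echo "$ns -> local stub resolver; its upstreams are not visible here (see resolvectl status)"; continue ;;
    esac
    dev=$(route_for "$ns" "$2")
    if [ "$dev" = "$3" ]; then
      echo "$ns -> $dev (inside the tunnel)"
    else
      echo "$ns -> ${dev:-no route} (LEAK: bypasses $3)"
      leak=1
    fi
  done
  return $leak
}

# Constructed sample data modelled on the thread, not captured from a real host.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlp3s0'
SAMPLE_RESOLV='# Generated by NetworkManager
nameserver 192.168.1.1'

# main [--live]: --live reads `ip -4 route show` and /etc/resolv.conf from
# the running system; otherwise the constructed sample above is analysed.
main() {
  if [ "$1" = "--live" ]; then
    routes=$(ip -4 route show)
    resolv=$(cat /etc/resolv.conf)
  else
    routes=$SAMPLE_ROUTES
    resolv=$SAMPLE_RESOLV
  fi
  if dns_leak_report "$resolv" "$routes" "${VPN_IF:-tun0}"; then
    echo "all nameservers are reached through ${VPN_IF:-tun0}"
  else
    echo "DNS leak: at least one nameserver bypasses ${VPN_IF:-tun0}"
  fi
}
main "$@"
```

On the sample table 192.168.1.1 is matched by the /24 for the LAN rather than the 128.0.0.0/1 tunnel route, which is exactly the leak the answer predicts; 8.8.8.8 falls into 0.0.0.0/1 and goes down tun0. A nameserver of 127.0.0.53 means systemd-resolved's stub is in front, and the real upstream choice is made there, not by the routing table.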

It was a systemd-resolved issue; see here. In order to have all traffic pushed through the VPN, you need to install the `update-systemd-resolved` script and add `dhcp-option DOMAIN-ROUTE .` to the ovpn file.

I'm stunned that this is not seen as a serious issue with the default settings by the systemd-resolved crew...

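The fix in this answer, worked through as an added example (not code from the answer or from the update-systemd-resolved project): it appends the directives the script needs to an OpenVPN profile without duplicating ones already present, and checks `resolvectl status` output for the catch-all domain `~.` that `dhcp-option DOMAIN-ROUTE .` produces on the tunnel link. The script path /etc/openvpn/scripts/update-systemd-resolved and the `resolvectl status` excerpt are assumptions; the excerpt is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for the fix described above; not code from the answer or from
# the update-systemd-resolved project. Assumptions: the helper script was
# installed at /etc/openvpn/scripts/update-systemd-resolved (the path its
# README uses) and the provider's profile is given as $1.
SCRIPT_PATH=/etc/openvpn/scripts/update-systemd-resolved

# The directives the fix needs: let OpenVPN run an external up/down script,
# hand the pushed DNS servers to systemd-resolved through that script, and
# with DOMAIN-ROUTE . make the tunnel's servers the resolvers for every
# domain, so no query is sent to the LAN resolver on the other link.
resolved_directives() {
  cat <<EOF
script-security 2
setenv PATH /usr/bin
up $SCRIPT_PATH
down $SCRIPT_PATH
down-pre
dhcp-option DOMAIN-ROUTE .
EOF
}

# ensure_directives OVPN_FILE: append each directive that is missing, keyed on
# its first word (first two for dhcp-option, since a profile may already carry
# a "dhcp-option DNS ..." line). Prints how many lines were added.
ensure_directives() {
  file=$1; added=0
  while IFS= read -r line; do
    case $line in
      dhcp-option*) key="dhcp-option DOMAIN-ROUTE" ;;
      *) key=${line%% *} ;;
    esac
    if ! grep -qE "^$key( |\$)" "$file"; then
      printf '%s\n' "$line" >> "$file"
      added=$((added + 1))
    fi
  done <<EOF
$(resolved_directives)
EOF
  echo "$added"
}

# check_resolved IFACE [STATUS_TEXT]: succeed if the link section for IFACE in
# `resolvectl status` output lists the catch-all domain "~." (what
# DOMAIN-ROUTE . turns into); STATUS_TEXT defaults to the live command.
check_resolved() {
  iface=$1
  status=${2:-$(resolvectl status)}
  printf '%s\n' "$status" | awk -v want="($iface)" '
    /^Link [0-9]+ \(/ { inlink = (index($0, want) > 0) }
    inlink && /DNS Domain:/ { for (i = 1; i <= NF; i++) if ($i == "~.") found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed resolvectl status excerpt (not captured from a real host): the
# tunnel received DNS 10.8.0.1 plus the catch-all route, the LAN link did not.
SAMPLE_STATUS='Link 3 (tun0)
    Current Scopes: DNS
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1
        DNS Domain: ~.

Link 2 (wlp3s0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1'

if [ -n "$1" ]; then
  echo "added $(ensure_directives "$1") directive(s) to $1"
fi
```

After reconnecting, `resolvectl status tun0` should list the pushed server and `~.` (so `check_resolved tun0` succeeds), and `resolvectl query example.com` should show the answer arriving via the tun0 link. This only governs lookups that actually reach systemd-resolved: if /etc/resolv.conf names the router instead of the 127.0.0.53 stub, glibc talks to the router directly and the routing-table check from the first answer applies again.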