02-01-2014, 03:52 PM
|
#1
|
LQ Newbie
Registered: Feb 2014
Posts: 2
Rep:
|
DNS requests leaking information.
I'm on Ubuntu 13.10 if relevant.
I want to set up a VPN for privacy. So far so good, I can do that. But my limited knowledge of networking made me wonder how DNS requests are handled. I've done some further digging and it seems that my DNS requests still go to the same place. I may be wrong but the things I've tried seem to indicate this is so. If this is my ISP's DNS servers, does this not mean that even though I am connecting via a VPN, they have a full log of everywhere I was visiting? Do the DNS requests come from the other end of my VPN tunnel or from my computer first and I THEN use the resulting information to visit that IP address via the VPN?
I need to know how I can check this.
Many thanks. I wasn't quite sure whether to place this in Networking or Security, but it seemed more of a security question to me.
|
|
|
02-01-2014, 08:02 PM
|
#2
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by H22
If this is my ISP's DNS servers, does this not mean that even though I am connecting via a VPN, they have a full log of everywhere I was visiting?
|
Unless you use modified network settings to use the VPN tunnel's default gateway, traffic indeed may end up at your ISP's.
Quote:
Originally Posted by H22
Do the DNS requests come from the other end of my VPN tunnel or from my computer first and I THEN use the resulting information to visit that IP address via the VPN? I need to know how I can check this.
|
That's why it's good to add "-j LOG" and "-j DROP" rules for your regular destinations while using a VPN. Easiest way to audit that traffic doesn't reach certain targets.
Quote:
Originally Posted by H22
I wasn't quite sure whether to place this in Networking or Security, but it seemed more of a security question to me.
|
Taxonomy says it is a routing issue (Networking) but I do understand people class it as a security issue.
|
|
1 members found this post helpful.
|
02-01-2014, 09:23 PM
|
#3
|
Member
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 912
Rep:
|
Quote:
Originally Posted by H22
I want to set up a VPN for privacy. So far so good, I can do that. But my limited knowledge of networking made me wonder how DNS requests are handled. I've done some further digging and it seems that my DNS requests still go to the same place.
|
Are you talking about subscribing to a VPN service provider, or are you setting up a VPN server of your own (e.g., OpenVPN) running on your home system? If the former, check with the VPN provider to see how DNS is handled. If the latter, you need to redirect the default network gateway through your VPN, and push your preferred DNS servers to the client.
In your OpenVPN server.conf, these statements redirect the network gateway for clients that connect to you, and push the OpenDNS servers' IP addresses to the client. You could use any DNS servers you trust, including ones of your own.
Code:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Last edited by Z038; 02-01-2014 at 09:30 PM.
|
|
|
02-02-2014, 04:36 AM
|
#4
|
LQ Newbie
Registered: Feb 2014
Posts: 2
Original Poster
Rep:
|
Hi. Thanks for both replies. To clarify (@Z038), I am subscribing to a VPN service provider. Whilst this provides some anonymity from the places I visit, I had wrongly thought that it provided anonymity from my ISP also. I.e. all my traffic was going through it, but it now seems likely that DNS requests - i.e. a complete list of where I'm going - are available to my ISP.
I'm surprised this isn't more widely known. Perhaps it is with the people who frequent this forum, but I'm sure there are a lot of people out there who think turning on their VPN offers this sort of privacy.
So anyway, this now turns into two questions:
1) How do I ensure ONLY my VPN provider's DNS servers are used? (They do provide DNS for those that want it).
2) How do I ensure that any network traffic ONLY goes via the VPN?
To explain that second one, the VPN occasionally drops. At this point, as far as I can see, Ubuntu cheerfully goes back to using its non-VPN connection. Is there any way to tell it: "unless you are connected to this VPN don't send / receive"? I'm /guessing/ that I could add something to iptables that dropped anything outgoing other than to the VPN server's address? Not sure how I'd do that.
Also, sorry - I think now that I did put this in the wrong forum. My apologies for that. If a mod does want to move it over to Networking...
Again, thanks for all replies. This is very helpful. The world grows ever more surveillance-y and I'm interested in how to safeguard privacy.
|
|
|
02-02-2014, 11:59 AM
|
#5
|
Member
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 912
Rep:
|
It would probably be a good idea to ask a mod to move your thread to the Networking forum. You can use the Report button to ask them to do that.
My VPN knowledge is basic. I run an OpenVPN server on my home system so I can connect to it from my laptop when I'm away from home. I also run Bind (named) on my home system to provide my own DNS service. When I'm connected to my VPN from airport/hotel/coffee shop public WiFi, I'm only concerned with securing my traffic from other users of those public networks. I'm not concerned with hiding my IP address. All of my internet accesses appear to be from my home IP address, since that is my exit point.
I have tested my DNS for leaks using these sites, and they always show my own DNS server being used:
https://www.dnsleaktest.com/
http://dnsleak.com/
http://ipleak.net/
As for your first question, I should think you'd be able to ask your VPN provider how to make sure that only its own DNS servers are being used.
I'm interested in your second question too, since I'd also like to make sure that I won't fall back to a public open network if my VPN connection drops. I suspect it's possible to firewall your network traffic using iptables to ensure that everything leaving your own network can go out only through your VPN connection, but I don't know how to do it.
I did find this link that might be of some help. https://airvpn.org/topic/9139-preven...inux-iptables/
|
|
1 members found this post helpful.
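The "-j LOG" / "-j DROP" idea from post #2 and the fall-back question from posts #4 and #5, as an added example that is not part of any post in this thread: a shell function that prints an IPv4 `iptables-restore` ruleset allowing traffic only to the VPN server and through the tunnel, logging and dropping DNS that tries to leave by the physical interface, plus a helper that lists the leaked destinations from kernel log lines. The server address 203.0.113.10, UDP port 1194, interface names `tun0`/`eth0`, the `DNS-LEAK` prefix and the sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example (assumed values throughout). Prints rules; applies nothing.
# IPv4 only: IPv6 needs an equivalent ip6tables ruleset or it can still leak.

# killswitch_rules <vpn_server_ip> <proto> <port> <tun_if> <phys_if>
# Use the VPN server's IP, not its hostname: DNS is blocked once this is loaded.
killswitch_rules() {
    vpn_ip=$1 proto=$2 port=$3 tun=$4 phys=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Everything routed into the tunnel is allowed, including DNS to the VPN's resolvers.
-A OUTPUT -o $tun -j ACCEPT
# On the physical interface: only the encrypted tunnel itself and DHCP renewals.
-A OUTPUT -o $phys -d $vpn_ip -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
# Any DNS query trying to bypass the tunnel is logged, then dropped below.
-A OUTPUT -o $phys -p udp --dport 53 -j LOG --log-prefix "DNS-LEAK "
-A OUTPUT -o $phys -p tcp --dport 53 -j LOG --log-prefix "DNS-LEAK "
-A OUTPUT -j DROP
COMMIT
EOF
}

# leaked_dns_servers: read kernel log lines on stdin and print each distinct
# resolver that a query tried to reach outside the tunnel.
leaked_dns_servers() {
    grep 'DNS-LEAK ' | sed -n 's/.* DST=\([0-9.]*\) .*/\1/p' | sort -u
}

# Constructed sample of what the LOG rules above write to the kernel log.
SAMPLE_LOG='Feb  2 17:01:12 host kernel: [ 101.1] DNS-LEAK IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=40000 DPT=53
Feb  2 17:01:13 host kernel: [ 102.2] DNS-LEAK IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=40001 DPT=53
Feb  2 17:01:14 host kernel: [ 103.3] DNS-LEAK IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=53'

# Review the output first; to load it, pipe it into: sudo iptables-restore
killswitch_rules 203.0.113.10 udp 1194 tun0 eth0
printf '%s\n' "$SAMPLE_LOG" | leaked_dns_servers
```

With the ruleset loaded, a dropped VPN leaves the machine with no route out instead of falling back to the plain connection, and any `DNS-LEAK` line in the kernel log names a resolver the system is still configured to use outside the tunnel.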
|
02-02-2014, 05:33 PM
|
#6
|
Moderator
Registered: May 2001
Posts: 29,415
|
Quote:
Originally Posted by H22
Also, sorry - I think now that I did put this in the wrong forum. My apologies for that. If a mod does want to move it over to Networking...
|
No problem and no apologies necessary.
We're here to help.
I'll just move your thread to the Networking forum.
Have fun!
|
|
|