Old 03-30-2017, 03:06 PM   #1
How (I think?) I solved DNS leakage on my CentOS 7 PC

I have tired of playing with this issue so I decided to apply my normal BFH technique.

openvpn is SUPPOSED to support an option "block-outside-dns" in the .ovpn configuration file from my reading. It does not seem to work.

Debian and Debian based distros ('buntus etc.) have a package resolvconf which provides scripts to manage this mischief. No such thing in CentOS. I found reference to openresolv which works in Arch but I have not gotten it to work in CentOS.

Using an Ubuntu 16.04 VM I did some testing and observing. It seems that by adding these lines to the bottom of the .ovpn configuration file
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
the first referenced script will fire when the VPN is enabled and the second script after the VPN closes. In this case update-resolv-conf is called both times. It determines what happened and acts accordingly. Having no luck with this script on CentOS I decided to create my own scripts.

In observing what happened on Ubuntu during this process I determined that the net result (sorry for the pun) was that the file /etc/resolv.conf was modified to stuff the VPN provider's DNS address at the top of the file. Based on my observations and confirmed by correspondence with my VPN providers I determined that their DNS addresses were: VPN and VPN (beta)

I created these files in /etc/
# resolv.conf.usenetserver
# Generated by Ken - hard coded DNS for this VPN

# resolv.conf.proton
# Generated by Ken - hard coded DNS for this VPN
My scripts are placed in /etc/openvpn. These are for the protonmail VPN. Two more for usenetserver - same concept
# replace /etc/resolv.conf with special version for protonmail VPN
mv /etc/resolv.conf /etc/
cp /etc/resolv.conf.proton /etc/resolv.conf
# restore original /etc/resolv.conf after exiting VPN
rm /etc/resolv.conf
mv /etc/ /etc/resolv.conf
To fire these scripts at the appropriate time I added these lines to the .ovpn file
script-security 2
up /etc/openvpn/
down /etc/openvpn/
This seems to be working. Several of the "test for DNS leak" web sites gave me a clean bill of health. The others offered me a bill if I purchased their service/product but the results listed looked reasonable to me. I have yet to have one of these sites display my REAL (ISP assigned) address.

I will be setting this up on my "router" PC which resides between my Netgear "real" router and my LAN. I am using the Netgear simply because the router PC has only one wired NIC and I must connect to the Internet with the WiFi card. The PC also runs DHCP for my LAN. The PC is run headless and I would not expect to do anything on it to cause, for example, Network Manager to overwrite the resolv.conf file which I wish to have in place.

I await your slings and arrows (torpedoes, broadsides or rotten tomatoes)... What have I screwed up with my simplistic approach?
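One hook script that covers both the "up" and "down" cases described in the post (an added example, not the original poster's scripts): OpenVPN exports $script_type and the pushed options as $foreign_option_N, so the script can use the server's pushed DNS and fall back to a hard-coded list, keeps the first backup intact if "up" fires twice on a reconnect, and refuses to delete /etc/resolv.conf on "down" when no backup exists. It assumes openvpn runs it as root; the RESOLV_CONF and VPN_DNS variables and the 203.0.113.x placeholder addresses are constructed for illustration.

```shell
#!/bin/bash
# vpn-dns.sh: one OpenVPN up/down hook (added example, not the original poster's scripts).
# OpenVPN invokes it as "<script> up|down" and exports $script_type and the pushed
# options as $foreign_option_N. Assumes openvpn runs it as root; RESOLV_CONF and
# VPN_DNS are overridable so the logic can be exercised against a temporary file.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
# Fallback when the server pushes no DNS: TEST-NET-3 placeholders, not any provider's servers.
VPN_DNS="${VPN_DNS:-203.0.113.53 203.0.113.54}"

backup_path() { echo "${RESOLV_CONF}.pre-vpn"; }

# Nameservers pushed by the server arrive as foreign_option_N="dhcp-option DNS a.b.c.d".
collect_dns() {
    local i=1 opt found=""
    while eval "opt=\${foreign_option_${i}:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) found="$found ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
    echo "${found:-$VPN_DNS}"
}

vpn_dns_up() {
    local backup tmp; backup=$(backup_path)
    # A reconnect fires "up" again: never overwrite the backup with the VPN version.
    if [ ! -e "$backup" ]; then
        if [ -e "$RESOLV_CONF" ]; then cp -p "$RESOLV_CONF" "$backup"; else : > "$backup"; fi
    fi
    tmp=$(mktemp "${RESOLV_CONF}.XXXXXX")
    {
        echo "# Written by vpn-dns.sh while the VPN tunnel is up; restored on down"
        for ns in $(collect_dns); do echo "nameserver $ns"; done
    } > "$tmp"
    rm -f "$RESOLV_CONF"           # drop a symlink (NetworkManager/systemd) if one is in place
    mv -f "$tmp" "$RESOLV_CONF"    # atomic replace; resolvers never see a half-written file
    chmod 644 "$RESOLV_CONF"       # mktemp creates 0600; the resolver runs unprivileged
}

vpn_dns_down() {
    local backup; backup=$(backup_path)
    if [ ! -e "$backup" ]; then
        echo "vpn-dns.sh: no backup at $backup; leaving $RESOLV_CONF untouched" >&2
        return 1
    fi
    mv -f "$backup" "$RESOLV_CONF"
}

case "${script_type:-${1:-}}" in up) vpn_dns_up ;; down) vpn_dns_down ;; esac
```

Wire it in with `script-security 2`, `up /etc/openvpn/vpn-dns.sh` and `down /etc/openvpn/vpn-dns.sh`; if the .ovpn drops privileges with user/group directives, the down hook runs unprivileged and the restore fails, which is what the openvpn-plugin-down-root plugin is for.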


Old 03-31-2017, 01:05 PM   #2
Original Poster
To take a pot shot at my own "solution"...
The openvpn command e.g.
sudo openvpn --config ~/bin/ --auth-user-pass ~/bin/propw
requires administrative permissions to execute and will tie up a bash terminal as long as it is running. To accommodate these limitations I use screen to allow me to hide the running terminal after invoking openvpn. I can then reattach the screen at a later time to cancel openvpn. As to permissions, I have two options:

I can su in the bash terminal and then run the openvpn command. This leaves a root terminal running (although hidden by screen).

If I run the command with sudo and supply a password I do not have this rogue root terminal floating around. However, by the time I cancel openvpn my escalated permissions will probably have timed out. This will cause the second script - restoring /etc/resolv.conf - to fail due to file permissions.

I prefer the second scenario. I would rather not have connectivity rather than having connectivity outside of the VPN.


p.s. As I am using the "router" PC as a DHCP server for my LAN I had a DNS address (for hard coded in /etc/dhcp/dhcpd.conf. This caused a DNS leakage which it took a little time to track down. I replaced this address with the address of the "router" PC. Problem solved.

Last edited by taylorkh; 03-31-2017 at 01:32 PM.

