DNS Leak - How is it even possible?

DD-WRT Forum Forum Index -> Advanced Networking
frunbee
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 4

Posted: Wed Apr 10, 2013 13:24    Post subject: DNS Leak - How is it even possible?
I connect to my VPN using OpenVPN on my router, which is running DD-WRT, and it does change my IP. Although DNS leaks occur (I have one), I don't see how they're even possible. Obviously I'm new to this, but I've started reading TCP/IP For Dummies, so I'm trying.

My limited understanding of a VPN is that the entire bit stream that my modem would (without a VPN) be transmitting/receiving is instead encrypted, with some sort of non-encrypted header that has only as much info as my ISP needs to maintain the connection with my VPN. Everything else (literally) should be gobbledegook to them. If this were true, however, my ISP wouldn't even know when my browser is trying to connect to a new website, much less what domain name it's trying to find the IP address for. Yet when I connect to DNSLeaktest, somehow my ISP uses their own DNS. I don't see how they're able to do that for anything other than my VPN connection.

Any help to get my head around this would be greatly appreciated.

Thanks
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 1997

Posted: Thu Apr 11, 2013 4:17
This is a tough one to explain, esp. if you’re not familiar w/ some basic networking concepts. But I’ll try.

When you establish the VPN connection, it creates an encrypted session (tunnel) between the endpoints. From the perspective of your ISP or anyone else who might be eavesdropping on your traffic, it appears like any other TCP/IP session, with source and destination IPs, and of course, the encrypted data. So instead of being only on your local network, you’re also established on some remote network. And now you can reference devices on that remote network too.

But now you want to have the VPN act as your default gateway. So how does that happen? Either the VPN has to provide that option (some do, some don’t), or else you have to do it yourself. Either way, it requires manipulating the routing tables (of the router in this case) so the default gateway is changed to that of the VPN rather than that of the ISP (see iptables).

Hopefully that makes sense so far, but the obvious question is, why then would DNS requests be different than other traffic? Why would DNS requests sometimes leak but everything else not leak? Because not everything that appears to require use of the default gateway, necessarily does.

Suppose the DNS server(s) provided by your ISP reside on the same network as the WAN (e.g., 221.192.16.x). Because this network is KNOWN to the router, it does NOT require use of the default gateway! The default gateway is only required for UNKNOWN networks. Same thing would be true if you tried to PING or reference any other device/service on the WAN. You’re never going to be routed through a default gateway if the network is already known and accessible.

IOW, use of the default gateway implies a lack of knowledge about where some network/ip resides, and is for the purposes of resolving it. But in the example I’ve given, this isn’t the case, the network for the DNS server *is* known, it’s right there on the WAN!

And THAT is how you can end up w/a DNS leak, and your ISP being able to see/track your DNS queries. You’ve configured your network in such a way that the default gateway is never referenced for DNS, and therefore the DNS requests are never fed over the VPN.

So let’s imagine an alternative. Suppose the client uses a static DNS reference, say to Google (8.8.8.8). Now THAT should be sent over the VPN because that IP can only be tracked down via the default gateway (it’s not a network known to the router on any of its own network interfaces).

There may be other ways DNS could leak as well, but that’s certainly one way.
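To make the "known network vs. default gateway" argument concrete, here is an added example (not from the thread or from DD-WRT itself) that simulates the router's route selection. The routing table is constructed for illustration: tun1 is the OpenVPN client that has been made the default gateway, vlan2 is the ISP-facing WAN, and the only address range taken from the post is the 221.192.16.x WAN subnet; the interface names, the 10.8.0.0/24 tunnel subnet and the 203.0.113.10 VPN server address are assumptions. The lookup implements longest-prefix match, which is how a kernel chooses between overlapping routes.

```python
import ipaddress

# Constructed routing table for a router whose OpenVPN client (tun1) has been
# made the default gateway. Interface names and all addresses except the
# 221.192.16.x WAN subnet mentioned in the post are made up for illustration.
ROUTES = [
    # (destination prefix, outgoing interface, next hop or None if directly connected)
    ("0.0.0.0/0",        "tun1",  "10.8.0.1"),      # default route now points into the VPN
    ("10.8.0.0/24",      "tun1",  None),            # VPN tunnel subnet
    ("192.168.1.0/24",   "br0",   None),            # LAN behind the router
    ("221.192.16.0/24",  "vlan2", None),            # ISP-facing WAN subnet, directly connected
    ("203.0.113.10/32",  "vlan2", "221.192.16.1"),  # host route so the VPN server itself is reached via the ISP
]

# Pre-parse once so lookups can use ipaddress containment checks.
ROUTE_TABLE = [(ipaddress.ip_network(dst), iface, gw) for dst, iface, gw in ROUTES]


def lookup(dst_ip):
    """Return (interface, gateway) for dst_ip using longest-prefix match.

    A more specific (longer) prefix always wins over the 0.0.0.0/0 default,
    which is exactly why a connected WAN subnet bypasses the VPN default route.
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, iface, gw in ROUTE_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise ValueError(f"no route to {dst_ip}")
    return best[1], best[2]


def dns_leaks(dns_server, vpn_iface="tun1"):
    """True if queries to dns_server would leave through an interface other than the VPN."""
    iface, _ = lookup(dns_server)
    return iface != vpn_iface


def leak_report(dns_servers, vpn_iface="tun1"):
    """Map each configured resolver to the interface its queries would actually use.

    Useful as a quick audit: any resolver not mapped to vpn_iface is a leak candidate.
    """
    return {server: lookup(server)[0] for server in dns_servers}


if __name__ == "__main__":
    # An ISP-assigned resolver on the connected WAN subnet (constructed address)
    # next to a static public resolver, as contrasted in the post above.
    for server in ["221.192.16.53", "8.8.8.8"]:
        iface, gw = lookup(server)
        print(f"{server:>16} -> {iface} via {gw or 'directly connected'}  leak={dns_leaks(server)}")
```

Running it shows the ISP resolver at 221.192.16.53 matching the /24 connected route on vlan2 (so its queries never touch tun1), while 8.8.8.8 matches only the default route and goes out through the VPN. The same check also explains why the VPN server's own address has to stay reachable via the ISP: the /32 host route is the one exception that is supposed to bypass the tunnel.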
frunbee
DD-WRT Novice


Joined: 09 Apr 2013
Posts: 4

Posted: Thu Apr 11, 2013 22:11
eibgrad wrote:
This is a tough one to explain, esp. if you’re not familiar w/ some basic networking concepts. But I’ll try.

When you establish the VPN connection, it creates an encrypted session (tunnel) between the endpoints. From the perspective of your ISP or anyone else who might be eavesdropping on your traffic, it appears like any other TCP/IP session, with source and destination IPs, and of course, the encrypted data. So instead of being only on your local network, you’re also established on some remote network. And now you can reference devices on that remote network too.

But now you want to have the VPN act as your default gateway. So how does that happen? Either the VPN has to provide that option (some do, some don’t), or else you have to do it yourself. Either way, it requires manipulating the routing tables (of the router in this case) so the default gateway is changed to that of the VPN rather than that of the ISP (see iptables).

Hopefully that makes sense so far, but the obvious question is, why then would DNS requests be different than other traffic? Why would DNS requests sometimes leak but everything else not leak? Because not everything that appears to require use of the default gateway, necessarily does.

Suppose the DNS server(s) provided by your ISP reside on the same network as the WAN (e.g., 221.192.16.x). Because this network is KNOWN to the router, it does NOT require use of the default gateway! The default gateway is only required for UNKNOWN networks. Same thing would be true if you tried to PING or reference any other device/service on the WAN. You’re never going to be routed through a default gateway if the network is already known and accessible.

IOW, use of the default gateway implies a lack of knowledge about where some network/ip resides, and is for the purposes of resolving it. But in the example I’ve given, this isn’t the case, the network for the DNS server *is* known, it’s right there on the WAN!

And THAT is how you can end up w/a DNS leak, and your ISP being able to see/track your DNS queries. You’ve configured your network in such a way that the default gateway is never referenced for DNS, and therefore the DNS requests are never fed over the VPN.

So let’s imagine an alternative. Suppose the client uses a static DNS reference, say to Google (8.8.8.8). Now THAT should be sent over the VPN because that IP can only be tracked down via the default gateway (it’s not a network known to the router on any of its own network interfaces).

There may be other ways DNS could leak as well, but that’s certainly one way.

It'll take me a while to investigate your points and suggestions, but in the meantime - thanks for taking the time to respond to my clearly neophyte question.
Djee
DD-WRT Novice


Joined: 17 May 2013
Posts: 2

Posted: Fri May 17, 2013 16:30
Hi Frunbee,

When set up correctly, your data traffic is encrypted and will always be routed via the tunnel using the VPN provider's IP address.

However, by default when you boot your router it will try to get the DNS servers of your ISP, allowing your ISP to see which sites you have visited.

To fix this you must force your DD-WRT router to only use the Google DNS servers.

Setup > Basic Setup
Section: Network Setup > Network Address Server Settings (DHCP)

Static DNS 1: 8.8.8.8
Static DNS 2: 8.8.4.4
Static DNS 3: 10.0.0.0 (when left blank it will use the ISP DNS servers)

Enjoy!
All times are GMT