Posted: Wed Apr 10, 2013 13:24 Post subject: DNS Leak - How is it even possible?
I connect to my VPN using OpenVPN on my router, which is running DD-WRT, and it does change my IP. Although DNS leaks occur (I have one), I don't see how they're even possible. Obviously I'm new to this, but I've started reading TCP/IP For Dummies, so I'm trying.
My limited understanding of a VPN is that the entire bit stream that my modem would (without a VPN) be transmitting/receiving is instead encrypted, with some sort of non-encrypted header that has only as much info as my ISP needs to maintain the connection with my VPN. Everything else (literally) should be gobbledegook to them. If this were true, however, my ISP wouldn't even know when my browser is trying to connect to a new website, much less what domain name it's trying to find the IP address for. Yet when I connect with DNSLeaktest, somehow my ISP uses their own DNS. I don't see how they're able to do that for anything other than my VPN connection.
Any help to get my head around this would be greatly appreciated.
This is a tough one to explain, esp. if you’re not familiar w/ some basic networking concepts. But I’ll try.
When you establish the VPN connection, it creates an encrypted session (tunnel) between the endpoints. From the perspective of your ISP or anyone else who might be eavesdropping on your traffic, it appears like any other TCP/IP session, with source and destination IPs, and of course, the encrypted data. So instead of being only on your local network, you’re also established on some remote network. And now you can reference devices on that remote network too.
But now you want to have the VPN act as your default gateway. So how does that happen? Either the VPN has to provide that option (some do, some don’t), or else you have to do it yourself. Either way, it requires manipulating the routing tables (of the router in this case) so the default gateway is changed to that of the VPN rather than that of the ISP (see iptables).
Hopefully that makes sense so far, but the obvious question is, why then would DNS requests be different than other traffic? Why would DNS requests sometimes leak but everything else not leak? Because not everything that appears to require use of the default gateway, necessarily does.
Suppose the DNS server(s) provided by your ISP reside on the same network as the WAN (e.g., 221.192.16.x). Because this network is KNOWN to the router, it does NOT require use of the default gateway! The default gateway is only required for UNKNOWN networks. Same thing would be true if you tried to PING or reference any other device/service on the WAN. You’re never going to be routed through a default gateway if the network is already known and accessible.
IOW, use of the default gateway implies a lack of knowledge about where some network/ip resides, and is for the purposes of resolving it. But in the example I’ve given, this isn’t the case, the network for the DNS server *is* known, it’s right there on the WAN!
And THAT is how you can end up w/ a DNS leak, and your ISP being able to see/track your DNS queries. You’ve configured your network in such a way that the default gateway is never referenced for DNS, and therefore the DNS requests are never fed over the VPN.
So let’s imagine an alternative. Suppose the client uses a static DNS reference, say to Google (8.8.8.8). Now THAT should be sent over the VPN, because that IP can only be tracked down via the default gateway (it’s not a network known to the router on any of its own network interfaces).
There may be other ways DNS could leak as well, but that’s certainly one way.
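As an added illustration (not code from the thread or from DD-WRT), here is a Python model of the routing decision described above: a constructed forwarding table with a directly connected WAN subnet and an OpenVPN default route, plus a longest-prefix lookup that reports which interface a DNS query to a given server would leave through. The prefixes, interface names and DNS server addresses are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the scenario in the post: the WAN
# subnet (221.192.16.x) is directly connected, the LAN and VPN subnets are
# directly connected, and OpenVPN has installed a default route via tun0.
# All prefixes and interface names are assumptions for the example.
ROUTES = [
    ("192.168.1.0/24",  "br0",   "directly connected LAN"),
    ("221.192.16.0/24", "vlan2", "directly connected WAN (ISP side)"),
    ("10.8.0.0/24",     "tun0",  "directly connected VPN subnet"),
    ("0.0.0.0/0",       "tun0",  "default gateway via the VPN"),
]


def lookup(ip: str):
    """Longest-prefix match: the rule a router's forwarding table applies.

    Returns (network, interface, note) for the most specific matching route,
    or None if nothing matches (no default route installed).
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface, note in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, note)
    return best


def leaks(dns_server: str, vpn_iface: str = "tun0") -> bool:
    """True when queries to dns_server would bypass the VPN interface.

    A DNS server on the directly connected WAN matches the /24 before the
    0.0.0.0/0 default route, so it never touches the tunnel: that is the leak.
    """
    match = lookup(dns_server)
    return match is None or match[1] != vpn_iface


if __name__ == "__main__":
    # Constructed sample servers: one on the ISP's WAN subnet, one public.
    for server in ("221.192.16.5", "8.8.8.8"):
        net, iface, note = lookup(server)
        print(f"{server:15} -> {iface:5} ({note}); leaks: {leaks(server)}")
```

On a Linux-based router the kernel makes the same decision; `ip route get <dns-server-ip>` prints the interface it would actually use, which is a quick way to confirm whether the router's configured DNS servers go through the tunnel.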
It'll take me a while to investigate your points and suggestions, but in the meantime - thanks for taking the time to respond to my clearly neophyte question.
When set up correctly, your data traffic is encrypted and will always be routed via the tunnel using the VPN provider's IP address.
Although by default, when you boot your router, it will try to get the DNS servers of your ISP. This allows your ISP to see which sites you have visited.
To fix this you must force your DD-WRT router to only use the Google DNS servers.
Hi, found this thread when searching for help about my router leaking DNS.
I am connected via a VPN and I've configured static DNS in my router, but still DNS requests are made via my ISP. My firmware build is "DD-WRT v24-sp2 (03/25/13) std" on a "d-link dir-825".
The company providing the VPN gave some suggestions on how to solve this (static DNS among some), but no...