OS is leaking DNS

OS is leaking DNS

Adam Smith
Hi,

Relevant info:

1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and dated March 27, 2016
(installed OpenBSD as desktop OS)
2. openvpn-2.3.10
3. firefox
4. enabled DHCP during installation of OS
5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
6. computer connects directly to cable modem supplied by ISP, meaning my machine receives dynamic IP addresses from my ISP
7. computer is standalone, not part of network

After my computer is connected to VPN tunnel, I start Firefox and surf to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on the button that says "Test My DNS".

The IP address of my ISP appears in the results. It means that the OpenBSD operating system leaks DNS.

How to fix the problem, please?

Regards.

Adam
http://www.DCpages.com

Re: OS is leaking DNS

Michael McConville-3
Adam Smith wrote:

> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
>    5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
>    dated March 27, 2016
>    (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
>    my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.
>
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to
/etc/resolv.conf, so if your DHCP lease suggests a DNS server, your
system will try that one before those listed in /etc/resolv.conf.tail.

Re: OS is leaking DNS

Sebastien Marie-2
On Sun, Mar 27, 2016 at 11:12:38PM -0700, Adam Smith wrote:

> Hi,
>
> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and dated March 27, 2016
> (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on the button that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD operating system leaks DNS.

I tend to say that OpenBSD does what you asked for :)

> How to fix the problem, please?

Without seeing any configuration files it is a bit complex to be sure...

With my magic hat, my interpretation is:
  - you don't configure specific options in dhclient.conf, so when your
    ISP sends you the DNS list, dhclient(8) adds it to /etc/resolv.conf

  - you added your preferred public DNS servers in resolv.conf.tail, so
    these addresses will be *at the bottom*

  - your /etc/resolv.conf should look like:

nameserver ISP-DNS-address
nameserver preferred-public-DNS-address

  - so when a program asks to resolve an address, libc works as
    documented in resolv.conf(5):

    "If there are multiple servers, the resolver library queries them in
    the order listed".

    As resolv.conf.tail is at the bottom, these DNS addresses are used only
    when the first (ISP DNS) addresses have failed.


I think what you want is to override the DNS addresses provided by your
ISP. It could be done using dhclient.conf, with the following line for
example:

   supersede domain-name-servers 8.8.8.8;

Take a look at dhclient.conf(5) man page for more information.

  supersede option option-value;
    Use option-value for the given option, regardless of the value
    supplied by the server.

I hope it helps.
--
Sebastien Marie
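A worked model of the ordering Sebastien describes, added here as an example and not code from the thread or from OpenBSD: it reproduces the nameserver lines dhclient(8) would write given a lease-supplied server, an optional prepend or supersede line in dhclient.conf and the contents of resolv.conf.tail, then reports whether the first server the resolver would query is the ISP's. The lease address 192.0.2.53 is a constructed placeholder from the documentation range, and modelling only the domain-name-servers option (no domain or search lines) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: a simplified model
# of how dhclient(8) assembles /etc/resolv.conf. ASSUMPTION: only the
# domain-name-servers option is modelled; domain/search lines are ignored.

# Print the address list of one dhclient.conf directive, e.g.
#   dhclient_values prepend "prepend domain-name-servers 10.0.0.1, 10.0.0.2;"
# prints "10.0.0.1 10.0.0.2". Prints nothing when the directive is absent.
dhclient_values() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == d && $2 == "domain-name-servers" {
            sub(/^[ \t]*[a-z]+[ \t]+domain-name-servers[ \t]*/, "")
            gsub(/[;,]/, " ")      # strip the terminating ; and list commas
            gsub(/[ \t]+/, " ")
            sub(/^ /, ""); sub(/ $/, "")
            print
        }'
}

# Build the nameserver section of resolv.conf in the order dhclient uses:
#   prepend values, then lease values (replaced by supersede), then the tail.
# $1 lease-supplied servers, $2 dhclient.conf text, $3 resolv.conf.tail text
compose_resolv_conf() {
    lease=$1
    pre=$(dhclient_values prepend "$2")
    sup=$(dhclient_values supersede "$2")
    if [ -n "$sup" ]; then
        lease=$sup                 # supersede discards what the lease offered
    fi
    for s in $pre $lease; do
        printf 'nameserver %s\n' "$s"
    done
    if [ -n "$3" ]; then
        printf '%s\n' "$3"         # resolv.conf.tail is always appended last
    fi
}

# The resolver tries servers in listed order, so the first line decides
# who normally sees the queries.
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# "yes" if the first nameserver is one the ISP handed out, else "no".
queries_isp_first() {
    first=$(first_nameserver "$1")
    for s in $2; do
        if [ "$s" = "$first" ]; then
            echo yes
            return 0
        fi
    done
    echo no
}

# Constructed sample input: 192.0.2.53 stands in for the ISP's resolver
# (documentation address range); 8.8.8.8 is the public server from the thread.
LEASE_DNS=192.0.2.53
TAIL='nameserver 8.8.8.8'

for cfg in "" "prepend domain-name-servers 8.8.8.8;" \
           "supersede domain-name-servers 8.8.8.8;"; do
    rc=$(compose_resolv_conf "$LEASE_DNS" "$cfg" "$TAIL")
    printf '== dhclient.conf line: %s\n%s\nqueries ISP first: %s\n\n' \
        "${cfg:-(none, tail only)}" "$rc" "$(queries_isp_first "$rc" "$LEASE_DNS")"
done
```

Run as-is to see the three cases side by side: with nothing but resolv.conf.tail the ISP's server comes first, with prepend the public server is tried first but the ISP's one remains as fallback, and with supersede the lease-supplied server never reaches resolv.conf at all. In the supersede case the public server appears twice because the tail still lists it; on a real system the tail entry becomes redundant once supersede is in place.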

Re: OS is leaking DNS

Adam Smith
>From:
> Adam Thompson <[hidden email]>
>To: [hidden email]
>Received-On: Today 08:43
>Subject: Re: OS is leaking DNS
>More...
>
>dhclient(8) is writing the ISP-supplied nameservers into resolv.conf
>*before* your local options in resolv.conf.tail.

Thanks for your explanation. I did consult the man page on dhclient.conf and owing to my lack of IT knowledge and English not being my native language, I have difficulty in understanding what it states.

>You can override this behaviour in dhclient.conf(5).  See the example in
>the manpage for a way to prepend or override "domain-name-servers"
>instead of using resolv.conf.tail.

I read the man page on dhclient.conf (URL: http://man.openbsd.org/OpenBSD-current/man5/dhclient.conf.5) and I am still clueless.

Based on the example given on that webpage, I adapted it into two samples which are the following:

Sample #1

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0"
 {
  prepend domain-name-servers 127.0.0.1;
  request subnet-mask,
          broadcast-address,
          routers,
          domain-name,
          domain-name-servers,
          host-name;
  require routers,
          subnet-mask,
          domain-name-servers;
 }


Sample #2

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0"
 {
  prepend domain-name-servers 50.116.40.226 107.170.95.180;
  request subnet-mask,
          broadcast-address,
          routers,
          domain-name,
          domain-name-servers,
          host-name;
  require routers,
          subnet-mask,
          domain-name-servers;
 }


My questions:

(A) Sample #1 is essentially the same as resolving DNS requests via DHCP, isn't it? For a standalone computer, 127.0.0.1 resolves via the DNS resolver of my ISP, yes?

(B) In Sample #2, how is my computer able to connect to 50.116.40.226 without first going through my ISP's DNS resolver? I am sorry if my question is somewhat noobish. I have very limited knowledge of networking and DNS resolution.

>I don't know what the OpenVPN client does to resolv.conf, but likely
>something similar.

The source code for OpenVPN client (Community Edition) is available for inspection. The URL to download it is https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.zip

>But I know its config files let you override DNS
>server settings, too, because I've had to do so myself.

Please show me how you do it. Thanks in advance.

>Override instead of appending to get the
>desired behaviour.  (Netflix, I assume?  <grin>)

Wrong assumption. From time to time my job requires me to work for a few weeks in an authoritarian regime where even a cursory visit to a website can get me in trouble with their laws, the penalty for which is jail time or deportation.

>Any two machines
>connected to each other (e.g. your PC and your cable modem) constitute
>"a network".

See what I mean? You yourself have shown that I am null where IT knowledge is concerned.

>Given the complexities you are causing yourself, I would suggest running
>something like dnsmasq (in ports, IIRC) as your local recursing
>nameserver, then having all three of the above components merely point
>to 127.0.0.1.  Then configure dnsmasq correctly.  If you have dbus (also
>in ports, *sigh*) installed and dnsmasq built with dbus control option,
>you can dynamically change its behaviour on the fly (e.g. what upstream
>nameserver to forward queries to). Or you could just restart it manually
>each time.

Terms like "local recursing nameserver" are technical jargon to me. Even if I understood what it meant, I wouldn't know how to configure the three components to point to 127.0.0.1.

By the way, which three components were you referring to? I saw only two: dhclient, nameservers

Would you be so kind as to show me how to do the stuff you described above, viz.:

- run dnsmasq as my local recursing nameserver
- three components point to 127.0.0.1
- configure dnsmasq correctly
- how to tell if my dnsmasq is built with dbus control option
- how to dynamically change its behaviour on the fly

Thanks in advance.

Adam
http://www.DCpages.com

Re: OS is leaking DNS

Adam Smith
Thanks for your explanation, Michael.

Regards.

Adam

--- [hidden email] wrote:

From: Michael McConville <[hidden email]>
To: Adam Smith <[hidden email]>
Cc: [hidden email]
Subject: Re: OS is leaking DNS
Date: Mon, 28 Mar 2016 03:02:12 -0400

Adam Smith wrote:

> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
>    5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
>    dated March 27, 2016
>    (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
>    my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.
>
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to
/etc/resolv.conf, so if your DHCP lease suggests a DNS server, your
system will try that one before those listed in /etc/resolv.conf.tail.

http://www.DCpages.com

Re: OS is leaking DNS

Adam Smith
>From:
> Sebastien Marie <[hidden email]>
>To: Adam Smith <[hidden email]>
>Cc: [hidden email]
>Received-On: Today 09:17
>Subject: Re: OS is leaking DNS
>More...
>

Hi Sebastien,

>without seeing any configuration files it is a bit complex to be sure...

Did you mean the configuration file of *.ovpn? Well, the contents of my *.ovpn file are as follows:

----start of config file------
remote 50.149.115.121 1194 tcp-client
client
tls-client
dev tun
auth-user-pass auth.txt
resolv-retry infinite
mute-replay-warnings
nobind
persist-key
persist-tun
ns-cert-type server
verb 1
remote-cert-tls server
setenv CLIENT_CERT 0
<ca>
-----BEGIN CERTIFICATE-----
{{{suppressed on request by VPN vendor}}}
-----END CERTIFICATE-----
</ca>

----end of config file------

>with my magic hat, my interpretation is:
> - you don't configure specific options in dhclient.conf, so when your
>   ISP send to you the DNS list, dhclient(8) adds it to /etc/resolv.conf

Thanks for telling me that. I know it now.

> - you added your preferred public DNS servers in resolv.conf.tail, so
>   these addresses will be *at bottom*

I see....

>  - your /etc/resolv.conf should look like:
>
>nameserver ISP-DNS-address
>nameserver preferred-public-DNS-address

According to your above example, my ISP will handle DNS resolutions and if it is unable to do it, then my preferred DNS resolvers will take over the job, is that correct?

>I think what you want is to override the DNS addresses provided by your
>ISP. It could be done using dhclient.conf, with the following line for
>example:
>
>  supersede domain-name-servers 8.8.8.8;

My question: if I override/supersede my ISP's DNS servers, how will I be able to surf or ping websites the very first time I try to connect to the internet? You know, as in, for example, after booting up OpenBSD, I launch the Firefox browser and try to surf to www.unhcr.org

>Take a look at dhclient.conf(5) man page for more information.
>
> supersede option option-value;
>   Use option-value for the given option, regardless of the value
>   supplied by the server.

I did read that man page at least three times and am still clueless. I wish to let you know that I don't have formal training in IT and English is not my native language.

Regards.

Adam
http://www.DCpages.com

Re: OS is leaking DNS

Adam Smith
>--- [hidden email] wrote:
>
>From: Christopher Zimmermann <[hidden email]>
>To: "Adam Smith" <[hidden email]>
>Subject: Re: OS is leaking DNS
>Date: Mon, 28 Mar 2016 21:58:09 +0200
>
>Hi Adam,

Good day, Christoph

>I am Christopher from Tübingen, Germany.

Tübingen? Wow... it used to be the place where most avant-garde theologians of the (Christian) Bible hail from and whose views the Vatican and ultra-conservative Protestants have consistently labeled as heresies.

I wonder if the Tübingen of the 21st century still produces eminent theologians?

>What you need to fix the "DNS
>leakage" to your ISP is a line like this in dhclient.conf:
>
>supersede domain-name-servers 8.8.4.4, 85.214.20.141, 213.73.91.35;

Thank you very much for your help.

>But note that DNS traffic is usually not encrypted; so if you mistrust
>your ISP, you'll need a proxy. Since you list openvpn, you are probably
>using it to connect to a proxy?

I don't know the differences between a proxy and a VPN gateway/server. Some use the two terms interchangeably.

I bought a subscription from a commercial VPN vendor. A comparative chart of the various VPN vendors can be found at https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/htmlview?pref=2&pli=1&sle=true#gid=0

The contributor's username on Reddit is ThatOnePrivacyGuy

Regards,

Adam
http://www.DCpages.com