
I'm using minimal Antergos linux with i3wm, with all packages being up to date and the laptop rebooted. Using Firefox as a browser, I'm experiencing DNS leaks when visiting websites such as ipleaks.net, https://www.dnsleaktest.com or https://browserleaks.com/ip.

The VPN is set up with the nm-applet using an ovpn file provided by my VPN provider. I have used the same ovpn files on a KDE bells-and-whistles distro, and have not experienced any DNS leaks.

My /etc/resolv.conf when connected to the VPN:

nameserver 192.168.1.1

I have disabled WebRTC in Firefox by toggling media.peerconnection.enabled to false.

How can I find out what the cause of my DNS leak is and how can I go about fixing it?

jasonwryan
  • 73,126
pandita
  • 783

2 Answers

2

It was a systemd-resolved issue; see here. In order to have all traffic pushed through the VPN, you need to install the update-systemd-resolved script and add dhcp-option DOMAIN-ROUTE . to the ovpn file.

I'm stunned that this is not seen as a serious issue with the default settings by the systemd-resolved crew...

pandita
  • 783
1

Have a look at your routing table:

ip route 

I expect you have an entry for 192.168.1.0/24 going out your local interface; as your nameserver is in that subnet, the DNS traffic is not being routed down the VPN tunnel.

You could change your nameserver to a public one, like Google's 8.8.8.8; your DNS traffic should then be routed down your VPN tunnel rather than using your local nameserver.

  • I do have that entry. Is there another way than choosing a public DNS server? – pandita Jun 22 '18 at 13:22
  • @pandita Other than choosing a Public DNS server you could take a page out of my book and use a local bind9 or similar DNS server instance as a recursive resolver, and set it to use a Public DNS server as its 'forwarder' destination. This does, however, require you to alter your local system so that all DNS requests route through this local resolver. You would also have to configure your firewall to block external DNS requests to the system from other non-local systems if you haven't already done that, though, because you don't want others to use your computer as a DNS server. – Thomas Ward Jun 22 '18 at 13:56
  • (note that the solution in my other comment is technically OS-agnostic so long as you have a Linux system that can run bind9 or similar; it does, however, have its own caveats and configuration headaches depending on what networking / DNS management software is in use on your system) – Thomas Ward Jun 22 '18 at 13:57
  • So I tried changing the DNS nameserver using dnsmasq to 8.8.8.8, yet the entry still shows up, and the leak prevails... I set no-resolv and no-poll in dnsmasq.conf. journalctl -u dnsmasq confirms that 8.8.8.8#53 is used as the nameserver... any ideas for further debugging? – pandita Jun 29 '18 at 11:42
  • I also changed my DNS nameserver directly on my router. This time browserleaks only sees the Google DNS server, however it is still not routed via my VPN... – pandita Jun 29 '18 at 12:34
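The diagnosis in this answer can be checked mechanically: take the `ip route` table, do the same longest-prefix lookup the kernel does for each resolver in resolv.conf, and flag any resolver whose matching route does not leave via the tunnel interface. The following is an added example, not code from any poster here; it assumes the tunnel is `tun0` and uses a constructed route table in which 203.0.113.10 stands in for the VPN server.

```python
import ipaddress

# Constructed `ip route` output from a laptop on Wi-Fi (wlp3s0) with an
# OpenVPN tunnel up (tun0). A made-up sample, not captured from the asker's machine.
SAMPLE_IP_ROUTE = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlp3s0
"""

def parse_routes(text):
    """Parse `ip route` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dst, strict=False), dev, metric))
    return routes

def lookup(routes, address):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))

def find_dns_leaks(ip_route_text, nameservers, vpn_dev="tun0"):
    """Map each resolver to (matched route, device, leaks); leaks is True when
    queries to that resolver would leave through something other than vpn_dev."""
    routes = parse_routes(ip_route_text)
    report = {}
    for ns in nameservers:
        hit = lookup(routes, ns)
        if hit is None:  # no route at all (e.g. an IPv6 resolver with only v4 routes)
            report[ns] = (None, None, True)
        else:
            report[ns] = (str(hit[0]), hit[1], hit[1] != vpn_dev)
    return report
```

On a live system, feed it the output of `ip route` together with the `nameserver` entries from /etc/resolv.conf; with the asker's resolver 192.168.1.1 the /24 link route wins over the tunnel's /1 routes, which is exactly the leak, while 8.8.8.8 falls under 0.0.0.0/1 on tun0.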