
Thread: DNS Leaking

  1. #11
     malvivent7 (Untangler; joined Jan 2012; Ferrara, Italy; 48 posts)

    I don't know if my experience can help, but anyway this is my config on Untangle to avoid DNS leaks:
    all my road-warrior OpenVPN clients belong to the default group, in which I checked "FullTunnel" and "PushDns" as in the screenshot I attach (Cattura.PNG), and then I modified the OpenVPN advanced config client section as in the second screenshot I attach (Cattura2.PNG). With this config DNS is tunneled into the VPN and no DNS leak happens.

  2. #12
     malvivent7 (Untangler; joined Jan 2012; Ferrara, Italy; 48 posts)

    I see that this thread is about TunnelVPN; my example is for OpenVPN. Sorry in advance for my mistake.

  3. #13
     ctaranto (Master Untangler; joined Feb 2017; MA; 114 posts)

    Quote originally posted by sky-knight:
        The thing is, by default all DNS requests aren't routed through Untangle, they are routed TO Untangle.
    That makes sense. When I use the VPN client on my Linux box, the VPN client will change resolv.conf when starting the VPN to the DNS IP of the VPN tunnel (and change it back to the internal IP of the Untangle box when shutting it down). Untangle doesn't change/modify DNS when it's being pushed over the tunnel because traffic is already encrypted before it reaches Untangle.

    Quote originally posted by sky-knight:
        DNSMasq will then answer those requests based on its configuration, and its configuration is determined by various factors. Every DNS source is added to the list, so the service, given a list of DNS servers to choose from, simply picks one on every request. How to dynamically control this behavior is beyond me at the moment. As I said, I have a few crazy ideas but I don't have v13.1 to test with and I'd rather not send anyone off on wild goose chases. The forums are forever, and I'm getting too old and cranky to be correcting my own bad information years from now!
    While I am competent in general networking, changing DNSMasq settings/options is not my strong suit. All my devices point to the internal IP of the Untangle box for DNS, so there aren't any specific DNS servers being passed to Untangle. All devices rely on Untangle to figure it out. And it does, by using one of the two DNS servers I have configured on the WAN side of Untangle. Because Untangle controls the internal-to-external (and vice versa) communications, as well as the tunnel, it should be able to figure out the traffic that is destined for the tunnel, hijack the DNS request, and push it over the tunnel.

    Perhaps I'm trivializing this.
    Last edited by ctaranto; 10-09-2017 at 01:32 PM.
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  4. #14
     sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 21,643 posts)

    You are to a degree trivializing it. But if you dig into Untangle, you'll see why things get a little crazy.

    resolv.conf isn't set to any DNS server out in the world, it's set to localhost. DNSMasq has server directives that point it at the servers in the world it forwards to. Which is where we get the confusion, because Untangle isn't working like your Linux endpoints do.

    So at this point we have to figure out how to build a DNS resolution path for your clients that can be forced to use the tunnel while it's online, but falls back to something else when necessary.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
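As an added illustration of the point above about dnsmasq server directives, here is a stand-alone dnsmasq.conf fragment. It is not Untangle's generated configuration (Untangle manages its own dnsmasq config), and the resolver addresses and interface name are assumptions chosen for the example:

```conf
# Added example, not Untangle's dnsmasq.conf. Addresses are constructed
# (203.0.113.0/24 is a documentation range); the tunnel interface is assumed to be tun0.
no-resolv                    # ignore /etc/resolv.conf; only server= lines below are used

# Variant A (leaky): both upstreams are in the list. dnsmasq by default sends a
# query to any upstream it believes is up, so some queries go out over the WAN
# even while the tunnel is up.
server=203.0.113.2           # WAN-side resolver
server=10.8.0.1              # resolver reachable only inside the tunnel

# Variant B (pinned, fails closed): comment out variant A and keep only this.
# Queries are sourced on tun0 and go only to the tunnel resolver. When tun0 is
# down, resolution fails rather than falling back to the WAN, which is the
# "what happens if the tunnel goes down" problem raised later in this thread.
#server=10.8.0.1@tun0
```

Use one variant or the other, not both, since appending the pinned line to variant A leaves the WAN resolver in the candidate list.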

  5. #15
     Untangler (name not shown; joined Mar 2017; 63 posts)

    I'm not using TunnelVPN, so I'm shooting without aiming. Wouldn't it be possible to tag hosts routed through the tunnel and then block any traffic to UDP 53 except to the VPN provider's DNS for those tagged hosts? My VPN provider clearly states which name servers to use, one with a public IP address and another with a private one, reachable through OpenVPN. Since they are known, I can preset a rule for tagged hosts.
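The exchange above makes two points a practitioner will want to see together: LAN clients send DNS to the gateway's dnsmasq, which then forwards upstream as itself (posts #13 and #14), and a per-host "port 53 only to the provider's resolvers" rule (post #15) only sees the client-originated hop. The following is an added example, not Untangle code and not Untangle's log format: it audits constructed flow records, names the DNS path each one takes, and shows which records the proposed rule would drop. The gateway address, tunneled hosts, provider resolvers, interface names and record format are all assumptions.

```python
"""DNS-leak audit over constructed flow records around a policy-based VPN tunnel.

Added example for this thread; not Untangle's code or log format.
"""
from collections import Counter
import ipaddress
import re
from typing import Dict

# Assumed topology (constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
GATEWAY = ipaddress.ip_address("192.168.1.1")          # the Untangle box, runs dnsmasq
TUNNELED_HOSTS = {ipaddress.ip_address(a) for a in ("192.168.1.50", "192.168.1.51")}
PROVIDER_DNS = {ipaddress.ip_address(a) for a in ("10.8.0.1", "198.51.100.53")}
TUNNEL_IFACE = "tun0"

# Constructed flow-record format, one record per line.
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)\s+out=(\S+)")

SAMPLE_LOG = """\
src=192.168.1.50 dst=192.168.1.1 proto=udp dport=53 out=local
src=192.168.1.1 dst=203.0.113.2 proto=udp dport=53 out=eth0
src=192.168.1.51 dst=203.0.113.3 proto=udp dport=53 out=eth0
src=192.168.1.51 dst=10.8.0.1 proto=udp dport=53 out=tun0
src=192.168.1.20 dst=192.168.1.1 proto=udp dport=53 out=local
src=192.168.1.50 dst=10.8.0.1 proto=tcp dport=443 out=tun0
"""


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record into typed fields."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, proto, dport, out = m.groups()
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(dport),
        "out": out,
    }


def is_dns(flow: Dict[str, object]) -> bool:
    return flow["proto"] in ("udp", "tcp") and flow["dport"] == 53


def classify(flow: Dict[str, object]) -> str:
    """Name the DNS path a flow takes relative to the tunnel policy."""
    if not is_dns(flow):
        return "non-dns"
    if flow["src"] == GATEWAY:
        # dnsmasq forwarding upstream on its own behalf: the LAN client that asked
        # is not visible in this record, so a per-host rule cannot act on it here.
        return "gateway-forward-tunnel" if flow["out"] == TUNNEL_IFACE else "gateway-forward-wan"
    if flow["src"] in TUNNELED_HOSTS:
        if flow["dst"] == GATEWAY:
            return "tunneled-host-via-gateway"    # the default path: DNS goes TO the gateway
        if flow["dst"] in PROVIDER_DNS and flow["out"] == TUNNEL_IFACE:
            return "tunneled-host-direct-tunnel"  # host itself configured for the provider resolver
        return "tunneled-host-leak"               # direct query leaving on a non-tunnel path
    return "untunneled-host"


def proposed_rule_blocks(flow: Dict[str, object]) -> bool:
    """Post #15's rule: tagged hosts may reach port 53 only at the provider's resolvers."""
    return is_dns(flow) and flow["src"] in TUNNELED_HOSTS and flow["dst"] not in PROVIDER_DNS


def audit(log_text: str) -> Dict[str, object]:
    """Count each DNS path and how many records the proposed rule would drop."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    classes = Counter(classify(f) for f in flows)
    blocked = [f for f in flows if proposed_rule_blocks(f)]
    return {
        "classes": dict(classes),
        "blocked_by_rule": len(blocked),
        # WAN-bound forwards whose source is the gateway: the rule never sees these.
        "unattributed_wan_forwards": classes["gateway-forward-wan"],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two records in the constructed log are worth reading closely. The second (gateway to a WAN resolver on eth0) is the leak the thread is actually about, and it is invisible to a tagged-host rule because the source is the gateway. The first (tagged host to the gateway) is dropped by the rule as literally stated, so a host under that rule has to be pointed at the provider's resolver itself, which is the "configure your host" answer given later in the thread.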

  6. #16
     ctaranto (Master Untangler; joined Feb 2017; MA; 114 posts)

    Any suggestions from the Untangle support crew?

    Is it possible to not leak DNS with TunnelVPN?

    Is it possible to add a "force DNS over tunnel" option to TunnelVPN?

  7. #17
     Master Untangler (name not shown; joined May 2010; 416 posts)

    If you want a definite answer from Untangle, I highly suggest submitting a support ticket instead of handling in the forums. They will probably chime in at some point on this thread, but official answers from Untangle are better gotten through official support tickets.

  8. #18
     ctaranto (Master Untangler; joined Feb 2017; MA; 114 posts)

    Thanks for the suggestion. I filed a ticket and referenced this thread.

  9. #19
     dmorris (Untangle Junkie; joined Nov 2006; San Carlos, CA; 16,489 posts)

    You can configure your host to use whatever DNS you like, through the tunnel or otherwise.

    Untangle itself has no capability to dynamically reconfigure its own DNS settings based on a tunnel being up or down.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  10. #20
     ctaranto (Master Untangler; joined Feb 2017; MA; 114 posts)

    Thanks for getting back to me. Though I'm disappointed this isn't possible.

    It makes the TunnelVPN app a bit less useful, as it becomes less transparent to users and puts the burden of device configuration on the user of the device. It also complicates the Windows use case, since DNS on Windows has a terrible implementation.

    While technically a solution, the problem with configuring the device to use the tunnel DNS is what happens if the tunnel goes down. Since it is entirely outside the purview of the user, the experience is less than ideal (i.e. no internet access for an unknown reason).

    Thanks again...
