Thread: DNS Leaking
Page 1 of 5, results 1 to 10 of 49

  1. #1 ctaranto (Master Untangler; joined Feb 2017; MA; 142 posts)

    DNS Leaking

    Just upgraded to 13.1 and love it so far.

    I configured the TunnelVPN app to work with my VPN provider (AirVPN) and it works nicely. I set up a rule for it to route a single device and that works fine.

    When using the AirVPN client, there is an option to route all DNS through the tunnel to prevent DNS leaking (virtually *all* traffic is routed through the VPN).

    When using TunnelVPN, the DNS calls leak to non-VPN sources. This can be seen by using any of the various DNS leak sites (http://dnsleak.com, https://www.dnsleaktest.com, etc.).

    Is there a current way to tunnel DNS calls? If not, is this something I should put into the feature request section?

    DNS leaking while using a VPN is a serious thing if privacy is of any concern.

    Thanks...
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  2. #2 TirsoJRP (Master Untangler; joined Oct 2010; 380 posts)

    Using Windows 10? AFAIK the only way is with aggressive Firewall rules.

  3. #3 ctaranto (Master Untangler; joined Feb 2017; MA; 142 posts)

    If using a client VPN solution, true. If using the TunnelVPN on Untangle, I would imagine Untangle should be able to control DNS, not the client.

    On my Win10 laptop, DNS points to the Untangle internal IP. Untangle should be able to tunnel DNS over the VPN.

    I also tested on my Mint 18 Linux server. Same result - DNS leaks.
    Last edited by ctaranto; 10-08-2017 at 01:41 PM.
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  4. #4 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 21,806 posts)

    Untangle uses the DNS you tell it to use. If you didn't create a firewall rule on Untangle to block use of all Internet based DNS sources, how exactly do you expect Untangle to redirect DNS?

    If you want lock down, you have to configure lock down. All the Tunnel VPN app does is set up a tunnel; it's up to you to enforce the use of it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]

  5. #5 ctaranto (Master Untangler; joined Feb 2017; MA; 142 posts)

    Quote, originally posted by sky-knight:
    Untangle uses the DNS you tell it to use. If you didn't create a firewall rule on Untangle to block use of all Internet based DNS sources, how exactly do you expect Untangle to redirect DNS?

    If you want lock down, you have to configure lock down. All the Tunnel VPN app does is set up a tunnel; it's up to you to enforce the use of it.

    That's correct. It does use the DNS I told it to use. My question is if there is an ability in the current 13.1 release to force the tunnel of DNS calls. Or, if not, should I add it as a request.

    If I insinuated that the feature isn't working properly, I apologize.

    How would one configure "lock down" of DNS only for devices that connect to the VPN, and only if the VPN is up?
    Last edited by ctaranto; 10-08-2017 at 02:17 PM.
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  6. #6 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 21,806 posts)

    Fully? I'm not entirely certain. For starters you're going to need to create a firewall rule that blocks everything destined to port 53. That won't impact Untangle at all, but it will prevent anything from getting to a DNS server through Untangle. Note once again, it doesn't prevent access to Untangle, or Untangle's ability to access remote DNS servers.

    Now the second step is a bit murkier... You can override your External interface DNS to the IP address of the DNS server at the VPN host; however, should you do so, DNS resolution when the tunnel is down dies. This may also permanently disable the tunnel if the tunnel itself uses a DNS name. If you leave External aimed at the ISP, Untangle will use the ISP DNS. Assuming the VPN provider adds another DNS when the VPN connection is made, that's great... but the way the DNS resolver works on most OSes is that any and all DNS servers can be used. So all that does is add the VPN provider's DNS to the list, and Untangle is just going to use whatever DNS server the resolver decides to use.

    I don't have v13.1 on my unit yet, and I have some crazy ideas that might work around this little catch, but without v13.1 to play with yet I cannot test, and I don't want to send you off on some wild goose chases. I just wanted to put out there earlier that the behavior you want is A) not easy, and B) not default.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]

  7. #7 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 21,806 posts)

    P.S. The entire use case of being "private" via a VPN provider might just be moot:

    https://www.bleepingcomputer.com/new...-with-the-fbi/

    So everyone can now state with certainty that PureVPN and WANSecurity aren't private.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]

  8. #8 ctaranto (Master Untangler; joined Feb 2017; MA; 142 posts)

    Quote, originally posted by sky-knight:
    I just wanted to put out there earlier that the behavior you want is A) not easy, and B) not default.

    Yep, that's what I thought based on the TunnelVPN interface. I was asking in case someone already knew and could suggest something I didn't think of yet.

    I would imagine all DNS requests from a client device are routed through Untangle. If the TunnelVPN had an option to "route DNS through the tunnel", that would solve the problem, I would imagine. The setting needs to follow the TunnelVPN app as opposed to the overall Untangle firewall for the exact issues you mentioned.

    For the time being, I will continue to use TunnelVPN, but without DNS also being tunneled, it's a bit less useful for my intended use.
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  9. #9 ctaranto (Master Untangler; joined Feb 2017; MA; 142 posts)

    Quote, originally posted by sky-knight:
    P.S. The entire use case of being "private" via a VPN provider might just be moot:

    https://www.bleepingcomputer.com/new...-with-the-fbi/

    So everyone can now state with certainty that PureVPN and WANSecurity aren't private.

    It is very important to pick a proper VPN service that takes security seriously.
    Untangle 13.1
    Protectli "Vault" Firewall Micro Appliance
    Intel J1900, 120GB mSata, 8GB RAM, 4 x Intel NICs

  10. #10 sky-knight (Untangle Ninja; joined Apr 2008; Phoenix, AZ; 21,806 posts)

    Quote, originally posted by ctaranto:
    Yep, that's what I thought based on the TunnelVPN interface. I was asking in case someone already knew and could suggest something I didn't think of yet.

    I would imagine all DNS requests from a client device are routed through Untangle. If the TunnelVPN had an option to "route DNS through the tunnel", that would solve the problem, I would imagine. The setting needs to follow the TunnelVPN app as opposed to the overall Untangle firewall for the exact issues you mentioned.

    For the time being, I will continue to use TunnelVPN, but without DNS also being tunneled, it's a bit less useful for my intended use.

    The thing is, by default all DNS requests aren't routed through Untangle; they are routed TO Untangle.

    DNSMasq will then answer those requests based on its configuration, and its configuration is determined by various factors. Every DNS source is added to the list, so the service, given a list of DNS servers to choose from, simply picks one on every request. How to dynamically control this behavior is beyond me at the moment. As I said, I have a few crazy ideas, but I don't have v13.1 to test with and I'd rather not send anyone off on wild goose chases. The forums are forever, and I'm getting too old and cranky to be correcting my own bad information years from now!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: [email protected]
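A defender-side check for the behaviour sky-knight describes in #6 and #10 (dnsmasq forwarding each request to whichever listed upstream it picks): an added example, not code from the thread or from Untangle, that scans dnsmasq `log-queries` output and reports every query from a VPN-routed client that was forwarded to a resolver outside the VPN provider's set. The log lines, the client 192.168.1.50 and the resolver addresses are constructed; attributing a `forwarded` line to a client via the most recent query for that name is a heuristic, since dnsmasq does not log the client on that line.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of dnsmasq "log-queries" output (not from the thread).
# 10.4.0.1 plays the VPN provider's resolver; 203.0.113.53 plays the ISP's.
SAMPLE_LOG = """\
Oct  8 13:41:02 gw dnsmasq[1234]: query[A] example.com from 192.168.1.50
Oct  8 13:41:02 gw dnsmasq[1234]: forwarded example.com to 10.4.0.1
Oct  8 13:41:05 gw dnsmasq[1234]: query[A] example.org from 192.168.1.50
Oct  8 13:41:05 gw dnsmasq[1234]: forwarded example.org to 203.0.113.53
Oct  8 13:41:09 gw dnsmasq[1234]: query[AAAA] example.net from 192.168.1.77
Oct  8 13:41:09 gw dnsmasq[1234]: forwarded example.net to 203.0.113.53
Oct  8 13:41:12 gw dnsmasq[1234]: query[A] cached.example from 192.168.1.50
Oct  8 13:41:12 gw dnsmasq[1234]: cached cached.example is 198.51.100.7
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")


def find_leaks(log_text, tunnelled_clients, vpn_resolvers):
    """Return (client, name, upstream) for every query from a tunnelled
    client that dnsmasq forwarded to a resolver outside the VPN set."""
    tunnelled = [ip_network(c) for c in tunnelled_clients]
    allowed = {ip_address(r) for r in vpn_resolvers}
    pending = {}  # name -> client that most recently asked for it (heuristic)
    leaks = []
    for line in log_text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending[q.group(2)] = ip_address(q.group(3))
            continue
        f = FORWARD_RE.search(line)
        if not f:
            continue  # "cached"/"reply" lines never reach an upstream
        name, upstream = f.group(1), ip_address(f.group(2))
        client = pending.get(name)
        if client is None or upstream in allowed:
            continue
        if any(client in net for net in tunnelled):
            leaks.append((str(client), name, str(upstream)))
    return leaks


if __name__ == "__main__":
    for client, name, upstream in find_leaks(SAMPLE_LOG, ["192.168.1.50/32"], ["10.4.0.1"]):
        print(f"LEAK: {client} resolved {name} via {upstream}")
```

Run it against the live log only after enabling `log-queries` on the dnsmasq instance; on a quiet link, every `forwarded ... to` line for the routed client should name a VPN-side resolver.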
