Stop DNS Leak

by richrose » Sat Oct 07, 2017 5:17 am
DNS Leak

When your browser or other program loads a link, image, file, or whatever, it needs to resolve the DNS address of it in order to load it. That DNS query, in the default state, is to your ISP, your Internet Service Provider. That's whomever you get your internet from, whether Comcast or AT&T or Time-Warner or whomever. Undoubtedly they can and do log every DNS query you make, thereby allowing anyone to see what you were looking at, where, and when. That's your entire browser and email history available to any yahoo with a warrant or not, even if you use the VPN for 100% of your traffic (hence the name "DNS Leak"). Congress was even going to mandate logging and tracking everything, recently. The workaround? Go into your adapters and your router advanced settings and point DNS to 3rd parties such as Google (8.8.8.8/8.8.4.4) or OpenDNS (208.67.222.222/208.67.222.220). Google doesn't save the log of your DNS queries for longer than 48 hours, thus it's harder to track you. And if they do get a warrant to see your activity, they try to tell you, perhaps except a FISA warrant you little terrorist you. OpenDNS is owned by Cisco, so...
by Info » Tue Oct 10, 2017 8:53 pm
richrose wrote:
DNS Leak

Google doesn't save the log of your DNS queries for longer than 48 hours, thus it's harder to track you.


This is not quite correct.

Google Public DNS saves temporary (24-48 hours) and permanent logs. A random subset of temporary logs are saved permanently. Temporary logs store the user's full IP address, however permanent logs do not.

Here is the info that is saved to Google's permanent log.

    Request domain name, e.g. www.google.com
    Request type, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc.
    Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS
    Client's AS (autonomous system or ISP), e.g. AS15169
    User's geolocation information: i.e. geocode, region ID, city ID, and metro code
    Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc.
    Whether the request hit our frontend cache
    Whether the request hit a cache elsewhere in the system (but not in the frontend)
    Absolute arrival time in seconds
    Total time taken to process the request end-to-end, in seconds
    Name of the Google machine that processed this request, e.g. machine101
    Google target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user's IP)

Full details about Google Public DNS privacy:
https://developers.google.com/speed/public-dns/privacy
by richrose » Wed Oct 11, 2017 1:11 pm
Thank you for the clarification.
by sysops » Fri Oct 13, 2017 11:57 am
Also note that DNS requests are sent over the internet non-encrypted, so any ISP/router in between you and your DNS server can see the source IP, and site that is being looked up. So even if you switch DNS to Google/whomever, your ISP will still see every request you make.

I'm also not sure why Google would be worth trusting with your DNS requests, but chances are they already know all the sites you're looking at anyway because Google Analytics tracking code is installed on most sites, or Google AdWords advertising code (same goes for Facebook w/ Like buttons, Twitter with Tweet buttons etc).

Best bet *is* to use a VPN, and use Sonic's Recursive DNS servers or just drop regular DNS altogether and use DNSCrypt on your computers and mobile phones.
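To make the "plain text over the internet" point concrete, here is an added example (not from any poster in this thread) that builds a standard UDP DNS query in RFC 1035 wire format and then decodes it the way a passive observer on the ISP path could, with no key needed. The packet is constructed locally by build_query(); it is not a real capture.

```python
import struct

# Constructed sample data only: the query bytes are generated by build_query(),
# standing in for what an on-path device would see in a plaintext UDP DNS lookup.

QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a recursive DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD bit set
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> dict:
    """Decode the question section exactly as an observer between client and resolver can."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # question section starts right after the fixed header
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "qname": ".".join(labels),          # the looked-up site, readable in the clear
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


if __name__ == "__main__":
    for name, qtype in [("www.google.com", 1), ("mail.example.net", 28)]:
        print(parse_query(build_query(name, qtype)))
```

Switching the resolver IP changes who answers, but every byte decoded here still crosses the ISP's link unencrypted unless the query is tunnelled (VPN) or the transport itself is encrypted.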
by richrose » Fri Oct 13, 2017 12:43 pm
Thank you. I'll do that. Thanks again.
by sysops » Fri Oct 13, 2017 1:13 pm
Most definitely. Good luck! See also Tor Browser if you haven't yet.

In the not so distant future I hope to share a comprehensive block list of advertisers, data analytics and mining companies, and all around dangerous marketers who collect and correlate all kinds of information between your home, work, and mobile devices. It's still a work in progress.
by danielg4 » Fri Oct 13, 2017 1:29 pm
sysops wrote:
Best bet *is* to use a VPN, and use Sonic's Recursive DNS servers or just drop regular DNS altogether and use DNSCrypt on your computers and mobile phones.

NO!
If you click that page, you will see it links to this page:
https://wiki.openwrt.org/inbox/dnscrypt
On this page you will see this prominent text:
If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN "leaks", this isn't the right tool either: the proper way to prevent VPN "leaks" is to avoid sending data to yet another third party: use a VPN service that operates its own DNS resolvers.

What you want to do instead is run Unbound over the VPN.
by sysops » Mon Oct 16, 2017 12:46 pm
danielg4 wrote:
sysops wrote:
Best bet *is* to use a VPN, and use Sonic's Recursive DNS servers or just drop regular DNS altogether and use DNSCrypt on your computers and mobile phones.

NO!
If you click that page, you will see it links to this page:
https://wiki.openwrt.org/inbox/dnscrypt
On this page you will see this prominent text:
If you are using it for privacy, it might do the opposite of what you are trying to achieve. If you are using it to prevent VPN "leaks", this isn't the right tool either: the proper way to prevent VPN "leaks" is to avoid sending data to yet another third party: use a VPN service that operates its own DNS resolvers.

What you want to do instead is run Unbound over the VPN.


I guess I should be more clear on that statement. The goal is to stop leaking DNS requests over the internet with or without VPN.

Best bet is to:
A) Use Sonic's VPN and Sonic's recursive DNS servers (the default for Sonic OpenVPN)
or
B) drop regular DNS on non-VPN clients and use DNSCrypt (and have some trust for your DNSCrypt resolver).

Unbound is still just a normal, caching DNS resolver, meaning when it gets a request it doesn't have the answer to (e.g. pretty much all of them), it still needs to look it up from somewhere in plain text over the internet over your ISP's link (unless the Unbound server is on a VPN).
by richrose » Mon Oct 16, 2017 3:02 pm
I found I couldn't log on to the VPN if the adapter was Sonic's recursive DNS. Thanks for the clarification.
by danielg4 » Mon Oct 16, 2017 8:21 pm
sysops wrote:
Unbound is still just a normal, caching DNS resolver, meaning when it gets a request it doesn't have the answer to (e.g. pretty much all of them), it still needs to look it up from somewhere in plain text over the internet over your ISP's link (unless the unbound server is on a VPN).

I specifically said "Unbound over the VPN," where Unbound's plaintext travels only over the VPN's encryption. Using DNSCrypt would add authentication to the encryption, requiring extra trust in the resolver provider that you don't need to give anyone when using the Unbound method.