OpenVPN - DNS Enquiry

Hello, people.

So... I've been a visitor to LET for a while, and have learnt an incredible amount over the last several years - so thanks! Now for a question of my own - I'm hoping that somebody can help, or at the very least point me in the right direction.

So, here's the situation. I'm pretty new to the entire concept of OpenVPN - I was made aware of the script that @nyr developed a while ago, but wanted to give the whole installation process a go from scratch so over the weekend started the (somewhat long) task on an idle server. Surprisingly, the majority went well (I can totally ping remote hostnames and everything!), but there are a couple of questions that I haven't been able to figure out the answers to.

During the process of carrying out some research into the Community edition of OpenVPN, it became apparent that several guides suggested that for additional security, a local resolver in the shape of dnsmasq should be installed. From then on, the user could manually define a set of DNS servers that dnsmasq could use to resolve hostnames, and then point the OpenVPN server config at the local interface that dnsmasq is listening on. In theory, does this method mean that when connected to the VPN no client requests would be seen by external DNS servers, and that only the IP of the VPN would send requests? What would be the difference (if any at all) of pushing a set of resolvers to the client directly, rather than providing them with the dnsmasq local interface in the server config?

Now, for the big one. :) Currently, I have my OpenVPN config set to push me Google's DNS resolvers upon a successful connection. My home network is currently set to use OpenDNS, and I've verified that these are in fact being pushed by heading to DNSLeakTest. My network is currently set up using a Netgear router, which is one of the models that responds to a DNS request for RouterLogin.net by returning the client its local gateway IP.

Now... for the thing that in my eyes makes no sense. When connected to the VPN and when issuing the RouterLogin.net URL from my address bar, the login page for my router is displayed. At first glance, this would seem to indicate that my router is somehow able to see the DNS requests that I'm querying, despite the fact that I'm connected through a VPN. I understand the concept of local vs public networking, but how in theory is it possible for my networking equipment to intercept my DNS requests while a VPN connection is active? Since the RouterLogin.net address is prefixed with "http://", surely no internal DNS requests should be sent, and my router shouldn't even know that a DNS query is being requested due to the fact that I'm sending encrypted data?

As mentioned above, it is entirely likely that I'm missing something really obvious - either way, I'd appreciate feedback!

Thanks, LETsperts.
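The two setups the post is weighing, side by side, as an added example (not taken from the thread, from nyr's script, or from any guide the poster read). The addresses are assumptions: 10.8.0.0/24 is the tunnel subnet, 10.8.0.1 is the server's own tun address, and the OpenDNS resolvers stand in for whatever upstream you pick.

```conf
# server.conf, variant 1: clients query the upstream resolvers themselves,
# but inside the tunnel. The upstream sees the VPN server's public IP,
# never the client's.
server 10.8.0.0 255.255.255.0
# send all client traffic through the tunnel
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Windows clients, OpenVPN 2.3.9 or newer: stop the LAN adapter's resolver
# from being used while the tunnel is up
push "block-outside-dns"

# server.conf, variant 2: clients query dnsmasq on the server's tun address.
# Same upstream view (the server's IP), plus a cache.
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
push "block-outside-dns"

# /etc/dnsmasq.conf for variant 2: a caching forwarder reachable only from
# inside the tunnel. Never let it bind the public interface, or you have
# built an open resolver.
interface=tun0
listen-address=10.8.0.1
bind-interfaces
# ignore /etc/resolv.conf and use only the upstreams listed here
no-resolv
server=208.67.222.222
server=208.67.220.220
cache-size=1000
```

Two caveats worth knowing before choosing. First, tun0 only exists while openvpn is running, so with bind-interfaces dnsmasq must start after it (on Linux, bind-dynamic avoids the ordering problem). Second, a pushed dhcp-option DNS is applied automatically by the Windows client, but a Linux client ignores it unless an up/down script (such as the update-resolv-conf script shipped with Debian's package) writes it into resolv.conf; a client that never applies the push keeps using whatever resolver it had before, typically the home router.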


Comments

  • jemaltz Member
    edited February 2016

    Did you try clearing your local DNS cache?

  • @jemaltz said:
    Did you try clearing your local DNS cache?

    Thank you for the suggestion - I've tried this on several devices, several of which have never accessed that particular domain and therefore wouldn't actually have that domain cached.

  • Can you do 'dig routerlogin.net' (in Mac/Linux) or nslookup on Windows?

  • @tehdan said:
    Can you do 'dig routerlogin.net' (in Mac/Linux) or nslookup on Windows?

    Sure - with nslookup, I get the following when connected to the VPN:

    Server: UnKnown
    Address: 10.8.0.1
    *** UnKnown can't find routerlogin.net: Query refused

  • Nyr Community Contributor, Veteran

    vpnuser said: for additional security, a local resolver in the shape of dnsmasq should be installed

    dnsmasq is not a local resolver per se (not a recursor), just a cache, among other features. Generally speaking, it doesn't affect security at all.

    Privacy could maybe be considered since queries are cached, but you would want a full recursive resolver if you really care about not using external NS.

    I wouldn't suggest setting up dnsmasq if you don't specifically need it (and you likely don't).

    vpnuser said: Now... for the thing that in my eyes makes no sense. When connected to the VPN and when issuing the RouterLogin.net URL from my address bar, the login page for my router is displayed. At first glance, this would seem to indicate that my router is somehow able to see the DNS requests that I'm querying, despite the fact that I'm connected through a VPN.

    routerlogin.net isn't up for me so I can't really check, but it shouldn't have anything to do with DNS at all. Any website can get your internal IP address under normal circumstances even while connected to an OpenVPN; this is not unexpected.

  • GM2015 Member
    edited February 2016

    Anything else besides WebRTC?

    Some javascript that scrapes content from known hosts/network interfaces file location?

    Nyr said: Any website can get your internal IP address under normal circumstances even while connected to an OpenVPN; this is not unexpected.

  • Thanks for the suggestions.

    @Nyr said:
    dnsmasq is not a local resolver per se (not a recursor) just a cache, among other features. Generally speaking, it doesn't affect security at all.

    Privacy could maybe be considered since queries are cached, but you would want a full recursive resolver if you really care about not using external NS.
    I wouldn't suggest setting up dnsmasq if you don't specifically need it (and you likely don't).

    I realise that dnsmasq is mainly intended for the purpose of caching, but wasn't sure of any possible benefits over pushing resolvers to the client directly. Would using dnsmasq in this way mean that the client's public IP is never sent to DNS, or am I misunderstanding this altogether?

    routerlogin.net isn't up for me so I can't really check, but it shouldn't have anything to do with DNS at all. Any website can get your internal IP address under normal circumstances even while connected to an OpenVPN; this is not unexpected.

    Was going to ask the exact same question as @GM2015 - this particular router was manufactured way before WebRTC was a thing, so what are these other methods! The things you learn...

  • GM2015 Member
    edited February 2016

    file:///etc/network/interfaces

    vpnuser said: Was going to ask the exact same question as @GM2015 - this particular router was manufactured way before WebRTC was a thing, so what are these other methods! The things you learn...

  • Nyr Community Contributor, Veteran

    vpnuser said: Would using dnsmasq in this way mean that the client's public IP is never sent to DNS, or am I misunderstanding this altogether?

    When directly pushing public resolvers to the client, all queries are made via the VPN, so the resolver sees the server IP: exactly the same as using dnsmasq.

    GM2015 said: Anything else except than webrtc?

    Nothing common that I know of.

  • @Nyr said:
    When directly pushing public resolvers to the client, all queries are made via the VPN, so the resolver sees the server IP: exactly the same as using dnsmasq.

    Thanks for the clarification - in that case, I see no sense in continuing to use dnsmasq. On the upside... I guess that equals slightly more free memory for me! :)

    That said, the question still remains - how is it possible for any local devices to see the DNS queries that a client on the same network is sending if they're behind a VPN?

  • Nyr Community Contributor, Veteran

    vpnuser said: how is it possible for any local devices to see the DNS queries that a client on the same network is sending if they're behind a VPN?

    They don't if the client sends them through the VPN. Additionally, you don't need to see the queries to reveal the client's internal IP, in case it wasn't clear to you.

  • @Nyr said:
    I wouldn't suggest setting up dnsmasq if you don't specifically need it (and you likely don't).

    What about performance? Better to get DNS results from your VPN endpoint than to start the journey to some other DNS servers from that endpoint. No?

  • @Nyr said:
    They don't if the client sends them through the VPN. Additionally, you don't need to see the queries to reveal the client's internal IP, in case it wasn't clear to you.

    That's what I assumed - if that is the case though, how is my router able to intercept my request to the RouterLogin.net hostname through its own DNS server and redirect me to the local IP gateway?

  • @tehdan said:
    Can you do 'dig routerlogin.net' (in Mac/Linux) or nslookup on Windows?

    After reconfiguring my config to push the OpenDNS resolvers directly, performing an nslookup now shows that queries are being sent through OpenDNS. So... how can this be possible!

  • Nyr Community Contributor, Veteran

    jemaltz said: What about performance? Better to get DNS results from your VPN endpoint than to start the journey to some other DNS servers from that endpoint. No?

    Caching with dnsmasq provides faster but older queries. Personally, I don't cache my DNS at the server and go directly with some reliable public recursors.

    vpnuser said: That's what I assumed - if that is the case though, how is my router able to intercept my request to the RouterLogin.net hostname through its own DNS server and redirect me to the local IP gateway?

    No idea about how routerlogin.net works, it doesn't resolve for me.

  • vpnuser Member
    edited February 2016

    The following link should give you an idea of how it works.

    http://www.network-builders.com/www-routerlogin-net-t109982.html

    The site itself appears down from here as well - it's the local traffic that I'm interested in, however.

    @nyr

  • Nyr Community Contributor, Veteran

    Looking at that, if you could reach routerlogin.net, it would likely mean a DNS leak.

  • Nyr said: No idea about how routerlogin.net works, it doesn't resolve for me.

    I'm guessing that this is in a hosts file on the router and gets added to all requests.

  • Nyr Community Contributor, Veteran

    Ole_Juul said: I'm guessing that this is in a hosts file on the router and gets added to all requests.

    Seems like it's intercepted by the router one way or another. Still, shouldn't happen if DNS aren't leaking and are used only through the VPN.

  • Nyr said: Seems like it's intercepted by the router one way or another. Still, shouldn't happen if DNS aren't leaking and are used only through the VPN.

    I use a VPN and I put a hosts file in my outward facing router which gets queried on all requests. This is necessary so that I can talk to the other computers on the lan without stopping the VPN on this computer which would cause major havoc because of all the live connections. Frankly, I don't understand why someone wouldn't do this. It's the simplest solution, and to my mind the safest and easiest to administer.

  • Abdussamad Member
    edited February 2016

    vpnuser said:

    Now... for the thing that in my eyes makes no sense. When connected to the VPN and when issuing the RouterLogin.net URL from my address bar, the login page for my router is displayed. At first glance, this would seem to indicate that my router is somehow able to see the DNS requests that I'm querying, despite the fact that I'm connected through a VPN. I understand the concept of local vs public networking, but how in theory is it possible for my networking equipment to intercept my DNS requests while a VPN connection is active? Since the RouterLogin.net address is prefixed with "http://", surely no internal DNS requests should be sent, and my router shouldn't even know that a DNS query is being requested due to the fact that I'm sending encrypted data?

    A few possibilities:

    A) Cached results as @jemaltz suggested. Clear your browser DNS cache and your OS level cache.

    B) Check what resolving DNS server you are using on your system. It may be you have your system configured to forward queries to the router and are disregarding the DNS servers pushed by OpenVPN.

    C) Check your OS routing table to ensure that all traffic is going through the VPN. You most likely have an exception for the router's IP address which is ok. But that coupled with A. is probably why you are seeing your router login page for that domain name.

    D) Check your hosts file. If you have a static mapping there then no DNS server is queried at all.
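The four checks above turned into one script, as an added example that is not from the thread. It answers the question the thread keeps circling: for a given name, does the query ever leave the client as a DNS packet, which resolver receives it, and does the route to that resolver go over tun0 or straight out the LAN interface to the router? The hosts file, both resolv.conf variants and the `ip route` dump below are constructed so the script runs offline; on a real client point the functions at /etc/hosts, /etc/resolv.conf and the output of `ip route`. The tunnel subnet 10.8.0.0/24, the LAN 192.168.1.0/24 and the VPN endpoint 203.0.113.10 (a documentation address) are assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Sample files are constructed below.

# D) a static hosts entry means no DNS packet is sent at all
hosts_lookup() {   # hosts_lookup NAME HOSTSFILE -> IP, or nothing
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) { print $1; exit } }
    ' "$2"
}

# B) the resolver(s) the stub resolver will actually send queries to
resolvers() {      # resolvers RESOLVCONF -> nameserver IPs, one per line
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# C) longest-prefix match over an `ip route` dump: which interface and next hop
# carry a packet to IP. Handles "default" and the 0.0.0.0/1 + 128.0.0.0/1 pair
# that redirect-gateway def1 installs.
route_for() {      # route_for IP ROUTEFILE -> "IFACE NEXTHOP" (NEXTHOP is "direct" when on-link)
    awk -v ip="$1" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN { best = -1; ipn = toint(ip) }
        {
            if ($1 == "default") { net = 0; len = 0 }
            else { n = split($1, d, "/"); net = toint(d[1]); len = (n == 2) ? d[2] + 0 : 32 }
            shift = 2 ^ (32 - len)
            if (int(net / shift) != int(ipn / shift)) next
            if (len > best) { best = len; line = $0 }
        }
        END {
            if (best < 0) exit 1
            m = split(line, f, " "); dev = "?"; via = "direct"
            for (i = 1; i <= m; i++) { if (f[i] == "dev") dev = f[i+1]; if (f[i] == "via") via = f[i+1] }
            print dev " " via
        }' "$2"
}

# A query that resolves via a LAN-side path is the one the router can intercept.
dns_path() {       # dns_path NAME HOSTSFILE RESOLVCONF ROUTEFILE
    ip=$(hosts_lookup "$1" "$2")
    if [ -n "$ip" ]; then
        echo "hosts:$ip (no DNS query is sent)"
        return 0
    fi
    resolvers "$3" | while read -r ns; do
        echo "resolver $ns via $(route_for "$ns" "$4")"
    done
}

# ---- constructed sample input ----
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOSTS="$WORK/hosts"; RESOLV_OK="$WORK/resolv.ok"; RESOLV_LEAK="$WORK/resolv.leak"; ROUTES="$WORK/routes"

cat > "$HOSTS" <<'EOF'
127.0.0.1   localhost
# constructed: deliberately no routerlogin.net entry
EOF
# resolv.conf as it should look once the pushed resolver has been applied
printf 'nameserver 208.67.220.220\n' > "$RESOLV_OK"
# resolv.conf still pointing at the home router (case B)
printf 'nameserver 192.168.1.1\n' > "$RESOLV_LEAK"
# `ip route` on a client after redirect-gateway def1: the two /1 routes cover
# everything except the LAN and the host route to the VPN server itself
cat > "$ROUTES" <<'EOF'
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
EOF

dns_path routerlogin.net "$HOSTS" "$RESOLV_OK"   "$ROUTES"   # resolver 208.67.220.220 via tun0 10.8.0.1
dns_path routerlogin.net "$HOSTS" "$RESOLV_LEAK" "$ROUTES"   # resolver 192.168.1.1 via eth0 direct
```

The second line of output is the leak case: the resolver is the router, the route to it is on-link over eth0, so the query leaves the machine in plaintext on the LAN where the router can answer routerlogin.net however it likes. The first case sends the query to 208.67.220.220, which the /1 route carries into tun0, and the router only ever sees OpenVPN payload.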

  • Thank you for all of your suggestions, people - I knew the LETsperts would be ready, as always. :)

    @Nyr said:
    Looking at that, if you could reach routerlogin.net, it would likely mean a DNS leak.

    At first glance, I agree - that would be the most plausible explanation. However, when connected to the VPN and an nslookup is performed, I get OpenDNS returned as the current resolver in use.

    @Ole_Juul said:
    I use a VPN and I put a hosts file in my outward facing router which gets queried on all requests. This is necessary so that I can talk to the other computers on the lan without stopping the VPN on this computer which would cause major havoc because of all the live connections. Frankly, I don't understand why someone wouldn't do this. It's the simplest solution, and to my mind the safest and easiest to administer.

    I understand this approach. Maybe I'm being too specific with the RouterLogin.net example - if you're always behind a VPN, however, how is it even possible for your router to see the DNS requests you're making on the LAN? I have no local entries present in my operating system's individual hosts file, which is why this entire situation makes no sense... to me, at any rate.

  • vpnuser said: if you're always behind a VPN, however, how is it even possible for your router to see the DNS requests you're making on the LAN?

    Do you have some special way to circumvent your router for your DNS requests? You didn't mention any - or did I miss that? I'm pretty sure what is happening is it is intercepting DNS port requests (UDP 53) and adding routerlogin.net. Believe me, that works. I do it here. That is why I can access my local lan from my computer at the same time as running it through a VPN. If I don't do it that way, I can't access other local computers.

    If your DNS requests are not encrypted, anybody can grab them. In fact your ISP (or some unknown actor) could rewrite some of them without you knowing. As you now see, you can't even trust your router. :)
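What a router doing this actually has to do, as an added example rather than anything posted in the thread. The LAN interface name br-lan and the LAN address 192.168.1.1 are assumptions (OpenWrt-style naming); the nat rules are in iptables-restore format and the address line is for the dnsmasq instance most home routers run.

```conf
# /etc/dnsmasq.conf on the router: answer routerlogin.net with the LAN address,
# which is what the Netgear behaviour described in the thread amounts to
address=/routerlogin.net/192.168.1.1

# nat table: redirect any plaintext DNS that arrives from the LAN to the
# router's own resolver, whichever server the client meant to ask
*nat
-A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to-destination 192.168.1.1:53
-A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to-destination 192.168.1.1:53
COMMIT
```

The DNAT only matches packets that leave the client addressed to port 53 on the LAN interface. A query the client sends inside the tunnel arrives at the router as OpenVPN payload addressed to the server's port (UDP 1194 by default) and is never redirected. So if the router is still able to answer routerlogin.net while the tunnel is up, some query reached it outside the tunnel, which is the point the thread is converging on.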

  • Ole_Juul said:

    Do you have some special way to circumvent your router for your DNS requests? You didn't mention any - or did I miss that? I'm pretty sure what is happening is it is intercepting DNS port requests (UDP 53) and adding routerlogin.net. Believe me, that works. I do it here. That is why I can access my local lan from my computer at the same time as running it through a VPN. If I don't do it that way, I can't access other local computers.

    If the openvpn client is running on his PC then the router only sees encrypted packets and can't intercept or MITM anything. But nowadays most routers can also act as openvpn clients. So the question is whether he's running openvpn on his PC or his router? Care to enlighten us @vpnuser?

  • tehdan Member
    edited February 2016

    any chance your router is giving out IPv6 and/or itself as an IPv6 DNS server?

  • tehdan Member
    edited February 2016

    edit:oops

  • Abdussamad said: If the openvpn client is running on his PC then the router only sees encrypted packets and can't intercept or MITM anything.

    1/ I am not running OpenVPN on my router.

    2/ I'm running OpenVPN on this machine.

    3/ My router intercepts UDP port 53.

    4/ I can ping and connect locally using the entries I put in a file on the router.

    5/ :)

  • Ole_Juul said:

    1/ I am not running OpenVPN on my router.

    2/ I'm running OpenVPN on this machine.
    3/ My router intercepts UDP port 53.
    4/ I can ping and connect locally using the entries I put in a file on the router.
    5/ :)

    Then you have one of A to D going on that I listed in my previous comment. For example it could be B and you've willingly set the router as the DNS resolver on your system.

    However as I pointed out before if all traffic is being routed over the VPN connection and the connection is between a PC and a remote system then nothing can MITM that connection because all the packets are encrypted. Data packets pass through many routers on the internet not just your home router. If somehow these routers could change the data then there would be no point to this whole VPN business.

  • Once again, thank you for all of your comments. Just to clarify several aspects about my setup:

    I'm running my OpenVPN daemon on a Ubuntu-based machine that's not connected to my LAN (I'm connecting directly to its IP). I have no entries in my local hosts file, and nothing whatsoever in my router.

    In terms of DNS, performing an nslookup on routerlogin.net whilst connected to my VPN's tunnel produces the following output:

    Server: resolver2.opendns.com
    Address: 208.67.220.220

    Name: routerlogin.net

    As you can see, this appears to show the query passing directly to OpenDNS; performing the same lookup whilst disconnected from my VPN shows, as expected, my router's default gateway as the resolver.

    As @Abdussamad rightly pointed out, my current understanding is that if a set of resolvers is explicitly pushed to the client via OpenVPN's server config the router should not be able to see any traffic that passes through it. @Ole_Juul - do you perhaps have your current config set to not push any DNS to the client?

    @nyr - it would appear that you know your stuff on this... any further insights that you can offer?

    Once again, I really appreciate the response so far - it's just this final issue that I'm somewhat confused with. It may seem trivial, but I'd like to understand how certain queries appear to be bypassing my VPN if at all possible.

    Thanks. :)
