What is it?
Unfortunately, in certain configurations some applications and operating system functions use your local (ISP-assigned) DNS resolver instead of sending their lookups through the VPN or proxy. That is a DNS leak.
What does it mean to you?
It means that while all your content is passing through an encrypted connection, some of your DNS lookups could be going to your ISP's resolver. This means they could potentially tell which sites you visit from the DNS requests, and they could even block access to certain sites by blocking DNS resolution for those sites.
What is affected?
- VPN servers
- Socks proxies
What is not affected?
- CGI Proxies
- HTTP Proxies via ssh
Who is affected?
This is mainly an issue for older versions of Windows (XP/2k), but it can also happen with other operating systems in some situations. The test just shows that it is possible.
SOCKS users may find it happening because the application being used through the SOCKS proxy performs local lookups even with SOCKS v5 selected (with v5 the proxy is supposed to resolve names for you). Change apps or try Privoxy.
Can I test for it and see if it affects me?
There is a test you can run here. You can ignore everything but the IP address/server name: it is a test for a specific DNS vulnerability that may not be relevant to you at all, but it also shows DNS leaks, and that is what we are looking for here. The IP addresses and names are the only things you need to note. If one of those is your local resolver, you have the potential for a DNS leak.
What can you do about it?
You can set your DNS to use our DNS servers. By using our servers to handle DNS for you, the requests would not be logged by your ISP's DNS servers.
You can use someone else's DNS servers, like OpenDNS or Google's (it's probably a given that Google logs all and keeps it near forever for them to keep their finger on the "pulse" of the Internet).
However, no matter what you choose for DNS, if you are affected by a DNS leak then the requests will still be traveling in plaintext over the Internet, so they could be seen by an admin looking for them.
The best option (for VPN) is to adjust the bindings in XP/2k or, if it happens in Vista/Win7, to set a static IP (and in the most extreme instances additionally remove the DNS servers from the main interface).
Fixes:
Windows XP/2k
(You should be able to make this registry change to resolve the issue; if it does not work, follow the steps for Vista/Win7. The change moves the WAN adapter used by the VPN to the top of the TCP/IP binding order so it is preferred for DNS.)
Taken from MS TechNet:
- Click Start, click Run, type regedt32 in the Open box, and then click OK.
- Click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
- In the right pane, double-click Bind.
- In the Value data box, select the \Device\NdisWanIp item.
- Press Ctrl+X.
- Click the top of the list of devices, and then press Ctrl+V.
- Click OK, and then quit regedt32 and reboot.
- If you add or remove adapters, you'll need to do this all again.
XP and 2000 users stop and retest here; you may not need to go further. If the retest still fails, proceed to the Vista/Win7 instructions:
Vista/Win7
First connect to the VPN. This is very important if you have not entered the IP and name for the VPN server in your hosts file. Once connected, continue:
Get to an elevated command prompt
- Click Start, type cmd into the search box, and when you see it listed above, right-click on it and choose Run as administrator.
Find your primary interface name (we refer to it below as primaryinterface), IP address, subnet mask, and default gateway. You'll need this information to continue.
Create a quick backup of your settings
- Type: netsh interface ip dump > c:\netbackup.cfg
Set your primary interface IP to a static one if you are using DHCP (you can skip this if you are already using a static IP).
- Type: netsh interface ip set address "primaryinterface" static <ipaddress> <subnetmask> <default gateway> 1
If you don't set the IP static, DNS will just auto-renew via DHCP after we blank it below.
Flush your DNS cache
Stop and retest here; you may not need to go further. If the retest still fails, proceed:
Set the DNS server to none for the active interface (replace primaryinterface with your actual interface name, most often "Local Area Connection", but use whatever it said when you made it static)
- Type: netsh interface ip set dns name="primaryinterface" source=static addr=none
Leaks are definitely stopped by here: we have just disabled DNS on the main interface, so no lookup can leave through that adapter.
To go back:
For DHCP, type:
- netsh interface ip set address name="primaryinterface" source=dhcp
- netsh interface ip set dns name="primaryinterface" source=dhcp
For static, just reset DNS:
- netsh interface ip set dns name="primaryinterface" source=static addr=x.x.x.x primary
Note: If you have multiple active network adapters you may need to perform the above for each of the active adapters.
If you messed up completely and need to restore:
- Type: netsh exec c:\netbackup.cfg
Those who are advanced can create .bat files for this. You should also add hosts file entries for addresses you must resolve locally even if connected to the VPN, for example the VPN address, in case it disconnects and you want to immediately reconnect.
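As an added example (not part of the original instructions), here is one way to wrap the Vista/Win7 netsh steps above in a single .bat file with show, apply and restore modes. The interface name, IP address, subnet mask and gateway are placeholder values you must replace with the ones you found for your primary interface; c:\netbackup.cfg is the backup path used above, and ipconfig /flushdns is the standard Windows command for the "flush your DNS cache" step. Run it from an elevated command prompt with the VPN already connected.

```batch
@echo off
REM Added example helper for the Vista/Win7 steps; not part of the original page.
REM Run from an elevated command prompt, with the VPN already connected.
REM Placeholders: replace IFACE, IPADDR, MASK and GATEWAY with the values you
REM found for your primary interface.
setlocal
set "IFACE=Local Area Connection"
set "IPADDR=192.168.1.50"
set "MASK=255.255.255.0"
set "GATEWAY=192.168.1.1"
set "BACKUP=c:\netbackup.cfg"

if /i "%~1"=="show"    goto show
if /i "%~1"=="apply"   goto apply
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 show ^| apply ^| restore
exit /b 1

:show
REM Check step: list the DNS servers configured on every interface. A DNS
REM server still listed on the physical adapter while the VPN is up is the
REM path a leaking lookup would take.
netsh interface ip show dns
exit /b 0

:apply
REM 1. Back up the current IP configuration so it can be restored with netsh exec.
netsh interface ip dump > "%BACKUP%"
REM 2. Pin the interface to a static address so DHCP cannot hand DNS servers back.
netsh interface ip set address "%IFACE%" static %IPADDR% %MASK% %GATEWAY% 1
REM 3. Remove all DNS servers from the interface; lookups can no longer leave it.
netsh interface ip set dns name="%IFACE%" source=static addr=none
REM 4. Discard answers cached before the change (the "flush your DNS cache" step).
ipconfig /flushdns
exit /b 0

:restore
REM Put everything back from the backup taken in "apply".
netsh exec "%BACKUP%"
ipconfig /flushdns
exit /b 0
```

Run "dnsfix.bat show" before and after "dnsfix.bat apply" to confirm that the physical adapter no longer lists any DNS server; "dnsfix.bat restore" replays the backup if anything goes wrong. If you have several active adapters, repeat the apply step with each interface name, as the note above says.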
Edit hosts file
As always, the "hosts" file is under C:\windows\system32\drivers\etc\ or %systemroot%\system32\drivers\etc\ and hence cannot be edited by normal users.
To edit the hosts file, click Start, search for Notepad, right-click it and select Run as administrator. This should launch Notepad with elevated privileges. Now open the hosts file from the File menu, edit and save.
You'll want to enter the VPN's IP and name here so you can reconnect if it drops.
For questions on IP or name, contact helpdesk.