I don't really understand what DNS is. How is it connecting before my VPN?
DNS is name resolution. The internet doesn't know what Google.com is. It only knows IP addresses. So when you go to a site the request has to go to a resolver to figure out what the IP address is and then direct you to it.
When half of the internet breaks because Cloudflare is down, that's DNS.
DNS doesn't reveal content but it does reveal intent. Where are you going? Gmail? Porn Hub?
When you connect to WiFi a lot of things happen in the background, in order. It gets network settings. System processes and apps immediately start resolving domains. Finally your VPN app finishes starting and takes over routing.
If DNS is not explicitly forced into the VPN, those early lookups go to whatever DNS the WiFi handed out. Hotel. Airport. That is the leak.
How do I make sure that DNS is going through my VPN? I have Mullvad
DNS leak test sites. Load the site with and without VPN to confirm it saw different IP and DNS.
Easy peezy


I would not trust my VPN providers leak tester.
Nothing against mullvad just a matter of principle to separate testing from the service itself.
Where else can I test it?
I don't think you are hearing me. That test is telling you the status NOW. Not at connection. Leaks happen:
- During network join
- During captive portal checks
- During OS service startup
- Before the VPN hooks routing and DNS
By the time you're connected and run this test, the damage may already be done.
So how do I find out or make sure the DNS is going through my VPN first?
I ran an extended test but don't understand what these results mean. 6 queries. Progress just says '……' for all of them. Servers found is 1 for all queries. Host name says none.
- Enable VPN kill switch so it blocks all traffic when the tunnel is down
- Set the VPN as default route before network comes up (always on VPN)
- Disable OS fallback DNS and captive portal probes if possible
- Push DNS through the tunnel explicitly (VPN provided DNS or your own over the tunnel)
- Possibly overkill but useful for peace of mind. Block port 53 outside the tunnel with firewall rules
If DNS can't reach anything unless the VPN interface is up, then it's working.
I've covered this a couple of times but the confusion is making me think this is one of those times when I think I'm being clear but I'm actually not. I might have to write a guide just for this question.
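One way to implement the "block port 53 outside the tunnel" step from the list above, so that DNS genuinely cannot reach anything unless the VPN interface is up. This is an added example, not code from any poster or from Mullvad; it assumes Linux with nftables, and the tunnel interface name is a placeholder you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): an nftables ruleset that only lets
# DNS traffic (plain port 53 and DNS-over-TLS port 853) leave via the VPN
# tunnel interface. Lookups made before the tunnel is up, or after it
# drops, are refused and counted instead of going to the WiFi's resolver.
# Assumption: the tunnel interface name is a placeholder; Mullvad's
# WireGuard interface is commonly "wg0-mullvad", so it is the default here.

# Print the ruleset for the given tunnel interface without applying it.
dns_fence_ruleset() {
    iface="${1:-wg0-mullvad}"
    cat <<EOF
table inet dnsfence {
  chain output {
    type filter hook output priority 0; policy accept;
    # local stub resolvers (systemd-resolved, dnsmasq) stay usable
    oifname "lo" accept
    # DNS may only leave through the tunnel
    oifname "$iface" udp dport { 53, 853 } accept
    oifname "$iface" tcp dport { 53, 853 } accept
    # any other attempt to resolve outside the tunnel is dropped and counted
    udp dport { 53, 853 } counter drop
    tcp dport { 53, 853 } counter drop
  }
}
EOF
}

# Apply the ruleset (needs root). Afterwards the drop counters reveal
# leak attempts:  nft list chain inet dnsfence output
dns_fence_apply() {
    dns_fence_ruleset "$1" | nft -f -
}

# Self-check: does the generated ruleset pin DNS to the given interface?
dns_fence_check() {
    dns_fence_ruleset "$1" | grep -Fq "oifname \"$1\" udp dport { 53, 853 } accept"
}
```

This covers plain and DNS-over-TLS resolvers only; a DNS-over-HTTPS resolver on port 443 is not caught by a port rule, which is why the list also says to push DNS through the tunnel explicitly.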
You have to compare connected and unconnected to VPN. Every single result should be different. Any matching address is a leak.
Make sure to shut down every naughty VPN only thing before disconnecting.
just don't incriminate online unless you have a p2p personal code & even then deependz*\*ya
You can run a local DNS resolver or use a cloud based one like NextDNS. You should have it in your router and phone settings, not just VPN service.
Yeah a lot of this is going over my head. A guide would be helpful because idk what most of these things are.
Naughty vpn?
Anyone here speak english?
Meaning the kind of things you definitely don't want your ISP to see. For example don't forget to turn off your torrents before disabling your VPN.
You can go to the NextDNS website and test their free service. All setup options on their website for each device. Without encrypted DNS, you share with Google each website you visit.
I run NextDNS inside Mullvad inside Tailscale, that'll fuck you up
Seriously though, DNS isn't that important in the scheme of things.
But if you want to understand part of the Internet, you can run your own DNS server on a Raspberry Pi.
PiHole is a good start, you can then evolve to Unbound to see under the hood.
But also not caring is an option.
Yeah I'm not following. Are there any guides or resources/video tutorials on this subject that explain this from the beginning? I've heard about DNS problems and how cloudflare is evil before but it's time I actually learn about it.
Why do you recommend not caring? Why is DNS not that important? Is it because they still can't see what you do on the website but just know that you accessed that website?
All your data is being collected and automatically analysed by the 14 eyes.
If you want to obfuscate that you can and you can go to ever greater and greater lengths to achieve that. But for most people they are just un-retrieved data in the world's largest data set.
If you become of interest, even Tor can't stop a co-ordinated surveillance. Like most security (physical and digital) the rabbit hole is infinite and it's best to balance usability with security.
You could secure your home with 20 locks on your front door every time you leave home and while that would give you more protection than one simple Yale lock, it doesn't stop a determined intruder, but it does make it extremely difficult for you to come and go from your house.
Understanding Internet security can be deeply interesting, but, if you are simply worried about being tracked and logged, don't be, you are tracked and logged as is everybody. By increasing your security, you're just making your neighbour an easier target than you.
Also, this AI summary of TLS / SSL usage is broadly true, meaning that even on regular Internet traffic only meta data is analysable:


See I wanna try to strike that balance well because I tend to obsess and go paranoid over the tiny details. To the point where it negatively affects my life.
This reminds me of something. Sometimes my browser blocks websites that don't have https. But it is random. If I enter the website despite the warning, it ends up redirecting to https anyway. Is that a malicious decision by the website owner?
As a driver, it's better to understand the mechanics of how an engine works than not. But if you don't it doesn't really matter.
Normally browsers only warn if a site doesn't employ HTTPS.
Most browsers, however, actively block access if the site has an expired or self signed certificate.
You can normally bypass this on the advanced tab shown on the browser's window.
It is common for self hosted sites to use self signed certificates.
Yeah that's how I would bypass it using advanced but after I bypass, it says https. Never understood why that happened and just assumed the website was retarded. But this DNS talk makes me think maybe they're trying to find a leak or something.
A centrally issued certificate is using trusted private keys from an organisation like:
A self signed certificate is like your NOSTR set of keys, completely secure encryption, but you're trusting an unknown signer.
N.B. On NOSTR, you are using your keys to sign your posts. But nobody knows who you are on a website SSL certificate.
As for DNS, apart from the idea of using DNS servers NOT supplied (and therefore monitored) by your ISP, there are two security layers available:
1. Encrypted DNS, just under 50% of DNS traffic is encrypted
2. DNSSEC, or signed DNS, meaning the information provided has been signed by the DNS authority to be valid, meaning it can't be spoofed by a man in the middle attack.
This has a very low adoption rate, as you can see below at less than 5%, as reported by my NextDNS control panel.


Let's Encrypt: Let's Encrypt is a free, automated, and open Certificate Authority brought to you by the nonprofit Internet Security Research Group (ISRG).
Most of that went over my head but zapped anyway for the effort
Now imagine a car mechanic explaining how an engine works to me
DNS over HTTP only if you have the right software / browser
yup always - if u go unknown places may find provider ip/dns blocked
I want to try again with the explanation.
i.e. If you can't understand, it's my fault.
DNS encryption ensures nobody, but you, can see your traffic.
DNS signing proves the data you receive is the same that was sent.
A central key issuer, like LetsEncrypt is considered more trusted than an individual key issuer, like you, because their keys can be verified against a known organisation. So a company with a reputation has verified you are valid.
For the last part, I'd say it's more like this:
The server needs a public/private key pair to set up the key exchange for HTTPS.
Before DNSSEC+DANE (which no one implements... ugh), there was no secure way to know if a public key of a server is really that server, or a malicious actor in the middle pretending to be them.
So, certificate authorities (CA) were created, which try to do secure checking of you owning the domain name before giving you a certificate saying "This public key is trusted for this domain".
And your OS vendor trusts a certain set of CAs that they know is good and reliable, but not just anyone, because any trusted CA could spoof any website they want, like google.com.
With newer CAs like Let's Encrypt the ownership checking is automated and they check your DNS from multiple random points on the internet to ensure there is no one tampering.
I was trying to make it simpler, not more difficult, now you've ruined it again
Or, even simpler, it is similar to this:
You want to talk to John Doe on Nostr. The problem is anyone can pretend to be John.
So, someone says "I will check your ID that you are John Doe, and I will give you a badge that I checked".
Your client implements a list of trusted checkers, and when you search for John Doe, only the verified npub appears. The others get a big scary warning "This may not be John Doe".
The client only trusts checkers that adhere to a given standard and have reputation, to prevent bad actors from being able to issue fake badges for anyone.
This is how HTTPS works but instead of npubs it is servers' public/private keypairs, and instead of people it is domain names, and badges are certificates.
I realized that after posting and posted a less shitty one above
So when a website requires you to do the Cloudflare check, that's what it's doing? Making sure that the key pairs match and are valid?
Cloudflare
They are mostly checking that you are human and not using a VPN.
no this is https…
ama @MAHDOOD dO;.;Od*\*ya
paid wifi is not free either - providers have to follow certain basic KYC rules
but more dangerous are the ones which collect biometrics just to access a few hours of browsing the internet - because they are told of anon misuse.
