DD-WRT: DNS Leak Detection w/ VPNs

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sat May 11, 2019 21:49    Post subject: DD-WRT: DNS Leak Detection w/ VPNs
DD-WRT: DNS Leak Detection w/ VPNs

Enjoy!


Last edited by eibgrad on Thu May 16, 2019 16:31; edited 2 times in total
ATHF
DD-WRT Guru


Joined: 14 Dec 2015
Posts: 688
Location: 127.0.0.1

PostPosted: Sun May 12, 2019 6:55    Post subject:
That's awesome, I haven't tried it yet.
But thank you in advance!

_________________
Tutorial for flashing WRT series
WRT Installation,Upgrade & Basic Setup–Cliff Notes
DD-WRT Firmware: r40890: WRT3200ACM, WRT1200ACv1, WRT1900ACv1
Velop:3 WHW0101, RE6500, RE9000
TWC/Spectrum - 300/25
SysLog Watcher 5, Security Onion on Virtual Box, Fingboxes, PiHoles
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4415
Location: Netherlands

PostPosted: Sun May 12, 2019 7:41    Post subject:
Nice !

Added it to my toolbox :D

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 12, 2019 16:34    Post subject:
I do believe it can be improved. I just wanted to get something out there. At least now there's a framework from which to make refinements.

As I say in the documentation, although the script detects DNS leaks, it's not very helpful when it comes to diagnosis. And there are several reasons you could have a DNS leak. The most common being the use of PBR.

We also have the issue of local clients who may NOT be using the router's DNS server, but are instead configured directly w/ their own public DNS servers, either because the user configured the router's DHCP server w/ exceptions for that client, or perhaps the local client is just using public DNS servers for its own reasons (e.g., IOT devices).

Consider the following scenario.

Suppose PBR is being used in the OpenVPN client (which takes the router itself off the VPN), but this has NOT caused a DNS leak because fortunately the user is using a Kong build, which unlike a BS build, reconfigures DNSMasq w/ the DNS server(s) pushed by the OpenVPN server, and it happens that those servers are only accessible over the tunnel (most likely because they have *private* IPs in the same address space as the tunnel itself). So no DNS leaks.

However, consider that local client configured directly w/ public DNS servers; they are causing a DNS leak! Or is that really the case? What if PBR has excluded them from the VPN? Then it probably isn't a DNS leak.

That's just an example of how difficult it can be to determine what is and isn't a DNS leak. It's not always obvious or clear. While I could perhaps scan the GUI's PBR list for exceptions, that creates a dependency on that particular VPN and how it handles PBR. We may have users creating their own PBR scripts (like mine), or using PPTP, which necessarily requires manual configuration of PBR.

To eliminate this VPN dependence, perhaps the script should provide an exclusion list so it can reduce these false positives. Then again, maybe these are just outliers, and it's just something we accept as a limitation. Or perhaps we include the source IP of the client in the reporting so it's more obvious what's happening. But then that probably requires we report *all* such occurrences within a given pass through the conntracks. Right now, as soon as I detect one DNS leak, I quit the pass and simply report "dns leak detected".

That's why this stuff gets so complicated. Lots of variables. And the more variables, the more permutations.

Anyway, that's the kind of stuff I'm still pondering at the moment. The current script is sufficient in terms of its ability to find "a" DNS leak, but it's not much more than a red flag. As I say in the documentation, it's not very helpful in providing the details that lead to that conclusion. Or preventing false positives in some cases.

Btw, I provide a lot of generic installation details in the documentation. Eventually I'll move that information into its own document, probably called DD-WRT: Basic Script Installation Guide (or similar), thus not having to repeat the same information from script to script. But for now, I just dumped it all in this particular script for reasons of expediency.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh


Last edited by eibgrad on Sun May 12, 2019 18:31; edited 2 times in total
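As an added illustration of the two refinements discussed above (an exclusion list for PBR-bypassed clients, and reporting every offending flow with its source IP rather than stopping at the first hit), the following is example code written for this thread, not eibgrad's script. It assumes the router's public address (WAN_IP), the tunnel address 10.8.0.6, and the conntrack lines are all constructed values; the leak test used here (a port-53 flow whose reply side is addressed to the WAN IP rather than the tunnel IP) is this example's own approach.

```shell
#!/bin/sh
# Added example, not eibgrad's script: one pass over conntrack that reports
# EVERY DNS flow leaving via the WAN together with the client that sent it,
# skipping clients on an exclusion list (e.g. clients PBR routes around the VPN).
# Assumptions (constructed values): WAN_IP is the router's public address and
# EXCLUDE lists LAN clients whose DNS may legitimately leave via the WAN.

WAN_IP="203.0.113.5"
EXCLUDE="192.168.1.30"

# Constructed sample in /proc/net/nf_conntrack format; a live run would read
# that file instead. The reply-side dst shows which address the flow was NATed
# to: the WAN IP means it left via the ISP, the tunnel IP (10.8.0.6) via the VPN.
SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=192.168.1.20 dst=1.1.1.1 sport=51234 dport=53 packets=1 bytes=60 src=1.1.1.1 dst=203.0.113.5 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.21 dst=10.8.0.1 sport=41000 dport=53 packets=1 bytes=60 src=10.8.0.1 dst=10.8.0.6 sport=53 dport=41000 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=192.168.1.30 dst=8.8.8.8 sport=40001 dport=53 packets=1 bytes=60 src=8.8.8.8 dst=203.0.113.5 sport=53 dport=40001 packets=1 bytes=120 mark=0 use=1
ipv4     2 udp      17 29 src=203.0.113.5 dst=9.9.9.9 sport=40002 dport=53 packets=1 bytes=60 src=9.9.9.9 dst=203.0.113.5 sport=53 dport=40002 packets=1 bytes=120 mark=0 use=1
ipv4     2 tcp      6 100 ESTABLISHED src=192.168.1.20 dst=93.184.216.34 sport=50000 dport=443 packets=5 bytes=500 src=93.184.216.34 dst=10.8.0.6 sport=443 dport=50000 packets=5 bytes=5000 [ASSURED] mark=0 use=1'

# find_dns_leaks <conntrack text> <wan ip> <space-separated exclusion list>
# Prints one "<client> -> <dns server>" line per leaking flow.
find_dns_leaks() {
    printf '%s\n' "$1" | awk -v wan="$2" -v excl=" $3 " '
    {
        client = ""; server = ""; reply_dst = ""; dport = ""; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; if (n == 1) client = substr($i, 5); else server = substr($i, 5) }
            if ($i ~ /^dst=/ && n == 2) reply_dst = substr($i, 5)
            if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        # A query to port 53 whose reply comes back to the WAN IP was sent
        # outside the tunnel; the router itself shows up as client = WAN IP.
        if (dport == "53" && reply_dst == wan && index(excl, " " client " ") == 0)
            print client " -> " server
    }'
}

# count_dns_leaks: number of leaking flows in the pass (0 means clean).
count_dns_leaks() {
    find_dns_leaks "$1" "$2" "$3" | grep -c -- '->' || true
}

# Stand-alone run: report all occurrences from one pass, not just the first.
leaks=$(find_dns_leaks "$SAMPLE_CONNTRACK" "$WAN_IP" "$EXCLUDE")
if [ -n "$leaks" ]; then
    printf 'dns leak detected:\n%s\n' "$leaks"
fi
```

With the constructed data, the PBR-excluded client 192.168.1.30 is not reported, while the router's own WAN-side query (client = WAN IP) is, which is the BS-build behaviour described above.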
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4415
Location: Netherlands

PostPosted: Sun May 12, 2019 16:52    Post subject:
I think one of the things which must be made crystal clear is what you (and I) are defining as a DNS leak, not only using the "wrong" DNS server but also sending the DNS query out in the open via the WAN interface.

When the VPN provider pushes a private IP address as DNS server and the router is off the VPN, I think that the router does not have sufficient routing information to route that private IP address via the VPN, so it will not work in most cases?

A solution in these cases can be, if you can use destination based routing, to instruct the OVPN client to route that specific IP address via the VPN.

The longer I think about it the more questions arise (this is a fun problem though :) )

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 12, 2019 18:58    Post subject:
egc wrote:
I think one of the things which must be made crystal clear is what you (and I) are defining as a DNS leak, not only using the "wrong" DNS server but also sending the DNS query out in the open via the WAN interface.


That's why I defined what the script considers a DNS leak at the top of the "How the Script Works" section.

Quote:
When the VPN provider pushes a private IP address as DNS server and the router is off the VPN, I think that the router does not have sufficient routing information to route that private IP address via the VPN, so it will not work in most cases?


It should. That's the tunnel's network. It's in the routing table. Perhaps you're thinking about PBR and the alternate routing table. But the router itself is NOT using PBR. It remains on the WAN/ISP and uses the main/default routing table.

Quote:
A solution in these cases can be, if you can use destination based routing, to instruct the OVPN client to route that specific IP address via the VPN.


*All* routing is destination IP based. Even when using PBR, it remains destination IP based. Only you're jumping between different routing tables using IP rules (or markups) to change which routing table applies to the current packet.

To complicate matters further, as you know, the use of route-noexec not only takes the router off the VPN, but it will no longer process any route directives in Additional Config! That's why I suggested using pull-filter ignore "redirect-gateway" for your own PBR scripts, which allows the route directives to be processed. However, now you don't get a gateway IP from the VPN server, and are forced to use the (iirc) $ifconfig_local variable from the OpenVPN scripting engine, or else pick it off by parsing ifconfig.

It's like whack-a-mole; soon as you change one thing, another problem pops up, which leads to yet another problem. It seems endless at times.

Quote:
The longer I think about it the more questions arise (this is a fun problem though :) )


Yep. It's complicated. Just too many variables and "if this, then that" scenarios. There is no perfect solution. Particularly when we're trying to assess DNS leaks from the perspective of the entire network. I haven't even raised the issue of split tunneling *within* a single source IP! That's another can of worms.

Redback813
DD-WRT Novice


Joined: 10 Nov 2015
Posts: 29

PostPosted: Sun Sep 08, 2019 22:37    Post subject:
Thank you for this script, it has been a blessing and a curse at the same time. Please allow me to explain. With my old ISP provider I had a LAN->LAN connection for the NBN connection, and the setup was WAN Connection Type: Static IP, which worked and showed no DNS leak with your dnsleak test script. Great. Now though I have changed ISP provider and this time the settings are different: LAN->WAN and WAN Connection Type: Automatic Configuration. It's working, though the dnsleak test script is showing "user.warn ddwrt-ultimate-dns-leak[1166]: dns leak detected" repeatedly. I can't for some reason use "no-resolv" in the dnsmasq config section, as this blocks internet browser usage, but the connection to the internet shows in the log. There does not seem to be an issue with the non-VPN connection; however, the VPN connection is a real problem.