ISP Dns Leak?

[Ainatar]

Hi. I have been testing the last beta this days, using the original toml config and also trying several scenarios (all servers, 1 server, 2 servers, 3 servers, 4 servers, only ipv4 servers, only ipv6 server, both ipv4+ipv6, the 3 require_* set to true and/or false, etc...). On all the cases, visiting this url https://ipleak.net/, at some point, it leaks to my ISP. I don't know if it have something to be with the way dnscrypt-proxy try to handle the 100+ connexions that the site does, or what. Any idea? Thanks in advance.

[jedisct1]

It means that you have more than one DNS resolvers configured on your system. Not just the IP of the proxy.

[Marco-vW]

Try checking (manual) WAN dns-settings, VPN settings etcetera. I've been using it since one of the first betas continuously and if your system is configured correctly (i.e. no other resolvers) it absolutely won't leak. Tested it dozens of times over the past few weeks, not a single leak. Using it on an Asus RT-AC68U, running Asuswrt-Merlin btw.

[iWARR]

I also have some kind of IPv6-leak problem in betas. In v1.9.5 it was all right.

• block_ipv6 = true

• https://ipleak.net shows me that I have additional IPv6 (!) address, but all IPv6 connections are turned off in my system through the years, plus they are restricted by Firewall... IPv6, ISATAP, Teredo 6to4 tunnels (IPv6 through IPv4) are turned off completely. I don't ubderstand at all, how it could happen.

• If I check "this" IPv6-address with nslookup command, I can see that it's NOT exactly belongs to the resolver of my choice (IPv4): servername. It belongs to the neighbour name (if I look into dnscrypt-resolvers.csv file) as my reslover, but with IPv6 support: servername-ipv6.

• I have many restricted queries in the Firewall logs on the Port: 53. All IPs going to usual ROOT DNS Servers over world. And these IPs (IPv4) are relative to IPv6. I have examples, if you want (but nothing intersting).

All DNS queries are restricted in my system globally by Firewall, except DNSCrypt IPs (local and for the resolvers of my choice, plus one (new) usual DNS 9.9.9.9).

I have a number of Firewall logs for the blocked regular (non-encrypted) DNS. Especially, when I starting my browser. (I know that browser also have integrated DNS, but all public UDP queries for the browser are blocked also, except Port: 53 and local addresses for dnscrypt-proxy. It's not a browser, but it can really start to provoke such flooding DNS queries).

• Now this IPv6 leak (or whatever) persists all the time. Please, help.

[jedisct1]

If you don't have IPv6 connectivity and that website says you have IPv6 leaks, don't trust that website.

[iWARR]

But this IPv6-address is really from the dnscrypt-resolvers.csv file. Same name as my resolver, but it is neighbour name - IPv6-server (resolver). I didn't choose IPv6-server from the list.

For example:

cisco cisco-ipv6

It's like I'd choose 208.67.220.220, but it shows me 208.67.220.220 + [2620:0:ccc::2]

Understand?

[iWARR]

And real problem №2 - queries to usual ROOT DNS Servers over world. (My Firewall rules blocking this flood). But what if user don't have Firewall and never look at logs? (If I didn't set hard custom rules+logs, even me never knew about it).

[iWARR]

In v1.9.5 I never saw any IPv6 adresses in my results.

Of course it's too complicated problem and may be relevant to wide number of system settings. But if I have IPv6 turned off globally and see real DNSCrypt address in the leak test, my questions goes to you...

I'll check the leak on other test-sites, then will say to you.

[jedisct1]

Google and Cisco send a copy of your real network address to other companies (edns-clientsubnet mechanism). This solves some issues with content distribution networks, but if you are concerned about leaks, these are not the best choices.

Anyway, maybe your system has been configured to use the address of the proxy for IPv4 but not for IPv6. On Windows, these are two different settings if I remember correctly.

[jedisct1]

But if I have IPv6 turned off globally and see real DNSCrypt address in the leak test, my questions goes to you...

Err... no.

[jedisct1]

As the same issues will keep coming, answering this should be done as a wiki page about how to change the DNS settings, especially on Windows.

[iWARR]

DNS Leak Testing

test-ipv6.com..................................................No leak dnsleaktest.com..............................................No leak perfect-privacy.com/dns-leaktest/..........No leak grc.com/dns/dns.htm...................................DNS Nameserver Spoofability (Anti-Spoofing Safety): Excellent en.conn.internet.nl/connection/...............No leak. IPv6 not reachable, DNSSEC validated

---

ipleak.net...........................................................What is it !? (IPv6 exist, but IPv6 test not reachable)

[iWARR]

Google and Cisco ... these are not the best choices

Well, I don't use any of this two. And I'm Google-hater. Thanks for info about Cisco also.

maybe your system has been configured to use the address of the proxy for IPv4 but not for IPv6

• I don't use proxy in my OS Auto-proxy settings are restricted in Network settings and Group Policies.
• I use IPv4 only
• dnscrypt-proxy + block_ipv6 = true
• IPv6: turned off in OS (number of settings) + restricted in the Firewall

[jedisct1]

Their test doesn't work with block_ipv6=true.

[iWARR]

Yes, you are right. They check any possibility of connection.

I can't guess where this all DNS-flood from... Ok. I'll try show you some IP-examples. Just a minute...

[jedisct1]

Also, resolvers can send queries over IPv6. They can contact any authoritative name server, over any transport. The response will be the same, and it has nothing to do with your network.

[iWARR]

All of this IPs are "IPv6-relative" (don't know how to name right this my discovery)

128.63.2.53 .................. IPv6 -relative ... 2001:500:1::803f:235 ... root server .... (USA, Belcamp) 192.36.148.17.............. IPv6 -relative ... 2001:7fe::53 ...................... root server ... (Sweden) 199.7.91.13 .................. IPv6 -relative ... 2001:500:2d::d ................. root server ... (USA, Maryland)

and many, many others with queries on Port: 53 blocked by Firewall (I don't use Windows Brandmauer)

You can check IPs here: https://myip.ms/

[iWARR]

Resolvers can send queries over IPv6

This is much closer... (This can explain the result of ipleak.net test)

But all this strage queries generated from my OS, not by remote resolvers/transport. Right? They are OUTGOING queries generated inside my system... That's a big question - "Why"?

Sadly, I've found this behaviour only since beta 9. Then I've found this thread. That's it. I can't say for sure if the problem didn't exist earlier.

[iWARR]

Well, now I don't think this DNS-flood problem comes from dnscrypt-proxy...

May be I've found something new and very unwanted in the Windows behaviour. Never read about issue like that... And starting browser in some case provoking this...

Unfortunallely, my Firewall can't show the source of this logs. Just a fact of the blocking + IPs/Ports. Will see later...

[iWARR]

It was HARD investigation, but I've found the source!

The source of DNS-flood to "usual" ROOT DNS servers caused DANE (DNSSEC and TLSA validator)

1) Installed in the OS Windows:

C:\Program Files (x86)\CZ.NIC\Chrome DNSSEC Validator\DNSSECcore-windows-x86.exe C:\Program Files (x86)\CZ.NIC\Chrome TLSA Validator\DANEcore-windows-x86.exe

https://www.dnssec-validator.cz/pages/download.html#package

2) Istalled two DNSSEC and TLSA extensions for the chromium browser, that shows (in the icons - green/red/grey) if some site support DNSSEC.

https://chrome.google.com/webstore/search/DNSSEC

---

If I'll turn off both parts, there will no DNS-flood any more. So, I have to decide, leave DANE validation indicators in the OS/browser or not.

• From one side, the DNSSEC support is very important itself.
• From other side, we can easily got unwanted DNS-flood to "usual" servers with this indicators installed.

Seems like this checking methods are obsoleted and not too compatible with DNSCrypt ideology? What is your advisory about their presence in the system?

Thank you.

[iWARR]

Seеms like DANE validator talk to different "usual" ROOT DNS Servers what site I've opened. Looks like DNS leak, isn't it?

[jedisct1]

Yes, this extension installs a local resolver. Which is why you were seeing queries to root servers, queries for DNSKEY, etc. Nobody's using DANE, don't make your life more complicated that it should.

[iWARR]

Uninstalled. Thanks.

[iWARR]

In case this thread about leaks, I'll let leaking this info here :)

PROOF of the chromium Browser DNS leaks problem in Windows

Time-to-time the chromium browser can initiate built-in DNS for connection to Google servers.

For example:

They all (for now) calling on remote Port: 443 and going to Google Inc, USA, Mountain View :

64.233.161. 172.217.16. 172.217.20. 108.177.119. 216.58.213.*

There is no any reason to play with such IPs or dnscrypt-proxy target blocking. They can be blocked automatically within Firewall - Global + Browser rules principle.

Оnly necessary IPs from dnscrypt-proxy settings are used (as draft example).

---

Rules from Top -> Bottom (First -> Last):

• DNS (UDP) - DNSCrypt+Fallback ................ ALLOW

  Outgoing (UDP) to : Remote ports: 53,Port(s) of Resolver address(es) Local ports: 1024 - 65535 Remote addresses: 127.0.0.XX1,127.0.0.XX2,fallback_resolver IP,Resolver address IP(s)

• DNS (UDP) ............................................................. BLOCK All Outgoing/Incoming (UDP) queries for Public Network (Internet)

---

Notes:

• Top -> Bottom - Firewall applies all rules from top to bottom direction. Depends on vendor. • Resolver address IP or Port of the static server of your choice coming from dnscrypt-resolvers.csv • (s) - if you are using more than one resolver and listen_addresses = 127.0.0.XX1,127.0.0.XX2, etc.

[jedisct1]

I didn't follow everything, but don't break the Google Chrome self-update mechanism. Using outdated versions of web browsers is almost always a bad idea.

[iWARR]

Browser automatic updates working 100%. As expected, using dnscrypt-proxy. Also I have logs about these events in dnscrypt-proxy.

Of course, I have additional rules for the Browser also (for all Group at once with programs inside, including installer/updater too). It's not about global rules for all system (as I described above), but for the Browser only.

Rules have priority (from higher to lower): Program -> Group -> Global

Group Rules from Top -> Bottom (First -> Last):

• DNS (UDP) 53 - Out (DNSCrypt) ........ ALLOW Outgoing from Remote Port: 53 to Local Ports: 1024 - 65535 For addresses: 127.0.0.XX1,127.0.0.XX2 (listen_addresses) - I keep 2 resolvers working

• Public (UDP) ................................................... BLOCK All Outgoing/Incoming queries for Public Network

• Internet (TCP) - Out .................................... ALLOW Outgoing for Any address

So, nothing can use any other DNS, only those I want: dnscrypt-proxy + fallback resolver. Even such 3-rd party resolvers as DANE (or any other) will be blocked for sure using this settings. They are confirmed by time and positive experience.

[iWARR]

:flags options for chromium browsers are also important

Search by keywords:

[Disable]

preconnect / predictor / preresolve / prefetch / suggestions / Google / SendBeacon / USB / sensor / credit card ... autofill / WebRTC / network (if you don't need web-net queries)

[Enable]

reduce ... 'referer' ... granularity / disable ... auditing / memory coordinator / isolation / AppContainer Lockdown

---

As you will see, overall bias of Google web-core is reducing user safety and privacy. Most of unwanted options are turned on, instead there are very few useful options are turned off by default.

[jedisct1]

Or just use Brave.

[iWARR]

Or just use Brave.

600 Mb of garbage about new way of monetization.