search

Windscribe / Desktop-App

Windscribe 2.0 desktop client for Windows, Mac and Linux
https://windscribe.com
GNU General Public License v2.0
561 stars 78 forks source link

ISP DNS leaks when switching VPN servers #140

Open ltguillaume opened 3 months ago

ltguillaume commented 3 months ago

Configuration

Steps to reproduce

  1. Be connected
  2. Open ipleak.net and start testing
  3. Switch VPN servers
  4. See your ISP's DNS servers pop up

Remarks

Sources

Ivantheallknowing commented 3 months ago

Hi there! I'm one of the QA guys at Windscribe. The scenario you mentioned can only happen if the following conditions are met

  1. The system DNS is set to a local one (i.e Your router) or the system DNS is set to same one as in-app
  2. Allow LAN Traffic is enabled with a local DNS is set on your system.

There are two options available right now that can help with this.

  1. Set the system DNS to something else besides a local one or
  2. Turn off Allow LAN Traffic
ltguillaume commented 3 months ago

Then this looks like the local DNS (my router) is a fallback option at all times. In other words, why wouldn't this happen during an active VPN connection, e.g. when the Windscribe DNS doesn't respond (in time), which at times has been the case, instead of just when switching between servers?

Ivantheallknowing commented 3 months ago

It doesn't happen during an active VPN connection as our app only whitelists a single DNS server (10.255.255.1 - 10.255.255.4). If for some reason the DNS fails in the tunnel it will appear that you don't have any internet.

During a re-connection this whitelist is dropped so the app can configure itself again. During this time since the tunnel is down any DNS servers that are allowed through the firewall can communicate. And since Allow LAN Traffic is enabled, the locally configured DNS server can respond to queries. As it's in the whitelisted LAN range.

We've discussed a way to work around this, but the ideas don't work for all platforms.

ltguillaume commented 3 months ago

Thanks for explaining, but this is rather confusing nonetheless: I have set up a different internal app DNS (ControlD), so why wouldn't it only whitelist that DNS during (re-)connection, especially if the firewall is set to always-on? It seems that makes both of those settings rather obsolete and misleading under these conditions.

ltguillaume commented 2 months ago

v2.10.2

So I've set the network adapter's DNS IPs to my ISP's servers, the same as my router's settings.

I can see that the DNS leaks are indeed now gone, even with "Allow LAN traffic" enabled.

A new problem arises, though: there's a 20s delay on first start-up now before

Windscribe helper connected ok

Also, the start of WireGuardService takes 20 seconds, often even on reconnects/server switches, where there previously was no such delay.

[040424 0:23:54:658     43.086] [firewall_controller]    firewall enabled with ips count: 181
[040424 0:23:54:924     43.352] [xxx]    Starting "WireguardService"
[040424 0:24:15:170     63.597] [xxx]    Opened and mapped the wireguard service log file

Edit So, this is when using ControlD or OpenDNS set for the App internal DNS. If I set it to System default, there's no such delay.

What I don't understand either is that I don't see the OpenDNS or ControlD DNS pop up on ipleak.net during a server switch/reconnection, but I DO see my ISP's IP pop up there if I set App Internal DNS to OS default. Why wouldn't I see the OpenDNS/ControlD IPs?

ltguillaume commented 2 months ago

@Ivantheallknowing Is there anything I can do to resolve the extreme times it currently takes before I get connected after following your first advice ("Set the system DNS to something else besides a local one") without setting the App Internal DNS to OS Default?