Closed laserjobs closed 2 months ago
I've read this several times now and I'm afraid you've lost me. Perhaps you have a misunderstanding of ROBERT, or I am just not comprehending the issue.
It's impossible for ROBERT to be "loaded" before the secure connection is established, because ROBERT is on a 10.255.255.x address that's only available after the VPN is connected.
You also specify specifically WireGuard, but then you talk about seeing DNS queries when the app launches. The DNS requests to api and assets.windscribe.com can't be avoided because this is how the app finds information about the servers it needs to connect to. If you want to use different DNS servers than the OS default, you can pick one in the Advanced Options page of the preferences.
If I'm not understanding your post correctly, I apologize. Please clarify.
I was just trying to figure out a way so the app does not use port 53, since it is unencrypted and reveals the IP, so I did some experimentation blocking everything except for the DoH address in the DNS. With that setup it does connect, so I am not sure why the assets and API are called before the connection is secure, since they seem to be resolved. When I block port 53 DNS, it does seem that ROBERT sometimes does not load, and I took that for the request at go.microsoft.com.
Here is the strange thing: you say ROBERT is available only after the secure connection is established; I have found the opposite.
It does not seem like we're on the same page here. You are looking at ROBERT preferences. These are just settings that are enabled after you connect. It does not indicate whether it is active or not.
I still don't know what exactly is the problem you're trying to solve. The app will ALWAYS do DNS queries for Windscribe servers, so we can reach them. Without this, you can't log into Windscribe, the app doesn't know what locations are available, the credentials for the locations, or anything else. The fact that you are logged in with locations available means this must have already happened.
If you are saying this DNS query should be DoH rather than 'legacy' port 53 -- I don't disagree, and this is probably something we can do in the future.
Otherwise, please describe step by step what you are trying to accomplish.
What I think I am seeing is that when WireGuard does not connect fast enough, ROBERT is retrieved before a connection is secured. I agree the DNS should be done over an encrypted channel so it cannot be snooped.
I don't think you're understanding what I'm saying. EVERYTHING comes from api.windscribe.com or assets.windscribe.com, including the very WireGuard configuration that you are using to connect. You cannot even connect without reaching this endpoint.
We will consider using DoH for pre-connection DNS in the future.
As you said, the config comes from api.windscribe.com or assets.windscribe.com. Okay, I see what is happening: with port 53 blocked, the app was connecting to the DoH server with the Control D DNS daemon before the secure connection was attempted and would pull the ROBERT configuration files.
No. I don't understand why you are so hung up about ROBERT, but the only time the ROBERT preferences are pulled is when you click the preference page. Otherwise, the client knows nothing about ROBERT, because ROBERT is strictly a server-side concept, AFTER you connect the VPN.
What it pulls from api.windscribe.com and assets.windscribe.com are the list of locations and the WireGuard configurations, etc., necessary to connect to them.
"It's impossible for ROBERT to be "loaded" before the secure connection is established, because ROBERT is on a 10.255.255.x address that's only available after the VPN is connected."
NOT connected to a secure connection, I am getting ROBERT preferences connecting to two Cloudflare servers at 104.20.x.x, and if go.microsoft.com is DNS blocked it is two Linode servers. The only other connection is to no-mans-land.
DNS requests before connection have nothing to do with ROBERT. Please read these two sentences repeatedly until you understand:
ROBERT preferences only determine what happens after you connect, and do not take effect until this happens. ROBERT preferences are only loaded when you click the preference page.
Clearly I have no clue then.
Sometimes ROBERT is loaded before the secure connection is established (at least with WireGuard).

Describe the solution you'd like
It would be nice to have everything load after the secure connection is established (including the API and assets if possible) to keep DNS queries from leaking information when using the OS DNS.

Describe alternatives you've considered
Blocking everything from port 53 except for the DoH address

Additional context
When attempting to start the app, several DNS queries happen over port 53 (both IPv4 and IPv6):
- go.microsoft.com <-- ROBERT redirect link
- api.windscribe.com (+various others)
- assets.windscribe.com (+various others)
- ipv6.msftconnecttest.com
- www.msftconnecttest.com
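The disagreement above comes down to which pre-tunnel DNS lookups are the client's unavoidable bootstrap (api/assets.windscribe.com), which are OS connectivity probes, and which are neither. The following is an added example, not code from the issue or from Windscribe's client: a small Python audit that labels DNS flows observed around a connect attempt so those three groups, plus any plaintext port 53 query that happens after the tunnel is up, are reported separately. The flow records, the tunnel-up timestamp, and the DoH resolver addresses (192.0.2.53, 2001:db8::53) are constructed placeholders; the hostname suffix lists are an assumption based on the names listed in the issue.

```python
"""Audit plaintext DNS around a VPN connect (added illustration, constructed data).

Assumptions: timestamps are seconds since app launch; plaintext DNS is any flow
to port 53 with a parsed question name; DoH is TCP 443 to one of DOH_RESOLVERS.
None of the addresses below are real resolvers.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float                   # seconds since app launch
    proto: str                  # "udp" or "tcp"
    dst: str                    # destination address, IPv4 or IPv6 literal
    dport: int
    qname: Optional[str] = None  # question name when the flow is plaintext DNS


# Names the thread says the client must resolve before it can connect at all.
BOOTSTRAP = ("api.windscribe.com", "assets.windscribe.com")
# OS-originated connectivity probes (Windows NCSI); not caused by the VPN app.
OS_PROBES = ("msftconnecttest.com",)
# Placeholder DoH resolver addresses for this example (assumption).
DOH_RESOLVERS = frozenset({"192.0.2.53", "2001:db8::53"})


def _under(name: str, suffixes) -> bool:
    """True when name equals or is a subdomain of any suffix (case/dot tolerant)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(flow: Flow, tunnel_up: float) -> str:
    """Label one flow. Plaintext DNS after the tunnel is up is a hard leak;
    before it, separate expected bootstrap lookups from everything else."""
    if flow.dport == 53 and flow.qname is not None:
        if flow.ts >= tunnel_up:
            return "leak_after_tunnel"
        if _under(flow.qname, BOOTSTRAP):
            return "bootstrap_plaintext"
        if _under(flow.qname, OS_PROBES):
            return "os_probe"
        return "unexpected_plaintext"
    if flow.dport == 443 and flow.dst in DOH_RESOLVERS:
        return "doh"
    return "other"


def audit(flows, tunnel_up: float) -> dict:
    """Group (name, address family) pairs by label; the family tag makes a
    v6-only leak visible, since the issue notes both v4 and v6 queries."""
    report: dict = {}
    for f in flows:
        family = "v6" if ":" in f.dst else "v4"
        key = f.qname if f.qname is not None else f.dst
        report.setdefault(classify(f, tunnel_up), set()).add((key, family))
    return report


# Constructed records modelled on the hostnames listed in the issue.
SAMPLE = [
    Flow(0.2, "udp", "192.168.1.1", 53, "api.windscribe.com"),
    Flow(0.2, "udp", "2001:db8::1", 53, "api.windscribe.com"),
    Flow(0.3, "udp", "192.168.1.1", 53, "assets.windscribe.com"),
    Flow(0.4, "udp", "192.168.1.1", 53, "go.microsoft.com"),
    Flow(0.5, "udp", "192.168.1.1", 53, "www.msftconnecttest.com"),
    Flow(0.5, "udp", "2001:db8::1", 53, "ipv6.msftconnecttest.com"),
    Flow(1.1, "tcp", "192.0.2.53", 443),                 # DoH session
    Flow(3.0, "udp", "192.168.1.1", 53, "example.com"),  # after tunnel-up
]
TUNNEL_UP = 2.5  # assumed moment the WireGuard tunnel came up


def main() -> None:
    report = audit(SAMPLE, TUNNEL_UP)
    for label in sorted(report):
        print(label)
        for key, fam in sorted(report[label]):
            print(f"  {key} ({fam})")


if __name__ == "__main__":
    main()
```

On the constructed sample, go.microsoft.com is the only pre-tunnel plaintext lookup that is neither Windscribe bootstrap nor an OS probe, and example.com is the only lookup that leaks after the tunnel is up; feeding real capture records into `audit` separates the two kinds of finding the thread conflates.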