What am I doing wrong with DNS?

I was wondering if someone could help me in this area I’m really weak in.

I signed up with “BigBudgetVPN,” and naively assumed my DNS was going through them. I’m using Linux Mint, and connect via OpenVPN. DNSLeaktest and other services have reported no leaks, and report that my DNS is calling the VPN’s servers; however, I see now that I should have known to set up DNS manually when using OpenVPN.

I see that the Network Manager on Mint lets me add additional DNS servers to a Connection, but there is no option to eliminate my ISP’s.

Despite the fact that no leaks are reported, I mistyped in a domain today and got my ISP’s “dns error” page. Creating the horrible feeling that all along, all my requests have been going through that channel.

I tried some Ubuntu instructions to edit resolv.conf but the ISP’s catch-all page remains.

Does anyone know how to cut them out of the loop? What am I missing here?

Ah, one of the problems here might not be the DNS itself.

I know links are not permitted but I found a possible solution on the website Hacker Codex, article titled “How to Stop Your ISP from Hijacking Your DNS Servers.”

I know links are not permitted …

R 2 :slight_smile: - i think there’s just a probation period for new members - i couldn’t post links either at first

someone else can surely tell you more than i can since i’m no DNS expert at all, but i think the problem may be caused either by your modem or router if you have one - if you have a router, grab the manual for your modem and see if you can run it in ‘bridge’ mode, then setup the router with your PPPoE connection (or whatever) and user/password to connect to your ISP and setup DNS up properly in your router - your VPN should have a guide if they’re worth their salt (you may be able to run OpenVPN on your router too if it supports it, or if you can load custom firmware - if you do that, all devices connected to the router will use the VPN)

if you don’t have a router, you may need to get into the control panel for your modem and setup DNS there

What is in your resolv.conf ?

My resolv.conf is kind of perplexing, actually … it says:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
search [USstate].rr.com

How this came to be, I’m not sure … however I just tried an extended dnsleaktest again through FF and it only shows my VPN. Still, I’m sure I’d be better off hard-coding Nord’s DNS into the system. The magical Ubuntu instructions so far didn’t work out; either operator error or a difference in Linux Mint.

12bytes, you’ve got me thinking about running OpenVPN through the router (if that turns out to be possible), although maybe split tunnelling would be needed, because some financial sites will not allow log ins with it on.

it looks like DD-WRT can do this maybe??? i’m really bad with networking, but i found this and this while looking through this

Might be your router.

What does:

systemd-resolve --status

Say?

Can’t believe I missed this.
This is your problem.
It’s telling the dns resolver to redirect unknown queries to the [query].rr.com page (rr = spectrum = your provider).
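
An added example, not part of any post in this thread: a simplified model of how the `search` and `ndots` settings described in resolv.conf(5) expand a typed name into the list of names the resolver tries, run over the resolv.conf quoted above. The function names and the mistyped name `exmaple.com` are constructed for illustration; the loopback check only shows that a stub address hides the real upstream servers, which is why `systemd-resolve --status` was requested.

```python
import ipaddress

# resolv.conf body as quoted in the thread; "[USstate]" is the poster's redaction.
SAMPLE = """\
# 127.0.0.53 is the systemd-resolved stub resolver.
nameserver 127.0.0.53
search [USstate].rr.com
"""

def parse_resolv_conf(text):
    """Extract nameservers, search domains and ndots from resolv.conf text."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        key, args = fields[0], fields[1:]
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain") and args:
            # The last search/domain line wins; "domain" takes a single name.
            conf["search"] = args if key == "search" else args[:1]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    conf["ndots"] = min(int(opt[6:]), 15)
    return conf

def candidates(name, conf):
    """Names in the order a glibc-style resolver tries them (simplified model)."""
    if name.endswith("."):
        return [name.rstrip(".")]  # fully qualified: search list is skipped
    suffixed = [f"{name}.{domain}" for domain in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        return [name] + suffixed   # as typed first, search list on failure
    return suffixed + [name]       # short name: search list first

def audit(text):
    """Describe what this resolv.conf does and does not reveal."""
    conf = parse_resolv_conf(text)
    findings = []
    for ns in conf["nameservers"]:
        if ipaddress.ip_address(ns).is_loopback:
            findings.append(f"{ns}: local stub, upstream servers are not in this file")
    for domain in conf["search"]:
        findings.append(f"search {domain}: also tried as a suffix on lookups")
    return findings

if __name__ == "__main__":
    print(candidates("exmaple.com", parse_resolv_conf(SAMPLE)))
    print("\n".join(audit(SAMPLE)))
```
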

try a change in Network Settings to Automatic (DHCP) addresses only, then you can manually add and save DNS server(s). resolv.conf is a rpita, so much so that I dropped concern if DNS leaked around VPN and just give one manual local address and force system to use dnscrypt-proxy for everything then manually edit resolv.conf to nameserver 127.0.2.1 (what i run dnscrypt-proxy on) and lock file from changes, elsewise the 127.0.0.53 gets auto-added back overwriting my edit.
(edit to add: i’m running/ruining LM19.1 cinnamon here)

^^ reference this: https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux#if-the-content-of-etcresolvconf-doesnt-stick

12bytes, by good luck the router happens to be running DD-WRT, so maybe that is possible!

el0, thank you for the clarification on Network Manager! I think it worked perfectly; resolv.conf no longer lists spectrum’s DNS.

BTW, I looked at the dns-crypt page, and wondered … if you set it up, does this partly obscure your network traffic from your own VPN?

i didn’t back-read this whole thread so maybe i’m off track, but if you’re using a VPN and they provide a DNS service, then you might want to use theirs - this way DNS lookups are encrypted - TOTALLY not sure that’s the best way to go since no VPN can be trusted, but whether it’s acceptable depends on who you’re trying to hide from, ya know? :slight_smile:

yes, in that dnscrypt-proxy encrypts all DNS (system wide) queries and if it routes through VPN then VPN provider only sees HTTPS traffic from their exit (when using DNSoverHTTPS = DoH) and queries resolve with the list of DNS servers I allow. both ignoring, and ignored by, my VPN DNS (if provided)

I do this for a number of reasons, primarily so that any DNS leak outside VPN (usually controlled by iptables, but may be complicated to setup and manage) is more privacy assured (DoH)

Do I need to run dnscrypt-proxy? no, I could manage it better with iptables and scripts but i’m not very competent on linux, and since I change which VPN provider I use in a day sometimes quite often (4 currently for different case use) and I switch to Tor very often, and have local network to manage I prefer to just give all DNS to the proxy and no matter what I am doing I know at least my DNS isn’t giving me away to anyone because it’s encrypted via DoH…
