DNS leak: what is it and how to fix it using the DNSCrypt utility


Since the myth of anonymity on the Internet was dispelled, user privacy has joined the list of the most pressing issues. Your online activity can be tracked not only by search engines and the websites you visit, but also by your own Internet service provider. Technically this is not difficult: if the DNS server is issued to you by the provider, which is the most common case, everything that passes through DNS traffic can be tracked by it, especially since DNS requests are sent over an unencrypted connection.


Clearly, spoofing the intercepted packets is not difficult either, even if you use a VPN service.

The only way to close this hole is to encrypt DNS traffic, but that requires special software, since no operating system supports DNS encryption out of the box. The simplest tool for encrypting DNS traffic is Simple DNSCrypt, a small free utility whose advantage is that it needs no additional configuration, so beginners can use it. There is also a console tool, DNSCrypt Proxy, but it takes some tinkering: you have to run a series of commands in PowerShell, change the DNS address manually, and so on. Anyone with the time and inclination can read about it at github.com/jedisct1/dnscrypt-proxy.

We suggest using the simpler and more convenient desktop version, Simple DNSCrypt. Download the version that matches your OS architecture (32- or 64-bit) from the developer's website, simplednscrypt.org, and install it.

The program has a simple, intuitive interface, and it is available in Russian, so it is easy to find your way around. The basic settings are in the "Menu" section. To start using the program right after installation, click the "Apply" button, then select your network card below; it should be ticked as shown in the screenshot. The "DNSCrypt Service" switch must be active.

It is easy to check that everything works. Run ncpa.cpl from the Run dialog, open the properties of your connection, select "Internet Protocol Version 4 (TCP/IPv4)" from the list and open its properties. The radio button "Use the following DNS server addresses" must be selected, and the preferred DNS server field must contain an address. In our case it is 127.0.0.1; yours may be different.

By default the program automatically selects the fastest server, but you can change this by choosing a server yourself in the corresponding section.

The parameters in that section do not need to be changed if you are not using the IPv4 protocol. In the general settings you can enable the additional tabs "Black list of domains" and "Domain Blocking Log", but again only if you intend to use the functions they offer, in particular composing "black" domain lists.

There are also other tabs, such as "Black list of addresses", but for some reason they were inactive for us.

DNSCrypt encrypts DNS, but what about privacy in general: can the program make browsing anonymous? No. The task of DNSCrypt is to protect against substitution of DNS servers by attackers (assuming you have not edited the hosts file); it does not affect anonymity in any way, but it can be used as an auxiliary privacy tool when connecting to the Internet via a VPN.


Anyone who thinks about anonymity on the Internet knows that a great way to hide your IP address is a VPN service. However, even with a VPN connection, queries to the DNS server often remain unprotected, and it is easy to track where your DNS queries go. This is known as a "DNS leak".

Let's take a closer look at what DNS is and what problems exist.

As you know, every computer on the Internet has its own IP address; without knowing a computer's IP address it is impossible to send it information or a request. An IP address is a 4-byte number written as four decimal numbers separated by dots (for example, 162.234.12.110 or 78.31.54.226).

It is not easy for an ordinary person to remember many IP addresses, so early in the development of the Internet a tool was needed to make life easier for users. That tool became DNS, the Domain Name System. A DNS server lets you determine an IP address from a domain name.

For example, you enter a website address in the browser's address bar; the browser sends a request to the DNS server specified in the settings of your Internet connection, and the server sends back a response packet containing the IP address of the desired site.

On the one hand, everything is convenient: you just plug the cable into the network card, you are automatically assigned the provider's fast-responding DNS server, and everything works. On the other hand, this scheme has two problems:

1) The connection is not encrypted. This means that any attacker can intercept your traffic and spoof the IP address in the response, for example showing you a fake online banking page. It is also advisable to hide this traffic from the provider or from law enforcement (you never know).

2) ISP DNS servers are required by law to keep logs (which IP visited which sites, and when) and to hand them over to law enforcement agencies on request (I hope everyone knew this). I will say more: 99% of the world's DNS servers write logs and do not hide it.
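To make the first problem concrete, here is an added example (not code from the original article) that builds a DNS query and a matching answer in the RFC 1035 wire format and parses them back. The domain name and addresses are the ones used elsewhere on this page; the function names are my own. Running it shows that the queried name sits in the packet as readable text, which is exactly what a sniffer on the path sees, and that the only things tying an answer to a query are the 16-bit transaction ID and the echoed question section, which is why an unencrypted response is so easy to substitute and why the page insists on encrypting this hop.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035) for illustration."""
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'rutracker.org' -> b'\\x09rutracker\\x03org\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name starting at offset; follows compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:  # root label terminates the name
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """Standard recursive A query: header (RD=1, one question) + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Answer to `query` with one A record; the name is a pointer to offset 12."""
    txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, 1, 0, 0)  # QR=1, RD, RA
    question = query[12:]
    answer = struct.pack("!H", 0xC00C)  # compression pointer to the question name
    answer += struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def parse_message(msg: bytes) -> dict:
    """Parse header, question and answer sections of a query or response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "questions": questions,
        "answers": answers,
    }


if __name__ == "__main__":
    query = build_query(0x1234, "rutracker.org")
    print("query bytes:", query.hex())
    print("name visible in clear:", b"rutracker" in query)
    response = build_response(query, "195.82.146.214", 300)
    print("parsed response:", parse_message(response))
```

The parser is deliberately minimal: it understands A records and compression pointers, which is all an ordinary answer needs, and nothing else. A real stub resolver also checks that the response's ID, destination port and question section match the outstanding query, and those 16 bits of ID plus the port are the whole of the protection plain DNS offers.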

If you do not want anyone to intercept your data or read the logs of your visits, there is a reliable option. What needs to be done:

1) Encrypt the connection. There is the DNSproxy program for this. It connects to the DNS server not directly but through a DNS resolver over an encrypted connection (the resolver simply forwards requests to the DNS server). The resolver in turn passes the data to the DNS server, also over an encrypted connection. So, using a sniffer (for example Wireshark), one can only find out the IP address of the resolver; since the packets are encrypted using elliptic curve cryptography, it is impossible to tell which specific DNS server we are exchanging data with.

2) Use DNS servers that do not keep logs. As you understand, the provider's servers are out immediately. For anonymity you also cannot use Google or Yandex DNS servers, since they openly admit to storing information (read their privacy policies). But there are DNS servers that can help us: www.opennicproject.org. The site states that the servers write no logs (well, let's take their word for it). Unfortunately, these servers are unstable and sometimes go down. To solve this you can use the program "Acrylic DNS Proxy". It sends queries not to one DNS server but to up to 10 at once, and accepts the packet from whichever server answers first. This solves two problems at once: we minimize the loss of query speed (the fastest exchange is usually with the provider's DNS servers), and we mitigate the instability of any one server.

So we need an encrypted connection to a secure DNS server. This is useful not only for those who do not use a VPN (how to solve the DNS leak problem with a VPN is described later). Let's start:

2) In your network connection settings, enter the DNS address manually. Go to "Network and Sharing Center" -> "Local Area Connection" -> "Properties" -> "Internet Protocol Version 4 (TCP/IPv4)". Enter 127.0.0.1 there; leave the second line blank.

3) To launch AcrylicDNSProxy, go to Start and click "Start Acrylic Service". A message about a successful launch should appear.

4) Now check our DNS servers on the website www.perfect-privacy.com/dns-leaktest. It should look something like this:


Fig. 2

You can add AcrylicController.exe to startup.

5) Now we encrypt our requests to the DNS servers using the DNScrypt program.

6) Unpack and run dnscrypt-winclient.exe. Select your network card there and click Install. The connection to the DNS servers is now encrypted.

7) Let's see what the verification services show now. Go to www.perfect-privacy.com/dns-leaktest. None of our servers should resolve.

And if you go to http://whoer.net, the only thing it can show is the address of the DNS resolver through which the DNS queries pass. The servers themselves are "unknown".


Fig. 3

VPN + DNS encryption

The figure shows a typical diagram of your connection when connecting to VPN servers.


Fig. 4

As you can see, there is a vulnerability: DNS requests can be sent simultaneously both through the VPN server and directly to the DNS server specified in your network connection.

It would seem that you could simply set the DNS server in the connection settings to 127.0.0.1 so that no unnecessary requests go to the provider's DNS. But obviously, when you disconnect from the VPN the Internet will stop working, because the VPN connection uses its own DNS servers. If you simply enter two servers of the www.opennicproject.org project, surfing speed will drop when the VPN is off. In this case it is also recommended to install AcrylicDNSProxy, which will keep your surfing speed from dropping. And since you are installing AcrylicDNSProxy anyway, why not install DNScrypt too?

If you use VPN services 100% of the time, you can simply enter a single IP address in the DNS settings: 127.0.0.1. That will be enough.

Thus we have found an interesting scheme that anonymizes and hides DNS requests, which will help a little if you run into the "authorities", and if a local evil hacker decides to redirect DNS requests and show your children adult sites instead of the "Well, Just You Wait!" cartoon.

Note: if none of this is of use to you, just install AcrylicDNSProxy with the servers of your provider, Yandex, Google, etc., which will give you a noticeable speedup in surfing.

Thank you for your attention.

DNSCrypt will help you encrypt DNS traffic and protect it from third parties.

What is DNS for?

Setting up a DNS server is good, but it is even better to encrypt the traffic between the server and the client, that is, you. I have already written in other articles about what DNS is and reviewed the most advanced DNS server services. The difference between plain DNS and DNSCrypt is that with plain DNS the traffic between your device and the DNS server is not encrypted. The only thing plain DNS services give you is blocking of suspicious sites, and the traffic, as I wrote above, both the request sent from your computer to the DNS server and the response sent back, passes in the clear.

Here is a list of articles that I wrote earlier about well-known DNS services:

These DNS services protect your device well and offer a choice of site filtering, but the traffic between the DNS server and your device is not encrypted, as I wrote above. You can learn more about setting up various devices on your side as a client from the very first article listed above. There is also an overview of how to choose a suitable DNS server, which may tell you more about DNS. In this article we also talk about DNS, but we focus only on encrypting the connection itself between the DNS server and your computer.

DNS connection encryption:

To encrypt your DNS connection yourself, install and configure DNSCrypt on your device: visit the official website and download the latest version of DNSCrypt for your Windows device (I will post all the links at the end of the article). Unpack the archive to the system drive C:/; the folder can be named at your discretion or left as default. Open the command line as an administrator (if you do not know how, read the article on that). Then, in the command line, go to the folder that you unpacked to the C:/ drive (the folder name in the path will be whatever you named it), press Enter, and if everything is correct you get the answer shown in the picture below:

Next, open the folder where you unpacked the archive in regular Explorer, find the dnscrypt-resolvers.csv file in it and select the DNS server you will connect to. In the very first place is the AdGuard server; probably everyone knows the AdGuard program. Besides the AdGuard servers there are many others to choose from, but from the list this is the most famous, although I prefer Yandex.

You can use DNSCrypt and configure it to connect to Yandex DNS; the official website has the name and other details for configuring the DNSCrypt program (personally, I configured Yandex DNS). The Yandex DNS parameters are: yandex,"Yandex","Yandex public DNS server","Anycast","",https://www.yandex.com,1,no,no,no,77.88.8.78:15353,2.dnscrypt-cert.browser.yandex.net,D384:C071:C9F7:4662:AF2A:CCD5:7B5D:CC97:14D4:07B6:AD36:01E1:AEDC:06D5:6D49:6327 (taken from the program's settings file, dnscrypt-resolvers.csv). As you can see, you can set up a connection to the previously selected DNS server not only from the file but also from the articles mentioned above. By setting up your connection this way, you will not need to install programs against advertising and tracking.

In this example I will talk about connecting to the AdGuard DNS server. We selected the name from the list in the dnscrypt-resolvers.csv file; the server name is adguard-dns-family-ns1. Type the command in the command line, I highlighted it in the picture below:

If the server is available, you will see the following, as in the highlighted rectangle in the picture above. Install DNSCrypt on the system with the next command, highlighted in the picture below, and press Enter:

If everything goes well, the answer on the command line will be as in the rectangle in the picture above. If you want to remove DNSCrypt, the command is the same, only with Uninstall in place of the last Install. Likewise, if you want to change the server, repeat the same steps with Install, and so on. The program is now configured, and you need to connect your device via DNSCrypt. Go to the properties of your connection and, in the preferred DNS server field, enter 127.0.0.1, the address of your own machine. How to change the DNS server addresses in the connection is shown in the articles I referred to above, and the links at the top of the article explain how to open the connection properties.
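The comma-separated line quoted above is a record from dnscrypt-resolvers.csv, the resolver list that dnscrypt-proxy 1.x and the graphical shells described further down this page read. As an added example (not code from the article or from the DNSCrypt project), the Python below parses such records and checks the fields a client depends on before trusting a resolver: that the resolver address is host:port, that the provider name carries the 2.dnscrypt-cert. prefix used for the DNSCrypt v1 certificate record, and that the provider public key is 32 bytes written as 16 colon-separated hex groups. The column names are my assumption from the header of that file; the second record is constructed to show what the validator rejects, and the filter on the "No logs" and "DNSSEC validation" columns ties in with this page's advice to prefer servers that do not keep logs.

```python
"""Parse and sanity-check dnscrypt-resolvers.csv records (illustrative code)."""
import csv
import io
import re

# Column names assumed from the header of dnscrypt-resolvers.csv as shipped
# with dnscrypt-proxy 1.x; the article quotes only a data row, not the header.
COLUMNS = [
    "name", "full_name", "description", "location", "coordinates", "url",
    "version", "dnssec", "no_logs", "namecoin",
    "resolver_address", "provider_name", "provider_public_key",
]

# Constructed sample: the Yandex record quoted in the article, plus a made-up
# record (example.invalid) whose key is truncated so the validator rejects it.
SAMPLE_CSV = (
    'yandex,"Yandex","Yandex public DNS server","Anycast","",https://www.yandex.com,'
    '1,no,no,no,77.88.8.78:15353,2.dnscrypt-cert.browser.yandex.net,'
    'D384:C071:C9F7:4662:AF2A:CCD5:7B5D:CC97:14D4:07B6:AD36:01E1:AEDC:06D5:6D49:6327\n'
    'example-bad,"Example (constructed)","Truncated key","Nowhere","",https://example.invalid,'
    '1,yes,yes,no,192.0.2.53:443,2.dnscrypt-cert.example.invalid,D384:C071\n'
)

# A DNSCrypt v1 provider key is 32 bytes: 16 groups of 4 upper-case hex digits.
KEY_RE = re.compile(r"^(?:[0-9A-F]{4}:){15}[0-9A-F]{4}$")
PROVIDER_PREFIX = "2.dnscrypt-cert."


def parse_resolvers(text):
    """Turn CSV text into a list of dicts keyed by COLUMNS (extra columns ignored)."""
    records = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue  # blank line
        if fields[0] == "Name":
            continue  # header row, if the file has one
        if len(fields) < len(COLUMNS):
            raise ValueError(f"short record {fields[0]!r}: {len(fields)} fields")
        records.append(dict(zip(COLUMNS, fields)))
    return records


def provider_key_bytes(fingerprint):
    """Raw key bytes from the colon-separated fingerprint."""
    return bytes.fromhex(fingerprint.replace(":", ""))


def validate(record):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    if not KEY_RE.match(record["provider_public_key"]):
        problems.append("provider public key is not 16 groups of 4 hex digits")
    if not record["provider_name"].startswith(PROVIDER_PREFIX):
        problems.append(f"provider name does not start with {PROVIDER_PREFIX}")
    host, sep, port = record["resolver_address"].rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("resolver address is not host:port")
    return problems


def select_resolvers(records, require_no_logs=False, require_dnssec=False):
    """Names of valid resolvers that satisfy the requested policy flags."""
    chosen = []
    for record in records:
        if validate(record):
            continue  # never offer a record whose key or address is malformed
        if require_no_logs and record["no_logs"].lower() != "yes":
            continue
        if require_dnssec and record["dnssec"].lower() != "yes":
            continue
        chosen.append(record["name"])
    return chosen


if __name__ == "__main__":
    records = parse_resolvers(SAMPLE_CSV)
    for rec in records:
        print(rec["name"], rec["resolver_address"], validate(rec) or "ok")
    print("no-log resolvers:", select_resolvers(records, require_no_logs=True))
```

Note what the Yandex record itself says: the "No logs" column is "no", so with the no-logs policy switched on it is filtered out, which is the same conclusion the earlier part of this page reaches by reading the provider's privacy policy. The fingerprint check only guards against a mangled list; whether the resolver really holds the matching private key is established by the DNSCrypt certificate exchange when the client connects.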

We will talk about installing and configuring DNSCrypt (more precisely, its client program), which protects against possible substitution of DNS responses by your provider for requests coming from your computers. Such substitution may be one of the ways of blocking access to the RuTracker forum after a court decision to block it.

The instructions assume that Windows 8 with Russian localization is installed on the computer. For other operating systems the actions may differ slightly, but they will differ little both from the description and from the screenshots provided.

The specific IP addresses listed in this article are current at the time of writing and may change in the future. Do not use them without checking their functionality.

Small FAQ

Without going into details, of which there are many, the DNS system turns server names, for example rutracker.org, into their IP addresses, for example 195.82.146.214. This is how communication on the Internet works: connections between machines are made at these addresses, not at the site names that are more convenient for people to remember. When you want to reach the RuTracker forum, you ask your browser to connect to the server on which the forum runs. Using the domain name rutracker.org, the browser determines its IP address and opens a connection to the corresponding server.

Again, in a nutshell: it is a DNS server that other programs can contact in the standard way to resolve Internet site names, i.e. convert string names like rutracker.org into IP addresses like 195.82.146.214. This server does not perform the conversion itself but requests it from the external server assigned to it. The point of using DNSCrypt is that the request to the external server is encrypted and uses a non-standard protocol, which denies the provider the opportunity to replace the DNS response with its own and makes it difficult to detect the use of the program.

An important thing to understand: DNSCrypt is a pair of programs, a client program that encrypts your request and decrypts the resulting response, and a server program that accepts the encrypted request, turns the site name into an IP address and sends the encrypted response back. We will install the client program and select a matching server from those that already exist and operate on the Internet.

Your browser contacts the local DNS service and asks it to determine the IP address of the desired server. The service contacts the DNS server whose address is specified in the computer's network connection settings. One way or another, the request either reaches your provider's DNS server or passes through the provider's regular equipment to an external DNS server, for example Yandex.DNS or Google DNS. At this point the provider's system may decide to change the server's response, and instead of the correct IP address 195.82.146.214 you receive, for example, the IP address of a provider server; by connecting to it you see a page with blocking information in your browser. Or the provider may return an incorrect address, making it impossible to connect at all. Moreover, your local DNS service remembers the provider's response as correct and continues to use it for subsequent attempts to connect to the same site until the validity period of that response expires. Another unpleasant aspect is that the provider will note the fact that you requested the name of a blocked site.

We will configure our computers so that requests to the external DNS server are encrypted and delivered by a different route. Thus the provider will not be able to replace the answers or issue its own instead.

We will configure the computer, as the simplest solution to the problem, although it would be more correct to make the corresponding changes on the device that provides Internet access to all consumers (computers, tablets, smartphones, etc.), for example the router installed in the apartment. If you have the opportunity to do that, choose this path.

Graphic shells

DNSCrypt itself has only a console interface, which does not suit everyone. There are at least three auxiliary programs that manage it through a graphical shell, and we will now tell you about them. For convenience, save the dnscrypt-winclient.exe file in the same directory where you installed DNSCrypt, then run it as an administrator (how to do this is described in step 4). After agreeing to the system warning about running the program with administrator rights, you will see the main WinClient window. Go to the "Config" tab.


Depending on whether you already have a DNSCrypt client running, some labels will differ from what is shown in the image below: the left button will read "Install" (DNSCrypt is not installed or not running) or "Uninstall" (DNSCrypt is currently running), and the right button, respectively, "Start" or "Stop". In this window you can take the same steps as in the main section: select the DNSCrypt server that suits you (the "Select Provider" drop-down list) and launch the client with the appropriate settings. Clicking "Install" installs the client as a Windows service, and clicking the button again removes that service. Clicking "Start" / "Stop" starts and stops the client in normal mode, for example if you are not sure the selected DNSCrypt server works and want to run the client temporarily to check.

The only drawback of the program at the moment is that when launched it does not detect the DNSCrypt server you have selected and always selects the first entry from the list of available servers (taken from the same dnscrypt-resolvers.csv file). Bearing this in mind, you can manage your DNSCrypt client more conveniently than from the console.

DNSCrypt Windows Service Manager

Another graphical shell is DNSCrypt Windows Service Manager. Functionally it is almost the same as DNSCrypt WinClient, but it has a small advantage: it correctly shows the DNSCrypt server you have selected.


At the top you will see a list of all your network interfaces; select the one through which you access the Internet. Below is the list of DNSCrypt servers from the dnscrypt-winclient.exe file ("Select Provider") and the choice of protocol ("Protocol") with which the client sends DNS requests to the server; select "UDP". Below the list of servers is the program's main button, which starts ("Enable") or stops ("Disable") DNSCrypt as a Windows service. Finally, at the bottom of the window you can see the current state of DNSCrypt: running (green "enabled") or stopped (red "disabled"). The font size is chosen poorly and part of the word is cut off.

When you have configured the service and started it, you can close the program window.

This article was written at the request of one of the blog's readers. And I must say, the topic is very interesting.

Nowadays the issue of protecting traffic transmitted over the Internet is becoming ever more urgent. Many parties may covet your data, from attackers who will do their best to get your passwords to various services, to intelligence services that want to know about your every move. At present there are many "self-defense tools" on the Internet. This article is about one such simple but very effective tool: DNScrypt.

There is a wonderful resource called OpenDNS that provides public DNS servers. OpenDNS offers DNS solutions for users and businesses as an alternative to the DNS server offered by their ISP. By placing its servers in strategic locations and using a large cache of domain names, OpenDNS tends to complete requests much faster, thereby increasing page load speed. The results of DNS queries are cached in the operating system and/or applications, so this speed may not be noticeable on every request, only on those that are not cached.

Because the traffic between the DNS server and your computer is not encrypted, there is a serious risk of interception. Encrypting DNS traffic protects the client from "man in the middle" attacks, in which an attacker inserts himself into the communication channel and pretends to be the DNS server. In addition, encryption prevents traffic snooping and blocks malicious activity based on guessing packet IDs or sending bogus DNS responses. Simply put, DNS encryption prevents phishing attacks in which, instead of the desired page, a malicious copy opens and you enter your details there, with all the consequences. It will also be much harder for the provider to find out which sites you visited (since its logs will not contain your name resolution requests). To organize all this, the OpenDNS project released a wonderful open-source utility: DNScrypt.

This utility encrypts all traffic between your computer and the OpenDNS servers. If your provider blocks a site by its domain name, that site will now work, another plus. The utility is available for a wide variety of systems. I will describe installation and configuration using Debian and Ubuntu/Linux Mint as examples.

In Ubuntu 14.04 and Debian 8 this utility is not in the standard repositories. There are two options: build it yourself or use third-party repositories. In the case of Ubuntu, this is a PPA repository:

sudo add-apt-repository ppa:xuzhen666/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy

In the case of Debian, just download the dnscrypt-proxy package from the testing release repository and install it with GDebi or with the command sudo dpkg -i dnscrypt-proxy_1.6.0-2_amd64.deb.

To build it yourself:

wget https://raw.github.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall.sh && chmod +x dnscrypt-autoinstall.sh && ./dnscrypt-autoinstall.sh

During the installation process you will be asked to select a DNS server. Choose OpenDNS.

No additional settings are required; the package contains everything you need. All you need to do is slightly reconfigure your network connection. Open the network connection settings, select your connection, go to the IPv4 tab, change the method from "Automatic" to "Automatic (addresses only)" and specify the DNS address 127.0.2.1.

Reboot, connect and go to