Author Topic: DNS, needs to be fixed and unified.  (Read 4290 times)

Offline Indingo

DNS, needs to be fixed and unified.
« on: January 14, 2015, 08:17:04 PM »
I have brought the issue up before but it needs to be re-addressed. BolehVPN needs to figure out what they are going to do for DNS and stick with it. I frequent multiple servers for testing and general use, and I find some on OpenDNS, some on GoogleDNS, some on OpenNIC, and some on random DNS IPs that I can't seem to figure out where they go to. I notice also that with server resets and restarts the DNS servers get flipped to something else, Netherlands going from its server's own DNS -> GoogleDNS, "bad". I have studied what most VPN providers do and how they set up their services to improve my understanding of this problem, and find most VPN providers will host DNS on the same server that the clients connect to for the OpenVPN service: firstly to increase DNS speed, and for security, because the servers are run by the staff that run the VPN and can be protected from outside influence. GoogleDNS/OpenDNS are probably the worst for security reasons, OpenDNS due to logging and GoogleDNS due to matching a client's VPN IP and their normal IP to email accounts and logins including cookies on their services, basically allowing them to tie a VPN user to his real IP. I have brought this issue up before as well. I guess what I'm saying is BolehVPN needs to stick to one single plan for DNS servers so it's not all over the place with levels of trust being given to third parties. In my personal preference, I would like to see BolehVPN start doing what other big VPNs do, which is have the IP & DNS server come from the same server and same IP address. One, for increased security, as the only level of trust remains with BolehVPN, and two, because it's just faster and more logical to host both on the same server without having to involve any third party.

Thanks.
« Last Edit: January 14, 2015, 08:20:26 PM by Indingo »

Offline Indingo

Re: DNS, needs to be fixed and unified.
« Reply #1 on: January 16, 2015, 07:37:08 AM »


OpenDNS USA on a Luxembourg server is slow in terms of DNS speed, and bad in terms of security. OpenDNS for one has a logging policy, and two, it's an American DNS, not even close to Luxembourg. I guess what I'm trying to point out is that for speed and security reasons you should really host your own DNS on the servers that OpenVPN is running on, or at least in the same IP range/provider.

Offline PitBoss

Re: DNS, needs to be fixed and unified.
« Reply #2 on: January 16, 2015, 01:20:52 PM »
We are taking steps to implement our own DNS. This should be implemented slowly over the next few days. We will start with EU servers and then move to USA/Canada and Asia. UK/Swiss is now using our own DNS. No logging whatsoever is on the DNS.
We will be monitoring the resources before proceeding to other servers.
 
Thank you for your feedback.



Offline Indingo

Re: DNS, needs to be fixed and unified.
« Reply #4 on: January 16, 2015, 05:35:58 PM »
You beautiful human beings.

Thanks for taking great care and looking into it. I know I somewhat nag about issues I find, but honestly this is the reason BolehVPN is the only VPN service for me: you guys are great at listening and helping us get the best protection we need. You implemented the lock down feature when I asked for it, and now you're implementing your own DNS; could not ask more from your customer service. You guys are great.  ;D

Offline fredsanford

Re: DNS, needs to be fixed and unified.
« Reply #5 on: February 08, 2015, 10:57:48 AM »
For Linux clients connecting manually via OpenVPN, do we need to manually specify the boleh DNS servers?  (I have not seen any change take place in my DNS when connecting.)

Offline Slacker

Re: DNS, needs to be fixed and unified.
« Reply #6 on: February 08, 2015, 02:01:28 PM »
fredsanford, when you say you're using OpenVPN manually, what do you mean?

Are you using the NetworkManager, or from the command line?

If you are not seeing the DNS change when you connect, then they are not getting pushed to you, and you'll need to manually add them in your Network Client or Router.

You need to ask support if they have it set up to push the DNS to Linux...
« Last Edit: February 08, 2015, 02:09:02 PM by Slacker »

Offline fredsanford

Re: DNS, needs to be fixed and unified.
« Reply #7 on: February 09, 2015, 12:45:41 AM »
I'm using a script run from the command line to connect and set up firewall rules.  I'm not seeing any change in /etc/resolv.conf.  Has boleh announced the DNS server ip addresses? With those I could just have my connection script set up the necessary changes.

Offline Slacker

Re: DNS, needs to be fixed and unified.
« Reply #8 on: February 09, 2015, 08:41:58 AM »
You'd have to speak with BolehVPN on the DNS, this I'm not aware of.

Also for DNS, you might want to take a look at this from Arch;

https://wiki.archlinux.org/index.php/OpenVPN#DNS

That actual update-resolv-conf.sh script might work for you, I haven't tested it, but this is how you typically do it in Linux...

Offline fredsanford

Re: DNS, needs to be fixed and unified.
« Reply #9 on: February 11, 2015, 02:17:38 AM »
I worked with Boleh support and they had me add entries for update-resolv-conf to the OpenVPN config files. Although the script executed it did not actually update resolv.conf. What I wound up doing is a hack job on update-resolv-conf so instead of calling /sbin/resolvconf it just directly clobbers the resolv.conf file with the DNS info. Not very elegant, but it works.

Offline Slacker

Re: DNS, needs to be fixed and unified.
« Reply #10 on: February 11, 2015, 02:12:50 PM »
The script, the last time I tried it, didn't work either and I reported it to the author...

Not sure what the problem is, but I use DNS in a router, or the adapters, so I don't care about it...

Please show us what you did to fix this?

Did you try the script listed at the Arch Wiki?

https://raw.githubusercontent.com/masterkorp/openvpn-update-resolv-conf/master/update-resolv-conf.sh

Glad to hear you got it worked out...
« Last Edit: February 11, 2015, 02:15:46 PM by Slacker »

Offline fredsanford

Re: DNS, needs to be fixed and unified.
« Reply #11 on: February 12, 2015, 08:42:52 AM »
Quote
Please show us what you did to fix this?

I added the following lines to the end of the .ovpn file:

Code:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

(Actually since I don't bother saving the original resolv.conf the "down" line is probably not needed.)

Then I modified part of the "up" section in /etc/openvpn/update-resolv-conf:

Code:
up)
        cp /dev/null /etc/resolv.conf  ###############  (1) blank out resolv.conf
        for optionname in ${!foreign_option_*} ; do
                option="${!optionname}"
                echo "$option"
                part1=$(echo "$option" | cut -d " " -f 1)
                if [ "$part1" == "dhcp-option" ] ; then
                        part2=$(echo "$option" | cut -d " " -f 2)
                        part3=$(echo "$option" | cut -d " " -f 3)
                        if [ "$part2" == "DNS" ] ; then
                                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
                                echo "nameserver $part3" >>/etc/resolv.conf  ###############  (2) append pushed server
                        fi
                fi
        done
        ;;

The changes are marked by "###############":
1. Blank out resolv.conf
2. Add name server(s) to /etc/resolv.conf by brute force

Since the resolv.conf is regenerated on bootup I don't do a save/restore on the original configuration. (I almost never work without Boleh active anyway.)

The problem with the original script seems to be that /sbin/resolvconf, which is called to do the actual dirty work, is not working. It was easier to do this quick and grotesque hack than to figure out the actual problem. :-) I'm working with Xubuntu and have not tried the Arch script.

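As an added example (not code from this thread or from BolehVPN), here is the same "up" logic written as POSIX sh functions: they read the `foreign_option_N` variables OpenVPN exports for pushed `dhcp-option DNS` entries, write them to a file path of your choosing instead of /etc/resolv.conf, and then check that file for any resolver the VPN did not push, which is the leak the later replies warn about. The `foreign_option_*` values at the top are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from this thread or from BolehVPN.
# OpenVPN exports each pushed option as foreign_option_N="dhcp-option DNS a.b.c.d"
# before running the --up script (script-security 2). The values below are
# constructed sample data standing in for what the server would push.
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DOMAIN vpn.example"
foreign_option_3="dhcp-option DNS 10.8.0.2"

# Print one "nameserver X" line per pushed DNS server, skipping DOMAIN etc.
# Walks foreign_option_1, _2, ... until the first unset one, so it works in
# plain sh without bash's ${!var} indirection.
pushed_nameservers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        set -- $opt
        if [ "$1" = "dhcp-option" ] && [ "$2" = "DNS" ]; then
            printf 'nameserver %s\n' "$3"
        fi
        i=$((i + 1))
    done
}

# Overwrite a resolv.conf-style file with the pushed servers only (the poster's
# "brute force" step); pass a scratch path rather than /etc/resolv.conf to try it.
apply_pushed_dns() { pushed_nameservers > "$1"; }

# Leak check: return 0 only if every nameserver in the file was pushed by the VPN;
# any other resolver (e.g. the ISP's) is printed and makes the function return 1.
check_no_dns_leak() {
    allowed=" $(pushed_nameservers | awk '{printf " %s ", $2}') "
    rc=0
    while read -r key val _; do
        [ "$key" = "nameserver" ] || continue
        case "$allowed" in
            *" $val "*) ;;
            *) echo "leak: $val was not pushed by the VPN"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Stand-alone demo against a temporary file.
demo_file=$(mktemp)
apply_pushed_dns "$demo_file"
check_no_dns_leak "$demo_file" && echo "only VPN-pushed resolvers in $demo_file"
rm -f "$demo_file"
```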

Offline Slacker

Re: DNS, needs to be fixed and unified.
« Reply #12 on: February 12, 2015, 05:08:16 PM »
Ok, be sure to go to GRC, this is a good test for DNS;

https://www.grc.com/dns/dns.htm

Even though it's listed as Spoofability it will test to see all the DNS it can query.

Just click the button at the bottom of the page; 'Initiate...

Offline fredsanford

Re: DNS, needs to be fixed and unified.
« Reply #13 on: February 13, 2015, 03:50:06 AM »
The GRC test comes up with a single DNS server located in the geographic area of the Boleh VPN remote endpoint. Spoofability is listed as "moderate" overall (all aspects were rated "Excellent" except for Stuck Bits) with the following summation:

Code:
Spoofability Mitigation Note: Even though one or more of the individual “spoofability” parameters
shown above does indicate a worrying spoofability grade of “Moderate”, our attempt to directly query
this server from the Internet failed. Therefore, “Kaminsky-style” cache poisoning attacks will be either
more difficult or impossible to conduct.  As long as this nameserver remains inaccessible to Internet
queries, there is little danger of it becoming a victim of Kaminsky-style cache poisoning attacks.

Looks like it should be OK.

Offline Slacker

Re: DNS, needs to be fixed and unified.
« Reply #14 on: February 13, 2015, 01:28:16 PM »
If it's showing, as you said, a BolehVPN DNS then this is good; if for example there are 2 DNS but you only get one, that's ok too.

You just don't want a leak and see other DNS, like from your ISP...