Author Topic: Luxembourg ~ Google DNS.  (Read 15292 times)

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Luxembourg ~ Google DNS.
« on: May 06, 2014, 05:23:37 AM »
I have noticed over the last few days that BolehVPN's servers hosted in the Luxembourg region have had their DNS servers changed to Google DNS. Normally this would not be a concern as Google is a good DNS company, but their blatant logging policies, which come with all their services, should heed warning against using Google DNS as the DNS for a VPN service's servers. I'm not sure if the changes were implemented by BolehVPN yourselves or if their server farms made the change, but I thought I would bring it up anyway. I also noticed a reduced speed in DNS lookup since the servers have been changed over what they were before, which is also not a good thing.

Could I get any information on why the changes were made and if you are going to change them back? It poses a security risk due to DNS lookup/Java/Flash exploits and the way Google does GEO resolving. Put simply, YouTube/Google services can figure out who users are due to browser security holes and DNS lookup through their servers and match the browser fingerprints to the DNS lookup.

Offline Chris

  • BolehVPN Staff
  • Admiral
  • *****
  • Posts: 2200
  • Beneath a cobalt moon
Re: Luxembourg ~ Google DNS.
« Reply #1 on: May 06, 2014, 03:40:05 PM »
We changed over to Google DNS as the privacy foundation DNS goes offline sometimes. We chose Google DNS because it provides better speed and reliability compared to OpenDNS, and also because Google DNS has a better privacy policy than OpenDNS. You can compare them here: https://developers.google.com/speed/public-dns/privacy and http://www.opendns.com/privacy-policy/

A DNS query is just a DNS query; the browser security holes and fingerprinting are done at the website level, such as www.whatismyipaddress.com. A DNS query will only show the IP that requested DNS, which is our VPN server.

However, cookies in your browser may give away your IP, which is why we always recommend clearing the cache, cookies, and using an anonymous browsing session to make sure there's no tracking.

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Re: Luxembourg ~ Google DNS.
« Reply #2 on: May 07, 2014, 04:50:01 AM »
There are so many reasons why using Google DNS is a privacy risk, which is insane for a VPN company. I agree OpenDNS is bad as well. I would strongly urge you to find another DNS provider, or you could do what so many other VPN services do and host your own DNS server for your clients, Mullvad being one of these companies. I won't use servers connected to Google DNS and it's a shame so many other users will without knowing the privacy risks. Google has been well known in the past and through experimentation to use browser geo-location and DNS queries/fingerprints to actually match users who use VPNs. I was part of a whole discussion trying to figure out why someone who was using a VPN kept having their real location shown in Gmail. We eventually found out it was because Google DNS servers were being matched on Gmail with browser fingerprinting, bypassing the VPN to discover the identity of the user.

Please can you guys look into changing this? I also notice you use Google DNS on your Canadian servers. I understand you do it for convenience but it's really not in the best interests of your customers.

Thanks

> A DNS query is just a DNS query,

Come on now, I know you know better than that, Chris.

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: Luxembourg ~ Google DNS.
« Reply #3 on: May 07, 2014, 11:00:39 AM »
Sure we will look into this.

If you're using Gmail and concerned about privacy... Did you confirm that as long as Google's DNS servers were used (and not from a DNS leak) the Gmail would report your true location? Or were there other things such as cookies or profile info? Would be interested if you could share such results. It's boggling to think why Google would go to such extents to match fingerprints just from their DNS. Sounds like something else was leaking.

Was the browser in Incognito mode?
*If you like my service/support, please consider posting a positive feedback here*<3



Co-Founder/Administrator

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: Luxembourg ~ Google DNS.
« Reply #4 on: May 07, 2014, 11:21:26 AM »
Btw hosting your own DNS server is not so simple. It becomes a constant battle to maintain it against vulnerabilities which pop up all the time. Or if someone somehow breaks into our DNS server...it becomes a single failure point and we frankly don't have the resources to continue performing security audits in a timely manner as opposed to a large DNS provider. It's all fine and dandy to say "Yes let's host our own DNS server" and to do that is easy but do they really really check how vulnerable their DNS is? DNS poisoning is not a trivial risk to mitigate.

As you can see even the Privacy Foundation's own DNS servers have lagged behind and gone down in certain instances.

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: Luxembourg ~ Google DNS.
« Reply #5 on: May 07, 2014, 11:37:20 AM »
We also note that it's been recommended that we use the ISP's own DNS servers which we feel is also insecure since not all ISPs are upfront about their policies. Same can be said about Google I suppose but at least they have a clear and unambiguous privacy policy.

Would be interested to hear what DNS servers you have in mind. Looking at OpenNIC.
« Last Edit: May 07, 2014, 11:40:12 AM by Reuben »

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: Luxembourg ~ Google DNS.
« Reply #6 on: May 07, 2014, 05:02:20 PM »
We have decided to go with OpenNIC servers and Privacy Foundation and just keep them updated. This may mean less reliability but better privacy.

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Re: Luxembourg ~ Google DNS.
« Reply #7 on: May 08, 2014, 05:09:19 AM »
> We have decided to go with OpenNIC servers and Privacy Foundation and just keep them updated. This may mean less reliability but better privacy.

Thanks Reuben,

That's good to hear. I'm sure other members will be glad that you're using OpenNIC/PrivacyFoundation servers now despite the slightly less reliability. I understand that some people just use a VPN for Netflix/iPlayer but at the core it should still be focused on privacy as a mainstay for its consumers. I appreciate you looking into the issue for me; it's one of the reasons I love you guys: we have a problem and you fix it for us, you're great like that.

I am not sure about Google, but about a year and a half ago we were locating ourselves in Gmail and some other Google services after we locked our systems down for testing. We went through heavy testing and eventually found that by changing our DNS server the location look-up failed. We never could find a clear reason why this happened or what caused it, only knowing that a DNS change fixed it. We came to the conclusion somehow that there was some DNS/browser fingerprinting going on which stored your "real" location on Gmail's servers and, when connecting with a VPN, checked your browser and found out they were the same and displayed your previous country/IP so Gmail was in the correct language. I don't know why they do this, they just seem to do so, which is why I brought the issue up as a privacy concern.

I personally recommend GermanPrivacyFoundation/SwissPrivacyFoundation DNS servers myself. I believe they have the best track record.

Thanks again guys, I appreciate your help looking into the matter  ;)

Offline Reuben

  • Chief Doraemon
  • Administrator
  • Admiral
  • *****
  • Posts: 6878
Re: Luxembourg ~ Google DNS.
« Reply #8 on: May 08, 2014, 10:23:09 AM »
No problem, the nightmare begins for us :P Some of Germany Privacy Foundation's DNS servers are not active anymore. OpenNIC's Canada servers are also totally down Grrrr

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Re: Luxembourg ~ Google DNS.
« Reply #9 on: May 08, 2014, 03:07:02 PM »
> No problem, the nightmare begins for us :P Some of Germany Privacy Foundation's DNS servers are not active anymore. OpenNIC's Canada servers are also totally down Grrrr

If you can't use the German Privacy Foundation, there is always their Swiss Privacy Foundation. Both of these should be fine for most of Europe, only needing to find an OpenNIC solution in Asia and North America/Canada. I thank you for your hard work, it pays off in the end. I am the most obsessive compulsive VPN user in existence and I stick with you guys because you show us you care, which is important, and I would not trade it for a VPN company with all the 1GB/s servers in the world.

Peace guys, thanks again for all your hard work. Hopefully everything will go well and fit into place nicely!  :P

Offline Chris

  • BolehVPN Staff
  • Admiral
  • *****
  • Posts: 2200
  • Beneath a cobalt moon
Re: Luxembourg ~ Google DNS.
« Reply #10 on: May 08, 2014, 03:17:27 PM »
Quick update: Lux servers should have been off Google DNS since this morning.

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Re: Luxembourg ~ Google DNS.
« Reply #11 on: May 08, 2014, 05:01:28 PM »
> Quick update: Lux servers should have been off Google DNS since this morning.

Yep, I am getting "ns3.ezdns.it", which is an OpenNIC DNS server I believe.

Thanks again.

Offline userjame

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 44
Re: Luxembourg ~ Google DNS.
« Reply #12 on: July 22, 2014, 04:07:22 AM »
Back to Google DNS again?

Lux server xxx.xxx.176.3:

IP              Hostname    ISP       Country
74.125.73.17    none        Google    United States
74.125.73.19    none        Google    United States
74.125.73.20    none        Google    United States
74.125.73.16    none        Google    United States
74.125.73.18    none        Google    United States

Same on new Swiss server :(

Offline Indingo

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 85
Re: Luxembourg ~ Google DNS.
« Reply #13 on: July 22, 2014, 03:31:09 PM »
> Back to Google DNS again?
>
> Lux server xxx.xxx.176.3:
>
> IP              Hostname    ISP       Country
> 74.125.73.17    none        Google    United States
> 74.125.73.19    none        Google    United States
> 74.125.73.20    none        Google    United States
> 74.125.73.16    none        Google    United States
> 74.125.73.18    none        Google    United States
>
> Same on new Swiss server :(

Yeah, I noticed and posted about that. I am sure they are just busy with the IPT thing. If you want to use Lux without Google DNS, you can make a copy of the Luxembourg config. You then go to it and remove everything between # Server List & remote-random and just leave the server named #New lux, as this one does not have Google DNS on it, thankfully. Just save it and on next launch it should show up. I recommend naming it differently so your normal Lux config shows up.
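
The config edit described in Reply #13 above, as an added example that is not part of the original thread and is not BolehVPN's own tooling. The sample config layout, the 192.0.2.x documentation addresses and the function names are assumptions; only the `# Server List`, `remote-random` and `#New lux` markers come from the post.

```python
# Constructed sample: the real BolehVPN config layout is not shown on the page.
SAMPLE_CONFIG = """\
client
dev tun
# Server List
#Lux 1
remote 192.0.2.10 443
#Lux 2
remote 192.0.2.11 443
#New lux
remote 192.0.2.20 443
remote-random
resolv-retry infinite
"""


def keep_only_server(config_text, label="#New lux",
                     start="# Server List", end="remote-random"):
    """Drop every server entry between the markers except the labelled one."""
    lines = config_text.splitlines()
    stripped = [ln.strip() for ln in lines]
    try:
        s = stripped.index(start)
        e = stripped.index(end, s + 1)
    except ValueError:
        raise ValueError("server list markers not found") from None
    kept, inside = [], False
    for ln in lines[s + 1:e]:
        text = ln.strip()
        if text.startswith("#"):          # a comment line starts a new entry
            inside = text.lower() == label.lower()
        if inside:
            kept.append(ln)
    # Refuse to emit a config that would have no server left to connect to.
    if not remotes("\n".join(kept)):
        raise ValueError(f"no remote entry found under {label!r}")
    return "\n".join(lines[:s + 1] + kept + lines[e:]) + "\n"


def remotes(config_text):
    """Return the host of every 'remote' directive in the config."""
    hosts = []
    for ln in config_text.splitlines():
        parts = ln.split()
        if len(parts) >= 2 and parts[0] == "remote":
            hosts.append(parts[1])
    return hosts


if __name__ == "__main__":
    print(keep_only_server(SAMPLE_CONFIG), end="")
```

Write the result to a new file name so the original Luxembourg config stays available, then repeat the DNS lookup check after connecting to confirm which resolver the server actually uses.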

Offline userjame

  • BolehVPN Subscriber
  • Boatswain
  • **
  • Posts: 44
Re: Luxembourg ~ Google DNS.
« Reply #14 on: July 22, 2014, 03:34:32 PM »
Thanks Indigo.

I'm using the BRLU01 (LUX) now

IP               Hostname    ISP                    Country
62.141.38.230    none        myLoc managed IT AG    Germany


Reuben, Chris, will you be changing the USA Google DNS soon on the new Swiss and some of the Lux servers?
« Last Edit: July 22, 2014, 03:36:15 PM by userjame »