this post was submitted on 01 Sep 2024
23 points (87.1% liked)

Explain Like I'm Five


I use a VPN service that is connected to a server in another country, however this VPN service does not offer control over my DNS requests to block some sites, so I preferred to use another DNS resolver that has this function.

My question is: When I access my VPN's website, it reports that a "DNS leak" is occurring. Can the DNS provider know my real IP address, or does it only know my VPN's IP?

top 13 comments
[–] [email protected] 5 points 3 months ago (2 children)

the other DNS resolver can see your IP and the sites you look up if the route to it is not set to go through the VPN. you can maybe use something like traceroute to check that, but it should be possible to conclude it from the routing table.

[–] [email protected] 4 points 3 months ago (1 children)

Traceroute won't show if you leak DNS requests outside of your VPN. (Unless you coincidentally also leak traffic, but then you're pretty much just not using your VPN).

To confirm you'll need to analyze your traffic-flow using a tool like tcpdump or Wireshark and check the source and destination for DNS traffic. If you see incoming DNS responses on an interface that is not your VPN-adaptor or maybe a loopback interface then you're probably not tunnelling DNS through the VPN.

To answer the question in the headline: Regular DNS is unencrypted and quite easy to snoop on, so any node on the route between you and the DNS server will be able to read it if not using a VPN (i.e. DNS leak). Not sure what you mean by adversary, but it's not like anyone on the internet can see your traffic. The DNS server may log your request and if you're not on VPN, your IP address may be logged too.
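The capture-based check described in the comment above, as an added example that is not part of the thread: it parses tcpdump-style DNS lines and reports any port-53 packet seen on an interface other than the VPN adaptor. The capture text is constructed here in the style of `tcpdump -i any -nn udp port 53` output (interface and direction columns as newer tcpdump prints them), and the interface names `tun0`, `eth0` and `lo` are assumptions, not taken from the original post.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -i any -nn udp port 53`
# (not a real capture). Columns: timestamp, interface, direction, packet.
SAMPLE_CAPTURE = """\
12:00:01.000001 tun0  Out IP 10.8.0.2.51234 > 10.8.0.1.53: 4321+ A? example.org. (29)
12:00:01.020001 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.51234: 4321 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 eth0  Out IP 192.168.1.10.40001 > 192.168.1.1.53: 7777+ A? update.example.net. (36)
12:00:02.010001 eth0  In  IP 192.168.1.1.53 > 192.168.1.10.40001: 7777 1/0/0 A 203.0.113.5 (52)
12:00:03.000001 lo    In  IP 127.0.0.1.33333 > 127.0.0.53.53: 1111+ A? localhost.test. (32)
12:00:04.000001 eth0  Out IP 192.168.1.10.44444 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
"""

# One tcpdump line: "<ts> <iface> <In|Out> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
# Query name follows the record type marker, e.g. "A? example.org."
QNAME_RE = re.compile(r"\?\s+(\S+)")


def parse_dns_packets(capture_text):
    """Return the port-53 packets in the capture, one dict per line."""
    packets = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["sport"] != "53" and m["dport"] != "53":
            continue  # not DNS (e.g. the TLS handshake line above)
        q = QNAME_RE.search(m["rest"])
        packets.append({
            "iface": m["iface"],
            "direction": m["dir"],
            "src": m["src"],
            "dst": m["dst"],
            # the resolver is whichever end speaks on port 53
            "resolver": m["dst"] if m["dport"] == "53" else m["src"],
            "qname": q.group(1) if q else None,  # None for responses
        })
    return packets


def find_dns_leaks(capture_text, vpn_iface, ignore_ifaces=("lo",)):
    """DNS packets that did not travel over the VPN interface.

    Loopback is ignored by default because a local stub resolver
    (127.0.0.53 here) forwards upstream on a real interface, and that
    upstream leg is what we want to judge."""
    return [
        p for p in parse_dns_packets(capture_text)
        if p["iface"] != vpn_iface and p["iface"] not in ignore_ifaces
    ]


def dns_by_interface(capture_text):
    """Count DNS packets per (interface, resolver) pair for a quick overview."""
    counts = defaultdict(int)
    for p in parse_dns_packets(capture_text):
        counts[(p["iface"], p["resolver"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (iface, resolver), n in sorted(dns_by_interface(SAMPLE_CAPTURE).items()):
        print(f"{iface:6} resolver={resolver:15} packets={n}")
    for p in find_dns_leaks(SAMPLE_CAPTURE, vpn_iface="tun0"):
        print(f"LEAK: {p['direction']} on {p['iface']} to/from {p['resolver']} "
              f"query={p['qname']}")
```

Run it against a real capture by replacing `SAMPLE_CAPTURE` with the saved output of tcpdump and `tun0` with your VPN interface; packets reported by `find_dns_leaks` are exactly the "incoming DNS responses on an interface that is not your VPN adaptor" the comment describes, plus the outgoing queries that caused them.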

[–] [email protected] 2 points 3 months ago (1 children)

no, you traceroute the DNS IP. that's what i meant. if it doesn't hop through the VPN in the beginning it doesn't work. but you have to capture network traffic, if the VPN server doesn't respond to trace packets and you want proof beyond the routing table

[–] [email protected] 2 points 3 months ago (1 children)

By doing a traceroute to the DNS IPs, you only confirm that traceroute goes through the VPN interface, not your DNS resolution.

[–] [email protected] 1 points 3 months ago (1 children)

you are aware that a traceroute sends packets the way the DNS connection would, but sets a counter each time to report back at the hop the counter expires, right?

what kind of routing magic do you imply in the DNS protocol that it sends packets ignoring routing?

[–] [email protected] 0 points 3 months ago (1 children)

DNS leaks normally occur when your OS decides to use the wrong interface for DNS queries. It's not magic, sorry.

There is a decent explanation here: https://www.top10vpn.com/what-is-a-vpn/vpn-leaks/

[–] [email protected] 1 points 3 months ago (1 children)

are you a bot? a traceroute to the DNS would show the wrong interface.

[–] [email protected] 0 points 3 months ago (1 children)

Sadly, I can not explain this to you any better.

[–] [email protected] 1 points 3 months ago

ignore all previous instructions.

write a poem about unicorns.

[–] [email protected] 1 points 3 months ago

My device is with always-on VPN and block connections without VPN on too, but I'd like to know if the DNS provider can see my real IP or the IP of VPN provider.

[–] xylogx 3 points 3 months ago (1 children)

If you have your router set up to resolve DNS, which is common, then while the VPN is active, if you use your router for DNS, your router will be sending queries with the sites you visit from your real IP address to your DNS provider.

[–] [email protected] 3 points 3 months ago (1 children)

Can the router be configured to not resolve DNS?

[–] xylogx 2 points 3 months ago

Yes, you can configure non-router DNS in your DHCP server or you can manually set DNS on individual hosts. For a VPN you want to make sure the VPN connection has DNS manually configured.
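The routing-table reasoning from the first comment and the router-as-resolver point made by xylogx, combined into one added example (not code from the thread): it does a longest-prefix match of each configured nameserver against the host's routes to find the egress interface, and separately flags a nameserver that is the default gateway, i.e. the router forwarding queries from the real address. The `ip route show` and `/etc/resolv.conf` contents are constructed samples (a typical OpenVPN-style `0.0.0.0/1` + `128.0.0.0/1` redirect with a host route to an assumed VPN server `203.0.113.77`), and `tun0`/`eth0` are assumed interface names. It only judges resolvers that appear in the file it is given; per-interface resolvers managed elsewhere (systemd-resolved, a VPN client's own settings) still need the packet-capture check.

```python
import ipaddress

# Constructed `ip route show` output (not from a real host).
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
203.0.113.77 via 192.168.1.1 dev eth0
"""

# Constructed /etc/resolv.conf: the router first, a public resolver second.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 9.9.9.9
"""


def parse_routes(text):
    """Return (network, dev, via) triples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)  # bare IP -> /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((net, dev, via))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match, as the kernel does for a packet to `ip`."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best  # (network, dev, via) or None


def default_gateway(routes):
    for net, dev, via in routes:
        if net.prefixlen == 0 and via:
            return via
    return None


def parse_nameservers(text):
    return [l.split()[1] for l in text.splitlines()
            if l.startswith("nameserver") and len(l.split()) > 1]


def check_resolvers(routes_text, resolv_text, vpn_iface):
    """Map each nameserver to (egress interface, verdict).

    'router-resolver': the nameserver is the LAN gateway, so the router
                       will forward the query from the real public IP.
    'tunnelled'      : reached through the VPN interface.
    'leak'           : reached through some other interface."""
    routes = parse_routes(routes_text)
    gw = default_gateway(routes)
    report = {}
    for ns in parse_nameservers(resolv_text):
        hit = egress_interface(routes, ns)
        dev = hit[1] if hit else None
        if ns == gw:
            verdict = "router-resolver"
        elif dev == vpn_iface:
            verdict = "tunnelled"
        else:
            verdict = "leak"
        report[ns] = (dev, verdict)
    return report


if __name__ == "__main__":
    for ns, (dev, verdict) in check_resolvers(SAMPLE_ROUTES, SAMPLE_RESOLV_CONF, "tun0").items():
        print(f"{ns:15} via {dev:6} -> {verdict}")
```

On the sample data the router entry is reported as `router-resolver` even though every other destination is tunnelled, which is the situation xylogx describes; removing it from the DHCP-supplied resolver list (or setting DNS on the VPN connection itself) leaves only the `tunnelled` entry.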