- {direct link: dnsleak.cryptostorm.ch}
note: technical whitepaper on the subject of "DNS leaks" available at leaks.cryptostorm.ch
Being just 48 hours online on the darknet, I discovered the DNS leak problem or subject.
I'm not a network geek and I try to understand the problem, so I thought I could perhaps explain what I understand about it, or what I believe I understand. Here I go:
In the past I thought that with a VPN connection I
- do not appear with my ISP IP number but with the number of some CC, now CS, server,
- my communication partners (persons or servers or p2p partners or who- or whatever) neither see my original IP nor know that my IP is not my original IP (well, the 2nd point is perhaps not true because CS servers and their IP numbers will become known as time goes by...), and
- my ISP does not know what I am doing on the internet: it sees neither the metadata of my activities nor the content of the packets I send or receive. All my ISP sees is that I am connected to a server in Iceland and that there is a data flow, that's all.
Well, I did the test on dnsleaktest.com and effectively, my IP number is (for example) one in Iceland, but in the DNS test, an IP number from the country I live in appears (it's even a server of my ISP's company). This is supposed to be the "DNS leak", I guess. It's not my ISP IP number, but an IP number in my country, and the connection myComputer <-> DNS server is not the encrypted connection. So the DNS server could log all the URLs I'm visiting; it could get the metadata of my life on the www.
So now my question:
If there was no DNS leak, would this mean that my cryptostorm connection (cs-c) goes directly to my ISP server, from there to a CS exit node, and only then my tunneled connection contacts some DNS server near the CS exit node, for example in Iceland or near Iceland, and from there I visit the web pages, so that the webserver contact AND the DNS server contact both happen through the tunneled connection? Is that right, is that the goal?
But if some DNS server is connected with the cs-c, the DNS server could not understand my requests (what IP number is this domain, what IP number is that domain, etc.) because the cs-c is encrypted. Here I get confused. You see, by writing this down I seem to discover a contradiction in the problem I thought to approach, as if a VPN without DNS leak is in principle not possible??!
Cryptostorm does not have its own DNS servers, I suppose.
Now this is what I tried to do. (My system: opensuse linux).
- I tried to block port 53 (UDP) in my firewall; nothing changed.
- I tried the option --redirect-gateway with the def1 flag (see here) for openvpn.
- I tried to make a connection without the DHCP service, with manually written DNS servers and my ISP IP number set statically.
Then I had the following idea: my ADSL modem is also a router.
This router has its own DHCP server in connection with my ISP, so I disabled it.
No change; I see one of the DNS servers I wrote in my ConnectionManager.
I spent some hours working on it, trying things out, and now I would prefer to know whether I am looking in the right direction or whether I deeply misunderstand the DNS leak problem. What would it look like if the DNS leak problem was solved?
Perhaps some of the network specialists here could clarify my questions.
Thank you.
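The post above asks where DNS queries actually go once `--redirect-gateway def1` is in place. The following is an added example, not code from the poster or from cryptostorm, that answers that question offline: it parses a resolv.conf-style file and `ip route show` output, performs the same longest-prefix match the Linux kernel does, and lists every configured nameserver whose queries would leave on an interface other than the tunnel. Both inputs are constructed samples (the interface names `tun0`/`eth0`, the addresses and the route metrics are assumptions, not the poster's configuration), and route metrics are ignored as a simplification.

```python
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, outgoing interface)

# Constructed sample /etc/resolv.conf (assumption: not taken from the poster's machine).
# The first entry is the LAN router, which typically forwards to the ISP's resolvers.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 10.31.33.7
"""

# Constructed sample `ip route show` output after OpenVPN applied
# --redirect-gateway def1 on tun0: the two /1 routes cover the whole address
# space and beat the ISP default route (prefix length 1 > 0), while the LAN /24
# and the host route to the VPN server itself stay on eth0.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.31.33.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
128.0.0.0/1 via 10.31.33.1 dev tun0
10.31.33.0/24 dev tun0 proto kernel scope link src 10.31.33.6
198.51.100.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` lines into (prefix, interface) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts:
            continue
        dest = parts[0]
        if dest == "default":
            dest = "0.0.0.0/0"
        elif "/" not in dest:
            dest += "/32"  # a bare address in `ip route` is a host route
        iface = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), iface))
    return routes


def egress_interface(ip: str, routes: List[Route]) -> str:
    """Pick the outgoing interface by longest-prefix match, as the kernel does
    (equal-length ties and metrics are ignored: simplification)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else "unreachable"


def find_leaking_resolvers(resolv_text: str, routes_text: str,
                           tunnel_dev: str = "tun0") -> Dict[str, str]:
    """Map each configured nameserver that would NOT be reached through the
    tunnel to the interface its queries would actually leave on."""
    routes = parse_routes(routes_text)
    leaks = {}
    for ns in parse_resolv_conf(resolv_text):
        dev = egress_interface(ns, routes)
        if dev != tunnel_dev:
            leaks[ns] = dev
    return leaks


if __name__ == "__main__":
    for ns, dev in find_leaking_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES).items():
        print(f"nameserver {ns} would be queried over {dev}, outside the tunnel")
```

In the constructed sample, `203.0.113.53` and `10.31.33.7` fall under the `/1` routes or the tunnel's own subnet and are queried through `tun0`, but `192.168.1.1` matches the more specific LAN route and is queried over `eth0`, exactly the situation where `redirect-gateway def1` alone does not help: the router answers from the LAN and forwards the query to the ISP's resolver in plain text, so a leak test sees an in-country resolver. A solved configuration, in these terms, is one where every nameserver in resolv.conf resolves to `tun0` (typically a resolver on the VPN side, pushed by the server or written in by an `up` script). This check only inspects configuration; applications that carry their own resolver settings can still bypass it, so it complements rather than replaces an end-to-end test like the one the poster ran.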