How to set DNS correctly?

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IPv6 leakblocking, to firewall-based structures that enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Post by savumies » Thu Jun 29, 2017 10:46 pm

I'm running on Debian 9 and am having some light issues and questions related to DNS/DNS leaks/iptables.

I have openvpn 2.4.0 and am setting iptables according to ... but without the hexstring part because I don't know what it does. =]

When I run openvpn from the command line I don't get a new nameserver in /etc/resolv.conf and it doesn't show in either the openvpn logs or /var/log/syslog.

When I connect with gnome's network-manager, though, I can see in syslog that Avahi is triggered and sets a new nameserver that comes from CS. The catch is that it keeps my local router as a secondary nameserver as well. So I wonder: Can it leak DNS sometimes because of that? Does it matter in any way?

Right now I just picked one of the CS DNS servers and set it with a script. Also running openvpn from command line. Everything seems quite smooth and fast but I could not access .onions. So I wondered: Is there a correct DNS server for each CS entry node/location?

And finally, is there a way to get the 'correct' DNS server address (if there is one) from the OpenVPN server automatically?

It seems that this is somehow related to viewtopic.php?f=46&t=9356 but I did not understand why I should set a nameserver and how dnsmasq comes into the scene. =]


Re: How to set DNS correctly?

Post by parityboy » Fri Jun 30, 2017 4:42 am


Yes. For each given node that you connect to, you must use that node's DNS server in order to connect to .onion/.eth/.i2p/.bit domains. Using another node's DNS (or indeed any other DNS) server will result in failure.

Usually this isn't an issue because the DNS entry is pushed down from the currently connected exit node.

dnsmasq is effectively a DNS proxy which listens for DNS requests and forwards them on to the real DNS server it is configured to talk to. Usually this is your router (which in turn proxies the request to an actual DNS server, like your ISP's), but in the case of a VPN connection that information is overridden by the VPN server software running on the exit node.

Best thing you can do is let the VPS server handle your DNS entry and check your config against an IP leak test website.
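An added example to show the mechanism parityboy describes (this is not code from the thread or from cryptostorm's own scripts). On Linux, OpenVPN 2.4 does not edit /etc/resolv.conf itself; a pushed `dhcp-option DNS a.b.c.d` is only exposed to an `--up` script as environment variables named `foreign_option_1`, `foreign_option_2`, ... (plus `script_type` and `dev`), which is why running openvpn from the command line with no up script leaves resolv.conf unchanged. The script below applies exactly the nameserver(s) the connected node pushed and nothing else, so no secondary resolver (such as the local router) remains to leak queries, and restores the original file on disconnect. The script path, the `RESOLV_CONF` override and the addresses and domain used in testing are assumptions for illustration.

```shell
#!/bin/sh
# cs-dns.sh: minimal OpenVPN --up/--down script that installs only the
# resolver(s) pushed by the exit node. Example code, not cryptostorm's own.
#
# Assumed client.conf lines (script-security 2 is required for up/down scripts):
#   script-security 2
#   up   /etc/openvpn/cs-dns.sh
#   down /etc/openvpn/cs-dns.sh

# Target file; overridable so the script can be exercised on a scratch file.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${RESOLV_CONF}.cs-backup"

# Translate foreign_option_1..N (as set by OpenVPN for pushed options it does
# not handle itself) into resolv.conf lines. Only DNS and DOMAIN are used.
pushed_resolv_lines() {
    i=1
    while true; do
        eval "opt=\${foreign_option_$i:-}"
        [ -z "$opt" ] && break
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Replace resolv.conf with the pushed resolvers only, keeping one backup.
# If the server pushed no DNS at all, leave the file alone and return 1 so
# the failure is visible in the OpenVPN log instead of silently falling
# back to whatever resolver was there before.
apply_pushed_dns() {
    lines="$(pushed_resolv_lines)"
    if ! printf '%s\n' "$lines" | grep -q '^nameserver '; then
        echo "cs-dns: server pushed no DNS option, ${RESOLV_CONF} left untouched" >&2
        return 1
    fi
    if [ -f "$RESOLV_CONF" ] && [ ! -f "$BACKUP" ]; then
        cp "$RESOLV_CONF" "$BACKUP"
    fi
    printf '# generated by cs-dns.sh for %s\n%s\n' "${dev:-tun}" "$lines" > "$RESOLV_CONF"
}

# Put the pre-connection resolv.conf back.
restore_dns() {
    if [ -f "$BACKUP" ]; then
        mv "$BACKUP" "$RESOLV_CONF"
    fi
}

# OpenVPN sets script_type to "up" or "down" before invoking the script.
case "${script_type:-}" in
    up)   apply_pushed_dns ;;
    down) restore_dns ;;
esac
```

Two caveats when using this on Debian 9: if /etc/resolv.conf is a symlink owned by resolvconf, NetworkManager or systemd-resolved, those tools will fight over the file, so either disable their management of it or feed the pushed address into dnsmasq's upstream server list instead of writing the file directly; and because the file now names a single resolver, a `cat /etc/resolv.conf` after connecting is a quick first check before running an external leak test.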