Features of the Windows 10 DNS Resolver and DNS Leak

TL;DR: The DNS resolver in Windows 10 sends each query to every DNS server address known to the system in parallel, binding each request to its interface, and uses whichever response arrives first. If one of those servers is inside a local segment (for example, your home router), this behavior lets your ISP, or an attacker running a Wi-Fi hotspot, spoof DNS records even while you are connected to a VPN.

Modern versions of Windows add headaches for active VPN users. Up to and including Windows 7, the DNS resolver behaved predictably: it queried DNS servers in order of interface priority and then server priority, much like every other operating system. A so-called DNS leak (a DNS query escaping through the external interface while the VPN was connected) happened only if the DNS server inside the VPN tunnel failed to respond in time or returned an error, so it was not a glaring problem.

Windows 8

With Windows 8, Microsoft added a very interesting feature to the DNS resolver that, as far as I can tell from searching, went completely unnoticed: Smart Multi-Homed Name Resolution. When it is enabled (and it is enabled by default), the OS sends each query to every DNS server it knows about on every network interface in parallel, binding each request to its interface. This was probably done to cut the waiting time when the preferred DNS server cannot answer within its timeout (1 second by default): as soon as the timeout expires, the answer from the next server in priority order is already there. The result is that in Windows 8 and 8.1 all of your DNS queries "leak" through the Internet interface, letting your ISP or the Wi-Fi hotspot owner see which sites you visit, provided your routing table allows the query to reach that DNS server through the Internet interface. This is most often the case when you use a DNS server inside the local segment, which is exactly what 99% of home routers provide.

You can disable this functionality by creating, under the registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
a DWORD value named
DisableSmartNameResolution
set to anything other than zero; this returns the resolver to its old behavior.
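As an added example (not part of the original article), here is how the registry change above can be applied and read back from an elevated PowerShell prompt, followed by a listing of every DNS server the resolver knows about on every interface, since a local-segment server on the Internet-facing interface is the precondition for the leak. The registry path and value name are the ones from the text; the RFC 1918 "local segment" check is a simplification added here for illustration.

```powershell
# Added example, not from the original article: apply the Windows 8/8.1 policy
# value described above and audit which DNS servers the resolver knows about.
# Run from an elevated PowerShell prompt.

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

# The Policies\...\DNSClient key usually does not exist until a policy is set.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Any non-zero DWORD disables Smart Multi-Homed Name Resolution; 1 is conventional.
New-ItemProperty -Path $key -Name 'DisableSmartNameResolution' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back: a value of 1 confirms the policy value is in place.
(Get-ItemProperty -Path $key -Name 'DisableSmartNameResolution').DisableSmartNameResolution

# Audit: every DNS server on every interface is a candidate for the parallel
# queries. A server inside the local segment (e.g. the 192.168.x.x address of a
# home router) on the Internet-facing interface is exactly the leak precondition.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($srv in $_.ServerAddresses) {
            # Simplified local-segment check (RFC 1918 ranges only), an assumption
            # made for this example; a site-local IPv6 or link-local server would
            # need the same treatment.
            $local = $srv -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
            [pscustomobject]@{
                Interface    = $alias
                DnsServer    = $srv
                LocalSegment = $local
            }
        }
    } | Format-Table -AutoSize
```

Any row with LocalSegment set to True on an interface other than the VPN adapter is a server that the Windows 8/8.1 resolver will query in parallel with the tunnel's DNS server, so it is worth removing or replacing it even after the policy value is set.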

Windows 10

Although Windows 8 and 8.1 sent all of your queries through the public interface without your knowledge, spoofing a DNS response to redirect you to a fake site was hard for an attacker, because the OS used the spoofed answer only when it could not get the correct answer from the preferred DNS server, which is the server inside the encrypted tunnel.
Everything changed with Windows 10. Now the OS not only sends the query out of every interface but also uses whichever response arrives first, which almost always lets your provider redirect you to its block page for a banned site, or an attacker to a fake one. Moreover, the registry setting that disabled Smart Multi-Homed Name Resolution in Windows 8.1 has no effect on the new version.
The only acceptable (though not the most reliable) workaround is to configure a DNS server outside the local segment on the Internet interface, for example the well-known 8.8.8.8; however, that does not help with OpenVPN. For OpenVPN the only (and ugly) solution is to temporarily remove the DNS servers from the Internet interface with scripts.

UPD: earlier in the article it was recommended to use redirect-gateway without the def1 option for OpenVPN. It turns out that Windows re-adds the default route received from the DHCP server every time the IP address is renewed, and after a while all of your traffic would start bypassing the VPN. At the moment there is no clean solution.

I wrote the:

UPD3: Starting with the Creators Update, Windows 10 sends DNS queries to all known DNS server addresses in order rather than in parallel, starting with a random interface. To raise the priority of a particular DNS server, you need to lower the metric of its interface. I made a patch for OpenVPN and hope it will be included in 2.4.2: https://sourceforge.net/p/openvpn/mailman/message/35822231/
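The two mitigations described above (a DNS server outside the local segment on the Internet interface, from the Windows 10 section, and a lower interface metric for the tunnel adapter, from UPD3) can be applied and verified with the following added PowerShell example, which is not part of the original article or of OpenVPN. The interface aliases 'Ethernet' and 'OpenVPN TAP' are assumptions; replace them with what Get-NetAdapter shows on your machine. OpenVPN 2.4.2 and later adjust the metric themselves, so the metric step is only needed with older versions.

```powershell
# Added example, not from the original article. Interface names are assumptions:
# 'Ethernet' is the Internet-facing adapter, 'OpenVPN TAP' is the tunnel adapter.
# Run from an elevated PowerShell prompt.

$internet = 'Ethernet'
$tunnel   = 'OpenVPN TAP'

# Workaround from the text: put DNS servers that are outside the local segment on
# the Internet interface, so a local-segment resolver cannot take part in the race.
Set-DnsClientServerAddress -InterfaceAlias $internet -ServerAddresses 8.8.8.8, 8.8.4.4

# Creators Update behaviour: servers are tried in interface-metric order, so give
# the tunnel interface a lower (better) metric than the Internet interface.
$inetMetric = (Get-NetIPInterface -InterfaceAlias $internet -AddressFamily IPv4).InterfaceMetric
$tunMetric  = [Math]::Max(1, $inetMetric - 10)
Set-NetIPInterface -InterfaceAlias $tunnel -AddressFamily IPv4 -InterfaceMetric $tunMetric

# Verify the resulting order: the tunnel interface should be listed first, and its
# DNS server should be the one pushed by the VPN.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            Metric    = $_.InterfaceMetric
            Interface = $_.InterfaceAlias
            Dns       = ($dns -join ', ')
        }
    } | Format-Table -AutoSize
```

Both changes persist across reboots, which is the same drawback the article raises for firewall rules: if you later remove the VPN, revert them with Set-DnsClientServerAddress -InterfaceAlias $internet -ResetServerAddresses and Set-NetIPInterface -InterfaceAlias $tunnel -AddressFamily IPv4 -AutomaticMetric Enabled.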

UPD4: The update is included in OpenVPN 2.4.2.

Getting rid of DNS Leak in Windows 10: your own userspace WFP filter in the form of an OpenVPN plugin

As you may already know, the DNS resolver in Windows 10 sends DNS queries out of all interfaces in parallel. Often this is merely inconvenient, as when so-called split tunneling is used and the DNS server inside the VPN tunnel returns internal addresses for internal resources while Windows cannot tell which answer is which; but it can also be an outright security risk, as with a DNS leak over public Wi-Fi.

There are several ways to solve the problem: for example, temporarily adding firewall rules that block port 53 on all interfaces except the VPN interface, or setting the DNS server to 127.0.0.1 on all interfaces except the VPN one.

However, these methods make changes that persist across a reboot, so if the power goes out while the VPN is running, or the VPN daemon simply crashes, you are left with a broken Internet connection. There is nothing good about that.

There is a better way, one that makes only temporary changes and does not leave the user without Internet.

Windows Filtering Platform

Starting with Windows Vista, the older traffic-processing technologies NDIS, TDI and LSP are being replaced by WFP, a modern, lightweight and reasonably friendly framework that works in both kernel and user mode. Modern versions of the Windows Firewall are built on WFP, as are third-party firewalls and antivirus products that inspect traffic.

A kernel-mode callout driver can inspect, modify and log both individual packets and whole data streams. User-mode filters can permit, block, delay or hand traffic over to a kernel callout based on information from the Ethernet frame or IP packet and their headers, and, at the ALE (Application Layer Enforcement) layers, on the source and destination interface, the process ID, the full path to the executable, and some other information.

WFP supports persistent filters that survive a reboot even if the software that installed them is no longer running, non-persistent filters that outlive the program that added them but not a reboot, and dynamic session filters that are removed as soon as the session of the program that created them ends.

A user-mode program adding session filters is quite sufficient for our task; it needs to:
  • Block all outgoing packets on all interfaces to port 53 over UDP and TCP, for both IPv4 and IPv6
  • Permit any traffic from the OpenVPN TAP interface(s)

All of this resulted in a plugin for OpenVPN, though the source code can also be compiled as a regular executable:
github.com/ValdikSS/openvpn-fix-dns-leak-plugin

To use the plugin, download the .dll files from the repository, put them in the config folder next to the configuration file, and add the line:
Code:
plugin fix-dns-leak-32.dll
for a 32-bit system and a 32-bit version of OpenVPN, or
Code:
plugin fix-dns-leak-64.dll
accordingly, for a 64-bit system with 64-bit OpenVPN.

Now you don't have to be afraid to use a VPN on Windows 10 over public Wi-Fi.

UPD: OpenVPN 2.3.9 now has a built-in option to block third-party DNS: block-outside-dns. Use it instead of the plugin.
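Whether you use the plugin or block-outside-dns, the practical check is that the WFP session filters are present while OpenVPN runs and gone once it exits. The following added PowerShell example (not part of the original article or of OpenVPN) dumps the live filter set with netsh and lists every block filter at the ALE connect layers that matches remote port 53, which is the shape of filter the requirements list above describes. The element names used to walk the XML dump are an assumption about the netsh wfp diagnostic format; adjust them if your build emits something different.

```powershell
# Added example, not from the original article or OpenVPN: list outbound
# port-53 block filters currently installed in WFP. Run elevated, once with
# the VPN up (filters expected) and once after OpenVPN has exited (none
# expected, because session filters die with the session that created them).
# The XML element names below (wfpdiag/filters/item, layerKey, action/type,
# filterCondition/item/fieldKey, conditionValue/uint16, displayData/name)
# are an assumption about the 'netsh wfp show filters' dump format.

function Get-DnsBlockFilters {
    $dump = Join-Path $env:TEMP 'wfpfilters.xml'
    netsh wfp show filters file="$dump" | Out-Null
    [xml]$xml = Get-Content -Path $dump -Raw
    Remove-Item $dump -ErrorAction SilentlyContinue

    # The plugin and block-outside-dns both work at the ALE connect layers.
    $layers = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4', 'FWPM_LAYER_ALE_AUTH_CONNECT_V6'

    foreach ($f in $xml.wfpdiag.filters.item) {
        if ($layers -notcontains $f.layerKey) { continue }
        if ($f.action.type -ne 'FWP_ACTION_BLOCK') { continue }

        # Keep only filters whose conditions include remote port 53.
        $port53 = @($f.filterCondition.item | Where-Object {
            $_.fieldKey -eq 'FWPM_CONDITION_IP_REMOTE_PORT' -and
            $_.conditionValue.uint16 -eq '53'
        })
        if ($port53.Count -eq 0) { continue }

        [pscustomobject]@{
            Name  = $f.displayData.name
            Layer = $f.layerKey
            Key   = $f.filterKey
        }
    }
}

$filters = @(Get-DnsBlockFilters)
if ($filters.Count -eq 0) {
    'No outbound port-53 block filters present (expected when OpenVPN is not running).'
} else {
    $filters | Format-Table -AutoSize
}
```

If the filters are still listed after OpenVPN has exited, they were not added as session filters, and you are back in the situation the article warns about: a crash or power loss leaves the machine without working DNS until the filters are removed by hand.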