BigDLondon
Occasional Visitor
When I go to Surfshark page and test DNS it says "fail" . But other than that it seems stable.
Using Surfshark on Asus AC1900 with Merlin w/384.13 Have DNS leak .Why ?
- Thread starter BigDLondon
- Start date
eibgrad
Part of the Furniture
I have no idea how Surfshark is making that assessment, but fwiw, here's my general take on the matter.
There are a multitude of ways you can create a DNS leak. In fact, not everyone even agrees on the definition of a DNS leak. For some, it's merely making sure you avoid the ISP's DNS servers. For others (including me), it includes never accessing *any* DNS servers over the WAN, where they can be eavesdropped on and/or redirected. And when it comes to online testing tools, I find them to be notoriously inaccurate when it comes to the router, probably because the client is NOT directly accessing the public DNS servers, but only *indirectly* via the local DNS proxy, DNSMasq.
In my own case, I'm using ExpressVPN, and their own DNS leak testing page always tells me I'm using their DNS servers (even lists them), when in fact I know w/ 100% certainty I'm NOT! I always have "Accept DNS configured" as Disabled, override my ISP's DNS servers in DNSMasq w/ 1.1.1.1, 1.0.0.1, and 9.9.9.9, and bind them to the VPN w/ route directives. The reason ExpressVPN mis-reports it is because the only thing it's doing is noticing I'm connected through the VPN's public IP when I access that page! IOW, it's just an assumption, that in fact is WRONG.
As I said, these online DNS leak testing tools are notoriously unreliable when it comes to the router. IMO, the *only* way to be 100% sure is to monitor connection tracking and actually observe where DNS queries are being routed, in real-time.
All other methods are just educated guesses, which are often wrong. If it happens to be right in its assessment from time to time, it's most likely just coincidental.
There are a multitude of ways you can create a DNS leak. In fact, not everyone even agrees on the definition of a DNS leak. For some, it's merely making sure you avoid the ISP's DNS servers. For others (including me), it includes never accessing *any* DNS servers over the WAN, where they can be eavesdropped on and/or redirected. And when it comes to online testing tools, I find them to be notoriously inaccurate when it comes to the router, probably because the client is NOT directly accessing the public DNS servers, but only *indirectly* via the local DNS proxy, DNSMasq.
In my own case, I'm using ExpressVPN, and their own DNS leak testing page always tells me I'm using their DNS servers (even lists them), when in fact I know w/ 100% certainty I'm NOT! I always have "Accept DNS configured" as Disabled, override my ISP's DNS servers in DNSMasq w/ 1.1.1.1, 1.0.0.1, and 9.9.9.9, and bind them to the VPN w/ route directives. The reason ExpressVPN mis-reports it is because the only thing it's doing is noticing I'm connected through the VPN's public IP when I access that page! IOW, it's just an assumption, that in fact is WRONG.
As I said, these online DNS leak testing tools are notoriously unreliable when it comes to the router. IMO, the *only* way to be 100% sure is to monitor connection tracking and actually observe where DNS queries are being routed, in real-time.
Code:
cat /proc/net/nf_conntrackAll other methods are just educated guesses, which are often wrong. If it happens to be right in its assessment from time to time, it's most likely just coincidental.
eibgrad
Part of the Furniture
P.S. The fact that we're now using things like DoT/DoH, or having the browsers accessing their own preferred DNS servers, is complicating things further, making such declarations even less reliable (which is ironic given the intent of all this was ensure confidence in the prevention of DNS leaks). Frankly, DNS at this time is a mess. I don't know how the average person can, w/ any reliability, determine if they do or don't have a DNS leak, unless, as I said, you bother to dig deeper within connection tracking.
Last edited:
Similar threads
Similar threads
Similar threads
-
Client to client disabled when using static IP on OpenVPN ASUS RT-AC3200
- Started by libertyspike138
- Replies: 31
-
Offload OpenVPN to Raspberry Pi 5 versus using my AXE16000 for site-site?
- Started by sunactive
- Replies: 2
-
-