DNS leak with 3.17.3 #343

Closed
ph202107 opened this issue Mar 30, 2024 · 27 comments

@ph202107

ph202107 commented Mar 30, 2024

Hi! Version 3.17.2 is working fine but I seem to have a DNS leak with 3.17.3. I'm using Linux Mint 21.3 (based on Ubuntu 22.04) on bare metal, and have tested with Custom-DNS enabled (Cloudflare) and disabled. I tested with IPv6 disabled in grub, and tested with IPv6 disabled in sysctl.conf. The problem persists after reconnecting the VPN and after rebooting the computer.

Steps to reproduce:

  • connect to VPN
  • visit https://dnscheck.tools/ or https://ipleak.net/
  • Nord (or Cloudflare) DNS servers are detected, along with my ISP DNS servers
  • my ISP DNS servers show both IPv4 and IPv6 addresses, Nord shows IPv4 addresses
  • the site https://test-ipv6.com/ states: "Your DNS server (possibly run by your ISP) appears to have IPv6 Internet access."

When using version 3.17.2 everything works as expected. Only Nord IPv4 DNS addresses are detected on https://dnscheck.tools/ and on https://test-ipv6.com/ it states: "Your DNS server (possibly run by your ISP) appears to have no access to the IPv6 Internet, or is not configured to use it."

With IPv6 disabled in grub (GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1")

$ nordvpn --version
NordVPN Version 3.17.3

$ nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: enabled
Threat Protection Lite: disabled
Notify: disabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
Allowlisted subnets:
	192.168.1.0/24
	
$ nordvpn status
Status: Connected
Hostname: us6883.nordvpn.com
IP: 89.187.182.96
Country: United States
City: Chicago
Current technology: NORDLYNX
Current protocol: UDP
Transfer: 0.64 MiB received, 223.27 KiB sent
Uptime: 5 minutes 49 seconds

Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] Setting the routing rules up
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] starting network configuration
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] setting dns to 103.86.96.100 103.86.99.100
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] set dns for interface [nordlynx] using: resolved
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] IPv6 module is not enabled
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 [Info] IPv6 module is not enabled
Mar 29 20:56:11 hp nordvpnd[19704]: 2024/03/29 20:56:11 POST_CONNECT system info:
Mar 29 20:56:11 hp nordvpnd[19704]: Routes for ipv4:

$ cat /sys/module/ipv6/parameters/disable
1

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6
cat: /proc/sys/net/ipv6/conf/all/disable_ipv6: No such file or directory

$ cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .

Commands from previous issue if these will help: #243

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether c8:d3:ff:a3:00:50 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.199/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 83848sec preferred_lft 83848sec
4: nordlynx: <POINTOPOINT,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.5.0.2/32 scope global nordlynx
       valid_lft forever preferred_lft forever

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -i eno1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i eno1 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i eno1 -m comment --comment nordvpn -j DROP
-A OUTPUT -d 192.168.1.0/24 -o eno1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o eno1 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o eno1 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o eno1 -m comment --comment nordvpn -j DROP

$ sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eno1 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A INPUT -i eno1 -m comment --comment nordvpn -j DROP
-A INPUT -p udp -m multiport --dports 4000,5353 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 4000 -j ACCEPT
-A INPUT -p udp -m multiport --dports 5353 -j ACCEPT
-A OUTPUT -o eno1 -m mark --mark 0xe1f1 -m comment --comment nordvpn -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -o eno1 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o eno1 -m comment --comment nordvpn -j DROP

$ ip route show table all
default dev nordlynx table 205 scope link 
default via 192.168.1.254 dev eno1 proto dhcp metric 20100 
169.254.0.0/16 dev eno1 scope link metric 1000 
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.199 metric 100 
local 10.5.0.2 dev nordlynx table local proto kernel scope host src 10.5.0.2 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.1.199 dev eno1 table local proto kernel scope host src 192.168.1.199 
broadcast 192.168.1.255 dev eno1 table local proto kernel scope link src 192.168.1.199 

$ ip -6 route show table all

$ ip rule
0:	from all lookup local
32764:	from all lookup main suppress_prefixlength 0
32765:	not from all fwmark 0xe1f1 lookup 205
32766:	from all lookup main
32767:	from all lookup default

$ ip -6 rule
RTNETLINK answers: Address family not supported by protocol
Dump terminated

$ sysctl -a 2> /dev/null | grep disable_ipv6

$ nmcli dev show | grep -E 'DNS|DEVICE'
GENERAL.DEVICE:                         eno1
IP4.DNS[1]:                             192.168.1.254
IP4.DNS[2]:                             <ISP DNS>
GENERAL.DEVICE:                         nordlynx
GENERAL.DEVICE:                         lo


Please let me know if more information is required. I will continue to use 3.17.2 for now. Thanks!

@ph202107
Author

I've been able to test with a second Linux Mint 21.3 computer (bare metal) and can reproduce the same issue. 3.17.2 is working OK but 3.17.3 appears to have a DNS leak, with the website https://dnscheck.tools/ detecting my ISP DNS servers.

I also tested on an Ubuntu 22.04 virtual machine. I have the VPN connected on the VM and disconnected on the host; IPv6 is disabled in grub. I could not reproduce the same issue; both 3.17.2 and 3.17.3 seem to be working OK.

@tm4ig

tm4ig commented Mar 30, 2024

I confirm: after upgrading nordvpn to 3.17.3 (on Ubuntu 22.04), a DNS leak appears.

@s-n-g

s-n-g commented Mar 31, 2024

Confirmed on Manjaro and MX Linux.
Downgraded to 3.17.2.

@groverj3

Confirmed on Manjaro using the most recent AUR, which is based on the current Ubuntu .deb package.

Downgraded to 3.17.2 as well.

@SolitudeX13

Confirmed on Arch using the latest AUR version based on the .deb package from upstream source.
Downgraded to 3.17.2 to resolve the problem.

@jrichard326

Confirmed on fully updated Manjaro xfce Unstable. Downgraded from 3.17.3-1 to 3.17.2-1 as 3.17.2 does not exhibit this behavior. I am using nordlynx (wireguard) and systemd-resolved as DNS resolver.

Version 3.17.3 shows via DNS leak test both Nord DNS and my default DNS settings via my router configuration.

@groverj3

Also confirmed on Ubuntu 22.04.

@Bazza70

Bazza70 commented Mar 31, 2024

Cannot reproduce on Mint 21.3 running 3.17.3. However, I am forcing all traffic through Nordlynx via UFW rules. No idea if that should make a difference.

With Nordlynx enabled and killswitch disabled:

sudo ufw default deny incoming
sudo ufw default deny outgoing
sudo ufw allow out on nordlynx from any to any

@paulams
Contributor

paulams commented Apr 2, 2024

Thank you for reporting the issue! We are looking into it.

@paulams paulams self-assigned this Apr 2, 2024
@MyXelf

MyXelf commented Apr 3, 2024

Confirming in KDE Neon 22.04 as well.

I guess the issue is related to the fact that NordVPN is not using its own declared DNS Servers. After establishing the VPN it keeps using the "locally" declared DNS for the resolution.

Reverting to 3.17.2 works as expected.

@mariusSincovici mariusSincovici added the bug Something isn't working label Apr 3, 2024
@mariusSincovici
Contributor

We've identified the problem and we'll try to release an app update as soon as possible.

Until the release, there are some possible workarounds for this:

  1. Disable LAN access or remove the LAN IP range from Allowlisted subnets.
  2. If LAN access is needed, then the best solution would be to downgrade to 3.17.2 for the moment.
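
Added example (not part of the thread and not NordVPN's code): a check that cross-references the `iptables -S` and `nmcli dev show` output from the report and flags resolvers on a non-tunnel link that the OUTPUT chain still lets unmarked traffic reach, the combination the workaround above removes. The sample input is constructed (abridged from the report); the function names and the reading that mark 0xe1f1 is carried only by the VPN's own packets are assumptions, and the maintainers did not state the root cause.

```python
import ipaddress

# Constructed sample input, abridged from the command output quoted in the report.
IPTABLES_S = """\
-A OUTPUT -d 192.168.1.0/24 -o eno1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o eno1 -m connmark --mark 0xe1f1 -m comment --comment nordvpn -j ACCEPT
-A OUTPUT -o eno1 -m comment --comment nordvpn -j DROP
"""
NMCLI = """\
GENERAL.DEVICE:                         eno1
IP4.DNS[1]:                             192.168.1.254
IP4.DNS[2]:                             <ISP DNS>
GENERAL.DEVICE:                         nordlynx
"""

def per_link_dns(nmcli_text):
    """Map each device to the DNS server addresses nmcli lists for it."""
    links, dev = {}, None
    for line in nmcli_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "GENERAL.DEVICE":
            dev = value.strip()
            links[dev] = []
        elif dev and key.startswith(("IP4.DNS", "IP6.DNS")):
            try:
                links[dev].append(ipaddress.ip_address(value.strip()))
            except ValueError:
                pass  # redacted or malformed entry such as "<ISP DNS>"
    return links

def output_verdict(rules_text, iface, dst, policy="ACCEPT"):
    """First terminating OUTPUT verdict for an unmarked packet to dst via iface."""
    for tok in map(str.split, rules_text.splitlines()):
        opt = dict(zip(tok, tok[1:]))  # each flag mapped to the token after it
        if opt.get("-A") != "OUTPUT" or "--mark" in opt:
            continue  # assumption: mark 0xe1f1 is carried only by the VPN's own packets
        if opt.get("-o") not in (None, iface):
            continue
        if "-d" in opt and dst not in ipaddress.ip_network(opt["-d"], strict=False):
            continue
        if opt.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opt["-j"]
    return policy  # nothing matched: the chain policy applies

def leak_candidates(rules_text, nmcli_text, tunnel="nordlynx"):
    """Resolvers on non-tunnel links that the firewall lets unmarked traffic reach."""
    return [(dev, str(ip))
            for dev, ips in per_link_dns(nmcli_text).items() if dev != tunnel
            for ip in ips if output_verdict(rules_text, dev, ip) == "ACCEPT"]
```

With the allowlist rule for 192.168.1.0/24 present, the router's resolver on eno1 is flagged; with that rule removed, the list is empty.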

@jfbourdeau

Sorry for the newbie question: how do I downgrade to 3.17.2 on Manjaro Linux? I tried sudo manjaro-downgrade nordvpn-bin but it didn't work.

@s-n-g

s-n-g commented Apr 4, 2024

Download this: aur-e4dbfacf758c41a3514702d25779ececc18f1bf9.tar.gz

Extract it into a directory,
change into it, and run:

makepkg -si

@jfbourdeau

jfbourdeau commented Apr 4, 2024

Thanks!
I went into this folder and ran the command and got this:
ERROR: PKGBUILD does not exist
https://i.imgur.com/FFeGNA0.png

Newbie mistake, I guess.
I didn't download your file though... only the one from GitHub.

@s-n-g

s-n-g commented Apr 4, 2024

ok, whatever works 😉

@mariusSincovici
Contributor

Version 3.17.4 is released; please update and let us know in case you still have any issues.
Thanks

@s-n-g

s-n-g commented Apr 5, 2024

Not updated yet?

https://github.com/NordSecurity/nordvpn-linux/releases

@s-n-g

s-n-g commented Apr 5, 2024

Just updated to 0.17.4 on a mint box and I can confirm it is fixed!
Waiting for other distros to catch up...

Thanks for the update!

@mariusSincovici
Contributor

Released now also on GitHub.

@jrichard326

3.17.4-1 fixed the issue here. Thank you.

@fhdk

fhdk commented Apr 5, 2024

@jfbourdeau

I will wait for the new version to be available in AUR (for my Manjaro installation).
I tried to follow some git clone package install instructions without success (I am not good at that).

@fhdk

fhdk commented Apr 5, 2024

@jrichard326 what is so special about your system?

I don't have any leak using systemd-resolved.

 $ inxi -S
System:
  Host: tiger Kernel: 6.6.25-1-MANJARO arch: x86_64 bits: 64
  Desktop: KDE Plasma v: 6.0.3 Distro: Manjaro Linux
 $ nordvpn --version
NordVPN Version 3.17.3
 $ nordvpn status
Status: Connected
Hostname: dk242.nordvpn.com
IP: 37.120.145.83
Country: Denmark
City: Copenhagen
Current technology: NORDLYNX
Current protocol: UDP
Transfer: 98.40 MiB received, 7.85 MiB sent
Uptime: 59 minutes 53 seconds
 $ nordvpn settings
Technology: NORDLYNX
Firewall: enabled
Firewall Mark: 0xe1f1
Routing: enabled
Analytics: enabled
Kill Switch: disabled
Threat Protection Lite: disabled
Notify: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: disabled
LAN Discovery: disabled
 $ curl https://ipv4.ipleak.net/json/
{
    "as_number": 136787,
    "isp_name": "TEFINCOM S.A.",
    "country_code": "DK",
    "country_name": "Denmark",
    "region_code": "84",
    "region_name": "Capital Region",
    "continent_code": "EU",
    "continent_name": "Europe",
    "city_name": "Copenhagen",
    "postal_code": null,
    "postal_confidence": null,
    "latitude": 55.6802,
    "longitude": 12.5892,
    "accuracy_radius": 20,
    "time_zone": "Europe\/Copenhagen",
    "metro_code": null,
    "level": "min",
    "cache": 1712319773,
    "ip": "45.10.153.168",
    "reverse": "",
    "query_text": "45.10.153.168",
    "query_type": "myip",
    "query_date": 1712319773
}

@jrichard326

jrichard326 commented Apr 5, 2024 via email

@fhdk

fhdk commented Apr 5, 2024

Yours: sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Mine: sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Hmm - as I recall it the latter is in the guide as it should be - in my experience the correct - I will check immediately

I am calm again - the guide used the latter - but I recall that the Arch Wiki on systemd-resolved has a reference to the first - I recall badly.

@MyXelf

MyXelf commented Apr 5, 2024

On 3.17.3 the issue will only present if you have LAN traffic enabled or have any whitelisted networks.

About to install 3.17.4 on KDE Neon 22.04 ... Result: Fixed!

Thanks!

@ph202107
Author

ph202107 commented Apr 6, 2024

3.17.4 tested and working, no problems found. Thank You!

@ph202107 ph202107 closed this as completed Apr 6, 2024