DNS leak out-of-the-box #67

Closed
cpwood opened this issue Apr 18, 2022 · 7 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@cpwood

cpwood commented Apr 18, 2022

The problem

I'm slightly out of my comfort zone on this one, but I think that this Docker image is leaking DNS queries out-of-the-box compared to the older bubuntux/nordvpn image.

Evidence

I had been trying to move from bubuntux/nordvpn to bubuntux/nordlynx, was successfully gaining a working connection with an IP address in the country of my choosing, but was still getting geo-blocked by the service I was trying to use. Connecting to the same end point using the older bubuntux/nordvpn image didn't give this problem.

I tried the following two commands from both bubuntux/nordlynx and bubuntux/nordvpn after changing my Docker Compose file to ensure each was connected to the same end point:

curl -X GET "https://httpbin.org/ip" -H "accept: application/json"
curl -X GET "https://httpbin.org/headers" -H "accept: application/json"

These echo the IP address detected by the server and also the headers from the HTTP request (though I couldn't imagine how a VPN would change the latter). I could see no difference between the output of the two running containers, so was mystified why I could connect successfully without geo-blocking from bubuntux/nordvpn but not from bubuntux/nordlynx.

I eventually reasoned that the host I'm actually trying to connect to is probably using a Content Distribution Network (CDN) and is resolving the target hostname into an IP address that's located close to my real location using my ISP's DNS servers, which would be enough for the service I'm trying to use to say "aha - you're not allowed in!".

I configured Nord VPN's DNS servers using the following addition to the environment section of my Docker Compose file:

      - DNS=103.86.96.100,103.86.99.100 # Stop DNS leaks

Upon doing this, I could connect to the target host successfully again.

Proposal

Assuming my evidence / theory isn't flawed, I propose that the default value for the DNS environment variable should be as above, so that somebody doesn't receive a DNS leak out of the box but can still choose to override their DNS servers when required.

@cpwood cpwood added bug Something isn't working help wanted Extra attention is needed labels Apr 18, 2022
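
A resolver check for the situation described in the comment above, as an added example that is not part of the original thread or the nordlynx project: it parses a resolv.conf and lists every nameserver outside an allow-list, which defaults to the two NordVPN addresses quoted in the issue. The function name, its return codes and the constructed sample file are assumptions for illustration; 127.0.0.11 in the sample is Docker's embedded resolver, which hands external lookups to the DNS configured for the host.

```shell
#!/bin/sh
# Added example, not from the nordlynx project.
# Allow-list: the NordVPN resolvers quoted in this issue.
VPN_DNS="103.86.96.100 103.86.99.100"

# leaking_resolvers FILE [ALLOWED_IP...]   (hypothetical helper)
# Prints every nameserver in FILE that is not on the allow-list
# (default: VPN_DNS). Returns 0 if all are allowed, 1 if any is not,
# 2 if FILE contains no nameserver line at all.
leaking_resolvers() {
    file=$1
    shift
    [ "$#" -gt 0 ] || set -- $VPN_DNS
    seen=0
    bad=0
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key addr rest || [ -n "$key" ]; do
        # Skip comments, "options", "search" and blank lines.
        [ "$key" = "nameserver" ] || continue
        seen=1
        case " $* " in
            *" $addr "*) ;;                        # on the allow-list
            *) printf '%s\n' "$addr"; bad=1 ;;     # anything else is reported
        esac
    done < "$file"
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# Constructed sample: an assumed resolv.conf for a container on a
# user-defined Docker network when the DNS variable is not set.
sample=$(mktemp)
printf 'nameserver 127.0.0.11\noptions ndots:0\n' > "$sample"
leaking_resolvers "$sample" || echo "^ resolver(s) outside the VPN allow-list"
rm -f "$sample"
```

Run inside the VPN container, the function can be pointed at /etc/resolv.conf; a non-zero status means lookups are not pinned to the listed resolvers.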
@cpwood
Author

cpwood commented Apr 18, 2022

Just realised that the current configuration was done deliberately as part of this commit last month. Apologies for not finding this before opening the issue!

Should this change be reconsidered? It's inconsistent with what people would expect when using Nord VPN:

[Screenshot: CleanShot 2022-04-18 at 10 08 24@2x]

I'm also concerned that people will pull the latest bubuntux/nordlynx image and not realise that their DNS queries have started leaking without them having made any other configuration change.

Instead, the documentation could explain how to enable resolution of other containers.

If the current configuration is deemed preferable, can the documentation be updated so that the example Docker Compose YAML includes the DNS environment variable with a comment explaining that it is required if you want to avoid DNS leakage but may cause resolution issues for other containers?

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the Stale label Jun 17, 2022
@cpwood
Author

cpwood commented Jun 17, 2022

Please don't close. I believe it still needs thought and attention when the author has the time available.

@github-actions github-actions bot removed the Stale label Jun 18, 2022
@Deathspike

I stumbled on this as I was attempting to switch from the old docker to the new one, and indeed, I was expecting the DNS queries to go through NordVPN rather than through my own ISP!

What exactly are these DNS servers? 103.86.96.100,103.86.99.100

@cpwood
Author

cpwood commented Jun 23, 2022

@Deathspike See here.

@Kofl

Kofl commented Jul 28, 2022

+1 for at least documentation update

@bubuntux
Owner

bubuntux commented Sep 5, 2022

happy to accept MR with a documentation update
