dnscrypt and VPN #24

Closed
Couto opened this issue Sep 3, 2015 · 4 comments

@Couto

commented Sep 3, 2015

I've been a long time user of the streisand project.
I'm also a user of dnsmasq for development purposes (to redirect all *.dev domains to localhost).
So, reading about dnscrypt on your guide, it seemed like an easy addition to get some extra level of privacy.

Your instructions were crystal clear, and after the setup, everything worked fine... Until the moment that I connected to my VPN using tunnelblick.

Most VPNs override the DNS settings, and therefore they break with dnscrypt.
Has something like this happened to you before? If so, how did you fix it?

@TraderStf

Contributor

commented Sep 3, 2015

@Couto I have the same problem with some VPNs. I have subscribed to 3 VPNs through very cheap temporary deals/bundles.
For one of them, I must start the VPN, then DNSCrypt.

For another VPN, I have extracted some country-server settings, inserted them in Apple Network, and activate the 'country' I want through the Apple VPN icon in the menu bar.

For another VPN, which I don't use often, I think it does not change the DNS, so DNSCrypt is launched, then the VPN.

You can check your IP and DNS used on http://whoer.net/

@drduh

Owner

commented Sep 4, 2015

It sounds like the VPN software is setting DNS settings, which makes sense. I'm not familiar with tunnelblick but will check it out. You'll probably want to edit the scripts or commands it uses to set DNS to localhost, so your packets take this route:

browser > dnsmasq > dnscrypt client > vpn server > dnscrypt server > upstream resolver(s)

instead of

browser > vpn dns server > upstream resolver(s)

@TraderStf

Contributor

commented Sep 4, 2015

Most VPNs use Google DNS, which is not a good idea for privacy, not to mention censorship.
8.8.8.8 and 4.4.4.4
2001:4860:4860::8888 & 2001:4860:4860::8844

Some VPNs have their own, providing an extra level of privacy.
It is up to you to choose another free or paid DNS service, but try it first to see if it can work along with your VPN.

Perhaps adding a list of alternative (free) DNS services would be helpful.
And all the different commands to flush DNS cache:
http://osxdaily.com/2014/11/20/flush-dns-cache-mac-os-x/

Find the fastest DNS around you with:
https://code.google.com/p/namebench/

To get your IP and DNS IP:
http://whoer.net

To check your DNS:
https://dnsleaktest.com/

To learn DNS:
http://www.zytrax.com/books/dns/

DNS alternatives:
http://censurfridns.dk
http://securedns.dnsbycomodo.com
https://www.opendns.com/home-internet-security/
https://dns.norton.com/homeuser.html

More here:
http://www.greycoder.com/list-free-public-domain-name-services-dns/
THESE SITE IS ABOUT PRIVACY

@Couto

Author

commented Sep 4, 2015

Ok, so I was able to figure out my (specific) problem:

  1. dnscrypt requires the computer to use 127.0.0.1:53 as DNS server (which makes sense)
  2. OpenVPN says that I should use a specific DNS server (and actually pushes the configuration to the client)
    So far, no apparent problem, except that, at least Tunnelblick won't actually change the system DNS settings, if they've been manually changed before (to set dnscrypt)

My solution was simply to manually add the VPN's preferred DNS server to my nameservers list, after the dnscrypt address.

I hope I was clear on my solution, just in case someone needs it.

@TraderStf Thanks a lot for the links. Especially whoer.net, which was quite valuable.
@drduh Thanks for the explanation, your diagram actually pointed me to the right direction.

Feel free to close, if you wish so :)

@drduh drduh closed this in e9bc603 Sep 4, 2015
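
A check for the resolver order discussed in this thread, as an added example that is not code from the issue or from the project: it classifies a nameserver list by whether the local dnsmasq/dnscrypt listener comes first and whether any non-local fallback follows it. The function name, the `10.8.0.1` address and the `Wi-Fi` service name are assumptions made for illustration.

```shell
#!/bin/sh
# classify_resolvers (hypothetical helper): read resolver addresses from stdin,
# one per line, in the order the system tries them, and print one verdict:
#   local-only   every resolver is loopback (dnsmasq/dnscrypt on localhost)
#   local-first  loopback first, then fallbacks that may receive queries
#                whenever the local proxy does not answer
#   bypass       the first resolver is not loopback; the local proxy is skipped
#   none         no manually set resolvers (DHCP or VPN-pushed DNS applies)
classify_resolvers() {
    first=""
    fallbacks=0
    while IFS= read -r addr || [ -n "$addr" ]; do
        # Keep only lines that look like IPv4/IPv6 literals; this also skips
        # messages such as "There aren't any DNS Servers set on Wi-Fi."
        case "$addr" in
            ""|*[!0-9a-fA-F.:]*) continue ;;
        esac
        if [ -z "$first" ]; then
            first="$addr"
        else
            case "$addr" in
                127.*|::1) ;;                         # another local listener
                *) fallbacks=$((fallbacks + 1)) ;;    # non-local fallback
            esac
        fi
    done
    case "$first" in
        "") echo none ;;
        127.*|::1)
            if [ "$fallbacks" -eq 0 ]; then
                echo local-only
            else
                echo local-first
            fi ;;
        *) echo bypass ;;
    esac
}

# Constructed sample: the order described in the last comment, with the
# dnscrypt address first and the VPN's DNS server second (10.8.0.1 is a
# placeholder address, not taken from the thread).
printf '127.0.0.1\n10.8.0.1\n' | classify_resolvers

# On macOS, feed it the real list (service name "Wi-Fi" is an assumption):
#   networksetup -getdnsservers Wi-Fi | classify_resolvers
```

A `local-first` verdict means the listed fallback can see any query the local proxy fails to answer, so re-run the check after connecting the VPN and compare with the result from https://dnsleaktest.com/.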
