Submitted 8 months ago by salvador@lemmy.world to programming@programming.dev
I connect to a WireGuard installed on my VPS. Then I go to a random VPN service marketing page on which I’ll discover that my DNS leaks. And which is correct because I’ve specified DNS = 1.1.1.1 in [Interface] on my Peer.
In order to avoid DNS leakadge, do I have to a) run DNS server on my VPS along with WireGuard, and b) use this one and only it, instead of 1.1.1.1?
Keep in mind that using your own VPS as a VPN doesn’t bring anonymity. You’re simply replacing one IP tied to your name (your ISP) with another one (your VPS).
You hide your traffic from your ISP, and delegate it to your VPS provider.
This will be the same for your DNS. If you want true anonymity regarding DNS, you should use someone else’s service, preferably over encrypted channels, eg. cyberia.is DoT.
I personally use it as a forwarder from a box inside my home (along with others), and use this box as the local DNS when I’m home. This way I know that all DNS traffic is encrypted, and doesn’t leak anything to my ISP or VPS or whatever.
Keep in mind that using your own VPS as a VPN doesn’t bring anonymity. You’re simply replacing one IP tied to your name (your ISP) with another one (your VPS).
Grass is green. Sky is blue. Keep this in mind – in case you don’t know this.
Or course, you have to trust that third party, which may/may not be prudent.
This will be the same for your DNS. If you want true anonymity regarding DNS, you should use someone else’s service, preferably over encrypted channels, eg. cyberia.is DoT.
I haven’t asked for a hidden advert
Looks like you shouldn’t ask for anything at all, given that you cannot take a single answer without being a condescending jerk. I’m not affiliated to cyberia.is in any mean by the way just proposing a service that you could use to solve your problem if you were not too busy being a douchebag.
DNS is handled by peer - what kind of leak are you experiencing?
Go to whoer[.net]. Under the “DNS” label you’ll see, or should do, your oriingal location
That page gives me varying info, and the only leaks I see are to my forwarders. Also when connected to vpn.
Do you see any NS discovered in a leak-test that’s not upstream from the vpn exit node? My vpn config is basic, with no DNS= setting and 0.0.0.0/0 as allowed-ip
Just use the IP address of your VPS?
You assume that my VPS has a DNS server installed on it?
Use the IP address of your vps instead of a domain name for the wireguard config
It’s not completely clear what you mean, but I’m guessing you’re only routing a subset of your traffic through wireguard, probably only IPv4, and there may be some IPv6 traffic that is not being routed over your wireguard connection.
You can specify any IPs you want for DNS with wireguard, and if your allowed IPs include those addresses, then it should flow over your VPN.
I do this with Pihole at home, and it blocks ads while I’m away.
With whatever test you’re running that says stuff is “leaking,” keep in mind that the website is going to report any traffic that originates from your VPS as “unprotected” because it’s not their system, and even if you run your own DNS server, it’s still got to query upstream to a public DNS. All they’re really doing is demonstrating which upstream DNS server you have configured, and it’s up to you if you want your VPS’s IP to be connected to the query history of that upstream DNS provider.
You will usually need a hostname in DNS for your VPN server to make it easy to find/connect, which will use your normal DNS resolution. Once connected, if you have it set up correctly, new dns queries should route through your VPN connection. Just keep in mind that various results can be cached on your system and in web browsers, so you should quit and reopen your browser after you connect to the VPN before you run your “leak” test.
It’s not completely clear what you mean, but I’m guessing you’re only routing a subset of your traffic through wireguard, probably only IPv4, and there may be some IPv6 traffic that is not being routed over your wireguard connection.
Why would you guess that?
Your question, as best as I could tell, is that you want DNS traffic to exist through your VPS node, rather than your client machine.
I posited one reason this could be happening, and additionally, a similar setup that provably routes traffic through the VPN based on the method I described.
Nobody in here is obligated to help you, I gave you a couple threads to pull on to resolve your question, so maybe consider accepting it graciously, rather than being obstinate.
lemmyvore@feddit.nl 8 months ago
You may want to ask this in a selfhosted community, not in programming. With that out of the way:
I don’t think hosting your own DNS server on VPS will help much, for several reasons:
DNS “leakage” happens in two ways:
To fix DNS leaks you need to do two things:
a) Use a DNS service that has an explicit mission statement of protecting the users’ privacy. Here’s a good start.
b) You need to connect using encrypted DNS. The most widespread form is DoH (DNS over HTTPS) which uses port 443 and is virtually indistinguishable from regular web traffic (aside from the fact it connects to known public DNS servers). You can also use DoT (DNS over TLS) on port 853 (as opposed to unencrypted DNS on 53).
You can set up DoH or DoT with the address of a privacy-respecting public DNS service on a wide variety of apps and devices:
There are also downsides to DoH/DoT. For example, you can’t coerce LAN devices or apps that use a hardcoded DoH/DoT server to use the one you want. You could hijack their name resolution to the server name but you can’t satisfy their TLS certificate, especially if it’s also hardcoded and doesn’t rely on a central store (like the Android or iOS certificate store). This is often the case with Chinese ioT devices who like to phone home. Google has also started to do this with Chrome on mobile, to prevent DNS-based adblocking.
Use www.dnsleaktest.com to test what you leak.