This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

VPN and wireshark

0

As I have been reading, when using a VPN most stuff on Wireshark should be basically unreadable. So when it comes to DNS, why can I see everything that is happening on the DNS side of things? It all comes through in plain text to Wireshark, e.g. google.com or

152755  2108.687994000  192.168.1.2 10.30.0.1   DNS 76  Standard query 0x381f  A dns.msftncsi.com

and so forth. I have no DNS leaks; I tried on ipleak.net and a few others, dnsleaktest.com and so forth. I'm using AirVPN and CyberGhost, separately mind you, and the DNS requests are plain as day. Are they scrambled through the VPN tunnel and spat out so only Wireshark and my PC can read these, or, if I can see them, so can everybody else? I'm sorry, I don't know how to post a screen dump, so maybe I'll post on imgur if that's OK. Thank you.

asked 24 Sep '15, 00:43

nitehawk

edited 24 Sep '15, 01:49

grahamb ♦

I'm going to post to ExpireBox as I cannot work CloudShark. I've posted a snippet of time with the VPN running. I use Firefox; I tried another browser, Edge, but it gave me the same thing. I'm beginning to think it's normal.

Capture http://expirebox.com/download/a17e1b8c95156fda396f24a8989703a8.html

CMD routes http://expirebox.com/download/87b04020f1b69d031c13272bd179ef00.html

(24 Sep '15, 13:29) nitehawk

One Answer:

0

Only traffic sent through the VPN tunnel will be encrypted. Depending on the tunnel configuration it will either scoop up all traffic or only traffic for a particular destination. I'm not familiar with either of the VPN systems you mention, so I don't know if they can be configured to route all traffic into the tunnel.

It would appear that at least some of your DNS traffic isn't being sent via the tunnel.

This isn't really a Wireshark question, more about your VPN config. You'll probably get better support on the forums for the VPNs you are using.

answered 24 Sep '15, 01:56

grahamb ♦

Hi, thanks for your answer. I'm asking if it's normal. All traffic is going through the VPN with both. I'm on Windows 10 with the native program for each provider (their VPN program).

So I'm just trying to figure out why I can see things in Wireshark in plain text if it's supposed to be encrypted, unless DNS does something different. Maybe someone else might know.

(24 Sep '15, 02:06) nitehawk

The VPN client will modify your routing table to direct traffic into the tunnel (use route print from a command line prompt).

The network resolver built into Windows just issues DNS requests to the configured DNS servers, then it's up to the network routing as to where those requests are sent.

You'll probably have to post a capture file to get any further, showing this DNS request and some encrypted VPN traffic. You could also post the contents of your routing table when the VPN is running as a comment here.

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, Dropbox, and post the link back here?

(24 Sep '15, 07:27) grahamb ♦
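
An added example (not part of the original thread) of the routing check described in the comment above: take the IPv4 rows printed by route print and work out which interface each configured DNS server is reached through. The route rows, addresses and the function names parse_routes, egress and dns_paths are constructed for illustration; the two routes with mask 128.0.0.0 are an assumed way for a VPN client to capture all traffic.

```python
import ipaddress

# Constructed sample of the IPv4 "Active Routes" rows from `route print`
# (columns: Network Destination, Netmask, Gateway, Interface, Metric).
# Assumed layout: LAN adapter 192.168.1.2, tunnel adapter 10.8.0.6.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     20
         10.8.0.4  255.255.255.252          On-link         10.8.0.6    276
      192.168.1.0    255.255.255.0          On-link      192.168.1.2    281
"""

def parse_routes(text):
    """Turn route rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators, blank lines
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            routes.append((net, fields[2], fields[3], int(fields[4])))
        except ValueError:
            continue  # not an IPv4 route row
    return routes

def egress(dest, routes):
    """Pick the route by longest prefix, lowest metric breaking ties."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def dns_paths(dns_servers, routes, tunnel_if):
    """Map each configured DNS server to (egress interface, via tunnel?)."""
    paths = {}
    for server in dns_servers:
        route = egress(server, routes)
        iface = route[2] if route else None
        paths[server] = (iface, iface == tunnel_if)
    return paths

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    # Constructed resolver list: the LAN router and a public resolver.
    for server, (iface, tunnelled) in dns_paths(
            ["192.168.1.1", "8.8.8.8"], table, "10.8.0.6").items():
        print(f"{server:<12} leaves via {str(iface):<12} tunnelled={tunnelled}")
```

In this constructed table a resolver on the local subnet matches the on-link /24 route, which is more specific than the two /1 routes, so its queries leave on the LAN adapter outside the tunnel.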