This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unencrypted DNS queries with VPN

0

Hi,

Recently I became a VPN user (Nord VPN). The service seems to be fine, but I wanted to verify whether it is secure.

For that I just wanted to make sure/understand whether all of my Internet traffic goes through the tunnel. Of course, on the Nord VPN website it says that I am perfectly secure now, but I wanted to verify that.

For that purpose I decided to use Wireshark. After the VPN installation I see that in my system there are now two Ethernet cards, one called TAP Windows adapter, which was added by the VPN, and the other my native WiFi card. As I understand it, all traffic (through the route table) should be directed to the TAP card, where it gets encrypted, and then all data are sent to the Internet through my native WiFi card (already encrypted). To check that, I used Wireshark and monitored my Internet WiFi card. 98% of packets are of OpenVPN type, which is encrypted, good. But the rest are DNS queries (sent to the VPN DNS servers) which are in plain text that I can read. In these it is written which websites I am trying to access.

Please see the screenshot of the Wireshark results: https://postimg.org/image/4xh0mfqez/

I used the website https://ipleak.net/ to check whether it is connected with DNS leakage, but NO IP leak was detected.

So for me it seems that DNS queries are not encrypted, but sent to the VPN DNS servers in plain text. If that is the case, then a man in the middle or the ISP can easily trace my activity and the websites I am trying to access. Please let me know if that is true, or if not, how it works then.

I tried to get a descriptive answer from the VPN provider, but they only claimed that everything is fine/secure.

Looking forward to your hints.

Best regards John

asked 27 May '16, 06:14


JohnKanaka
accept rate: 0%

closed 27 May '16, 06:26


grahamb ♦

This has come up a few times before, here and here and probably others.

(27 May '16, 06:26) grahamb ♦

The difference in this Question as compared to the other ones you've referred to is that here the OP states that the DNS server addresses have been suggested by the VPN provider.

(27 May '16, 06:59) sindy

I wonder why this topic got closed, since in the links you provided there is no specific answer to my question, which is somehow related to Wireshark's super capabilities of reading encrypted data. Please see my comment below on sindy's answer; maybe you could help to answer.

Best regards, John

(27 May '16, 07:51) JohnKanaka

This has absolutely nothing to do with any hypothetical Wireshark capabilities of automagically decrypting only DNS requests. If Wireshark shows plain text DNS requests, then that is what's being transmitted via the network stack that it's capturing on. Note that's not necessarily what goes on the wire; the only way to be sure of that is to capture from an external device.

In the end, this is most likely to be another OS\VPN routing\config issue, the same as the other questions. Wireshark may be able to show "what's happening", but not why, and the best folks to get support for that will be your VPN provider. If they're unable to support you, then maybe you need to look at another VPN provider.

(27 May '16, 08:26) grahamb ♦

Thanks for your answer.

But there is one point that is not clear, which I believe is very important to resolve my question:

"If Wireshark shows plain text DNS requests, then that is what's being transmitted via the network stack that it's capturing on. Note that's not necessarily what goes on the wire."

I thought that Wireshark actually captures what goes on the wire (air in my case :)). So does it mean that although this card captures plain text (at the network stack), it still will be encrypted?? (where?, when?, how?). I don't see how those packets could be encrypted once again, since they have already left the TAP (virtual) card and are logged at the physical card.

If you know the answer or give me some directions I would appreciate your help.

Best regards John.

(27 May '16, 09:32) JohnKanaka

Wireshark uses a capture mechanism either provided by the host OS or a separately installable driver (such as WinPcap on Windows) that is passed the data at some point as it moves through the OS networking stack.

This effect can easily be seen in Wireshark captures on OSes that have IP checksum offloading, where the NIC calculates the IP packet checksum, so all transmitted packets appear to have an incorrect checksum. This is why Wireshark has protocol preferences to turn off checksum validation.

I've no idea about other OSes, but on Windows it's entirely possible for the capture to be made above the encrypting part of the stack. However, I think that's unlikely in your case; I think what's happening is that the routing sends the DNS packets outside the VPN tunnel.

The only way to be sure of capturing exactly what's transmitted is to not capture on the local machine.

(27 May '16, 09:57) grahamb ♦

I've reopened the question, as it seems it is going to become more relevant than the other two if the explanation by Windows 10's creative use of the routing table proves to be correct.

(27 May '16, 15:17) sindy

If this is a Windows machine, as soon as you are connected to the VPN, restart the DNS Client Windows service; this maintains a route for DNS queries since some MS-KB or other. The possibility that it is just Windows 10 throwing DNS queries on all adapters is also there. Windows 10, what can you do.

(01 Jun '16, 04:22) DarrenWright

2 Answers:

0

As I understand all traffic (through the route table) should be directed to TAP card, where it gets encrypted and then all data are send to Internet through my native WiFi card (already encrypted).

Your understanding is correct; this would be a secure setup. I cannot see any reason why the VPN client software should set the default route to the tunnel interface but create exceptional routes via the original gateway for the DNS servers. So once the VPN is up and running,

  • use Wireshark to identify the address of the VPN server itself,

  • check the contents of your routing table.

If you find exceptional routes for individual addresses of the DNS servers, removing them should be enough to make the DNS queries be routed through the tunnel as well. But if there is an exceptional route for a whole subnet which covers both the VPN server and the DNS servers, removing such a route would make the VPN stop working, as the encrypted packets have to be sent to the VPN server using the original gateway as provided by the WiFi AP. If this is the case, you would have to manually configure some DNS servers outside that subnet, i.e. not belonging to the VPN provider, to allow sending DNS queries through the VPN as well. These DNS servers may be your ISP's ones, as the queries to them would come from the outer address of the VPN server, so they wouldn't disclose that it is you who is asking.

I just wonder whether you are sure that it is safer to be spied on by the VPN provider than to be spied on by your ISP.

answered 27 May '16, 06:54


sindy
accept rate: 24%
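The two checks in the answer above (find the VPN server's address, then see how the routing table treats the DNS servers) as an added example, not code from the original thread or from any VPN product. It parses the "Active Routes" block of a Windows `route print`, performs the longest-prefix/lowest-metric lookup the OS does, and flags every DNS server whose queries would leave on the same physical adapter as the encrypted tunnel. The routing table, adapter names and all addresses (RFC 5737 documentation ranges) are constructed for the example; the `/1` routes mirror what OpenVPN's `redirect-gateway def1` installs, and the `/32` rows are the "exceptional routes" the answer describes.

```python
import ipaddress
import re

# Constructed sample modelled on the IPv4 "Active Routes" block of Windows
# `route print`, for a host with a WiFi adapter (192.168.1.23) and an OpenVPN
# TAP adapter (10.8.0.2). Public addresses are RFC 5737 documentation ranges,
# not any real provider's. The /32 for 203.0.113.10 (VPN server) is required;
# the /32 for 198.51.100.53 (a pushed DNS server) is the leak we want to catch.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.23     35
          0.0.0.0        128.0.0.0         10.8.0.1       10.8.0.2     20
        128.0.0.0        128.0.0.0         10.8.0.1       10.8.0.2     20
         10.8.0.0    255.255.255.0          On-link       10.8.0.2    276
      192.168.1.0    255.255.255.0          On-link   192.168.1.23    291
     203.0.113.10  255.255.255.255      192.168.1.1   192.168.1.23     35
    198.51.100.53  255.255.255.255      192.168.1.1   192.168.1.23     35
===========================================================================
"""

# Assumed adapter names, keyed by the "Interface" column (the adapter's own IP).
IFACE_NAMES = {"10.8.0.2": "TAP-Windows", "192.168.1.23": "WiFi"}

VPN_SERVER = "203.0.113.10"                        # the OpenVPN peer seen in Wireshark
DNS_SERVERS = ["198.51.100.53", "198.51.100.54"]   # resolvers pushed by the VPN

ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return [(network, gateway, interface_ip, metric)] from the Active Routes block."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # column header, separator or blank line
        dest, mask, gateway, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def best_route(routes, dst):
    """Forwarding decision: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def check_dns_routing(route_text, dns_servers, vpn_server, iface_names):
    """For each DNS server, find the adapter its queries leave on and whether that
    is the physical adapter the encrypted tunnel itself uses (i.e. a leak).

    Returns {server: {"adapter": name, "via": network, "leaks": bool, "remedy": str}}.
    """
    routes = parse_route_print(route_text)
    vpn_route = best_route(routes, vpn_server)
    if vpn_route is None:
        raise ValueError("no route to the VPN server; is the VPN up?")
    physical_if = vpn_route[2]  # encrypted packets must leave on the real adapter
    report = {}
    for server in dns_servers:
        r = best_route(routes, server)
        leaks = r[2] == physical_if
        if not leaks:
            remedy = "none needed, query goes through the tunnel"
        elif ipaddress.IPv4Address(vpn_server) in r[0]:
            # Deleting this route would also cut off the VPN server itself.
            remedy = f"route {r[0]} also covers the VPN server; use DNS servers outside it"
        else:
            remedy = f"route delete {r[0].network_address} mask {r[0].netmask}"
        report[server] = {"adapter": iface_names.get(r[2], r[2]),
                          "via": str(r[0]), "leaks": leaks, "remedy": remedy}
    return report


if __name__ == "__main__":
    for server, info in check_dns_routing(ROUTE_PRINT, DNS_SERVERS, VPN_SERVER, IFACE_NAMES).items():
        flag = "LEAK" if info["leaks"] else "ok  "
        print(f"{flag} {server:15} via {info['via']:15} on {info['adapter']:12} {info['remedy']}")
```

On a real machine, replace `ROUTE_PRINT` with the output of `route print -4` and `VPN_SERVER` with the peer address Wireshark shows for the OpenVPN packets. The remedy string distinguishes the two cases in the answer: a host route for one DNS server can simply be deleted, while a route whose prefix also contains the VPN server must stay, and the fix is to pick resolvers outside it.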

Thank you for your interesting answer.

I will check the routing table today. What do you mean by "use Wireshark to identify the address of the VPN server itself"?

I just wonder about Wireshark, why it makes exceptions for DNS queries. Why can it see DNS queries in plain text instead of them being encrypted? Below are the answers I got from the VPN provider:

Answer 1: "Do not worry the DNS queries are also encrypted, you can see them because you are checking them via Wireshark on the same Host you are using the VPN."

Answer 2: "I am not sure why the queries appear in Wireshark; it may have something to do with the Wireshark software itself, it probably directly sees the local queries on the computer, thus they are seen. Though rest assured, the DNS queries going through our DNS servers are encrypted and thus you will be fully secured while using our DNS servers."

I am just wondering, if the routing table routes everything through the TAP encryption card, how Wireshark is able to still read unencrypted queries, which at this point should be encrypted????

I just wonder if it is not a case of Windows 10 sending DNS queries using all possible network adapters, waiting for the fastest response: https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1#.r1nml3ont

In that case VPN is not secure any more...

Looking for ideas... John

(27 May '16, 07:47) JohnKanaka

"Do not worry the DNS queries are also encrypted, you can see them because you are checking them via Wireshark on the same Host you are using the VPN."

This could be the explanation if you capture simultaneously on both interfaces, i.e. the real (wireless) one and the virtual (TAP) one. By posting a screenshot instead of the pcap file, you've made it impossible to check, so you have to check yourself. But it is quite unlikely, as in such case you would see the other traffic types in the capture as well (i.e. each sent packet would first be seen without encryption at TAP and then encrypted at the WLAN interface).

it may have something to do with the Wireshark software itself, it probably directly sees the local queries on the computer, thus they are seen.

This is not how Wireshark works. It captures (using OS-specific libraries and binding points, as @grahamb has pointed out) only traffic to/from network interfaces.

I am just wondering if routing table routes everything through TAP encryption card, how the wire-shark is able to still read unencrypted queries, which at this point should be encrypted?

See my comment on the VPN provider's Answer 1 above: Wireshark would only be able to see packets sent via the TAP without encryption if it were capturing on the TAP itself. Yes, Wireshark can decrypt encrypted traffic in some cases, but you have to supply it with the relevant key material.

To be continued...

(27 May '16, 15:14) sindy

I just wonder if it is not a case of Windows 10, that sends DNS queries using all possible network adapters, waiting for fastest response

"To send a packet towards a (remote!) destination using a particular interface" actually means to send the packet to a router accessible through that interface. Doing so normally requires that

  • either an IP address of a gateway in that interface's subnet has been indicated as a route to that destination in the routing table,

  • or the interface itself has been indicated as a route to that destination in the routing table, and the OS has received an ICMP router advertisement packet through that interface.

However, we cannot exclude that ValdikSS is right and Windows 10 really uses the contents of the routing table in a creative way, as nothing prevents it from sending the DNS query (or any other packet) to all gateways it can find in the routing table, regardless of which destinations those gateways have been indicated as routes for. It is easy to check: if the routing table does not show any exceptional route for the DNS server and the default route points to a gateway whose IP address is in the same subnet as the TAP's IP address, then this becomes the most likely explanation. A remedy would be to disable access to the DNS servers using some firewall rules at your wireless AP, but not all APs can do that.

The other part of ValdikSS's article may be true in parallel: yes, Windows may rewrite the default route (or even several routes, depending on the DHCP options it receives) each time it renews the DHCP lease. But if that happened, you would see all traffic, not just the DNS queries, start using that gateway right after the first DHCP renewal after VPN session establishment.

(27 May '16, 15:15) sindy

Isn't this simply a case of a split-tunnel implementation? https://en.wikipedia.org/wiki/Split_tunneling If the DNS queries are made outside the VPN, then they would not be encrypted.

(27 May '16, 20:14) griff

Even if that were the case, the routing table should show it. And I cannot see a reason why the "public VPN" provider would intentionally route DNS requests outside the tunnel, and if they did, why they would not mention it in their answers to the OP.

(27 May '16, 23:27) sindy

0

If you're using the OpenVPN client and you're on Windows 8-10, you need to configure your client to ignore any DNS server but those pushed by your server. It's because Windows tries to play smart and sends DNS queries to the fastest server.

So if it appears that your gateway answers those queries faster than your VPN server (which must always be the case), all queries will be sent to it without encryption.

You need to open your .ovpn file and add at the end of it: "block-outside-dns" (without the quotes).

In the OpenVPN log, you'll see the client picking up that line and stating that it will ignore any DNS server but those pushed by the VPN server you're trying to connect to.

Also, in Wireshark, you'll never be able to read anything again: encryption to its fullest!

answered 06 Oct '17, 06:48


olleo
accept rate: 0%
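Whatever the fix (the route clean-up in sindy's answer or `block-outside-dns` above), the way to confirm it is the one grahamb describes: capture on the physical adapter, ideally from an external device, and look for DNS that is not inside the tunnel. The following is an added example, not code from this thread or from Wireshark/OpenVPN: a minimal libpcap reader that walks Ethernet/IPv4/UDP frames, skips anything addressed to the VPN server (the encrypted tunnel) and prints the query name of every DNS packet that left in the clear. The capture it runs on is constructed in the same file with RFC 5737 documentation addresses; the client, VPN server and resolver addresses are assumptions for the example.

```python
import socket
import struct

# Constructed capture standing in for a Wireshark capture on the WiFi adapter after
# the VPN is up. Addresses are RFC 5737 documentation ranges: the client is
# 192.168.1.23, the OpenVPN server 203.0.113.10 (UDP 1194), the resolver 198.51.100.53.
CLIENT = "192.168.1.23"
VPN_SERVER = "203.0.113.10"
DNS_SERVER = "198.51.100.53"


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/UDP frame; UDP checksum left 0 (permitted for IPv4)."""
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def build_dns_query(name, txid=0x1234):
    """Standard recursive A query for `name`, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_sample_pcap():
    """One opaque tunnel packet plus two DNS queries sent outside the tunnel."""
    frames = [
        build_udp_frame(CLIENT, VPN_SERVER, 51000, 1194, bytes(range(0x30, 0x80))),
        build_udp_frame(CLIENT, DNS_SERVER, 52000, 53, build_dns_query("example.com")),
        build_udp_frame(CLIENT, DNS_SERVER, 52001, 53, build_dns_query("www.wireshark.org", 0x5678)),
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for i, frame in enumerate(frames):
        pcap += struct.pack("<IIII", 1464400000 + i, 0, len(frame), len(frame)) + frame
    return pcap


def parse_qname(data, off):
    """Decode an uncompressed DNS name starting at `off`; return (name, next offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(data[off:off + n].decode("ascii"))
        off += n


def find_plaintext_dns(pcap, vpn_server):
    """Return (src, dst, qname) for every DNS query in the capture that is not
    addressed to the VPN server, i.e. every query that left the host in the clear."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap (not pcapng)")
    off, found = 24, []
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if ip[9] != 17 or dst == vpn_server:
            continue  # not UDP, or part of the encrypted tunnel
        udp = ip[ihl:]
        _sport, dport = struct.unpack_from("!HH", udp, 0)
        dns = udp[8:]
        if dport != 53 or len(dns) < 12 or struct.unpack_from("!H", dns, 4)[0] < 1:
            continue
        qname, _ = parse_qname(dns, 12)
        found.append((src, dst, qname))
    return found


if __name__ == "__main__":
    leaks = find_plaintext_dns(build_sample_pcap(), VPN_SERVER)
    for src, dst, qname in leaks:
        print(f"plaintext DNS {src} -> {dst}: {qname}")
    print("no DNS outside the tunnel" if not leaks else f"{len(leaks)} leaked queries")
```

To run it on a real capture, read the file with `open(path, "rb").read()` and pass the VPN server address Wireshark shows for the OpenVPN packets; Wireshark saves pcapng by default, so save (or convert) the capture as classic pcap first. After `block-outside-dns` or the route fix is in place, a capture on the physical adapter should produce an empty list; a capture on the TAP adapter will still show plain DNS, which is expected and is the point grahamb and sindy make about where the capture hook sits.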