Network & Virtual Switch DNS Leak Issue


Post by TheTruePhoenix »

So after having my normal network router fail, I was forced to set up a temporary one while I await a replacement device. The router I have doesn't allow me to set DNS servers, so I statically assigned the IP and DNS of my QNAP under Network & Virtual Switch. Somehow though, it's still getting the DNS setting off the router; this is in turn causing me to have DNS leaks via Browser Station and any other I have going via the VPN.

Why, even when statically assigned, is the Network & Virtual Switch getting a DNS server from the router and ignoring the two I set directly?

I've uploaded an image with IPs changed on how the setup looks (see attached).

Any help on resolving this one? Prefer not to have a DNS leak making the VPN basically pointless.

Re: Network & Virtual Switch DNS Leak Issue

Post by Moogle Stiltzkin »

not quite sure how yours is leaking.

are you using your vpn's own dns firstly? that's usually the vpn's first recommendation to avoid ip leaks.

is ipv6 properly supported by your vpn? if not, that is another possible leak. I just simply disable ipv6 and don't use it, problem solved. But my mullvad vpn claims they support ipv6, but i'm not really bothered to set that up. lots of places on the internet where ipv4 still works.

maybe the switches need to change the dns setting from gateway dns to custom dns. enter your vpn dns, whatever that is.


found your airvpn dns here
-Every VPN server has its DNS server, directly finds out information about the root servers, top level domains and authoritative name servers.

-Our DNS servers are neutral, do not ever inject or alter the requests (other services resolve to search results, try to fix typo etc).

-Where ICANN or root servers themselves interfere with censorship, we may apply specific censorship fix to our DNS server. See "AirVPN does not recognize ICANN authority anymore" topic for more information.

-Using our DNS allows our customers to use our anti-geolocation discrimination features. For example, visit a website that allows only United States connections from a Netherlands VPN server.

-It's recommended to use our DNS server to avoid censorship and use our anti-geolocation features.

-VPN DNS addresses (private addresses, only reachable from inside the VPN): 10.4.0.1 / fde6:7a:7d20:4::1 - reachable from any virtual subnet

-However, we recommend that your machine accepts the DNS push from our servers. If that's not possible, then we suggest to set the DNS IP address matching the VPN gateway IP address, as this is the safest method to prevent certain attacks based on hijacking.

https://airvpn.org/specs/

TheTruePhoenix wrote: Mon Jun 29, 2020 6:47 pm Somehow though, it's still getting the DNS setting off the router, this is in turn causing me to have DNS leaks via browser station and any other I have going via the VPN.
i found this as well. one of the more probable causes perhaps?

Some routers can force their DNS servers onto all devices
Even if the router is functioning as a DNS server, it still has to pass along many, if not most, requests to other DNS servers. Again, to see which DNS servers your computer is ultimately using, see my Test Your Router page.

As for Peplink routers, including the Pepwave Surf SOHO that I recommend, the feature that instructs the router to impose its will (its DNS servers) on all attached devices is called DNS Forwarding and, as shown below, it is enabled with a simple checkbox.

[Image: Peplink DNS Forwarding setting]

Note in the description, it says that DNS lookups will be "intercepted and redirected to the built-in DNS name server." This means that before a Peplink router can force clients to use its DNS servers, it must first be configured to act as the DNS server. When the router is acting as the DNS server, DHCP clients will see the LAN side IP address of the router (192.168.50.1 by default) as their DNS server. This is true with or without DNS Forwarding being enabled.

To be clear, when DNS Forwarding is being used, all devices, even those with hard coded IP addresses and hard coded DNS servers, will bow to the will of the router. The router will honor the hard coded LAN side IP address, but not the DNS servers. The client device will think it is using its desired DNS servers, but it won't be. You can use the many DNS tester websites to verify this.


Peplink is not unique in offering the ability to over-ride user specified DNS servers. As a rule, this is a feature of business class routers.

Steve Gibson himself uses pfSense, and it too, can enforce its will when it comes to DNS servers
https://www.michaelhorowitz.com/DNS.and ... h.2018.php



i noticed one setting in pfsense that may be a possible issue. If you have this ticked enabled, your isp's dns can be active, which is not something you want (because then your isp will also log what sites you visit). so i left that unticked aka disabled (i then confirm in pfsense what are the active running dns on the pfsense router). Not sure about your router settings, but this is just another example of another possible issue perhaps :S
Allow DNS server list to be overridden by DHCP/PPP on WAN

If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients.

I use this to detect ipleaks
https://ipleak.net



not sure why you can't edit your router setting, but if it really is temporary, would you consider temporarily setting up pfsense router on your qnap? i posted a guide here
viewtopic.php?f=45&t=155315


i take it you are using airvpn? this guy has a pfsense guide for setting airvpn on his pfsense router
https://nguvu.org/pfsense/pfsense-basel ... 0Selection

Split Tunnel Routing With OpenVPN and pfsense
https://www.youtube.com/watch?v=XHtwVJt4AKo

Re: Network & Virtual Switch DNS Leak Issue

Post by TheTruePhoenix »

Thanks for all the information Moogle. I like the idea of setting up the NAS as a router but unfortunately my WAN link comes in on one side of my house while my NAS is on the other side and I can't move it away from my only switch which handles 802.1ad as it's also the PoE switch for all my cameras.

I checked out my temporary router (FYI it's a "Telstra Smart Modem 2" which is just a rebranded Arcadyan LH1000) and it doesn't have any DNS forwarding listed as an option. It does seem that somehow the router is affecting things, but it could also have been that I just haven't tested for DNS leaks in a while and it was a patch that came out for the NAS or one of its applications (I have had patches break the device before). I find it odd that the router would be able to detect the DNS requests though, as shouldn't they be getting pushed directly via the tunnel?

Since my original post I've tried upgrading to the latest firmware, even though I was only three versions behind and none of the fixes listed had anything to do with my issue. Same problem.

Also just to confirm, the VPN is running via the NAS (using QVPN Service 2), not via my router. I use it this way so the majority of my day to day traffic, mostly streaming and basic internet browsing, is done via the boring normal internet, while things I want to keep secure like some of my VM servers are handled via the VPN tunnels directly from the NAS. A few years ago I had the NAS providing a VLAN out to my local network and numerous devices dual linked so they could have traffic directed either way depending on the interface used but I haven't utilised that system for a while as it was just overly complicated to maintain.

Anyway, I've tried resetting a few bits of the NAS config, starting over, still back to the same DNS leaking. If the NAS is truly directing all traffic via the tunnel it has established between itself and the remote VPN servers directly, which hence would be encrypted, I can't see any way external DNS would leak out unless it's incorrectly sending DNS requests from these apps via the normal internet connection (which is scary that it would even have that as a fail over).

I'm going to try to log a ticket directly with QNAP as well, as something really doesn't seem right, and it may be that one of the recent patches to QVPN, virtual switch, or the QNAP firmware has caused this problem and I just hadn't tested it for a while (so it's unrelated to my router change).

Re: Network & Virtual Switch DNS Leak Issue

Post by TheTruePhoenix »

As an update to this, QNAP confirmed it's an issue. It's ignoring the DNS setting it received from my VPN server and instead applying its default (google). They sent it up to the developers, but that was months ago and no update since :(

Re: Network & Virtual Switch DNS Leak Issue

Post by dawsonkm »

Thanks for the follow up

Re: Network & Virtual Switch DNS Leak Issue

Post by cgronier »

Hi,
Any update on this issue?
My setup is :
- QNAP TS-451A
- Ver. 4.5.1.1480
- QVPN server ON
- QVPN client -> NordVPN with 'Use VPN as NAS Default Gateway' ON (as advised on NordVPN site)
https://support.nordvpn.com/Connectivit ... -2-NAS.htm

The QVPN Client interface says that I have the IP address provided by NordVPN
However, if I test the connection with an ipLeak test site (and Download Centre), it is my normal ISP IP address that is visible

On my computer all works as it should so the problem is really with QNAP/QVPN/Download Centre

Any help is welcome

Re: Network & Virtual Switch DNS Leak Issue

Post by mustard »

I'm seeing the same issue.

Re: Network & Virtual Switch DNS Leak Issue

Post by TheTruePhoenix »

I made another post as this is so old, my ticket is still open, they aren't responding to anything, and the problem still exists. You would think with all the recent security issues they have had they would be focusing on fixing their problems like this, but instead we just get nothing, they aren't even replying to my ticket anymore.

Re: Network & Virtual Switch DNS Leak Issue

Post by dascolies »

I had the same issue. DNS leak to German DNS servers although I'm in Spain.
QNAP support confirmed they are aware since last year but still not solved.

Re: Network & Virtual Switch DNS Leak Issue

Post by TheTruePhoenix »

OK, so I found YET ANOTHER SECURITY BUG but also have a "work around".

Getting sick and tired of waiting for QNAP to even pretend they care about security I decided to build up an alternative.

I made a VLAN on my network which was isolated to only go out via the VPN and shared it as its own SSID via Wireless. I disabled the VPN client on my QNAP and plugged in a wireless card. I connected that wireless card to the VPN exclusive network and success! No more DNS leak!

HOWEVER.... That was with my other interface having the gateway IP set to itself, as soon as I put that back on DHCP, EVEN WITH THE GATEWAY SET TO THE WIRELESS ONLY, I get a DNS leak... It's obviously using the DHCP received DNS on the physical interfaces over ANYTHING else... This should be an easy fix, can we get someone to fix this up already?!?!?!

So the workaround: don't use the built-in VPN. Set up the VPN on a router elsewhere and use a wireless card to connect to it, BUT make sure you manually disable the gateway of your other NIC, otherwise it will still leak...
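
The two leak modes reported in this thread (the NAS using a resolver other than the one the VPN pushes, and resolver traffic leaving on the physical interface) can be told apart from the resolver list and the routing table. The Python script below is an added example, not part of any post and not QNAP code; the interface names `tun0`/`eth0`, the LAN range and both sample inputs are constructed assumptions, and 10.4.0.1 is the AirVPN resolver quoted earlier in the thread.

```python
import ipaddress

# Constructed sample inputs, not captured from a real NAS (tun0/eth0 are assumed names).
RESOLV_CONF = "nameserver 192.168.0.1\nnameserver 8.8.8.8\nnameserver 10.4.0.1\n"
ROUTES = """\
0.0.0.0/1 via 10.4.0.1 dev tun0
128.0.0.0/1 via 10.4.0.1 dev tun0
default via 192.168.0.1 dev eth0
10.4.0.0/16 dev tun0 proto kernel scope link src 10.4.0.23
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.10
"""

def parse_nameservers(text):
    """Return nameserver addresses from resolv.conf text, in file order."""
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())
    return [ipaddress.ip_address(r[1]) for r in rows if len(r) > 1 and r[0] == "nameserver"]

def parse_routes(text):
    """Parse `ip -4 route show` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        try:
            net = ipaddress.IPv4Network(f[0].replace("default", "0.0.0.0/0"), strict=False)
            routes.append((net, f[f.index("dev") + 1]))
        except (ValueError, IndexError):
            continue  # blank line, no output device, or "nexthop"/"unreachable" rows
    return routes

def egress_dev(addr, routes):
    """Longest-prefix match over the main table (metrics and policy rules ignored)."""
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def audit(resolv_text, route_text, tunnel_dev, vpn_resolvers):
    """Return (resolver, egress device, verdict) per configured nameserver."""
    routes = parse_routes(route_text)
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    report = []
    for ns in parse_nameservers(resolv_text):
        dev = egress_dev(ns, routes)
        verdict = ("ipv6-unchecked" if ns.version == 6         # needs `ip -6 route show` too
                   else "outside-tunnel" if dev != tunnel_dev  # leaves on the physical NIC
                   else "ok" if ns in allowed
                   else "wrong-resolver")                      # tunnelled, not the VPN's DNS
        report.append((str(ns), dev, verdict))
    return report
```

Calling `audit(RESOLV_CONF, ROUTES, "tun0", ["10.4.0.1"])` on the constructed sample marks 192.168.0.1 as `outside-tunnel`, because the connected /24 route on `eth0` is more specific than the VPN's two /1 routes, and 8.8.8.8 as `wrong-resolver`.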

Re: Network & Virtual Switch DNS Leak Issue

Post by sibbers »

I’m also seeing this issue. I presume it’s not yet fixed?

Re: Network & Virtual Switch DNS Leak Issue

Post by MrOtto »

QVPN Service is still leaking DNS. Is there another VPN app for QNAP?

Re: Network & Virtual Switch DNS Leak Issue

Post by dolbyman »

closed to prevent further necropostings

open a ticket..posting complaints here will do zilch