Blocking traffic in port 53 prevents DNS leaks (or any kind of DNS traffic) ??

13 replies [Last post]
GNUser
Offline
Joined: 07/17/2013

Like I said, is blocking port 53 enough to prevent DNS requests on my local DNS? Or can somehow a DNS request be made through port 80/443 and lead to a DNS leak?

I have vlc set to use a SOCKS proxy at 127.0.0.1:9150, which I do to use it through Tor Browser Bundle (using the Tor process that TBB starts). I am not certain if vlc will respect proxy settings for DNS requests, so I made a few tests closing port 53 in gufw. However, I am unfamiliar with how Trisquel (any GNU/Linux distro actually) will handle DNS requests, and would like some insight from some more experienced users :)

Btw, I did the tests like this:

TBB running, vlc set to proxy, port 53 blocked, tried to access http live stream, and it worked.
TBB not running, vlc set to proxy, port 53 blocked, tried to access http live stream, it fails.
TBB not running, vlc not set to proxy, port 53 blocked, tried to access http live stream, it fails.
TBB not running, vlc not set to proxy, port 53 open, tried to access http live stream, it works.

lsof -i usually gave me the expected results too (with vlc set to proxy, vlc connects to 9150; with vlc not set to proxy, vlc connects directly to the stream IP). That is a good sign, right?

Sorry, I know this is related to general GNU/Linux firewall settings, not just Trisquel's, but since I am using Trisquel and some people here know more about this than me, I thought I would ask :)

Thanks in advance!

GNUsercn
Offline
Joined: 10/13/2015

Thanks, but I will read your post soon.

Today I had a related issue. When I was using OpenVPN to visit an invalid hostname (a typo), I found that the 404.html was returned by my ISP (the ISP-made 404.html, which was easy to identify).

I had already set my laptop's nameserver to 8.8.8.8, so I thought I could circumvent the ISP's censorship of the user's info to/from DNS. Now it turns out it didn't.

I think I didn't specify any DNS servers in my OpenVPN configuration.

So here is the question: can an ISP censor and hijack all 404 messages on any DNS anywhere?

(When I use a VPN I shouldn't be using my ISP's DNS, right?)

Mangy Dog

I am a member!

I am a translator!

Offline
Joined: 03/15/2015

Hi GNUsercn

When you have configured your Network Manager
to import a saved OpenVPN configuration (keys)

CA.cert / User.key / ta.key
and the file containing the OpenVPN client configuration

(Gateway, Protocol & DNS server), which sets your DNS (from your VPN provider)

In no way should your DNS be your ISP's DNS.

Without your VPN activated:
# ifconfig
# route
then with your VPN activated,
"route" will show your default DNS

Check the VPN connections & messages with Gnome System Log (syslog).

IceCat/Abrowser & Iceweasel leak DNS by default due to the WebRTC leak; one must disable WebRTC as indicated here:

https://www.privacytools.io/
How to disable WebRTC in Firefox

once done
https://ipleak.net/
Your IP address - WebRTC detection
&
DNS Address detection

To change DNS without a VPN, this one is in French:
https://trisquel.info/fr/wiki/changer-les-dns
https://wikileaks.org/wiki/Alternative_DNS

GNUsercn
Offline
Joined: 10/13/2015

Thanks a million, Mangy!

This is very useful and helped me. (For now there is no WebRTC leak or DNS leak with my OpenVPN, as I have checked it.)

However, this reminds me of another problem:

I found there may be a transparent DNS proxy at my ISP, even though I set my laptop (Debian) to use Google's DNS, as well as in my router's DHCP settings.

It turned out to be useless when I ran a test on https://www.dnsleaktest.com/ -- still the DNS server from my ISP.....

Sad... is it really unavoidable? (If not using a VPN, that is.)

Thanks

Mangy Dog

I am a member!

I am a translator!

Offline
Joined: 03/15/2015

This may help:
DNS configuration
https://www.howtoforge.com/debian-static-ip-address

GNUser
Offline
Joined: 07/17/2013

I don't want to sound rude, but this was my thread, which got hijacked :-P
Seriously though, I am happy GNUsercn got his answer. Could someone please try to answer the original post?
Thanks

GNUsercn
Offline
Joined: 10/13/2015

I'm so sorry

GNUser
Offline
Joined: 07/17/2013

Don't be :)
I am just hoping someone will actually help me too.
I am glad your issue is now solved :)

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

GNUser
Offline
Joined: 07/17/2013

LOL :-P

Mangy Dog

I am a member!

I am a translator!

Offline
Joined: 03/15/2015

lol...
SuperTramp83 or Crocodile Dundee ??!

GNUser, I'm no network specialist, and there are some by far more experienced members here who use iptables and have web servers etc.

Port 53 is DNS;
80 and 443 are HTTP/HTTPS.
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

http://blog.simple-help.com/2011/12/ports-vs-protocols-80-and-443/

Quote: DNS can't tell you what port a web server is on, only the IP address, so your browser always has to assume that the web browser is going to be there on port 80. When you have another protocol like HTTPS, it specifies its own default port (443), so that means when you use HTTPS to connect to a website your browser is again always going to have to just assume it's going to be there on port 443.

https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
https://unix.stackexchange.com/questions/209926/how-to-check-my-dns-chain

GNUser
Offline
Joined: 07/17/2013

Thanks for your reply anyway.

From the looks of it, I think blocking port 53 should be enough. BUT I'm not sure.

Mangy Dog

I am a member!

I am a translator!

Offline
Joined: 03/15/2015

You can do a tcpdump on port 53:

# tcpdump -n -s 1500 -i eth0 udp port 53

Ex: I opened Synaptic Package Manager & clicked on Reload:

root@Host-001:# tcpdump -n -s 1500 -i eth0 udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
17:50:56.418269 IP xxx.x.x.xx.60188 > xx.x.x.x.x: 18737+ A? archive.gnewsense.org. (39)
17:50:56.418687 IP x.x.x.x.60188 > x.x.x.x.x: 31483+ AAAA? archive.gnewsense.org. (39)
... etc.

http://serverfault.com/questions/243877/how-to-monitor-traffic-at-port-53-dns

https://nsrc.org/workshops/2005/pre-SANOG-VI/bc/dns/dns1-02-exercise.html

http://www.binarytides.com/tcpdump-tutorial-sniffing-analysing-packets/
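As an added example (not code from the thread or from any of its posters), here is a small Python script that reads tcpdump output in the format shown above and reports every port-53 query sent to a resolver that is not on an allow-list, which is exactly the leak the original question is about. The capture lines are constructed and use RFC 5737 documentation addresses; the laptop address 192.0.2.10, the ISP resolver 198.51.100.53, the VPN-pushed resolver 10.8.0.1 and the allow-list itself are all assumptions. It only sees classic port-53 queries: names resolved inside the SOCKS connection (or over HTTPS) never appear on port 53, which is why a port-53 capture and the lsof check from the first post complement each other rather than replace each other.

```python
# Added example (not code from the thread or from any of its posters):
# classify the DNS queries in tcpdump output of the kind shown above and
# report queries sent to resolvers that are not on an allow-list.
import re
from collections import Counter

# tcpdump -n prints a UDP/53 query as:
#   HH:MM:SS.uuuuuu IP <src-ip>.<sport> > <dst-ip>.<dport>: <id>+ <TYPE>? <name>. (<len>)
# The trailing "+" means "recursion desired". Responses use a different
# form ("<id> 1/0/0 A 203.0.113.7 (55)") and are deliberately not matched.
DNS_QUERY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \((?P<len>\d+)\)$"
)

# Constructed sample capture (assumption, not a real trace) using RFC 5737
# documentation addresses: 192.0.2.10 is the laptop, 198.51.100.53 stands in
# for the ISP's resolver, 10.8.0.1 for a resolver pushed by a VPN.
SAMPLE_CAPTURE = """\
17:50:56.418269 IP 192.0.2.10.60188 > 198.51.100.53.53: 18737+ A? archive.gnewsense.org. (39)
17:50:56.418687 IP 192.0.2.10.60188 > 198.51.100.53.53: 31483+ AAAA? archive.gnewsense.org. (39)
17:51:02.100001 IP 192.0.2.10.41022 > 10.8.0.1.53: 4021+ A? trisquel.info. (31)
17:51:02.131337 IP 198.51.100.53.53 > 192.0.2.10.60188: 18737 1/0/0 A 203.0.113.7 (55)
"""


def parse_query(line):
    """Return a dict for a query line, or None for anything else (responses, noise)."""
    m = DNS_QUERY.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    for key in ("sport", "dport", "id", "len"):
        q[key] = int(q[key])
    return q


def find_leaks(capture, allowed_resolvers):
    """Queries whose destination resolver is not allowed, as (resolver, qtype, name)."""
    leaks = []
    for line in capture.splitlines():
        q = parse_query(line)
        if q is None or q["dport"] != 53:
            continue
        if q["dst"] not in allowed_resolvers:
            leaks.append((q["dst"], q["qtype"], q["name"]))
    return leaks


def resolver_counts(capture):
    """How many queries went to each resolver; a quick sanity check on a capture."""
    counts = Counter()
    for line in capture.splitlines():
        q = parse_query(line)
        if q is not None and q["dport"] == 53:
            counts[q["dst"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Assumption: with Tor or the VPN carrying DNS, only these two may be asked.
    allowed = {"127.0.0.1", "10.8.0.1"}
    print("queries per resolver:", resolver_counts(SAMPLE_CAPTURE))
    for dst, qtype, name in find_leaks(SAMPLE_CAPTURE, allowed):
        print(f"LEAK: {qtype} {name} sent to {dst}")
```

To use it on a real machine, pipe the output of the tcpdump command from the post into the script instead of the embedded sample and put your own VPN or local resolver in the allow-list; an empty leak list while the proxy-only test from the first post still streams is the result you want to see.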

GNUser
Offline
Joined: 07/17/2013

I tried to install tcpdump and Synaptic warned me that the package couldn't be authenticated!
Could that mean a problem with the Trisquel repo??