On Sun, Mar 27, 2016 at 11:12:38PM -0700, Adam Smith wrote:
> Hi,
> 
> Relevant info:
> 
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of 
> 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and dated 
> March 27, 2016
> (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning my 
> machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
> 
> After my computer is connected to VPN tunnel, I start Firefox and surf to 
> https://www.dns-oarc.net/oarc/services/dnsentropy where I click on the button 
> that says "Test My DNS".
> 
> The IP address of my ISP appears in the results. It means that the OpenBSD 
> operating system leaks DNS.

I tend to say that OpenBSD does what you ask for :)

> How to fix the problem, please?

Without seeing any configuration files it is a bit complex to be sure...

with my magic hat, my interpretation is:
  - you don't configure specific options in dhclient.conf, so when your
    ISP sends you the DNS list, dhclient(8) adds it to /etc/resolv.conf

  - you added your preferred public DNS servers in resolv.conf.tail, so
    these addresses will be *at the bottom*

  - your /etc/resolv.conf should look like:

nameserver ISP-DNS-address
nameserver preferred-public-DNS-address

  - so when a program asks to resolve an address, libc works as
    documented in resolv.conf:

    "If there are multiple servers, the resolver library queries them in
    the order listed".

    as resolv.conf.tail is at the bottom, these DNS addresses are used when
    the first (ISP DNS) addresses fail.


I think what you want is to override the DNS addresses provided by your
ISP. It could be done using dhclient.conf, with the following line for
example:

   supersede domain-name-servers 8.8.8.8;

Take a look at dhclient.conf(5) man page for more information.

  supersede option option-value;
    Use option-value for the given option, regardless of the value
    supplied by the server.

I hope it helps.
-- 
Sebastien Marie
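
Added example, not part of the original message: a small sh check for the resolver order described above, listing the nameserver lines of a resolv.conf-format file in query order and flagging any that are not a preferred server. The function names are hypothetical, and 192.0.2.53 is a constructed stand-in for an ISP-supplied resolver.

```shell
#!/bin/sh
# Added example (not from the thread): audit the order of resolvers in a
# resolv.conf-format file. Function names are hypothetical.

# Print nameserver addresses in file $1, in the order libc queries them.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# audit_resolv FILE PREFERRED...
# Report every nameserver in FILE that is not in the PREFERRED list, with
# its position. Returns 0 if all are preferred, 1 otherwise.
audit_resolv() {
    file=$1; shift
    pos=0; bad=0
    for ns in $(list_nameservers "$file"); do
        pos=$((pos + 1)); ok=0
        for want in "$@"; do
            if [ "$ns" = "$want" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "position $pos: $ns is not a preferred resolver"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed samples: 192.0.2.53 stands in for an ISP-supplied resolver.
demo_dir=$(mktemp -d)
# Default case: DHCP-supplied server first, resolv.conf.tail appended last.
printf 'nameserver 192.0.2.53\nnameserver 8.8.8.8\n' > "$demo_dir/default"
# With "supersede domain-name-servers 8.8.8.8;" and no resolv.conf.tail entries.
printf 'nameserver 8.8.8.8\n' > "$demo_dir/superseded"

for f in default superseded; do
    if audit_resolv "$demo_dir/$f" 8.8.8.8; then
        echo "$f: only preferred resolvers listed"
    else
        echo "$f: first server queried is $(list_nameservers "$demo_dir/$f" | head -n 1)"
    fi
done
rm -rf "$demo_dir"
```

To check a live system, call `audit_resolv /etc/resolv.conf` followed by the preferred server addresses, after the DHCP lease has been obtained.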
