Hi,
On 15/11/18 17:27, MRob wrote:
On 2018-11-15 16:17, MRob wrote:
On 2018-11-15 12:03, Jan Just Keijser wrote:
On 13/11/18 23:38, MRob wrote:
I use "push dhcp-option DNS..." option to give DNS to client, works
great. But when connecting client log shows local backup DNS:
Nov 14 01:14:22 mara dnsmasq[2719]: reading /etc/resolv.conf
Nov 14 01:14:22 mara dnsmasq[2719]: using nameserver 10.10.15.1#53
Nov 14 01:14:22 mara dnsmasq[2719]: using nameserver 192.168.0.1#53
Nov 14 01:14:22 mara dnsmasq[2719]: using nameserver 2602:411:23da:210::1#53
The last two are for local home router. I read that --resolv-retry
default is infinite however I think I saw behavior when a client
falls back to local DNS when DNS query failed on OpenVPN
host(server). I'm not sure but maybe the DNS response came back
NXDOMAIN so client tried its other DNS servers.
I want to invalidate all local DNS lookups to be sure no leaking. I
want to do it in the OpenVPN config if possible. (client or server)
it looks like your client is running Linux/BSD. On those platforms
there is no automatic way to invalidate local DNS settings (like the
Windows client block-outside-dns feature). You will have to resort to
rolling out your own 'invalidate local DNS settings' for your
clients. There certainly is no way to *enforce* the blocking of local
DNS stuff - if a client wants to continue using his/her own DNS
settings, then he/she may do so.
HTH,
HTH? yes! I didn't know block-outside-dns! I will push it for windows
use.
Can you tell me if block-outside-dns works on other platform, like
android or iphone?
Oh sorry, docs say it's only windows. Most concern for me is
smartphone, because how to remove other DNS from smartphone is not
easy for user to understand? How to approach this problem?
Also would you be able to help me find documentation or how-to for
creating linux script to remove outside DNS after connect to VPN? Can
script be run from post-connect hook on client side?
Do this for smartphone in some way to be most important concern to me.
Thanks if you can help.
use your favorite search engine:
Linux:
https://github.com/masterkorp/openvpn-update-resolv-conf
https://github.com/jonathanio/update-systemd-resolved
Android:
it should "just work" (tm) with the latest OpenVPN 4 Android client
iOS: no clue ...
HTH,
JJK
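
Added example, not part of the original thread and not taken from either linked project: a report-only check for a Linux client that lists the resolvers still configured but not pushed by the VPN server. It relies on OpenVPN exporting each pushed `dhcp-option` to `up` scripts as `foreign_option_N`; the function names, the sample file and the assumption that 10.10.15.1 is the pushed VPN resolver are constructed for illustration.

```shell
#!/bin/sh
# Report resolvers in a resolv.conf-style file that the VPN server did not push.
# Intended to be called from an OpenVPN "up" script (needs script-security 2).

# Print the DNS servers pushed by the server, one per line.
# OpenVPN sets foreign_option_1, foreign_option_2, ... for pushed dhcp-options.
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case $opt in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Print every nameserver in file $1 that is not in the pushed set.
# Any line of output is a resolver that can still answer outside the tunnel.
leaky_resolvers() {
    allowed=$(pushed_dns)
    while read -r key addr rest; do
        [ "$key" = nameserver ] && [ -n "$addr" ] || continue
        # -x: whole-line match, -F: literal string (no regex on addresses)
        printf '%s\n' "$allowed" | grep -qxF -- "$addr" || printf '%s\n' "$addr"
    done < "$1"
}

# Constructed sample mirroring the three resolvers in the dnsmasq log above.
# Assumption: 10.10.15.1 is the resolver pushed by the VPN server.
demo() {
    tmp=$(mktemp)
    printf 'nameserver %s\n' 10.10.15.1 192.168.0.1 2602:411:23da:210::1 > "$tmp"
    foreign_option_1='dhcp-option DNS 10.10.15.1'
    leaky_resolvers "$tmp"
    rm -f "$tmp"
}
```

In an `up` script, `leaky_resolvers /etc/resolv.conf` would be run after the resolver update and its output logged or used to fail the connection.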