Windscribe/Desktop-App

ISP DNS leaks when switching VPN servers

Closed this issue · 18 comments

This has been popping up for years, concerning multiple platforms, and seems to have never been properly addressed, even though.

Steps to reproduce

  1. Be connected
  2. Open ipleak.net and start testing
  3. Switch VPN servers
  4. See your ISP's DNS servers pop up

Remarks

Sources

Hi. Can you please see if you can still reproduce this with this test build? Also, please set your App Internal DNS to 'Cloudflare' for the test. Thanks!
https://deploy.totallyacdn.com/desktop-apps/2.6.9/Windscribe_2.6.9_guinea_pig.exe

Still happens with ControlD set as internal DNS. Why would I change it to Cloudflare? What good would that do?

@ltguillaume Do you have the "Allow LAN Traffic" option enabled?

Yes, I do.

I just tested without allowing LAN traffic: I cannot reproduce the issue in this case.

Something that also seems strange: with LAN traffic enabled and my ISP's DNS servers showing up, some are IPv6, even though I disabled it in Windscribe AND ran the script below:

@echo off
:https://support.microsoft.com/en-us/help/929852
:https://sourcedaddy.com/windows-7/enabling-or-disabling-ipv6.html
if exist "%SystemRoot%\System32\net.exe" net file /y>nul 2>&1 & if errorlevel 1 goto 0

call:state
if "%1"=="" pause
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
netsh interface ipv6 isatap set state state=disabled
netsh interface teredo set state disabled
reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents /t REG_DWORD /d 0xFF /f
sc stop iphlpsvc
sc config iphlpsvc start= disabled
sc config ncasvc start= disabled
call:state
if "%1"=="" set /p =Done.
goto:eof

:state
netsh interface ipv6 6to4 show state
netsh interface ipv6 isatap show state
netsh interface teredo show state
reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /v DisabledComponents
echo                            (Disabled = 0xff)
sc query iphlpsvc
echo.
goto:eof

:0
>"%tmp%\0.vbs" (echo Set UAC = CreateObject^("Shell.Application"^)
echo UAC.ShellExecute "%~0", "", "", "runas", 1)
"%tmp%\0.vbs"
del "%tmp%\0.vbs"

(It's an old script mentioning Win7, but - as said - I'm on Win10 x64.)

Then this is expected behavior. When you allow LAN traffic, this relaxes the firewall to allow LAN communications to be unrestricted. Your router's IP (say 192.168.0.1) also happens to be your DNS server. We cannot block your router, as this is your internet gateway, so DNS will "leak" while you're not connected with the firewall ON.

If you want to avoid this, disable LAN Traffic or set App Internal DNS to any setting except OS Default.
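The explanation above, as an added check that is not part of the original thread or of Windscribe's code: it lists the DNS resolvers configured on each active adapter and marks the ones inside LAN ranges, which a firewall exception for LAN traffic leaves reachable outside the tunnel. The `$TunnelPattern` default and the helper name `Test-LanAddress` are assumptions; adjust the pattern to your tunnel adapter's name.

```powershell
# Added example. Assumption: the VPN adapter's name or description matches $TunnelPattern.
param([string]$TunnelPattern = 'Windscribe|WireGuard|Wintun|TAP')

function Test-LanAddress {
    # True when the address falls in a range a "LAN traffic" exception typically covers.
    param([System.Net.IPAddress]$Ip)
    $b = $Ip.GetAddressBytes()
    if ($Ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
        # RFC 1918 private ranges plus 169.254.0.0/16 link-local
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168) -or
               ($b[0] -eq 169 -and $b[1] -eq 254)
    }
    # IPv6: fe80::/10 link-local, fec0::/10 site-local, fc00::/7 unique local
    return $Ip.IsIPv6LinkLocal -or $Ip.IsIPv6SiteLocal -or (($b[0] -band 0xFE) -eq 0xFC)
}

$rows = foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $isTunnel = ($adapter.Name -match $TunnelPattern) -or
                ($adapter.InterfaceDescription -match $TunnelPattern)
    foreach ($entry in Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex) {
        foreach ($server in $entry.ServerAddresses) {
            $ip = $null
            if (-not [System.Net.IPAddress]::TryParse($server, [ref]$ip)) { continue }
            [pscustomobject]@{
                Adapter    = $adapter.Name
                Tunnel     = $isTunnel
                Family     = $ip.AddressFamily   # InterNetwork = IPv4, InterNetworkV6 = IPv6
                Resolver   = $server
                InLanRange = Test-LanAddress $ip
            }
        }
    }
}

# Rows with Tunnel = False and InLanRange = True are resolvers (usually the router)
# that stay reachable outside the tunnel when LAN traffic is allowed.
$rows | Sort-Object Tunnel, Adapter | Format-Table -AutoSize
```

Run it once while connected and again during a server switch; IPv6 rows on the physical adapter show whether IPv6 resolvers are still configured after IPv6 was disabled.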

As I said, I do not have my app internal DNS set to OS Default. It's set to ControlD.

@yegors Hoping you don't consider this as solved?

It's amazing how often an issue just seems to be "solved" by radio silence from your end.

This is being looked at and addressed.

Hi. Can you please see if you can reproduce this with this test build? The 'Allow LAN Traffic' option still needs to be disabled. Thanks!
https://deploy.totallyacdn.com/desktop-apps/2.6.12/Windscribe_2.6.12_guinea_pig.exe

This seems to have fixed the issue while "Allow LAN Traffic" is disabled! I've tried switching about 25 times without leaking issues. I don't know if it's related, but switching now sometimes took 30 seconds, instead of the usual 1-2 seconds (WireGuard), but the connection was successfully created.

Excellent! Thank you for testing it for us. Yes, switching locations frequently on Windows can get the app into a funky state, where Windows indicates to us that the WireGuard adapter has been destroyed when it actually hasn't. This then causes a 'brief' hang when we attempt to recreate the adapter, as we have to wait for the Windows API to work its magic.

Thx for explaining. It's not a big issue, it's just a bit weird without feedback.

I hope this issue will eventually be fixed while allowing LAN traffic 🙂

Closing this as the main issue is fixed. Please create a new ticket for the 'changing locations frequently' issue if it is still reproducible in the latest GP build (2.9.5). Cheers!

I don't think it's fixed @bernerdad

If I repeat the method from my first post using v2.9.9 I get:

  • Two IPv4 addresses of DNS servers of my ISP
  • Two IPv6 addresses of DNS servers of my ISP, even though I disabled IPv6 using the option in the Windscribe desktop app

Is this a regression? Did the leaks not occur in the previous stable release (2.8.6) and now do in 2.9.9?

I'm sorry, I don't think I tested it back then.

Just to be clear: I'm still talking about the situation with:

  • Firewall = Always on
  • Allow LAN traffic = On
  • Internal app DNS = ControlD

Thanks for the clarification. Please open a new issue with these specifics so we can track and action it. Cheers!