drduh/macOS-Security-and-Privacy-Guide

dnscrypt and VPN

Couto opened this issue · 4 comments

Couto commented

I've been a long time user of the streisand project.
I'm also a user of dnsmasq for development purposes (to redirect all *.dev domains to localhost).
So, reading about dnscrypt on your guide, it seemed like an easy addition to get some extra level of privacy.

Your instructions were crystal clear, and after the setup, everything worked fine... Until the moment that I connected to my VPN using tunnelblick.

Most VPNs override the DNS settings, and therefore they break with dnscrypt.
Has something like this happened to you before? If so, how did you fix it?

@Couto I have the same problem with some VPNs; I have subscribed to 3 VPNs via very cheap temporary deals/bundles.
For one of them, I must start the VPN, then DNSCrypt.

For another VPN, I have extracted some country-server settings and inserted them in Apple Network, and I activate the 'country' I want through the Apple VPN icon in the menu bar.

For another VPN, which I don't use often, I think it does not change the DNS, so DNSCrypt is launched, then the VPN.

You can check your IP and DNS used on http://whoer.net/

drduh commented

It sounds like the VPN software is setting DNS settings, which makes sense. I'm not familiar with tunnelblick but will check it out. You'll probably want to edit the scripts or commands it uses to set DNS to localhost, so your packets take this route:

browser > dnsmasq > dnscrypt client > vpn server > dnscrypt server > upstream resolver(s)

instead of

browser > vpn dns server > upstream resolver(s)

Most VPNs are using Google DNS, which is not a good idea for privacy, not to mention censorship.
8.8.8.8 and 4.4.4.4
2001:4860:4860::8888 & 2001:4860:4860::8844

Some VPNs have their own, providing an extra level of privacy.
Up to you to choose another free or paid DNS service, but try it first to see if it can work along with your VPN.

Perhaps adding a list of alternative (free) DNS services would be helpful.
And all the different commands to flush DNS cache:
http://osxdaily.com/2014/11/20/flush-dns-cache-mac-os-x/

Find the fastest DNS around you with:
https://code.google.com/p/namebench/

To get your IP and DNS IP:
http://whoer.net

To check your DNS:
https://dnsleaktest.com/

To learn DNS:
http://www.zytrax.com/books/dns/

DNS alternatives:
http://censurfridns.dk
http://securedns.dnsbycomodo.com
https://www.opendns.com/home-internet-security/
https://dns.norton.com/homeuser.html

More here:
http://www.greycoder.com/list-free-public-domain-name-services-dns/
THESE SITES ARE ABOUT PRIVACY

Couto commented

Ok, so I was able to figure out my (specific) problem:

  1. dnscrypt requires the computer to use 127.0.0.1:53 as the DNS server (which makes sense)
  2. OpenVPN says that I should use a specific DNS server (and actually pushes the configuration to the client)
    So far, no apparent problem, except that Tunnelblick, at least, won't actually change the system DNS settings if they've been manually changed before (to set up dnscrypt)

My solution was simply to manually add the VPN's preferred DNS server to my nameservers list, after the dnscrypt address.

I hope I was clear on my solution, just in case someone needs it.

@TraderStf Thanks a lot for the links. Especially whoer.net, which was quite valuable.
@drduh Thanks for the explanation, your diagram actually pointed me to the right direction.

Feel free to close, if you wish so :)
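A check for the resolver order Couto ends up with (127.0.0.1 first, the VPN's resolver after it), as an added example that is not code from the issue thread or from the guide. It assumes the macOS `scutil --dns` output format and uses 10.8.0.1 as a constructed placeholder for the resolver the VPN pushes; note that the system resolver only moves on to the next nameserver when the first does not answer, so the VPN entry is a fallback that bypasses dnscrypt whenever the local listener is down.

```shell
# Added example, not code from the issue thread or the guide.
# Assumes the macOS "scutil --dns" output format and uses 10.8.0.1 as a
# constructed placeholder for the resolver the VPN pushes.

# Constructed sample: dnscrypt listener first, VPN resolver as fallback.
SCUTIL_GOOD=$(cat <<'EOF'
resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 10.8.0.1
  flags    : Request A records
EOF
)

# Constructed sample: the VPN resolver has replaced the dnscrypt listener.
SCUTIL_BAD=$(cat <<'EOF'
resolver #1
  nameserver[0] : 10.8.0.1
EOF
)

# Print nameserver[0] of resolver #1 (the system resolver) from scutil output.
primary_resolver() {
  printf '%s\n' "$1" | awk '
    /^resolver #1$/ { in1 = 1; next }
    /^resolver #/   { in1 = 0 }
    in1 && $1 ~ /^nameserver\[0\]/ { print $NF; exit }'
}

# Print the index at which the given address appears in resolver #1, if any.
resolver_index() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^resolver #1$/ { in1 = 1; next }
    /^resolver #/   { in1 = 0 }
    in1 && $1 ~ /^nameserver\[/ && $NF == want {
      n = $1; gsub(/[^0-9]/, "", n); print n; exit }'
}

# Succeed only if dnscrypt (127.0.0.1) is primary and the VPN resolver sits
# after it, so queries reach dnscrypt first and the VPN entry is a fallback.
dns_order_ok() {
  [ "$(primary_resolver "$1")" = "127.0.0.1" ] || return 1
  idx=$(resolver_index "$1" "$2")
  [ -n "$idx" ] && [ "$idx" -ge 1 ]
}

# On macOS, check the live configuration (no-op elsewhere).
if command -v scutil >/dev/null 2>&1; then
  dns_order_ok "$(scutil --dns)" 10.8.0.1 && echo "dnscrypt is primary" || echo "VPN DNS overrode dnscrypt"
fi
```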