I connect to a WireGuard installed on my VPS. Then I go to a random VPN service marketing page on which I’ll discover that my DNS leaks. And which is correct because I’ve specified DNS = 1.1.1.1 in [Interface] for all the Peers.

In order to avoid DNS leakadge, do I have to a) run DNS server on the a VPS – along with WireGuard, and b) use this one and only it, instead of 1.1.1.1?

But if so, how will this possibly work?

[Peer]
PublicKey = [....;....]
PresharedKey = [......]
Endpoint = wg.my_domain123.com:51820

In order to resolve Endpoint of my VPS to begin with, other DNS server will have to be used – by IP. But there’ll be none because I’ll use a DNS on my VPS instead of 1.1.1.1. In other words, it’ll be a circular dependency.

  • lemmyvoreEnglish
    31 year ago

    You may want to ask this in a selfhosted community, not in programming. With that out of the way:

    I don’t think hosting your own DNS server on VPS will help much, for several reasons:

    • As you noticed, if you connect to the VPS by name then you can’t resolve that name with the DNS server you will only reach after connecting.
    • Your hosted DNS server will still need to get its information from somewhere, meaning it will query other DNS servers, meaning information about which domains you visit will still “leak”.

    DNS “leakage” happens in two ways:

    1. The DNS server directly upstream from you knows what domains you want and can associate them with your identity. This applies to scenarios like you using your ISP’s DNS server from the home being served by that ISP, you using your VPS provider’s DNS from a VPS issued by that provider, using Google’s DNS if you use any Google services on any devices (they spy on a tremendous amount of things, even your IP is enough to associate you) etc.
    2. You connect to a random DNS server that doesn’t know anything about you or doesn’t care, but the DNS protocol is not natively encrypted, meaning anybody on the way can spy on your queries. Which brings us back to the usual suspects: your ISP, your VPS provider etc.

    To fix DNS leaks you need to do two things:

    a) Use a DNS service that has an explicit mission statement of protecting the users’ privacy. Here’s a good start.
    b) You need to connect using encrypted DNS. The most widespread form is DoH (DNS over HTTPS) which uses port 443 and is virtually indistinguishable from regular web traffic (aside from the fact it connects to known public DNS servers). You can also use DoT (DNS over TLS) on port 853 (as opposed to unencrypted DNS on 53).

    You can set up DoH or DoT with the address of a privacy-respecting public DNS service on a wide variety of apps and devices:

    • On Android or iOS you can set it up directly on the device, and force all DNS queries from that device to always use that service.
    • You can set it up in recent versions of Firefox.
    • You can set it up on your router, for example on OpenWRT if you run that, and force all devices on the LAN to resolve through that encrypted service.

    There are also downsides to DoH/DoT. For example, you can’t coerce LAN devices or apps that use a hardcoded DoH/DoT server to use the one you want. You could hijack their name resolution to the server name but you can’t satisfy their TLS certificate, especially if it’s also hardcoded and doesn’t rely on a central store (like the Android or iOS certificate store). This is often the case with Chinese ioT devices who like to phone home. Google has also started to do this with Chrome on mobile, to prevent DNS-based adblocking.

    Use https://www.dnsleaktest.com/ to test what you leak.