Fix DNS Leak Di Linux Ubuntu atau Windows

Apa itu DNS Leak?

Secara garis besar, DNS Leak merupakan sebuah proses dimana setiap request DNS Query di inject oleh DNS ISP. Sehingga ketika anda mengakses situs yang terblokir oleh DNS, tetap tidak terbuka meskipun anda sudah menggunakan VPN pada Komputer Anda.

Sehingga ini menyebabkan VPN seperti tidak bisa digunakan sama sekali atau efektifitasnya tidak ada, karena tentu saja salah satu fitur utama yang paling di cari selain keamanan menggunakan VPN yaitu bisa membuka situs terblokir.

Bagaimana cara mengecek DNS Leak?

Silahkan mengunjungi web berikut dan klik Standard Test

1.0 - Hasil Standard Test DNS

Test dengan VPN Default

  • Login ke VPN seperti biasa, kemudian ke web dnsleaktest kembali

1.1 - Test DNSLeak dengan VPN

  • Pada gambar 1.1 terlihat bahwa kita sudah menggunakan VPN tetapi DNS tetap tidak berubah, padahal pada VPN tersebut sudah di inject DNS dari Google tetapi tidak mempan. Ini adalah result sebelum saya menggunakan perubahan configurasi.
  • Kemudian kita akan test membuka website vimeo.com

1.2 - Test Buka Web Vimeo

  • Dari hasil gambar 1.2 .. ternyata hanya loading saja, web tidak terbuka.

Update Konfigurasi

Linux Ubuntu

  • Ubah Konfigurasi Network Manager, Jalankan Command /etc/NetworkManager/NetworkManager.conf, kemudian hapus baris dns=default , sehingga menjadi seperti ini :
$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
[ifupdown]
managed=false
[device]
wifi.scan-rand-mac-address=no
  • Cek Interfaces Internet anda dengan command ip a
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
inet 192.168.8.100/24 brd 192.168.8.255 scope global dynamic noprefixroute enp1s0
valid_lft 80094sec preferred_lft 80094sec
inet6 fe80::a10f:8d3b:d471:59ab/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Pada hasil command diatas, komputer saya mempunyai 2 interfaces network yaitu enp1s0 sebagai LAN dan wlp2s0 sebagai WiFi. Dan saat ini yang terhubung ke internet adalah enp1s0.

  • Ubah settingan DHCP di /etc/dhcp/dhclient.conf kemudian masukkan kode berikut diakhir file :
# ganti enp1s0 sesuai dengan network interfaces anda
# 1.1.1.1 1.0.0.1 merupakan DNS dari Cloudflare
interface "enp1s0" {
prepend domain-name-servers 1.1.1.1, 1.0.0.1;
}
  • Restart Network Manager dengan sudo systemctl restart network-manager
  • Tambahkan file berikut ke /etc/openvpn/update-resolv-conf
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
# foreign_option_1='dhcp-option DNS 193.43.27.132'
# foreign_option_2='dhcp-option DNS 193.43.27.133'
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#
if [ ! -x /sbin/resolvconf ] ; then
logger "[OpenVPN:update-resolve-conf] missing binary /sbin/resolvconf";
exit 0;
fi
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
foreign_options=$(printf '%s\n' ${!foreign_option_*} | sort -t _ -k 3 -g)
for optionvarname in ${foreign_options} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac
  • Buka file .ovpn anda kemudian tambahkan baris kode pada baris ke 18-24 pada config tersebut:
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote xxxxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
#block-outside-dns
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .

Windows

  • Pada windows, hal ini lebih simpel (sudah kami test pada OS Windows 7). Anda hanya perlu menambahkan 1 baris code block-outside-dns pada config .ovpn anda. (Cek baris ke-18).
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote xxxxxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
block-outside-dns

{% hint style="success" %} Pastikan aplikasi openVPN anda versi terbaru atau diatas versi v2.3.9+ agar fitur diatas bekerja maksimal. {% endhint %}

Test VPN Setelah Di Update

  • Login ke VPN seperti biasa
  • Cek hasil result tentu berbeda dari logs setelah ada penambahan konfigurasi pada file .ovpn

1.3 - Perubahan Config dan Hasil ketika login dengan OpenVPN

  • Sekarang kita test kembali dengan web dnsleaktest

1.4 - Hasil test setelah perubahan config

  • Terlihat pada gambar 1.4 bahwa DNS yang muncul saat ini adalah 3, yaitu :
    • Telkomsel
    • Cloudflare
    • Google
  • Test kembali buka website vimeo

1.5 - Test Web Vimeo Dengan Config Baru

  • Saat ini web vimeo sudah bisa dibuka, karena dns telah di update. Selesai

Fix Systemd Resolved Ubuntu

Pada 29 Jan 2020 saya melakukan test fresh reinstall ke ubuntu 19.04 dengan versi openvpn 2.4.6, kemudian masalah ini agak sulit diatasi awalnya, sehingga butuh beberapa test dan akhirnya ketemu untuk problem systemd ini, karena dengan systemd ini, dns leak tetap terjadi.

Installasi OpenVPN dan OpenVPN Systemd

sudo apt install openvpn
sudo apt install openvpn-systemd-resolved

Update Konfigurasi OpenVPN

Jika baris kode ini belum ada pada konfigurasi .ovpn anda, silahkan ditambahkan

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
down-pre
dhcp-option DNSSEC allow-downgrade
dhcp-option DOMAIN-ROUTE .

Update Config Resolv

Disini yang terpenting, karena di Resolv dari systemd akan dioverride dengan skrip ini, yang dimana jika menggunakan bawaan openvpn tidak bekerja secara maksimal.

sudo mv /etc/openvpn/update-resolv-conf /etc/openvpn/update-resolv-conf.bak
sudo nano /etc/openvpn/update-resolv-conf

Kita ambil configurasi file `update-systemd-resolved` dari Github ini https://github.com/jonathanio/update-systemd-resolved

#!/usr/bin/env bash
#
# OpenVPN helper to add DHCP information into systemd-resolved via DBus.
# Copyright (C) 2016, Jonathan Wright <jon@than.io>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# This script will parse DHCP options set via OpenVPN (dhcp-option) to update
# systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To
# install, set as the 'up' and 'down' script in your OpenVPN configuration file
# or via the command-line arguments, alongside setting the 'down-pre' option to
# run the 'down' script before the device is closed. For example:
# up /etc/openvpn/scripts/update-systemd-resolved
# down /etc/openvpn/scripts/update-systemd-resolved
# down-pre
# Define what needs to be called via DBus
DBUS_DEST="org.freedesktop.resolve1"
DBUS_NODE="/org/freedesktop/resolve1"
SCRIPT_NAME="${BASH_SOURCE[0]##*/}"
log() {
logger -s -t "$SCRIPT_NAME" "$@"
}
for level in emerg err warning info debug; do
printf -v functext -- '%s() { log -p user.%s -- "$@" ; }' "$level" "$level"
eval "$functext"
done
usage() {
err "${1:?${1}. }. Usage: ${SCRIPT_NAME} up|down device_name."
}
busctl_call() {
# Preserve busctl's exit status
busctl call "$DBUS_DEST" "$DBUS_NODE" "${DBUS_DEST}.Manager" "$@" || {
local -i status=$?
emerg "'busctl' exited with status $status"
return $status
}
}
get_link_info() {
dev="$1"
shift
link=''
link="$(ip link show dev "$dev")" || return $?
echo "$dev" "${link%%:*}"
}
dhcp_settings() {
for foreign_option in "${!foreign_option_@}"; do
foreign_option_value="${!foreign_option}"
[[ "$foreign_option_value" == *dhcp-option* ]] \
&& echo "${foreign_option_value#dhcp-option }"
done
}
up() {
local link="$1"
shift
local if_index="$1"
shift
info "Link '$link' coming up"
# Preset values for processing -- will be altered in the various process_*
# functions.
local -a dns_servers=() dns_domain=() dns_search=() dns_routed=()
local -i dns_server_count=0 dns_domain_count=0 dns_search_count=0 dns_routed_count=0
local dns_sec=""
while read -r setting; do
setting_type="${setting%% *}"
setting_value="${setting#* }"
process_setting_function="${setting_type,,}"
process_setting_function="process_${process_setting_function//-/_}"
if declare -f "$process_setting_function" &>/dev/null; then
"$process_setting_function" "$setting_value" || return $?
else
warning "Not a recognized DHCP setting: '${setting}'"
fi
done < <(dhcp_settings)
if [[ "${#dns_servers[*]}" -gt 0 ]]; then
busctl_params=("$if_index" "$dns_server_count" "${dns_servers[@]}")
info "SetLinkDNS(${busctl_params[*]})"
busctl_call SetLinkDNS 'ia(iay)' "${busctl_params[@]}" || return $?
fi
if [[ "${#dns_domain[*]}" -gt 0 \
|| "${#dns_search[*]}" -gt 0 \
|| "${#dns_routed[*]}" -gt 0 ]]; then
dns_count=$((dns_domain_count+dns_search_count+dns_routed_count))
busctl_params=("$if_index" "$dns_count")
if [[ "${#dns_domain[*]}" -gt 0 ]]; then
busctl_params+=("${dns_domain[@]}")
fi
if [[ "${#dns_search[*]}" -gt 0 ]]; then
busctl_params+=("${dns_search[@]}")
fi
if [[ "${#dns_routed[*]}" -gt 0 ]]; then
busctl_params+=("${dns_routed[@]}")
fi
info "SetLinkDomains(${busctl_params[*]})"
busctl_call SetLinkDomains 'ia(sb)' "${busctl_params[@]}" || return $?
fi
if [[ -n "${dns_sec}" ]]; then
if [[ "${dns_sec}" == "default" ]]; then
# We need to provide an empty string to use the default settings
info "SetLinkDNSSEC($if_index '')"
busctl_call SetLinkDNSSEC 'is' "$if_index" "" || return $?
else
info "SetLinkDNSSEC($if_index ${dns_sec})"
busctl_call SetLinkDNSSEC 'is' "$if_index" "${dns_sec}" || return $?
fi
fi
}
down() {
local link="$1"
shift
local if_index="$1"
shift
info "Link '$link' going down"
if [[ "$(whoami 2>/dev/null)" != "root" ]]; then
# Cleanly handle the privilege dropped case by not calling RevertLink
info "Privileges dropped in the client: Cannot call RevertLink."
else
busctl_call RevertLink i "$if_index"
fi
}
process_dns() {
address="$1"
shift
if looks_like_ipv6 "$address"; then
process_dns_ipv6 "$address" || return $?
elif looks_like_ipv4 "$address"; then
process_dns_ipv4 "$address" || return $?
else
err "Not a valid IPv6 or IPv4 address: '$address'"
return 1
fi
}
process_dns6() {
process_dns $1
}
looks_like_ipv4() {
[[ -n "$1" ]] && {
local dots="${1//[^.]}"
(( ${#dots} == 3 ))
}
}
looks_like_ipv6() {
[[ -n "$1" ]] && {
local colons="${1//[^:]}"
(( ${#colons} >= 2 ))
}
}
process_dns_ipv4() {
local address="$1"
shift
info "Adding IPv4 DNS Server ${address}"
(( dns_server_count += 1 ))
dns_servers+=(2 4 ${address//./ })
}
# Enforces RFC 5952:
# 1. Don't shorten a single 0 field to '::'
# 2. Only longest run of zeros should be compressed
# 3. If there are multiple longest runs, the leftmost should be compressed
# 4. Address must be maximally compressed, so no all-zero runs next to '::'
#
# ...
#
# Thank goodness we don't have to handle port numbers, though :)
parse_ipv6() {
local raw_address="$1"
log_invalid_ipv6() {
local message="'$raw_address' is not a valid IPv6 address"
emerg "${message}: $*"
}
trap -- 'unset -f log_invalid_ipv6' RETURN
if [[ "$raw_address" == *::*::* ]]; then
log_invalid_ipv6 "address cannot contain more than one '::'"
return 1
elif [[ "$raw_address" =~ :0+:: ]] || [[ "$raw_address" =~ ::0+: ]]; then
log_invalid_ipv6 "address contains a 0-group adjacent to '::' and is not maximally shortened"
return 1
fi
local -i length=8
local -a raw_segments=()
IFS=$':' read -r -a raw_segments <<<"$raw_address"
local -i raw_length="${#raw_segments[@]}"
if (( raw_length > length )); then
log_invalid_ipv6 "expected ${length} segments, got ${raw_length}"
return 1
fi
# Store zero-runs keyed to their sizes, storing all non-zero segments prefixed
# with a token marking them as such.
local nonzero_prefix=$'!'
local -i zero_run_i=0 compressed_i=0
local -a tokenized_segments=()
local decimal_segment='' next_decimal_segment=''
for (( i = 0 ; i < raw_length ; i++ )); do
raw_segment="${raw_segments[i]}"
printf -v decimal_segment -- '%d' "0x${raw_segment:-0}"
# We're in the compressed group. The length of this run should be
# enough to bring the total number of segments to 8.
if [[ -z "$raw_segment" ]]; then
(( compressed_i = zero_run_i ))
# `+ 1' because the length of the current segment is counted in
# `raw_length'.
(( tokenized_segments[zero_run_i] = ((length - raw_length) + 1) ))
# If we have an address like `::1', skip processing the next group to
# avoid double-counting the zero-run, and increment the number of
# 0-groups to add since the second empty group is counted in
# `raw_length'.
if [[ -z "${raw_segments[i + 1]}" ]]; then
(( i++ ))
(( tokenized_segments[zero_run_i]++ ))
fi
(( zero_run_i++ ))
elif (( decimal_segment == 0 )); then
(( tokenized_segments[zero_run_i]++ ))
# The run is over if the next segment is not 0, so increment the
# tracking index.
printf -v next_decimal_segment -- '%d' "0x${raw_segments[i + 1]}"
(( next_decimal_segment != 0 )) && (( zero_run_i++ ))
else
# Prefix the raw segment with `nonzero_prefix' to mark this as a
# non-zero field.
tokenized_segments[zero_run_i]="${nonzero_prefix}${decimal_segment}"
(( zero_run_i++ ))
fi
done
if [[ "$raw_address" == *::* ]]; then
if (( ${#tokenized_segments[*]} == length )); then
log_invalid_ipv6 "single '0' fields should not be compressed"
return 1
else
local -i largest_run_i=0 largest_run=0
for (( i = 0 ; i < ${#tokenized_segments[@]}; i ++ )); do
# Skip groups that aren't zero-runs
[[ "${tokenized_segments[i]:0:1}" == "$nonzero_prefix" ]] && continue
if (( tokenized_segments[i] > largest_run )); then
(( largest_run_i = i ))
largest_run="${tokenized_segments[i]}"
fi
done
local -i compressed_run="${tokenized_segments[compressed_i]}"
if (( largest_run > compressed_run )); then
log_invalid_ipv6 "the compressed run of all-zero fields is smaller than the largest such run"
return 1
elif (( largest_run == compressed_run )) && (( largest_run_i < compressed_i )); then
log_invalid_ipv6 "only the leftmost largest run of all-zero fields should be compressed"
return 1
fi
fi
fi
for segment in "${tokenized_segments[@]}"; do
if [[ "${segment:0:1}" == "$nonzero_prefix" ]]; then
printf -- '%04x\n' "${segment#${nonzero_prefix}}"
else
for (( n = 0 ; n < segment ; n++ )); do
echo 0000
done
fi
done
}
process_dns_ipv6() {
local address="$1"
shift
info "Adding IPv6 DNS Server ${address}"
local -a segments=()
segments=($(parse_ipv6 "$address")) || return $?
# Add AF_INET6 and byte count
dns_servers+=(10 16)
for segment in "${segments[@]}"; do
dns_servers+=("$((16#${segment:0:2}))" "$((16#${segment:2:2}))")
done
(( dns_server_count += 1 ))
}
process_domain() {
local domain="$1"
shift
info "Adding DNS Domain ${domain}"
if [[ $dns_domain_count -eq 1 ]]; then
(( dns_search_count += 1 ))
dns_search+=("${domain}" false)
else
(( dns_domain_count = 1 ))
dns_domain+=("${domain}" false)
fi
}
process_adapter_domain_suffix() {
# This enables support for ADAPTER_DOMAIN_SUFFIX which is a Microsoft standard
# which works in the same way as DOMAIN to set the primary search domain on
# this specific link.
process_domain "$@"
}
process_domain_search() {
local domain="$1"
shift
info "Adding DNS Search Domain ${domain}"
(( dns_search_count += 1 ))
dns_search+=("${domain}" false)
}
process_domain_route() {
local domain="$1"
shift
info "Adding DNS Routed Domain ${domain}"
(( dns_routed_count += 1 ))
dns_routed+=("${domain}" true)
}
process_dnssec() {
local option="$1" setting=""
shift
case "${option,,}" in
yes|true)
setting="yes" ;;
no|false)
setting="no" ;;
default)
setting="default" ;;
allow-downgrade)
setting="allow-downgrade" ;;
*)
local message="'$option' is not a valid DNSSEC option"
emerg "${message}"
return 1 ;;
esac
info "Setting DNSSEC to ${setting}"
dns_sec="${setting}"
}
main() {
local script_type="${1}"
shift
local dev="${1:-$dev}"
shift
if [[ -z "$script_type" ]]; then
usage 'No script type specified'
return 1
elif [[ -z "$dev" ]]; then
usage 'No device name specified'
return 1
elif ! declare -f "${script_type}" &>/dev/null; then
usage "Invalid script type: '${script_type}'"
return 1
else
if ! read -r link if_index _ < <(get_link_info "$dev"); then
usage "Invalid device name: '$dev'"
return 1
fi
"$script_type" "$link" "$if_index" "$@" || return 1
# Flush the DNS cache
systemd-resolve --flush-caches
fi
}
if [[ "${BASH_SOURCE[0]}" == "$0" ]] || [[ "$AUTOMATED_TESTING" == 1 ]]; then
set -o nounset
main "${script_type:-down}" "$@"
fi

Simpan File dan Kemudian Login

Seharusnya jika seperti ini, DNS Leak sudah berhasil teratasi.

Selamat Mencoba :)

Last updated on