Skip to main content

Fix DNS Leak Di Linux Ubuntu atau Windows

Apa itu DNS Leak?#

Secara garis besar, DNS Leak merupakan sebuah proses dimana setiap request DNS Query di inject oleh DNS ISP. Sehingga ketika anda mengakses situs yang terblokir oleh DNS, tetap tidak terbuka meskipun anda sudah menggunakan VPN pada Komputer Anda.

Sehingga ini menyebabkan VPN seperti tidak bisa digunakan sama sekali atau efektifitasnya tidak ada, karena tentu saja salah satu fitur utama yang paling di cari selain keamanan menggunakan VPN yaitu bisa membuka situs terblokir.

Bagaimana cara mengecek DNS Leak?#

Silahkan mengunjungi web berikut dan klik Standard Test

1.0 - Hasil Standard Test DNS

Test dengan VPN Default#

  • Login ke VPN seperti biasa, kemudian ke web dnsleaktest kembali

1.1 - Test DNSLeak dengan VPN

  • Pada gambar 1.1 terlihat bahwa kita sudah menggunakan VPN tetapi DNS tetap tidak berubah, padahal pada VPN tersebut sudah di inject DNS dari Google tetapi tidak mempan. Ini adalah result sebelum saya menggunakan perubahan configurasi.
  • Kemudian kita akan test membuka website vimeo.com

1.2 - Test Buka Web Vimeo

  • Dari hasil gambar 1.2 .. ternyata hanya loading saja, web tidak terbuka.

Update Konfigurasi#

Linux Ubuntu#

  • Ubah Konfigurasi Network Manager, Jalankan Command /etc/NetworkManager/NetworkManager.conf, kemudian hapus baris dns=default , sehingga menjadi seperti ini :
$ cat /etc/NetworkManager/NetworkManager.conf[main]plugins=ifupdown,keyfile
[ifupdown]managed=false
[device]wifi.scan-rand-mac-address=no
  • Cek Interfaces Internet anda dengan command ip a
$ ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host        valid_lft forever preferred_lft forever2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff    inet 192.168.8.100/24 brd 192.168.8.255 scope global dynamic noprefixroute enp1s0       valid_lft 80094sec preferred_lft 80094sec    inet6 fe80::a10f:8d3b:d471:59ab/64 scope link noprefixroute        valid_lft forever preferred_lft forever3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000    link/ether xx:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Pada hasil command diatas, komputer saya mempunyai 2 interfaces network yaitu enp1s0 sebagai LAN dan wlp2s0 sebagai WiFi. Dan saat ini yang terhubung ke internet adalah enp1s0.

  • Ubah settingan DHCP di /etc/dhcp/dhclient.conf kemudian masukkan kode berikut diakhir file :
# ganti enp1s0 sesuai dengan network interfaces anda# 1.1.1.1 1.0.0.1 merupakan DNS dari Cloudflareinterface "enp1s0" {        prepend domain-name-servers 1.1.1.1, 1.0.0.1;}
  • Restart Network Manager dengan sudo systemctl restart network-manager
  • Tambahkan file berikut ke /etc/openvpn/update-resolv-conf
#!/bin/bash# # Parses DHCP options from openvpn to update resolv.conf# To use set as 'up' and 'down' script in your openvpn *.conf:# up /etc/openvpn/update-resolv-conf# down /etc/openvpn/update-resolv-conf## Used snippets of resolvconf script by Thomas Hood and Chris Hanson.# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL. # # Example envs set from openvpn:##     foreign_option_1='dhcp-option DNS 193.43.27.132'#     foreign_option_2='dhcp-option DNS 193.43.27.133'#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'#
if [ ! -x /sbin/resolvconf ] ; then    logger "[OpenVPN:update-resolve-conf] missing binary /sbin/resolvconf";    exit 0;fi
[ "$script_type" ] || exit 0[ "$dev" ] || exit 0
split_into_parts(){        part1="$1"        part2="$2"        part3="$3"}
case "$script_type" in  up)        NMSRVRS=""        SRCHS=""        foreign_options=$(printf '%s\n' ${!foreign_option_*} | sort -t _ -k 3 -g)        for optionvarname in ${foreign_options} ; do                option="${!optionvarname}"                echo "$option"                split_into_parts $option                if [ "$part1" = "dhcp-option" ] ; then                        if [ "$part2" = "DNS" ] ; then                                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"                        elif [ "$part2" = "DOMAIN" ] ; then                                SRCHS="${SRCHS:+$SRCHS }$part3"                        fi                fi        done        R=""        [ "$SRCHS" ] && R="search $SRCHS"        for NS in $NMSRVRS ; do                R="${R}nameserver $NS"        done        echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"        ;;  down)        /sbin/resolvconf -d "${dev}.openvpn"        ;;esac

  • Buka file .ovpn anda kemudian tambahkan baris kode pada baris ke 18-24 pada config tersebut:
clientdev tunproto tcpsndbuf 0rcvbuf 0remote xxxxxx 1194resolv-retry infinitenobindpersist-keypersist-tunremote-cert-tls serverauth SHA512cipher AES-256-CBCcomp-lzosetenv opt block-outside-dnskey-direction 1verb 3#block-outside-dnsscript-security 2up /etc/openvpn/update-resolv-confdown /etc/openvpn/update-resolv-confdown-predhcp-option DNSSEC allow-downgradedhcp-option DOMAIN-ROUTE .

Windows#

  • Pada windows, hal ini lebih simpel (sudah kami test pada OS Windows 7). Anda hanya perlu menambahkan 1 baris code block-outside-dns pada config .ovpn anda. (Cek baris ke-18).
clientdev tunproto tcpsndbuf 0rcvbuf 0remote xxxxxx 1194resolv-retry infinitenobindpersist-keypersist-tunremote-cert-tls serverauth SHA512cipher AES-256-CBCcomp-lzosetenv opt block-outside-dnskey-direction 1verb 3block-outside-dns

{% hint style="success" %} Pastikan aplikasi openVPN anda versi terbaru atau diatas versi v2.3.9+ agar fitur diatas bekerja maksimal. {% endhint %}

Test VPN Setelah Di Update#

  • Login ke VPN seperti biasa
  • Cek hasil result tentu berbeda dari logs setelah ada penambahan konfigurasi pada file .ovpn

1.3 - Perubahan Config dan Hasil ketika login dengan OpenVPN

  • Sekarang kita test kembali dengan web dnsleaktest

1.4 - Hasil test setelah perubahan config

  • Terlihat pada gambar 1.4 bahwa DNS yang muncul saat ini adalah 3, yaitu :
    • Telkomsel
    • Cloudflare
    • Google
  • Test kembali buka website vimeo

1.5 - Test Web Vimeo Dengan Config Baru

  • Saat ini web vimeo sudah bisa dibuka, karena dns telah di update. Selesai

Fix Systemd Resolved Ubuntu#

Pada 29 Jan 2020 saya melakukan test fresh reinstall ke ubuntu 19.04 dengan versi openvpn 2.4.6, kemudian masalah ini agak sulit diatasi awalnya, sehingga butuh beberapa test dan akhirnya ketemu untuk problem systemd ini, karena dengan systemd ini, dns leak tetap terjadi.

Installasi OpenVPN dan OpenVPN Systemd#

sudo apt install openvpnsudo apt install openvpn-systemd-resolved

Update Konfigurasi OpenVPN#

Jika baris kode ini belum ada pada konfigurasi .ovpn anda, silahkan ditambahkan

script-security 2up /etc/openvpn/update-resolv-confdown /etc/openvpn/update-resolv-confdown-predhcp-option DNSSEC allow-downgradedhcp-option DOMAIN-ROUTE .

Update Config Resolv#

Disini yang terpenting, karena di Resolv dari systemd akan dioverride dengan skrip ini, yang dimana jika menggunakan bawaan openvpn tidak bekerja secara maksimal.

sudo mv /etc/openvpn/update-resolv-conf /etc/openvpn/update-resolv-conf.baksudo nano /etc/openvpn/update-resolv-conf

Kita ambil configurasi file `update-systemd-resolved` dari Github ini https://github.com/jonathanio/update-systemd-resolved

#!/usr/bin/env bash## OpenVPN helper to add DHCP information into systemd-resolved via DBus.# Copyright (C) 2016, Jonathan Wright <jon@than.io>## This program is free software: you can redistribute it and/or modify# it under the terms of the GNU General Public License as published by# the Free Software Foundation, either version 3 of the License, or# (at your option) any later version.## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License# along with this program.  If not, see <http://www.gnu.org/licenses/>.
# This script will parse DHCP options set via OpenVPN (dhcp-option) to update# systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To# install, set as the 'up' and 'down' script in your OpenVPN configuration file# or via the command-line arguments, alongside setting the 'down-pre' option to# run the 'down' script before the device is closed. For example:#   up /etc/openvpn/scripts/update-systemd-resolved#   down /etc/openvpn/scripts/update-systemd-resolved#   down-pre
# Define what needs to be called via DBusDBUS_DEST="org.freedesktop.resolve1"DBUS_NODE="/org/freedesktop/resolve1"
SCRIPT_NAME="${BASH_SOURCE[0]##*/}"
log() {  logger -s -t "$SCRIPT_NAME" "$@"}
for level in emerg err warning info debug; do  printf -v functext -- '%s() { log -p user.%s -- "$@" ; }' "$level" "$level"  eval "$functext"done
usage() {  err "${1:?${1}. }. Usage: ${SCRIPT_NAME} up|down device_name."}
busctl_call() {  # Preserve busctl's exit status  busctl call "$DBUS_DEST" "$DBUS_NODE" "${DBUS_DEST}.Manager" "$@" || {    local -i status=$?    emerg "'busctl' exited with status $status"    return $status  }}
get_link_info() {  dev="$1"  shift
  link=''  link="$(ip link show dev "$dev")" || return $?
  echo "$dev" "${link%%:*}"}
dhcp_settings() {  for foreign_option in "${!foreign_option_@}"; do    foreign_option_value="${!foreign_option}"
    [[ "$foreign_option_value" == *dhcp-option* ]] \      && echo "${foreign_option_value#dhcp-option }"  done}
up() {  local link="$1"  shift  local if_index="$1"  shift
  info "Link '$link' coming up"
  # Preset values for processing -- will be altered in the various process_*  # functions.  local -a dns_servers=() dns_domain=() dns_search=() dns_routed=()  local -i dns_server_count=0 dns_domain_count=0 dns_search_count=0 dns_routed_count=0  local dns_sec=""
  while read -r setting; do    setting_type="${setting%% *}"    setting_value="${setting#* }"
    process_setting_function="${setting_type,,}"    process_setting_function="process_${process_setting_function//-/_}"
    if declare -f "$process_setting_function" &>/dev/null; then      "$process_setting_function" "$setting_value" || return $?    else      warning "Not a recognized DHCP setting: '${setting}'"    fi  done < <(dhcp_settings)
  if [[ "${#dns_servers[*]}" -gt 0 ]]; then    busctl_params=("$if_index" "$dns_server_count" "${dns_servers[@]}")    info "SetLinkDNS(${busctl_params[*]})"    busctl_call SetLinkDNS 'ia(iay)' "${busctl_params[@]}" || return $?  fi
  if [[ "${#dns_domain[*]}" -gt 0 \     || "${#dns_search[*]}" -gt 0 \     || "${#dns_routed[*]}" -gt 0 ]]; then    dns_count=$((dns_domain_count+dns_search_count+dns_routed_count))    busctl_params=("$if_index" "$dns_count")    if [[ "${#dns_domain[*]}" -gt 0 ]]; then      busctl_params+=("${dns_domain[@]}")    fi    if [[ "${#dns_search[*]}" -gt 0 ]]; then      busctl_params+=("${dns_search[@]}")    fi    if [[ "${#dns_routed[*]}" -gt 0 ]]; then      busctl_params+=("${dns_routed[@]}")    fi    info "SetLinkDomains(${busctl_params[*]})"    busctl_call SetLinkDomains 'ia(sb)' "${busctl_params[@]}" || return $?  fi
  if [[ -n "${dns_sec}" ]]; then    if [[ "${dns_sec}" == "default" ]]; then      # We need to provide an empty string to use the default settings      info "SetLinkDNSSEC($if_index '')"      busctl_call SetLinkDNSSEC 'is' "$if_index" "" || return $?    else      info "SetLinkDNSSEC($if_index ${dns_sec})"      busctl_call SetLinkDNSSEC 'is' "$if_index" "${dns_sec}" || return $?    fi  fi}
down() {  local link="$1"  shift  local if_index="$1"  shift
  info "Link '$link' going down"  if [[ "$(whoami 2>/dev/null)" != "root" ]]; then    # Cleanly handle the privilege dropped case by not calling RevertLink    info "Privileges dropped in the client: Cannot call RevertLink."  else    busctl_call RevertLink i "$if_index"  fi}
process_dns() {  address="$1"  shift
  if looks_like_ipv6 "$address"; then    process_dns_ipv6 "$address" || return $?  elif looks_like_ipv4 "$address"; then    process_dns_ipv4 "$address" || return $?  else    err "Not a valid IPv6 or IPv4 address: '$address'"    return 1  fi}
process_dns6() {  process_dns $1}
looks_like_ipv4() {  [[ -n "$1" ]] && {    local dots="${1//[^.]}"    (( ${#dots} == 3 ))  }}
looks_like_ipv6() {  [[ -n "$1" ]] && {    local colons="${1//[^:]}"    (( ${#colons} >= 2 ))  }}
process_dns_ipv4() {  local address="$1"  shift
  info "Adding IPv4 DNS Server ${address}"  (( dns_server_count += 1 ))  dns_servers+=(2 4 ${address//./ })}
# Enforces RFC 5952:#   1. Don't shorten a single 0 field to '::'#   2. Only longest run of zeros should be compressed#   3. If there are multiple longest runs, the leftmost should be compressed#   4. Address must be maximally compressed, so no all-zero runs next to '::'## ...## Thank goodness we don't have to handle port numbers, though :)parse_ipv6() {  local raw_address="$1"
  log_invalid_ipv6() {    local message="'$raw_address' is not a valid IPv6 address"    emerg "${message}: $*"  }
  trap -- 'unset -f log_invalid_ipv6' RETURN
  if [[ "$raw_address" == *::*::* ]]; then    log_invalid_ipv6 "address cannot contain more than one '::'"    return 1  elif [[ "$raw_address" =~ :0+:: ]] || [[ "$raw_address" =~ ::0+: ]]; then    log_invalid_ipv6 "address contains a 0-group adjacent to '::' and is not maximally shortened"    return 1  fi
  local -i length=8  local -a raw_segments=()
  IFS=$':' read -r -a raw_segments <<<"$raw_address"
  local -i raw_length="${#raw_segments[@]}"
  if (( raw_length > length )); then    log_invalid_ipv6 "expected ${length} segments, got ${raw_length}"    return 1  fi
  # Store zero-runs keyed to their sizes, storing all non-zero segments prefixed  # with a token marking them as such.  local nonzero_prefix=$'!'  local -i zero_run_i=0 compressed_i=0  local -a tokenized_segments=()  local decimal_segment='' next_decimal_segment=''
  for (( i = 0 ; i < raw_length ; i++ )); do    raw_segment="${raw_segments[i]}"
    printf -v decimal_segment -- '%d' "0x${raw_segment:-0}"
    # We're in the compressed group.  The length of this run should be    # enough to bring the total number of segments to 8.    if [[ -z "$raw_segment" ]]; then      (( compressed_i = zero_run_i ))
      # `+ 1' because the length of the current segment is counted in      # `raw_length'.      (( tokenized_segments[zero_run_i] = ((length - raw_length) + 1) ))
      # If we have an address like `::1', skip processing the next group to      # avoid double-counting the zero-run, and increment the number of      # 0-groups to add since the second empty group is counted in      # `raw_length'.      if [[ -z "${raw_segments[i + 1]}" ]]; then        (( i++ ))        (( tokenized_segments[zero_run_i]++ ))      fi
      (( zero_run_i++ ))    elif (( decimal_segment == 0 )); then      (( tokenized_segments[zero_run_i]++ ))
      # The run is over if the next segment is not 0, so increment the      # tracking index.      printf -v next_decimal_segment -- '%d' "0x${raw_segments[i + 1]}"
      (( next_decimal_segment != 0 )) && (( zero_run_i++ ))    else      # Prefix the raw segment with `nonzero_prefix' to mark this as a      # non-zero field.      tokenized_segments[zero_run_i]="${nonzero_prefix}${decimal_segment}"      (( zero_run_i++ ))    fi  done
  if [[ "$raw_address" == *::* ]]; then    if (( ${#tokenized_segments[*]} == length )); then      log_invalid_ipv6 "single '0' fields should not be compressed"      return 1    else      local -i largest_run_i=0 largest_run=0
      for (( i = 0 ; i < ${#tokenized_segments[@]}; i ++ )); do        # Skip groups that aren't zero-runs        [[ "${tokenized_segments[i]:0:1}" == "$nonzero_prefix" ]] && continue
        if (( tokenized_segments[i] > largest_run )); then          (( largest_run_i = i ))          largest_run="${tokenized_segments[i]}"        fi      done
      local -i compressed_run="${tokenized_segments[compressed_i]}"
      if (( largest_run > compressed_run )); then        log_invalid_ipv6 "the compressed run of all-zero fields is smaller than the largest such run"        return 1      elif (( largest_run == compressed_run )) && (( largest_run_i < compressed_i )); then        log_invalid_ipv6 "only the leftmost largest run of all-zero fields should be compressed"        return 1      fi    fi  fi
  for segment in "${tokenized_segments[@]}"; do    if [[ "${segment:0:1}" == "$nonzero_prefix" ]]; then      printf -- '%04x\n' "${segment#${nonzero_prefix}}"    else      for (( n = 0 ; n < segment ; n++ )); do        echo 0000      done    fi  done}
process_dns_ipv6() {  local address="$1"  shift
  info "Adding IPv6 DNS Server ${address}"
  local -a segments=()  segments=($(parse_ipv6 "$address")) || return $?
  # Add AF_INET6 and byte count  dns_servers+=(10 16)  for segment in "${segments[@]}"; do    dns_servers+=("$((16#${segment:0:2}))" "$((16#${segment:2:2}))")  done
  (( dns_server_count += 1 ))}
process_domain() {  local domain="$1"  shift
  info "Adding DNS Domain ${domain}"  if [[ $dns_domain_count -eq 1 ]]; then    (( dns_search_count += 1 ))    dns_search+=("${domain}" false)  else    (( dns_domain_count = 1 ))    dns_domain+=("${domain}" false)  fi}
process_adapter_domain_suffix() {  # This enables support for ADAPTER_DOMAIN_SUFFIX which is a Microsoft standard  # which works in the same way as DOMAIN to set the primary search domain on  # this specific link.  process_domain "$@"}
process_domain_search() {  local domain="$1"  shift
  info "Adding DNS Search Domain ${domain}"  (( dns_search_count += 1 ))  dns_search+=("${domain}" false)}
process_domain_route() {  local domain="$1"  shift
  info "Adding DNS Routed Domain ${domain}"  (( dns_routed_count += 1 ))  dns_routed+=("${domain}" true)}
process_dnssec() {  local option="$1" setting=""  shift
  case "${option,,}" in    yes|true)      setting="yes" ;;    no|false)      setting="no" ;;    default)      setting="default" ;;    allow-downgrade)      setting="allow-downgrade" ;;    *)      local message="'$option' is not a valid DNSSEC option"      emerg "${message}"      return 1 ;;  esac
  info "Setting DNSSEC to ${setting}"  dns_sec="${setting}"}
main() {  local script_type="${1}"  shift  local dev="${1:-$dev}"  shift
  if [[ -z "$script_type" ]]; then    usage 'No script type specified'    return 1  elif [[ -z "$dev" ]]; then    usage 'No device name specified'    return 1  elif ! declare -f "${script_type}" &>/dev/null; then    usage "Invalid script type: '${script_type}'"    return 1  else    if ! read -r link if_index _ < <(get_link_info "$dev"); then      usage "Invalid device name: '$dev'"      return 1    fi
    "$script_type" "$link" "$if_index" "$@" || return 1    # Flush the DNS cache    systemd-resolve --flush-caches  fi}
if [[ "${BASH_SOURCE[0]}" == "$0" ]] || [[ "$AUTOMATED_TESTING" == 1 ]]; then  set -o nounset
  main "${script_type:-down}" "$@"fi

Simpan File dan Kemudian Login#

Seharusnya jika seperti ini, DNS Leak sudah berhasil teratasi.

Selamat Mencoba :)

Last updated on