TunSafe Forum

Welcome to the TunSafe Community Forum. This is open for discussions related to TunSafe and the WireGuard protocol.

#1 2019-04-30 09:07:19

Hitchhiker
Member
From: The Netherlands
Registered: 2018-12-11
Posts: 43

Insecure connection when using Tunsafe

There's a topic over at ghacks.net concerning browser security which can be found here

The article contains a link to Cloudflare's Browser Security Check which I ran while connected to the Tunsafe client with the Kill Switch enabled. What I find disturbing about the results is that although I've configured DNS to use Cloudflare on 1.1.1.1 the connection isn't secure while logged into the Tunsafe client. Here's a pix of the results: http://imgbox.com/pcJGkJTH

It's the first result under the heading "Secure DNS" which concerns me. I've always assumed that connecting via Tunsafe would ensure that the connection would be secure.

Is there some means of ensuring a secure connection?

#2 2019-04-30 13:02:47

wiggo
Administrator
Registered: 2018-03-09
Posts: 98

Re: Insecure connection when using Tunsafe

Hi Hitchhiker,

DNS requests are normally sent as plaintext and unlike HTTPS, there has been no properly established standard for encrypted DNS requests.

When using TunSafe your DNS requests are encrypted between your PC and the VPN server that you are connected to, however, when they leave the VPN server they are still plaintext. So there's no "DNS leak" from your PC.

Cloudflare recently added support for DNS over TLS (DoT), which they call "Secure DNS". Google's DNS 8.8.8.8 also added support for DoT earlier this year. Windows has no native support for it so you'll have to install a local DNS proxy with DoT support on your computer and specify 127.0.0.1 as DNS. Then your DNS request will be encrypted all the way to the DNS server.

I assume that Microsoft will release a patch to support DoT in Windows. Otherwise, we might choose to implement a DoT proxy in TunSafe.


Quote from https://www.cloudflare.com/ssl/encrypted-sni/

Secure DNS

Traditionally, DNS queries are sent in plaintext. Anyone listening on the Internet can see which websites you are connecting to.

To ensure your DNS queries remain private, you should use a resolver that supports secure DNS transport such as DNS over HTTPS (DoH) or DNS over TLS (DoT).

The fast, free, privacy focused 1.1.1.1 resolver supports DNS over TLS (DoT), which you can configure by using a client that supports it. For a list of these take a look here https://dnsprivacy.org/wiki/display/DP/ … cy+Clients. DNS over HTTPS can be configured in Firefox today using these instructions. Both will ensure your DNS queries remain private.

Regards
Viktor

#3 2019-05-01 09:01:37

Hitchhiker
Member
From: The Netherlands
Registered: 2018-12-11
Posts: 43

Re: Insecure connection when using Tunsafe

Hi Wiggo,

Thanks for the clarification.

#4 2019-05-01 12:18:04

logcabin
Member
Registered: 2018-04-30
Posts: 27

Re: Insecure connection when using Tunsafe

I use a local resolver called "stubby". It's easy to configure and provides DNS over TLS.

Last edited by logcabin (2019-05-02 12:05:50)

#5 2019-05-02 13:10:42

GreekPilot
Member
Registered: 2019-04-20
Posts: 7

Re: Insecure connection when using Tunsafe

logcabin wrote:

I use a local resolver called "stubby". It's easy to configure and provides DNS over TLS.

Great program, but unfortunately slows down internet (ping times)

#6 2019-05-02 16:04:47

logcabin
Member
Registered: 2018-04-30
Posts: 27

Re: Insecure connection when using Tunsafe

Interesting, my system shows almost no network latency. I'm wondering if your TLS server is too far away from your location. You can use the site "dnsleaktest.com" to show where your TLS server is located.

Last edited by logcabin (2019-05-02 16:52:36)

#7 2019-05-02 16:26:54

wiggo
Administrator
Registered: 2018-03-09
Posts: 98

Re: Insecure connection when using Tunsafe

GreekPilot wrote:
logcabin wrote:

I use a local resolver called "stubby". It's easy to configure and provides DNS over TLS.

Great program, but unfortunately slows down internet (ping times)

It should not affect the ping times, or do you mean too much delay in domain resolve times?

#8 2019-05-02 17:07:58

GreekPilot
Member
Registered: 2019-04-20
Posts: 7

Re: Insecure connection when using Tunsafe

wiggo wrote:

It should not affect the ping times, or do you mean too much delay in domain resolve times?

This is exactly my problem. Domain resolve time. I have tried a lot of configurations, from one to five DNS servers. The problem remains whether I am using TunSafe or not. Sorry for my mistake about ping times....

Dear Wiggo, have you considered using your own TunSafe DNS server, as almost every VPN supplier does?

Thank you again.
