
New Member


10 Messages

Wednesday, August 4th, 2021 4:52 AM

Closed

More than 2 dns servers causing DNS leaks when running a vpn client.

I have noticed some strange DNS issues on my AT&T router. I am attempting to run a VPN to an Amazon cloud instance, and keep getting DNS leaks whenever the VPN client is running from my machine. It seems like the AT&T router has some sort of DNS caching issue, or its cache has been poisoned. A few things that seem unusual, which I would appreciate if someone could explain to me, are as follows:

a) When plugged into my AT&T router and doing a DNS check, I notice about 11 or 12 DNS servers being used as opposed to the standard of 2.

b) My AT&T router's DNS servers are completely different from my public IP address. From my understanding, shouldn't DNS servers be using the same IP address as my public IP? i.e. if my public IP is 3.15.388.76, my DNS servers would be 3.15.388.76 and 3.15.388.77? Or something rather?

But instead, when my public IP is 3.15.388.76, my DNS servers are showing up as completely different, such as 208.256.126.244, 209.165.156.133, 109.156.223.196, etc. etc. etc.

Is there a way to manually set my DNS servers on my AT&T router, or verify that my DNS servers are properly propagating?

Lastly, when running my VPN client on Ubuntu 20.04, how can I prevent 6 AT&T DNS IP addresses from showing up in a dnsleaktest? It seems as though the AT&T router is pushing its DNS server onto my VPN client without my VPN client's permission. How can I stop this DNS leak on my VPN client?

Accepted Solution

ACE - Expert


35.9K Messages

3 years ago

When your DNS client (the web server) needs to translate the names, it asks the local DNS resolver to translate.  Since the (random) name has never been seen, the DNS resolver will look at the IP interface configuration for an IP address to ask.  Without VPN, that would be whatever your So-Ho router gave it.  Unless you told it otherwise, the So-Ho is going to give out the IP address of the AT&T Gateway.  So, the web server will ask the AT&T Gateway.  The AT&T Gateway also doesn't have it in its cache, so it checks its table, and asks the primary DNS server for it.  Eventually that will get back to the Authoritative DNS server and that answer will be cached (but won't be repeated.  Shucks).

With the OpenVPN client on your web server, the OpenVPN client should change the primary and secondary DNS servers for the web server based on the configuration given to it from the OpenVPN host.  It should also change the default gateway such that all traffic goes through the tunnel.  All traffic from the web server should be encrypted and passed to the So-Ho router.  The So-Ho router passes the encrypted traffic to the AT&T Gateway.  The AT&T Gateway routes the encrypted traffic over the Internet to your VPN Host, which decrypts it and forwards it to where it's supposed to go.  Nothing between the VPN client and the VPN Host has any idea what the traffic is inside the tunnel.

So, if a DNS request got to an AT&T server while your OpenVPN software was up on the web server then:

1) You have it configured for split-tunnel, or

2) The client isn't configuring the IP routing environment/DNS settings properly.

AT&T doesn't control any of this, other than the Gateway passing DNS requests that it receives to AT&T DNS servers if it hasn't already cached the answer, and giving out its own IP address in DHCP requests.  And passing the encrypted traffic (and unencrypted traffic) to the next hop along the route.

ACE - Expert


35.9K Messages

3 years ago

b) Your DNS server IP should have nothing to do with your public IP.  Nothing.

a) The router only has two slots for DNS servers: primary and secondary, how can you see 11 or 12?  If you're saying your primary and secondary change over time, that's all right.

There is no way to change the DNS servers on your AT&T router.  There is no way to change the DNS IP address that the router gives out to clients, which will always be its own IP address.

Unless your VPN client flushes the DNS cache upon starting the tunnel, you may have entries populated in it that were retrieved via the AT&T DNS servers.  Once the tunnel comes up, assuming no split tunnel, your DNS requests will go through the tunnel and AT&T cannot alter the requests in any way.

New Member


10 Messages

3 years ago

b) Ok great this makes sense.

a) I can see 11 or 12 DNS servers when I go to dnsleaktest.com and click on extended test. I can also see these servers when using a DNS leak test tool for Linux that you can find here: https://github.com/macvk/dnsleaktest. With the VPN inactive it shows many AT&T DNS servers, all different. With the VPN active, it shows my VPN DNS servers, plus the AT&T DNS servers.

The rest of this makes sense, but I don't understand why so many DNS servers show up on my DNS leak tests. What do you think?

ACE - Expert


35.9K Messages

3 years ago

With the VPN inactive, your DNS requests are going to your Gateway, which is passing it to its Primary DNS caching server, which may have to pass the request to a pool of other DNS servers.  I believe what the "leak test" is doing is generating random host names (that are not likely to be cached) on a known domain and reporting what DNS servers contacted the authoritative name server for that domain to get an IP address for the bogus name.  This is just showing you how DNS works.  If you are paranoid about what DNS servers may get to know what host names you're looking at, then you need to have the VPN or an anonymizing tunnel up so that your DNS traffic goes to the VPN before it goes to the DNS.

If the AT&T servers are still showing once your VPN is up, then something is wrong with your IP stack or the way the VPN client is configured.
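As an added example (not from this thread or from AT&T), here is a small Python check for the two failure modes the reply names: a split-tunnel routing table, and a client that left the LAN resolver in place after bringing the tunnel up. It assumes an Ubuntu 20.04 host using systemd-resolved and parses text in the shape of `resolvectl status` and `ip route` output; the snapshot below is constructed, with `tun0`, `enp3s0` and the addresses being assumed values.

```python
import re

# Constructed snapshot: tun0 received the VPN resolver, but the LAN link still carries the
# SoHo router's resolver, so systemd-resolved may still send queries through the gateway.
SAMPLE_RESOLVECTL = """\
Global
       LLMNR setting: no
Link 2 (enp3s0)
         DNS Servers: 192.168.100.100
Link 5 (tun0)
         DNS Servers: 10.8.0.1
          DNS Domain: ~.
"""
# OpenVPN's redirect-gateway def1 installs 0.0.0.0/1 + 128.0.0.0/1 to override the LAN default.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.100.100 dev enp3s0 proto dhcp metric 100
128.0.0.0/1 via 10.8.0.1 dev tun0
"""

def parse_link_dns(text):
    """Map each link name to the DNS servers systemd-resolved lists for it (one line per link)."""
    links, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Link \d+ \((\S+)\)", line)
        if m:
            current = m.group(1)
            links[current] = []
            continue
        m = re.match(r"\s*DNS Servers: (.*)", line)
        if m and current:
            links[current].extend(m.group(1).split())
    return links

def tunnel_covers_default(routes, tun):
    """True if all traffic leaves via the tunnel: a plain default route or the 0/1 + 128/1 pair."""
    via_tun = {l.split()[0] for l in routes.splitlines() if f" dev {tun}" in l}
    return "default" in via_tun or {"0.0.0.0/1", "128.0.0.0/1"} <= via_tun

def find_leaks(resolvectl_text, routes_text, tun="tun0"):
    """Return findings; an empty list means queries should only reach the VPN-side resolver."""
    findings = []
    links = parse_link_dns(resolvectl_text)
    if not links.get(tun):
        findings.append(f"{tun} has no DNS servers: the client did not apply the pushed DNS")
    for link, servers in links.items():
        if link != tun and servers:
            findings.append(f"{link} still lists DNS servers {servers}; resolved may query them")
    if not tunnel_covers_default(routes_text, tun):
        findings.append("default route is not via the tunnel (split-tunnel configuration)")
    return findings
```

On a live host, feed it the real `resolvectl status` and `ip route` output while the tunnel is up; the constructed snapshot reports exactly the LAN-resolver finding that explains AT&T servers still appearing in a leak test.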

New Member


10 Messages

3 years ago

With the VPN inactive, your DNS requests are going to your Gateway, which is passing it to its Primary DNS caching server, which may have to pass the request to a pool of other DNS servers.  I believe what the "leak test" is doing is generating random host names (that are not likely to be cached) on a known domain and reporting what DNS servers contacted the authoritative name server for that domain to get an IP address for the bogus name.  This is just showing you how DNS works.

Thank you! I think I sort of understand how DNS and dnsleaktests work now.

 If you are paranoid about what DNS servers may get to know what host names you're looking at, then you need to have the VPN or an anonymizing tunnel up so that your DNS traffic goes to the VPN before it goes to the DNS.

I'm not really paranoid, but more concerned about cohesiveness and consistency with my IP/DNS, since I'm tunneling a web server through a VPN in order to get port 25 open and to get a proper reverse DNS record. Since it's a server, there are a lot of things that could go wrong, so I just want my DNS to be consistent with my VPN in order to remove a step from the process of elimination when debugging the server....(continued)....

If the AT&T servers are still showing once your VPN is up, then something is wrong with your IP stack or the way the VPN client is configured.

I believe the VPN client as well as the server is properly configured, as the OpenVPN forums seem to think so as well. Maybe you could help in pointing me in the right direction for figuring out where my IP stack has gone wrong, since when my VPN client connects, a DNS leak test shows both my AT&T and my VPN's DNS servers being used from my client.

I have a relatively non-standard setup, and it looks like the following:

AT&T Router > SoHo Router (connecting via DHCP with a static IP assigned by MAC address on the AT&T router) > Web Server (connecting to SoHo router via DHCP with static IP assigned by the router's MAC address) > VPN Tunnel.

On the AT&T router, I have all of the default settings set (just about at least), with its IP address being 192.168.1.254.

On the SoHo router, I am connecting its WAN to the AT&T's LAN via DHCP with its AT&T statically assigned IP address of 192.168.1.2. I am using DHCP on the SoHo router's LAN, which assigns a static IP to my server, and again, most of its default settings, with the SoHo's WAN DNS settings set to default (so it uses the DNS servers and IP address assigned to it by the AT&T router), and its LAN DNS setting set to default (so other clients and the server use the SoHo's local DNS, which is 192.168.100.100). The IP address that the SoHo router is giving the server (which is our VPN client) on its LAN is 192.168.100.101.

On the server (our VPN client), its default IP address is 192.168.100.101.

When doing a DNS leak test on this VPN client (which is a web server), without running the OpenVPN tunnel, it shows that I am using about 7-10 DNS addresses for my public IP. When I connect it to the OpenVPN tunnel in client mode, it then shows 7-10 AT&T DNS addresses, and the 2-4 DNS addresses (Amazon public DNS addresses) from my VPN server. The tunnel successfully connects and the web server works using OpenVPN. Since my setup is rather complicated, I'm thinking you might be right about my IP stack being problematic. If I understand things correctly, using a router-behind-router DHCP setup is what we call a double-NATted network? Could the problem lie there and possibly be something to do with subnets or subnet masks? I'm just not sure here, but those are the first things that come to mind, especially since I don't understand subnet masks whatsoever.

Thank you for all of your help and replies here. Very helpful stuff!

Community Support


232.9K Messages

3 years ago

Hi, @duuuuuuuuude.

Thank you to the ACEs for the useful information.

We recommend that you contact our Connect tech team for more assistance on this. They will be able to answer any questions that you have.

If you have any other questions or concerns, feel free to reach back out.

Thank you for choosing AT&T.

Marc, AT&T Community Specialist

New Member


10 Messages

4 months ago

Sorry I never replied to this until now. Just logged in for the first time in a long time. Your explanation is excellent, and provides a much greater understanding of how VPNs work behind double-router/NATted configurations. I don't exactly remember how I fixed this, but the issue has since been resolved. I'm sure this explanation helped! Thank you very much for it!
