ISP DNS leaks when switching VPN servers

[ltguillaume]

Configuration

• Firewall = Always on
• Allow LAN traffic = On
• Internal app DNS = ControlD

Steps to reproduce

1. Be connected
2. Open ipleak.net and start testing
3. Switch VPN servers
4. See your ISP's DNS servers pop up

Remarks

• Tested on Windows 10 x64 with Windscribe v2.x up until v2.9.9
• Firewall is always-on, which negates ISP DNS leaks when switching VPN servers #79 (comment)
• As said, it also happens when the App Internal DNS is set to ControlD, which negates o2pb's remark here: https://reddit.com/r/Windscribe/comments/oeshf1/windscribe_leaks_dns_when_changing_servers/h48zjsm/ and ISP DNS leaks when switching VPN servers #79 (comment)

Sources

• Previous issue: ISP DNS leaks when switching VPN servers #79
• Windows (2022.01.14): https://reddit.com/r/Windscribe/comments/10bdttm/windscribe_leaks_dns_when_switching_server_even/
• Windows (2021.07.06): https://reddit.com/r/Windscribe/comments/oeshf1/windscribe_leaks_dns_when_changing_servers/
• Android (2022.03.20): https://reddit.com/r/Windscribe/comments/ti9y2l/dns_leak/

[Ivantheallknowing]

Hi there! I'm one of the QA guys at Windscribe. The scenario you mentioned can only happen if the following conditions are met

1. The system DNS is set to a local one (i.e Your router) or the system DNS is set to same one as in-app
2. Allow LAN Traffic is enabled with a local DNS is set on your system.

There are two options available right now that can help with this.

1. Set the system DNS to something else besides a local one
   or
2. Turn off Allow LAN Traffic

[ltguillaume]

Then this looks like the local DNS (my router) is a fallback option at all times. In other words, why wouldn't this happen during an active VPN connection, e.g. when the Windscribe DNS doesn't respond (in time), which at times has been the case, instead of just when switching between servers?

[Ivantheallknowing]

It doesn't happen during an active VPN connection as our app only whitelists a single DNS server (10.255.255.1 - 10.255.255.4). If for some reason the DNS fails in the tunnel it will appear that you don't have any internet.

During a re-connection this whitelist is dropped so the app can configure itself again. During this time since the tunnel is down any DNS servers that are allowed through the firewall can communicate. And since Allow LAN Traffic is enabled, the locally configured DNS server can respond to queries. As it's in the whitelisted LAN range.

We've discussed a way to work around this, but the ideas don't work for all platforms.

[ltguillaume]

Thanks for explaining, but this is rather confusing nonetheless: I have set up a different internal app DNS (ControlD), so why wouldn't it only whitelist that DNS during (re-)connection, especially if the firewall is set to always-on? It seems that makes both of those settings rather obsolete and misleading under these conditions.

[ltguillaume]

v2.10.2

So I've set the network adapter's DNS IPs to my ISP's servers, the same as my router's settings.

I can see that the DNS leaks are indeed now gone, even with "Allow LAN traffic" enabled.

A new problem arises, though: there's a 20s delay on first start-up now before

Windscribe helper connected ok

Also, the start of WireGuardService takes 20 seconds, often even on reconnects/server switches, where there previously was no such delay.

[040424 0:23:54:658     43.086] [firewall_controller]	 firewall enabled with ips count: 181
[040424 0:23:54:924     43.352] [xxx]	 Starting "WireguardService"
[040424 0:24:15:170     63.597] [xxx]	 Opened and mapped the wireguard service log file

Edit
So, this is when using ControlD or OpenDNS set for the App internal DNS. If I set it to System default, there's no such delay.

What I don't understand either is that I don't see the OpenDNS or ControlD DNS pop up on ipleak.net during a server switch/reconnection, but I DO see my ISP's IP pop up there if I set App Internal DNS to OS default. Why wouldn't I see the OpenDNS/ControlD IPs?

[ltguillaume]

@Ivantheallknowing Is there anything I can do to resolve the extreme times it currently takes before I get connected after following your first advice ("Set the system DNS to something else besides a local one") without setting the App Internal DNS to OS Default?