Getting rid of the DNS leak in Windows 10: your own userspace WFP filter as an OpenVPN plugin

    As you may already know, the DNS resolver in Windows 10 sends each DNS query out of all interfaces in parallel. At best this is merely inconvenient, for example with so-called split tunneling, where the DNS server inside the VPN tunnel returns internal addresses for internal resources and Windows cannot work out which answer to use; at worst it is a security risk, as in the case of a DNS leak over public Wi-Fi.

    You can solve the problem in different ways: for example, by temporarily adding firewall rules that block port 53 on all interfaces except the VPN interface, or by setting the DNS server to 127.0.0.1 on all interfaces except the VPN one.

    However, these methods make changes that persist across a reboot, so if the power goes out while the VPN is running, or the VPN daemon simply crashes, you are left with no working Internet at all. There is nothing good about that.

    There is a better method, though, one that makes only temporary changes and does not leave the user without Internet.

    Windows Filtering Platform

    Starting with Windows Vista, WFP replaces the legacy traffic-processing mechanisms (NDIS intermediate drivers, TDI filters and Winsock LSPs) with a modern, lightweight and convenient framework that works in both kernel mode and user mode. Modern versions of Windows Firewall are built on WFP, as are all third-party firewalls and antiviruses that inspect traffic.

    Kernel-mode callout drivers can inspect, modify and log individual packets and even the data stream; user-mode filters can permit, block or hand traffic to a callout driver based on fields of the Ethernet frame or IP packet and their headers and, at the ALE (Application Layer Enforcement) layers, on the source and destination interface, the process ID, the full path to the executable and a few other things.

    A program using WFP can add persistent filters, which survive a reboot even if the software that installed them is no longer running; non-persistent filters, which remain after the program exits but not after a reboot; and session filters, which exist only while the program that created them is still running.

    A user-mode filter with session filters is enough for our task. We need to:
    • Deny all outgoing packets from all interfaces to port 53 over UDP and TCP, for both IPv4 and IPv6
    • Allow any traffic from the OpenVPN TAP interface(s)

    All this resulted in a plugin for OpenVPN; the source code can also be compiled as a regular executable:
    github.com/ValdikSS/openvpn-fix-dns-leak-plugin
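    To make the two rules concrete, here is an added example written for this page (it is not code from the plugin repository above) that installs them as session filters through the user-mode WFP API. The engine is opened in a dynamic session, so Windows itself removes every filter the moment the handle is closed or the process dies; that is exactly what keeps a crash or power loss from leaving port 53 blocked. The policy lives in a small table, and a portable decide() function mirrors how WFP picks the highest-weight matching filter inside a sublayer; the actual WFP calls are compiled only on Windows (link fwpuclnt.lib and iphlpapi.lib, run elevated). The TAP adapter alias taken from the command line, the sublayer GUID and the weights are assumptions of the example, not values from the plugin.

```c
/* Added example, not the plugin's own source: table-driven DNS-leak policy
 * installed as WFP session filters in a dynamic session.  Portable part:
 * RULES and decide().  Windows-only part (under _WIN32): the WFP calls.
 * Assumed: TAP adapter alias on the command line (e.g. "Ethernet 2"),
 * an invented sublayer GUID and weights chosen here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DNS_PORT      53
#define PROTO_TCP     6
#define PROTO_UDP     17
#define WEIGHT_BLOCK  0x1   /* loses to the TAP permit inside our sublayer */
#define WEIGHT_PERMIT 0xE

typedef struct {
    int ipv6;        /* 0: ALE_AUTH_CONNECT_V4, 1: ALE_AUTH_CONNECT_V6 */
    int proto;       /* PROTO_TCP / PROTO_UDP, or 0 for any protocol   */
    int permit;      /* 1: permit, 0: block                              */
    int tap_only;    /* 1: matches only traffic leaving via the TAP LUID */
    unsigned weight; /* WFP arbitrates by weight within a sublayer       */
} rule_t;

/* Deny port 53 over UDP/TCP and IPv4/IPv6 everywhere; permit everything
 * that leaves through the TAP interface, at a higher weight. */
static const rule_t RULES[] = {
    {0, PROTO_UDP, 0, 0, WEIGHT_BLOCK}, {0, PROTO_TCP, 0, 0, WEIGHT_BLOCK},
    {1, PROTO_UDP, 0, 0, WEIGHT_BLOCK}, {1, PROTO_TCP, 0, 0, WEIGHT_BLOCK},
    {0, 0, 1, 1, WEIGHT_PERMIT},        {1, 0, 1, 1, WEIGHT_PERMIT},
};
#define NRULES (sizeof RULES / sizeof RULES[0])

size_t rule_count(void) { return NRULES; }

/* Mirrors WFP arbitration for one connect attempt: the highest-weight
 * matching rule wins.  1 = permit, 0 = block, -1 = no rule matched (WFP
 * then falls through to the other sublayers, i.e. the normal firewall). */
int decide(int ipv6, int proto, unsigned short port, int on_tap) {
    int verdict = -1; unsigned best = 0;
    for (size_t i = 0; i < NRULES; i++) {
        const rule_t *r = &RULES[i];
        if (r->ipv6 != ipv6) continue;
        if (r->tap_only && !on_tap) continue;
        if (!r->tap_only && (port != DNS_PORT || r->proto != proto)) continue;
        if (verdict == -1 || r->weight > best) { best = r->weight; verdict = r->permit; }
    }
    return verdict;
}

#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <fwpmu.h>
#include <iphlpapi.h>
#pragma comment(lib, "fwpuclnt.lib")
#pragma comment(lib, "iphlpapi.lib")

/* GUID invented for this example; any unique value works. */
static const GUID SUBLAYER_KEY = {0x6f3e2a10, 0x1c2d, 0x4b5e,
                                  {0x9a, 0x8b, 0x7c, 0x6d, 0x5e, 0x4f, 0x3a, 0x2b}};

static DWORD add_rule(HANDLE engine, const rule_t *r, UINT64 *tap_luid) {
    FWPM_FILTER_CONDITION0 c[2]; FWPM_FILTER0 f; UINT32 n = 0;
    memset(c, 0, sizeof c); memset(&f, 0, sizeof f);
    if (r->tap_only) {                       /* condition: the VPN interface */
        c[n].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;
        c[n].matchType = FWP_MATCH_EQUAL;
        c[n].conditionValue.type = FWP_UINT64;
        c[n++].conditionValue.uint64 = tap_luid;
    } else {                                 /* conditions: port 53 + protocol */
        c[n].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;
        c[n].matchType = FWP_MATCH_EQUAL;
        c[n].conditionValue.type = FWP_UINT16;
        c[n++].conditionValue.uint16 = DNS_PORT;
        c[n].fieldKey = FWPM_CONDITION_IP_PROTOCOL;
        c[n].matchType = FWP_MATCH_EQUAL;
        c[n].conditionValue.type = FWP_UINT8;
        c[n++].conditionValue.uint8 = (UINT8)r->proto;
    }
    f.layerKey = r->ipv6 ? FWPM_LAYER_ALE_AUTH_CONNECT_V6 : FWPM_LAYER_ALE_AUTH_CONNECT_V4;
    f.subLayerKey = SUBLAYER_KEY;
    f.displayData.name = L"fix-dns-leak example";
    f.weight.type = FWP_UINT8; f.weight.uint8 = (UINT8)r->weight;
    f.action.type = r->permit ? FWP_ACTION_PERMIT : FWP_ACTION_BLOCK;
    f.numFilterConditions = n; f.filterCondition = c;
    return FwpmFilterAdd0(engine, &f, NULL, NULL);
}

int main(int argc, char **argv) {
    wchar_t alias[256]; NET_LUID luid; HANDLE engine = NULL;
    FWPM_SESSION0 session; FWPM_SUBLAYER0 sub;
    if (argc != 2) { fprintf(stderr, "usage: %s \"<TAP adapter alias>\"\n", argv[0]); return 2; }
    mbstowcs(alias, argv[1], 255); alias[255] = 0;
    if (ConvertInterfaceAliasToLuid(alias, &luid) != NO_ERROR) { fputs("adapter not found\n", stderr); return 1; }
    memset(&session, 0, sizeof session);
    session.flags = FWPM_SESSION_FLAG_DYNAMIC;  /* session-scoped filters only */
    if (FwpmEngineOpen0(NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine) != ERROR_SUCCESS) {
        fputs("FwpmEngineOpen0 failed (needs administrator)\n", stderr); return 1;
    }
    memset(&sub, 0, sizeof sub);
    sub.subLayerKey = SUBLAYER_KEY; sub.displayData.name = L"fix-dns-leak example";
    sub.weight = 0xFFFF;                        /* evaluated before other sublayers */
    if (FwpmSubLayerAdd0(engine, &sub, NULL) != ERROR_SUCCESS) { FwpmEngineClose0(engine); return 1; }
    for (size_t i = 0; i < NRULES; i++)
        if (add_rule(engine, &RULES[i], &luid.Value) != ERROR_SUCCESS) {
            fputs("FwpmFilterAdd0 failed\n", stderr); FwpmEngineClose0(engine); return 1;
        }
    puts("DNS is now blocked outside the TAP interface; press Enter to lift it");
    getchar();
    FwpmEngineClose0(engine);  /* the same cleanup Windows performs if we crash */
    return 0;
}
#endif
```

    Build it with MSVC (cl dnsblock.c) and run it from an elevated prompt with the alias of the TAP adapter as the only argument. While it runs, a query aimed at a DNS server that is routed outside the tunnel fails, queries through the tunnel still work, and netsh wfp show filters lists the six filters under the example's sublayer name; they disappear as soon as the process ends, however it ends. The permit is deliberately a soft permit with no FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT, so Windows Firewall rules in lower-weight sublayers still apply to tunnel traffic.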

    To use the plugin, download the .dll files from the repository, put them in the config folder next to the configuration file, and add this line to it:
    plugin fix-dns-leak-32.dll
    for a 32-bit system with the 32-bit build of OpenVPN, or
    plugin fix-dns-leak-64.dll
    for a 64-bit system with the 64-bit build of OpenVPN.

    Now you need not be afraid to use a VPN on Windows 10 over public Wi-Fi.

    UPD: Since OpenVPN 2.3.9 there is a built-in option that blocks third-party DNS: block-outside-dns. Use it instead of the plugin.
