Every morning, I do multiple DNS leak tests just as a precaution. Today, I did the leak test and all my IPs were different. They were the same IP block, just different. This made me suspicious and I set about trying to track the problem down. Turns out, there was a misconfiguration in the VPS. Worked yesterday, different today. I guess it was ghosts or gremlins in the machinery.

I got to thinking, for you guys who download a lot of Linux ISOs, might be a good idea to check daily. Even though you are sitting behind a VPN, it’s still worth the minute it takes to fire off multiple DNS leak checks just for a sanity check.

  • just_another_person@lemmy.world (Banned from community)
    7 days ago

    I might be misunderstanding, but you’re checking what exactly for DNS leaks?

    If the IPs are changing, that’s not uncommon. The HOST changing would be though, like if you swapped from what you expected back to Comcast or something.

    You need to get better control of your local network and not have to be paranoid about this. Static reservations for long lived hosts, your router should have a setting to override and prevent internal hosts (like guests) from sending OoB DNS requests, and any sort of VPS stack should as well.

    • irmadlad@lemmy.world (OP)
      7 days ago

      Each of the different DNS leak test sites (multiple) was different, yet the same IP block. I don’t view it as paranoia. When you fire up your VPN, even though you have specified a certain locale, say Mexico, you still get different IPs each time you start your VPN, at least I do.

      Example: 4.4.4.5, 4.4.4.6, 4.4.4.15

      Same block, different IPs reported.

      • just_another_person@lemmy.world (Banned from community)
        7 days ago

        Yes, that’s called Round-Robin Load Balancing.

        To get more specific, your DNS provider spins up a large number of DNS resolvers out in the world on a CDN network that resolves clients to the most geographically convenient server(s) at any point in time based on the GeoIP info of your public IP.

        Once you resolve one set of addresses at any given time, it caches your request, so the next time you ask these DNS servers for something you’ll get a response right back from them as fast as possible.

        You constantly checking is just going to show this. It’s quite normal.

        • irmadlad@lemmy.world (OP)
          7 days ago

          I’ll have to accept a higher knowledge base than mine, but I check this every morning, and for years they have been the same across different leakcheck sites.

  • non_burglar@lemmy.world
    7 days ago

    DNS leak tests only understand your exit IP. If your VPN provider allows round-robin load balancing, this may happen. This is a drawback of VPN exits out of your control, that you can’t know how their exits are handled.

    Why you are so concerned about DNS leaks beyond one test is another matter only you can solve. Unless you are changing your dnssec config daily, this should be checked once.

    • irmadlad@lemmy.world (OP)
      7 days ago

      > this should be checked once

      The way I see it is, we have three options:

      • Always trust, never verify
      • Trust but verify
      • Never trust, always verify

      • non_burglar@lemmy.world
        7 days ago

        As a fellow tinhat wearer, I applaud your reluctance to trust what they tell you.

        However, there isn’t much you can do about your VPN provider setting up multiple exit routes, or maybe they’re doing something really fancy like NAT filtering DNS requests so big players like Netflix have a harder time catching on to ppl geo-hopping.

        But the outcome is the same: you have no control over this behaviour.

        • irmadlad@lemmy.world (OP)
          7 days ago

          > But the outcome is the same: you have no control over this behaviour.

          Yes, I totally understand that. It seemed suspicious to me because it had never happened to me before. (I have bookmarked a few articles about this ‘Round Robin’ to read this evening.) Like I said, this check gets done every morning, and has been a ‘ritual’ for years, and I have had the same VPN provider for years. So, that is what triggered my anxiety. I appreciate what everyone else has said, and I bow to greater knowledge bases than I possess. At the very least, TIL. So it’s been a good day 'tater.

          • non_burglar@lemmy.world
            7 days ago

            Fair enough.

            I see your posts and comments regularly in self-hosted, keep it up. Staying engaged is learning.

            • irmadlad@lemmy.world (OP)
              6 days ago

              The issue is that I know what I know, and that’s it. LOL I’ve had a computer in front of me since the mid 70s, but don’t equate longevity with knowledge. I am self taught in most everything I do whether in real life or digital life. So when something pops up that’s different to your regularly scheduled program, it causes anxiety. Since I am not a real IT professional, solving the issue can sometimes be tedious.

              I am, however, a bit sensitive to the word ‘paranoia’. It’s not paranoia to check yourself before you start the day. It takes less than thirty seconds to validate dns leak checks while I’m sipping my coffee. Also, if it wasn’t a habit every morning to check, I probably would have been clueless to the situation. It could have been leaking and I would have never known it.

              's-aright. I appreciate greatly, everyone’s willingness to help and give their input. No harm - no foul.
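
The distinction the thread keeps returning to (resolver IPs rotating inside one block versus a resolver showing up from somewhere else entirely) can be checked mechanically. The sketch below is an added example, not code from any commenter: `classify_resolvers` and `leak_suspected` are hypothetical names, the /24 and /48 grouping is an assumption standing in for "same IP block", and the sample addresses are constructed (203.0.113.53 is a documentation-range stand-in for an ISP resolver).

```python
import ipaddress

def classify_resolvers(observed, baseline, v4_prefix=24, v6_prefix=48):
    """Sort today's leak-test resolver IPs against a known-good baseline.

    Grouping by /24 (IPv4) or /48 (IPv6) is an assumption standing in for
    "same IP block"; a provider's real allocation may be wider or narrower.
    """
    def block(ip):
        plen = v4_prefix if ip.version == 4 else v6_prefix
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    base_ips = {ipaddress.ip_address(a) for a in baseline}
    base_blocks = {block(ip) for ip in base_ips}

    report = {"unchanged": [], "rotated_same_block": [], "outside_baseline": []}
    for raw in observed:
        ip = ipaddress.ip_address(raw.strip())
        if ip in base_ips:
            report["unchanged"].append(str(ip))
        elif any(ip in net for net in base_blocks):
            # Different address, same block: consistent with round-robin exits.
            report["rotated_same_block"].append(str(ip))
        else:
            # Resolver outside every baseline block: the case worth chasing.
            report["outside_baseline"].append(str(ip))
    return report

def leak_suspected(report):
    """Only resolvers outside the baseline blocks count as a possible leak."""
    return bool(report["outside_baseline"])

# Constructed sample data (not real measurements).
BASELINE = ["4.4.4.5", "4.4.4.6"]
TODAY_ROTATED = ["4.4.4.5", "4.4.4.15"]
TODAY_LEAK = ["4.4.4.15", "203.0.113.53"]

if __name__ == "__main__":
    for label, seen in (("rotated", TODAY_ROTATED), ("leak", TODAY_LEAK)):
        result = classify_resolvers(seen, BASELINE)
        print(label, result, "leak suspected:", leak_suspected(result))
```

A block match is only a proxy for "same operator"; confirming the owner of an unfamiliar resolver still needs a WHOIS or ASN lookup.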