Hardened browser rule for prevention of VPN/DNS leaks

This is a link to a thread over at Wilders forum.
It's, as the title says, a browser rule to stop VPN and DNS leaks.
There have been several similar threads here recently, so I thought I would link to it.

At present I use one rule for all apps I want to enforce VPN-only connections for.
Is there any benefit to using this browser rule instead of the VPN-only rule shown below?

[attachment deleted by admin]

It really depends what you want to do with the VPN. If you simply want to route everything through the tunnel, generic rules will suffice. If you only use the VPN for certain kinds of traffic, then a more creative approach will be necessary.

One thing about the 'hardened rule': unless the DNS Client service has been disabled, svchost will still be doing DNS queries, not the browser.

I figure I will stick with my existing block-non-VPN rule; it's simple, safe and effective - if it ain't broke…
Also, I don't fully understand the implications of allowing svchost to deal with DNS queries over the browser…
I have studied both rules using Wireshark, and in both cases all that's visible is a steady stream of encrypted UDP, which to me says "all is as meant to be", but my knowledge here is limited.

Since Vista, Windows-based operating systems have used the DNS Client Service to handle DNS queries, caching and so on, for all applications. The service is a hosted service, which basically means svchost is doing your DNS lookups. If you want individual applications to do their own DNS queries, you have to disable the service. The exception to this is Dragon and IceDragon; they have the option to use hard-coded DNS, which bypasses the OS.
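A quick way to see this for yourself on a Windows host, added here as an example and not something posted in the thread: the script below reports the state of the DNS Client service (Dnscache) and the svchost.exe instance hosting it, the resolvers each adapter hands to it, the UDP sockets that svchost owns, and whether a fresh lookup lands in the service's cache. It assumes Windows 8 / Server 2012 or later (the DnsClient and NetTCPIP modules) and an elevated prompt; example.com is a constructed sample name.

```powershell
# Added example (not from the thread): confirm which process performs DNS
# lookups on this Windows host. Assumes Windows 8 / Server 2012 or later and
# an elevated prompt so that OwningProcess data is complete.

# 1. State of the DNS Client service and the svchost.exe instance hosting it.
$svc    = Get-Service -Name Dnscache
$svcPid = (Get-CimInstance Win32_Service -Filter "Name='Dnscache'").ProcessId
"DNS Client (Dnscache): $($svc.Status), hosted by svchost.exe PID $svcPid"

# 2. Resolvers each adapter hands to the DNS Client: usually the router's
#    address on the LAN adapter, the VPN provider's resolvers on the tunnel.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias,
        @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# 3. UDP sockets owned by that svchost: with the service running, outbound
#    queries leave from here no matter which browser asked for the lookup.
Get-NetUDPEndpoint |
    Where-Object { $_.OwningProcess -eq $svcPid } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 4. Show the service did the work: resolve a name, then look for it in the
#    service's cache. With Dnscache disabled the cache query returns nothing,
#    because each application (or the browser's own Secure DNS) resolves for
#    itself and nothing is cached centrally.
$name = 'example.com'   # constructed sample name
Resolve-DnsName -Name $name -Type A -DnsOnly | Out-Null
Get-DnsClientCache -Entry $name -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive
```

Run it once with the VPN down and once with it up; the resolver list in step 2 should switch to the tunnel adapter's servers, and step 3 should still point at svchost unless you have stopped the service.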

OK, thanks for the explanation :-TU
I like the sound of hard-coded DNS, so when using Dragon with DNS manually added to the network adapters, is this the default?

Edit: I don’t use Comodo secure DNS

The 'hard-coded' DNS I'm referring to is Comodo Secure DNS, found in Dragon and IceDragon. When using either of these browsers with Secure DNS enabled, you bypass the system DNS for requests made from those browsers only. If you install CIS and choose Secure DNS, it changes the system DNS servers, so all applications are affected.

Don't forget, if you have a router, svchost is probably getting its DNS information from this device. Depending on your router firmware, you may be able to control how DNS behaves, especially if it supports dnsmasq.

OK, makes sense.
I will explore this further.
Thanks again.