[PLUG] trying to lock down DNS addresses problem

Daniel Hückmann sanitybit at gmail.com
Fri Jan 13 09:25:52 UTC 2023


Are you connected to ExpressVPN when you get these results?

Those IP addresses on the public internet are owned by Cloudflare, but they
are not the Cloudflare DNS service IPv4 addresses (which are 1.1.1.1 and
1.0.0.1).

If you are connected to ExpressVPN, and since I can't resolve through them
via the public internet, my assumption is that those are the addresses used
by ExpressVPN's private DNS.

Either they are using that public range inside of their VPN, or they host
their DNS service behind Cloudflare and then limit who can resolve through
those addresses to those who are routing over their VPN service.

"When you use ExpressVPN, your DNS requests are handled directly by
ExpressVPN, with no exposure to third parties. You don’t need to opt in to
use ExpressVPN’s private DNS. The ExpressVPN app protects all DNS requests
automatically, with the same encryption and tunneling protocols as all your
other online activity."

Daniel Hückmann - Security Researcher - Portland, OR
--------------------------------------------------------------------------------
@sanitybit <https://twitter.com/sanitybit> - PubKey fingerprint: CE3E D4A9 8D49
4016 <https://keybase.io/sanitybit/key.asc>


On Fri, Jan 13, 2023 at 1:16 AM Russell Senior <russell at personaltelco.net>
wrote:

> https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs
>
> On Fri, Jan 13, 2023 at 1:05 AM Russell Senior <russell at personaltelco.net>
> wrote:
>
> > Because I don't have the router you have, I am lacking any particular
> > insight into what it is doing, so anything I suggest is pure guesswork.
> > Vendor firmware on commercial off the shelf routers is quite varied and
> > sometimes bordering on arbitrary in how they choose to behave.
> >
> > One other thing to be aware of, some browsers (including Firefox) are
> > doing DNS over HTTPS (or similar) by default these days. You can check the
> > setting in General / Network Settings / Enable DNS over HTTPS, and the
> > associated destination. Mine defaults to Cloudflare. I generally don't use
> > other browsers, but others may be doing something similar. You can, of
> > course, choose a different DNS over HTTPS provider, or you can turn it off
> > in Firefox's Settings. Further research into this behavior and its nuances
> > might be needed.
> >
> > --
> > Russell Senior
> > russell at personaltelco.net
> >
> > On Thu, Jan 12, 2023 at 5:55 PM American Citizen <
> > website.reader3 at gmail.com> wrote:
> >
> >> Hello all:
> >>
> >> I am currently hitting an unusual problem with two DNS addresses which I
> >> have set up in both the NetGear C6300v2 cable modem/router which has the
> >> option to manually set the DNS addresses (which I did) and with the
> >> openSUSE Linux Leap 15.4 OS using NetManager, which has the option to
> >> set the DNS addresses in the configured connection (and I did manually
> >> configure them too).
> >>
> >> I am expecting to see DNS addresses 208.67.220.220 and 208.67.222.222
> >> when landing on either the https://www.dnsleaktest.com/ website or the
> >> https://surfshark.com/dns-leak-test website, but to my surprise both
> >> sites keep coming up with two Cloudflare DNS addresses
> >>
> >> IP               Hostname  ISP         Country
> >> 108.162.218.150  None      Cloudflare  Newark, United States
> >> 108.162.218.190  None      Cloudflare  Newark, United States
> >>
> >> I am concerned about this, as I do NOT want Cloudflare doing the DNS
> >> lookups; I expected ExpressVPN DNS numbers to show up.
> >>
> >> Any ideas on how to fix this problem?
> >>
> >> Randall
> >>
> >>
>
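
The triage discussed in this thread (VPN client DNS, browser DNS over HTTPS, Cloudflare public resolver addresses) written as a small Python check. This is an added example, not code from any poster; the resolv.conf sample, the function names and the loopback/private-address classification are assumptions constructed for illustration, while the IP addresses come from the messages above.

```python
import ipaddress

EXPECTED = {"208.67.220.220", "208.67.222.222"}  # resolvers the poster configured
CLOUDFLARE_PUBLIC = {"1.1.1.1", "1.0.0.1"}       # Cloudflare public DNS, per the reply

def parse_nameservers(resolv_conf_text):
    """Return nameserver IPs from resolv.conf-style text, skipping comments and junk."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                pass  # not an IP literal, ignore the line
    return servers

def describe(ip):
    """Classify one resolver address relative to what the poster expected."""
    addr = ipaddress.ip_address(ip)
    if ip in EXPECTED:
        return "expected"
    if ip in CLOUDFLARE_PUBLIC:
        return "public Cloudflare DNS"
    if addr.is_loopback:
        return "local stub resolver, real upstream is set elsewhere"
    if addr.is_private:
        return "private address, router or VPN-internal resolver"
    return "unexpected public address"

def diagnose(resolv_conf_text, observed, vpn_connected, browser_doh):
    """Return findings on why leak-test resolvers differ from EXPECTED."""
    findings = [f"configured {ip}: {describe(ip)}"
                for ip in parse_nameservers(resolv_conf_text) if ip not in EXPECTED]
    unexpected = [ip for ip in observed if ip not in EXPECTED]
    findings += [f"observed {ip}: {describe(ip)}" for ip in unexpected]
    if unexpected and vpn_connected:
        findings.append("VPN is up and its client handles DNS itself: retest with VPN off")
    if unexpected and browser_doh:
        findings.append("browser DoH bypasses the OS resolver: retest with DoH off")
    if unexpected and not (vpn_connected or browser_doh):
        findings.append("no VPN or DoH: check router and OS DNS forwarding")
    return findings

# Constructed sample: resolv.conf as manually configured, leak-test IPs from the post.
SAMPLE_RESOLV = "# constructed\nnameserver 208.67.220.220\nnameserver 208.67.222.222\n"
SAMPLE_OBSERVED = ["108.162.218.150", "108.162.218.190"]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_RESOLV, SAMPLE_OBSERVED, True, True)))
```

Retesting with one layer disabled at a time (VPN, then browser DoH) shows which of them is producing the unexpected resolver addresses.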


