Security Flaws with VPN on Windows 10

[suzannegoh]

If you are using a VPN to trick websites in the US into thinking that you are inside the United States (perhaps because your bank or broker doesn't want to do business with non-US persons), you might want to open this web page to see what information sites in the US are able to see about you: https://ipleak.net. In some cases you will discover that enough information is being transmitted for the website that you are connecting to to be able to deduce that you are outside the US even if you are running a VPN.

Where the security flaw is is not with your main IP address (generally that’s going to be a US IP address if your VPN provider is in the US). Instead it is with DNS lookups and a relatively new feature in some browsers called WebRTC detection.

If you are in Thailand and connect to your VPN and then open https://ipleak.net in either Firefox or Chrome you most likely will see a Thai IP address under “Your IP address - WebRTC detection” no matter what version of Windows you are using. If you have that problem, there are concise instructions on https://ipleak.net about how to fix it.

Also, a few moments after loading https://ipleak.net a list of your DNS servers will show up. If you are running Windows 10, most likely one or more Thai or Singaporean DNS servers will be on the list. Fixing that is a bit more complicated, especially if you don’t control the router through which you are connecting.

I have seen this problem with StrongVPN and PandaPow but from google searching it appears that the problem is generic rather than being peculiar to certain VPN providers.

Edited August 30, 2015 by suzannegoh

[RichCor]

This has been discussed in several prior ThaiVisa topic threads.

This isn't a 'Security Flaw", but new services that have been implemented that were designed to aid in establishing links between devices. Usually it's the Browser being the tattle-tale.

How to fix IP being revealed when using VPN

Started by Chicog, 2015-02-04 18:36

Test your VPN

Started by Pakaty, 2015-05-03 15:05

To people using free proxies to get around restrictions...

Started by phazey, 2015-02-19 21:02

[robblok]

I can let my router run a vpn and set dns and such, the operating system has no clue then. But if you have a el cheapo router that is probably not possible.

[suzannegoh]

This has been discussed in several prior ThaiVisa topic threads.

This isn't a 'Security Flaw", but new services that have been implemented that were designed to aid in establishing links between devices. Usually it's the Browser being the tattle-tale.

How to fix IP being revealed when using VPN

Started by Chicog, 2015-02-04 18:36

Test your VPN

Started by Pakaty, 2015-05-03 15:05

To people using free proxies to get around restrictions...

Started by phazey, 2015-02-19 21:02

Maybe the Window10 aspects of it are buried somewhere in those threads but I didn't see it. Windows 10 handles DNS lookups differently than on previous versions of Windows. In previous versions of Windows if you manually entered DNS addresses in your wifi adaptor's IPv4 settings, Windows would use those and look no further. But now on Win10, if you do that windows might instead use the DNS addresses entered into your router or other network adapters if it gets better response times from them.

[suzannegoh]

I can let my router run a vpn and set dns and such, the operating system has no clue then. But if you have a el cheapo router that is probably not possible.

That would probably be the safest way to address the issue if you have control over the router settings and you're the only one using that router, i.e. not a public wifi signal nor a case where there are devices on your home network that you don't want to be connected to the VPN. What also seems to work is to manually enter US-based DNS addresses into your router and into the IPv4 settings of each of your network adapters (at least in terms of making ipleak.net think that I an inside the US - it wouldn't solve the potential problem of local hackers being able to monitor your DNS queries).

Edited August 30, 2015 by suzannegoh

[RichCor]

Here's a post that attempts to better describe the issue the OP eludes to:

Beware of Windows 10 DNS resolver and DNS Leaks

medium.com | ValdikSS | Aug 11

How DNS is handld on Windows 7 vs Windows 8/8.1 vs Windows 10

Windows 10 DNS resolver sends DNS requests in parallel to all available network interfaces and uses the fastest reply to come. If you use DNS from the local network, this problem allows your ISP or a hacker with Wi-Fi ap to hijack your DNS records even if you use VPN.

[RichCor]

Some additional posts discussing Windows 10 DNS resolver DNS Leaks

with potential work-around

How to fix the Windows 10 DNS resolver DNS Leaks

nish.com | by NISH VAMADEVAN | 29/08/2015

The design of Windows 10 allows the Operating System to send DNS queries to all the available interfaces on the machine. The OS does not take into account the network interface priority nor does it take into account any default route.

This design is somewhat okay until we face a VPN scenario where the DNS request has to go through the VPN tunnel for security reasons and this will allow a hacker to intercept a DNS request and modify the reply to perform a man-in-the-middle attack.

The easy fix it to add a DWORD name of DisableSmartNameResolution with a value of 0 under the following path.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

Also discussed under...

Avast SecureLine VPN: Prevent DNS leak on Windows 10 systems

avast.com | Avast Customer & Technical Support |

...scroll down a bit to find:

Prevent DNS leak on Windows 10 systems

For users of SecureLine VPN on Windows 8, Windows 8.1 or Windows 10 operating systems, it is advised to disable the "smart multi-homed name resolution" service. This service is enabled by default and is intended to optimize DNS queries and improve performance. However, when enabled it leaves you vulnerable to DNS hijacking as well as DNS leak (which can result in web activity monitoring) even when using a VPN.

! Important

The "smart multi-homed name resolution" service is especially risky on Windows 10 systems. Therefore it is highly recommended to disable the service.

Settings for this service can be found in DNS Client settings within Local Group Policy Editor.

Article includes visual instruction on using Local Group Policy Editor to Turn off smart multi-homed name resolution.

[suzannegoh]

Some additional posts discussing Windows 10 DNS resolver DNS Leaks

with potential work-around

How to fix the Windows 10 DNS resolver DNS Leaks

nish.com | by NISH VAMADEVAN | 29/08/2015

The design of Windows 10 allows the Operating System to send DNS queries to all the available interfaces on the machine. The OS does not take into account the network interface priority nor does it take into account any default route.

This design is somewhat okay until we face a VPN scenario where the DNS request has to go through the VPN tunnel for security reasons and this will allow a hacker to intercept a DNS request and modify the reply to perform a man-in-the-middle attack.

The easy fix it to add a DWORD name of DisableSmartNameResolution with a value of 0 under the following path.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

Also discussed under...

Avast SecureLine VPN: Prevent DNS leak on Windows 10 systems

avast.com | Avast Customer & Technical Support |

...scroll down a bit to find:

Prevent DNS leak on Windows 10 systems

For users of SecureLine VPN on Windows 8, Windows 8.1 or Windows 10 operating systems, it is advised to disable the "smart multi-homed name resolution" service. This service is enabled by default and is intended to optimize DNS queries and improve performance. However, when enabled it leaves you vulnerable to DNS hijacking as well as DNS leak (which can result in web activity monitoring) even when using a VPN.

! Important

The "smart multi-homed name resolution" service is especially risky on Windows 10 systems. Therefore it is highly recommended to disable the service.

Settings for this service can be found in DNS Client settings within Local Group Policy Editor.

Article includes visual instruction on using Local Group Policy Editor to Turn off smart multi-homed name resolution.

Thanks for researching that, but the things mentioned in those two articles seem to have no effect on my Win10 machine - ipleak.net is still able to see 3BB's DNS servers when connected via VPN unless I change my router configuration to use some other DNS servers.

[ev1lchris]

If I see the IP and country changed when I go to whatismyip.com is that good enough?

[suzannegoh]

If I see the IP and country changed when I go to whatismyip.com is that good enough?

In most cases that's all that websites that care about what country you are in look at. However it would be possible for someone to put code on their web page that would allow them to extract additional information that would allow them to figure out that you are using a VPN or proxy and what country your DNS servers are in. My fear is that US brokerage firms might start doing that in order to figure out which of their customers are living overseas..

[RichCor]

Thanks for researching that, but the things mentioned in those two articles seem to have no effect on my Win10 machine - ipleak.net is still able to see 3BB's DNS servers when connected via VPN unless I change my router configuration to use some other DNS servers.

Running tests using

Mozilla Firefox (with about:config media.peerconnection.enabled to false to disable WebRTC)

connected to a personal SoftEtherVPN hosted server in the US

perfect-privacy dns leaktest

will usually display my 3BB Thailand primary DNS IP (13~35 out of a list of 39) as replying to the web-based query.

ipleak.net

will sometimes display my 3BB Thailand primary DNS IP (21st out of a list of 23) as replying to the web-based query.

dnsleaktest.com

displays only the first 5 VPN provided DNS IP on the Standard but will sometime display my 3BB Thailand primary DNS IP on the Extended test (if the test doesn't crash first).

...i'll have to do a bit more research.

[suzannegoh]

FWIW, below are my work-arounds for the problem. These work-arounds won't guarantee that your DNS queries go through your VPN tunnel but they should make it such that the websites to which you are connecting will only be able to detect US-based DNS servers.

First, find the IP addresses for a DNS servers in the United States. Do not use Google or OpenDNS's servers for this because from here (Thailand) they will route through Singapore and that will be detectable by some websites in the US. One option is to use StrongVPN's pubic DNS servers in California: 216.131.95.20 and 216.131.94.5 .

Next, open your routers configuration page, go to LAN settings and look for DHCP options. There you should find a place to enter the IP address of your IP servers. Enter 216.131.95.20 and 216.131.94.5 . If you are on a public wifi or do not have access to the router's configuration page, then instead use the man-in-the-middle method described in the final paragraph of this post.

Then, on Windows 10, go into “Network Connections” and change the IPv4 section of ALL of your network adapters such that instead of the default DNS servers that 216.131.95.20 and 216.131.94.5 are used instead. Together with the DNS being set to 216.131.95.20 and 216.131.94.5 in your router's configuration, this will ensure that websites to which you are connecting (with or without VPN) will only be able to detect those two US-based DNS servers.

If you do not have access to your router's configuration page (perhaps because you are using a public wifi or because whoever owns the router doesn't want you to touch it), then the only work-around that I have found is to put a “man in the middle”. The concept is connect another device to the (public) wifi and to tether that device to your Windows 10 PC either via a cable or via Bluetooth. For instance, if you have an Android smartphone, connect the smartphone to wifi and then share the smartphone's internet connection with your Win10 PC by Bluetooth. Once initially connected, you'll find that you're unable to surf the internet because Windows is unable to find any DNS servers at all, so what you need to do is go back to “Network Connections”, look for the Bluetooth network adapter, and change it's IPv4 setting such that it's DNS servers are 216.131.95.20 and 216.131.94.5 . Once this is done, you should be able to surf the internet through your Win10 machine's Bluetooth connection and any websites that you go to should only be able to see US-based DNS servers.

Edited August 31, 2015 by suzannegoh

[keeniau96]

I have been using ZenMate in Chrome running in Linux Mint. Does a good job as VPN option but it did leak in the ipleak.net test. I added WebRTC Network Limited extension but still leaking. Added WebRTC Block exteansion and still leaking. Then referring to the suggestion by Chicog (http://www.thaivisa.com/forum/topic/797634-how-to-fix-ip-being-revealed-when-using-vpn/) mentioned earlier I used the link he provided (https://ironsocket.c...ddress-showing/) which also referred to the Chrome extensions but further on suggested the ScriptBloc extension (https://chrome.google.com/webstore/detail/scriptblock/hcdjknjpbnhdoabbngpmfekaecnpajba/related?hl=en). Added that and no more leaks. Tested with several VPN location and looks like good solution.

[slipperylobster]

Little buggy annoyances starting to reveal their hideous heads from that windows 10?

I know this much,windows users will find themselves scrambling to do things that they used to be able to do just a few years ago. Free internet may seem free...but for every laptop that wants anonymity...you will find that microsoft is 3 steps ahead of you. Makes me think that bill sold out to the NSA.

My prediction is ...that the internet will be absolutely free for users in the very near future....***However*** ...the payoff will be an ever more increasing loss of privacy. In other words...do what you will, but remember...they now know who and where you are.

For myself, I just gave up trying to be anonymous...as that just draws more attention. Now I just proceed as a "normal" person would. I am staying away from VPN's and MAC cloning....and Tor browsers. There is just no point in hiding. (Nothing to hide anyways). You can fight this all you want...but with the way things are going....it will take more than tin foil hats and vpn's to fool the prying "FVEY" (google it) eyes.

Edited August 31, 2015 by slipperylobster

[suzannegoh]

Little buggy annoyances starting to reveal their hideous heads from that windows 10?

I know this much,windows users will find themselves scrambling to do things that they used to be able to do just a few years ago. Free internet may seem free...but for every laptop that wants anonymity...you will find that microsoft is 3 steps ahead of you. Makes me think that bill sold out to the NSA.

My prediction is ...that the internet will be absolutely free for users in the very near future....***However*** ...the payoff will be an ever more increasing loss of privacy. In other words...do what you will, but remember...they now know who and where you are.

For myself, I just gave up trying to be anonymous...as that just draws more attention. Now I just proceed as a "normal" person would. I am staying away from VPN's and MAC cloning....and Tor browsers. There is just no point in hiding. (Nothing to hide anyways). You can fight this all you want...but with the way things are going....it will take more than tin foil hats and vpn's to fool the prying "FVEY" (google it) eyes.

I might agree that using a VPN is pointless if the reason for using it was to try to hide from the NSA, but with Fidelity and other American financial institutions putting restrictions on the accounts of Americans living abroad it makes all sorts of sense to use a VPN when connecting to their websites

[KhunBENQ]

Currently using Cyberghost with a German server.

No leaks, but the PerfectPrivacy clearly states that the DNS server is operated by Cyberghost.

So at least it is easy to find that I am using a VPN.

IP HOSTNAME ISP LAND

95.169.183.219 ns01.cyberghostvpn.com Cyberghost S.R.L. IP Network DE

Edited August 31, 2015 by KhunBENQ

[slipperylobster]

Little buggy annoyances starting to reveal their hideous heads from that windows 10?

I know this much,windows users will find themselves scrambling to do things that they used to be able to do just a few years ago. Free internet may seem free...but for every laptop that wants anonymity...you will find that microsoft is 3 steps ahead of you. Makes me think that bill sold out to the NSA.

My prediction is ...that the internet will be absolutely free for users in the very near future....***However*** ...the payoff will be an ever more increasing loss of privacy. In other words...do what you will, but remember...they now know who and where you are.

For myself, I just gave up trying to be anonymous...as that just draws more attention. Now I just proceed as a "normal" person would. I am staying away from VPN's and MAC cloning....and Tor browsers. There is just no point in hiding. (Nothing to hide anyways). You can fight this all you want...but with the way things are going....it will take more than tin foil hats and vpn's to fool the prying "FVEY" (google it) eyes.

I might agree that using a VPN is pointless if the reason for using it was to try to hide from the NSA, but with Fidelity and other American financial institutions putting restrictions on the accounts of Americans living abroad it makes all sorts of sense to use a VPN when connecting to their websites

but..unless I read the OP wrong....windows 10 is buggy with VPN....and soon these institutions will be able to know if you are not in the USA...

works for now...because I use a VPN to access sites like Hulu...and a few sites that say you must be in the USA.

My point is that this capability may go away...with windows 10, and future methods used to determine your actual location, mentioned in previous posts. I use windows 7, and refuse to upgrade. However...it will be only a matter of time until windows 7 degrades due to lack of driver support (in the future). The writing is on the wall....

[suzannegoh]

Little buggy annoyances starting to reveal their hideous heads from that windows 10?

I know this much,windows users will find themselves scrambling to do things that they used to be able to do just a few years ago. Free internet may seem free...but for every laptop that wants anonymity...you will find that microsoft is 3 steps ahead of you. Makes me think that bill sold out to the NSA.

My prediction is ...that the internet will be absolutely free for users in the very near future....***However*** ...the payoff will be an ever more increasing loss of privacy. In other words...do what you will, but remember...they now know who and where you are.

For myself, I just gave up trying to be anonymous...as that just draws more attention. Now I just proceed as a "normal" person would. I am staying away from VPN's and MAC cloning....and Tor browsers. There is just no point in hiding. (Nothing to hide anyways). You can fight this all you want...but with the way things are going....it will take more than tin foil hats and vpn's to fool the prying "FVEY" (google it) eyes.

I might agree that using a VPN is pointless if the reason for using it was to try to hide from the NSA, but with Fidelity and other American financial institutions putting restrictions on the accounts of Americans living abroad it makes all sorts of sense to use a VPN when connecting to their websites

but..unless I read the OP wrong....windows 10 is buggy with VPN....and soon these institutions will be able to know if you are not in the USA...

works for now...because I use a VPN to access sites like Hulu...and a few sites that say you must be in the USA.

My point is that this capability may go away...with windows 10, and future methods used to determine your actual location, mentioned in previous posts. I use windows 7, and refuse to upgrade. However...it will be only a matter of time until windows 7 degrades due to lack of driver support (in the future). The writing is on the wall....

I think that you are giving bad advice if you are telling people not to bother using a VPN when connecting to US financial instutions. That logic seems to be the same as telling someone who has holes in his trousers that instead of patching the holes that he should just not wear pants. I think that it is possible to patch the holes in Win10's VPN.

[Chicog]

Is this Windows 10 specific? It seems to relate to WebRTC which is a Browser technology in Chrome, FireFox and Opera.

[RichCor]

Is this Windows 10 specific? It seems to relate to WebRTC which is a Browser technology in Chrome, FireFox and Opera.

I believe this is more an issue with Microsoft's Smart [Multi-homed] Name Resolution, which in Windows 10 allows the operating system to send DNS queries to all the available interfaces on the machine.

When a VPN client is invoked, even if the connection is set to use "only use remote gateway", the Smart Name Resolution breaks the private tunnel policy by mixing in other interface DNS results.

[Chicog]

Yet the fixes seem to be to the Browsers

[suzannegoh]

Yet the fixes seem to be to the Browsers

Not really, the WebRTC leaks are related to the browser and can be addressed by patching the browser, but the DNS leaks are specific to Windows 10 and have nothing to do with the browser. My guess is that MS might not be inclined to fix this issue anytime soon since they probably view it as being a "feature" rather than a bug.

Edited August 31, 2015 by suzannegoh

[suzannegoh]

Is this Windows 10 specific? It seems to relate to WebRTC which is a Browser technology in Chrome, FireFox and Opera.

I believe this is more an issue with Microsoft's Smart [Multi-homed] Name Resolution, which in Windows 10 allows the operating system to send DNS queries to all the available interfaces on the machine.

When a VPN client is invoked, even if the connection is set to use "only use remote gateway", the Smart Name Resolution breaks the private tunnel policy by mixing in other interface DNS results.

Yes, that is correct.

[Chicog]

Yet the fixes seem to be to the Browsers

Not really, the WebRTC leaks are related to the browser and can be addressed by patching the browser, but the DNS leaks are specific to Windows 10 and have nothing to do with the browser. My guess is that MS might not be inclined to fix this issue anytime soon since they probably view it as being a "feature" rather than a bug.

But you can disable it through the registry according to an earlier post.

So they must have expected this....

[suzannegoh]

Yet the fixes seem to be to the Browsers

Not really, the WebRTC leaks are related to the browser and can be addressed by patching the browser, but the DNS leaks are specific to Windows 10 and have nothing to do with the browser. My guess is that MS might not be inclined to fix this issue anytime soon since they probably view it as being a "feature" rather than a bug.

But you can disable it through the registry according to an earlier post.

So they must have expected this....

That registry key was introduced on Win 8 or 8.1 and affected what sounds like a similar problem, but that fix does not seem to work on Windows 10.

[Chicog]

Yet the fixes seem to be to the Browsers

Not really, the WebRTC leaks are related to the browser and can be addressed by patching the browser, but the DNS leaks are specific to Windows 10 and have nothing to do with the browser. My guess is that MS might not be inclined to fix this issue anytime soon since they probably view it as being a "feature" rather than a bug.

But you can disable it through the registry according to an earlier post.

So they must have expected this....

That registry key was introduced on Win 8 or 8.1 and affected what sounds like a similar problem, but that fix does not seem to work on Windows 10.

More:

https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1

[suzannegoh]

But you can disable it through the registry according to an earlier post.

So they must have expected this....

That registry key was introduced on Win 8 or 8.1 and affected what sounds like a similar problem, but that fix does not seem to work on Windows 10.

More:

https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1

When I put in a support ticket with StrongVPN on that issue they sent me that article too. This was their full reply:

"Unfortunately this is a new feature of DNS resolver in Windows 10.

I would recommend you to read this article to understand this issue deeper https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1"

So basically they are telling customers "I feel your pain".

BTW, there are some other interesting articles on the blog on which the above article appears. For instance, one of them explains how webmasters can programmatically determine that users are connecting though a VPN or proxy by looking at various properties of the data stream.

https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

Edited September 1, 2015 by suzannegoh

[suzannegoh]

That registry key was introduced on Win 8 or 8.1 and affected what sounds like a similar problem, but that fix does not seem to work on Windows 10.

More:

https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1

That article references one thing that does seem to solve the problem on Win10 though it's a bit unwieldy. Solution "B" at this link seems to force all DNS queries to go through the VPN tunnel (at least with StrongVPN):

https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html