Reposted from: http://www.xue163.com/131/6/1310369.html and http://ipleak.net/
What is a "DNS leak"?
In this context, with “DNS leak” we mean an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.
Why does my system suffer DNS leaks?
In brief: Windows lacks the concept of a global DNS setting. Each network interface can have its own DNS servers. Under various circumstances, the system process svchost.exe will send out DNS queries without respecting the routing table and the default gateway of the VPN tunnel, causing the leak.
Should I be worried about a DNS leak?
If you don't want your ISP, or anybody with the ability to monitor your line, to know the names your system tries to resolve (and therefore the web sites you visit, etc.), you must prevent your system from leaking DNS. If you feel that you are living in a country hostile to human rights, or that the above-mentioned knowledge may harm you in any way, you should act immediately to stop DNS leaks.
Dealing with DNS Leaks
The Problem
When an application connects to a server on the Internet, it needs to resolve hostnames (e.g., www.antagonism.org) to IP addresses. To do this, the application sends the hostname to a DNS server for resolution. The DNS server sends the IP address for the hostname back to the application. This is normal behaviour and is fine for everyday use. However, it is a problem when you wish to make anonymous connections.
Let's examine an example of why DNS leaks are bad for anonymous connections. Let's say you live under an oppressive regime and wish to browse a web site on the regime's forbidden list. Your computer needs to resolve the hostname of the forbidden web site, so it sends a request to its DNS resolver. The regime, true to its repressive nature, is monitoring the DNS servers for requests for forbidden sites. It correlates the request for the banned site with your IP address and stops by to arrest you for violating the law, even though you made the connection using an anonymizing tool such as Tor.
Solutions
There are a couple of solutions to the issue of DNS leaks. The most common is the use of a SOCKS proxy. The second solution is to send your DNS requests through the Tor network. Due to the possibility of applications either not supporting SOCKS or implementing it poorly, I highly recommend you employ both solutions.
SOCKS proxy
A SOCKS proxy operates as a transparent proxy to allow client-server applications to reach resources which may not be accessible otherwise. The Tor application provides a SOCKS proxy (listening by default on localhost:9050) to allow applications which support SOCKS to access the Tor network.
When using SOCKS 4a, you are able to provide hostnames, which Tor will resolve through the Tor network. Thus, your DNS requests are anonymized and the problem mentioned above is avoided. To allow those applications which support SOCKS to access Tor, one simply needs to configure the application to use the SOCKS proxy which the Tor application runs, or an HTTP proxy which supports SOCKS (e.g. privoxy or polipo). The following page covers how to configure many applications with Tor in order to prevent DNS leaks.
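The difference between plain SOCKS4 and SOCKS4a is visible on the wire: a SOCKS4 request can only carry an IPv4 address, so the client has to resolve the name itself (the leak), whereas a SOCKS4a request carries the hostname and leaves resolution to the proxy. The example below, added here and not part of the original page or of Tor's own code, builds both request types and parses the 8-byte reply; it also shows Tor's RESOLVE extension (command 0xF0), which asks the Tor SOCKS port to resolve a name without connecting. The proxy address 127.0.0.1:9050 is Tor's default; `resolve_via_tor` needs a running Tor and is not exercised offline.

```python
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0  # Tor SOCKS extension: resolve the name over Tor, don't connect


def socks4a_request(hostname: str, port: int, cmd: int = CMD_CONNECT, userid: bytes = b"") -> bytes:
    """Build a SOCKS4a request that carries the hostname instead of an IP.

    DSTIP is set to 0.0.0.1 (a 0.0.0.x address with a non-zero last byte), which
    signals to a SOCKS4a-aware server such as Tor that a NUL-terminated hostname
    follows the USERID field. The client never resolves the name locally, so no
    DNS query leaves the machine outside the proxy connection.
    """
    if "\x00" in hostname:
        raise ValueError("hostname must not contain NUL")
    header = struct.pack("!BBH4s", SOCKS4_VERSION, cmd, port, bytes([0, 0, 0, 1]))
    return header + userid + b"\x00" + hostname.encode("idna") + b"\x00"


def socks4_request(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4: only an IPv4 address fits in the request, so an application
    handed a hostname must call the system resolver first (the DNS leak)."""
    packed_ip = socket.inet_aton(ip)  # raises OSError if given a hostname
    return struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, port, packed_ip) + userid + b"\x00"


def parse_socks4_reply(data: bytes) -> tuple[bool, int, str]:
    """Parse the 8-byte SOCKS4/4a reply (VN=0, CD=90 means request granted).
    For a Tor RESOLVE request the DSTIP field holds the address Tor resolved."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}")
    return cd == 90, port, socket.inet_ntoa(ip)


def resolve_via_tor(hostname: str, proxy=("127.0.0.1", 9050), timeout: float = 30.0) -> str:
    """Resolve a name through Tor's SOCKS port with the RESOLVE extension (requires a running Tor)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(socks4a_request(hostname, 0, cmd=CMD_RESOLVE))
        granted, _, ip = parse_socks4_reply(s.recv(8))
    if not granted:
        raise RuntimeError("Tor refused the RESOLVE request")
    return ip
```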
Sending DNS requests through Tor
There are several problems with the above solution. First, not all applications support SOCKS. This means you cannot anonymize their DNS requests with the above method. Second, even though an application claims to support SOCKS, it may implement it incorrectly and still leak DNS requests. This page details how to determine if your application using SOCKS still leaks DNS requests. Lastly, the above method requires you to hand-configure each and every application. While this may be a viable solution for a handful of machines, as the number of machines grows, the solution becomes more unwieldy.
Transparently proxying DNS requests will resolve the problems mentioned with the previous solutions. It will handle DNS requests for applications which either do not support SOCKS or implement it poorly, and since it transparently proxies the requests, you do not have to configure each individual machine. There are two methods to do this. The first is to use your firewall software (iptables, pf) to redirect DNS requests from your network to dns-proxy-tor (note the previous link is only accessible through Tor). The second method is to use your firewall software to redirect DNS requests from your network to the DNSPort of a server running Tor version 0.2.0.1-alpha or later. Since the 0.2.x series is still not considered stable, this example will cover the former.
When reposting, please credit: jinglingshu's blog » Dealing with DNS Leaks