How to eliminate DNS leaks? [Bookworm64_10.0.6]

New to Puppy and have questions? Start here

Moderator: Forum moderators

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

How to eliminate DNS leaks? [Bookworm64_10.0.6]

Post by Governor »

I discovered I have DNS leaks, and apparently all of them are going to google. Looks like my internet provider is using google servers for DNS.

I tried to find out more and what I can do about it. Can anyone shed any light on this?

First stop:
https://dnscrypt.info/implementations/

Second stop:
https://github.com/DNSCrypt/dnscrypt-proxy

Third stop:
https://github.com/dnscrypt/dnscrypt-pr ... tion-linux

Fourth stop:
https://github.com/dnscrypt/dnscrypt-pr ... and-Ubuntu

Fifth stop:
https://github.com/dnscrypt/dnscrypt-pr ... tion-linux
I did not get further than Step 2 on this page.
Below are my results.

Code: Select all

# ss -lp 'sport = :domain'
Command 'ss' not found, but can be installed with:
apt install iproute2
# apt install iproute2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libxaw3dxft6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  libbpf1 libcap2-bin
Suggested packages:
  iproute2-doc
Recommended packages:
  libatm1 libpam-cap
The following NEW packages will be installed:
  iproute2 libbpf1 libcap2-bin
0 upgraded, 3 newly installed, 0 to remove and 39 not upgraded.
Need to get 1,226 kB of archives.
After this operation, 4,129 kB of additional disk space will be used.
N: Ignoring file 'mullvad.listlear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
N: Ignoring file 'mullvad.listclear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main amd64 libbpf1 amd64 1:1.1.0-1 [145 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 libcap2-bin amd64 1:2.66-4 [34.7 kB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 iproute2 amd64 6.1.0-3 [1,046 kB]
Fetched 1,226 kB in 0s (4,648 kB/s) 
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libbpf1:amd64.
(Reading database ... 61375 files and directories currently installed.)
Preparing to unpack .../libbpf1_1%3a1.1.0-1_amd64.deb ...
Unpacking libbpf1:amd64 (1:1.1.0-1) ...
Selecting previously unselected package libcap2-bin.
Preparing to unpack .../libcap2-bin_1%3a2.66-4_amd64.deb ...
Unpacking libcap2-bin (1:2.66-4) ...
Selecting previously unselected package iproute2.
Preparing to unpack .../iproute2_6.1.0-3_amd64.deb ...
Unpacking iproute2 (6.1.0-3) ...
dpkg: error processing archive /var/cache/apt/archives/iproute2_6.1.0-3_amd64.deb (--unpack):
 cannot copy extracted data for './sbin/devlink' to '/sbin/devlink.dpkg-new': failed to write (No space left on device)
dpkg: error: error creating new backup file '/var/lib/dpkg/status-old': No space left on device
E: Sub-process /usr/bin/dpkg returned an error code (2)
# apt autoremove ibxaw3dxft6
N: Ignoring file 'mullvad.listlear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
N: Ignoring file 'mullvad.listclear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
E: dpkg was interrupted, you must manually run 'dpkg --configure -a' to correct the problem. 
# run dpkg --configure -a
Command 'run' not found, did you mean:
  command 'zun' from deb python3-zunclient
  command 'rup' from deb rstat-client
  command 'runc' from deb runc
  command 'runq' from deb exim4-daemon-heavy
  command 'runq' from deb exim4-daemon-light
  command 'srun' from deb slurm-client
  command 'crun' from deb crun
  command 'grun' from deb grun
  command 'zrun' from deb moreutils
Try: apt install <deb name>

I did download the file:
https://github.com/DNSCrypt/dnscrypt-pr ... 1.5.tar.gz

Governor

User avatar
Trapster
Posts: 184
Joined: Sat Aug 01, 2020 7:44 pm
Has thanked: 1 time
Been thanked: 55 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Trapster »

What nameserver are you using in /etc/resolv.conf ?

Try changing it to 1.1.1.1 and retest for leaks.

Also, when the apt instruction tells you to run 'dpkg --configure -a',
it should be

# dpkg --configure -a
not
# run dpkg --configure -a

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williams2 »

Duckduckgo search for firefox dns encrypt

Firefox enables encrypted dns by default, it says.

Firefox now collects data of your web usage, I think.

https://support.mozilla.org/en-US/kb/fi ... over-https

https://support.mozilla.org/en-US/kb/dns-over-https

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

williams2 wrote: Thu Jul 25, 2024 4:57 pm

Duckduckgo search for firefox dns encrypt

Firefox enables encrypted dns by default, it says.

Firefox now collects data of your web usage, I think.

https://support.mozilla.org/en-US/kb/fi ... over-https

https://support.mozilla.org/en-US/kb/dns-over-https

Firefox uses Cloudflare, and I am not too happy with them. I would like to use a true anonymous DNS server if that is possible.
With my current setup, I have a choice between 4 Cloudflare servers getting my data or 8 Google servers.

Mozilla bought an advertising company, so now Mozilla can simply pass on the data collection to itself, ie. from one server to another. What could possibly go wrong with that arrangement. Hmm.

Last edited by Governor on Thu Jul 25, 2024 6:05 pm, edited 1 time in total.

Governor

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

Trapster wrote: Thu Jul 25, 2024 3:54 pm

What nameserver are you using in /etc/resolv.conf ?

Try changing it to 1.1.1.1 and retest for leaks.

Also, when the apt instruction tells you to run 'dpkg --configure -a',
it should be

# dpkg --configure -a
not
# run dpkg --configure -a

Ok, thanks. I got this, should I change it?

Code: Select all

# Generated by dhcpcd from eth0.dhcp, eth0.dhcp6, eth0.ra
# /etc/resolv.conf.head can replace this line
domain home
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
# /etc/resolv.conf.tail can replace this line

Governor

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williams2 »

8.8.8.8 is a google public dns server.

1.1.1.1 is Cloudflare.

the name servers in /etc/resolv.conf will try the first one at the top of the list, if it times out, it will try the next in the list.

So for you, it will try 8.8.8.8
if 8.8.8.8 times out it will try 1.1.1.1 etc etc.

If you run Firefox with encrypted dns enabled,
then Firefox will bypass (not use) /etc/resolv.conf

Last edited by williams2 on Thu Jul 25, 2024 9:31 pm, edited 1 time in total.
williwaw
Posts: 1973
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 372 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williwaw »

most routers allow you to set DNS for the network
https://dnsleaktest.com/ is useful for testing

geo_c
Posts: 2883
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 2208 times
Been thanked: 880 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by geo_c »

Yes, what @williwaw said.

Both LibreWolf and Firefox allow you to set a custom DNS, and LibreWolf also has Quad9 preconfigured.
Image

Firefox also has a custom setting:
Image

geo_c
Old School Hipster, and Such

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williams2 »

I have DNS leaks, and apparently all of them are going to google. Looks like my internet provider is using google servers for DNS

To be clear, your default dns name server is google.

If you don't want to use google nameservers,
then delete the 3 google nameserver lines in /etc/resolv.conf

1.1.1.1 is Cloudflare

your ISP usually puts it's dns server address at the top of resolv.conf

If you configure a dns server in eg Firefox,
then that will be used instead of resolv.conf

williwaw
Posts: 1973
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 372 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williwaw »

williams2 wrote: Fri Jul 26, 2024 2:25 am

If you configure a dns server in eg Firefox,
then that will be used instead of resolv.conf

and if you set a DNS in the router, should that trump the browser config DNS (and /etc/resolve.conf)?

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

@Governor

The DNS subject is not too complicated yet is a complex one.

- DNSCrypt is one of many (encrypted) dns protocols, is not an exclusive way to make sure you do not have a dns leakage, which is a different thing.

- regarding what DNS is and how it works you can find a plethora of information using google and/or youtube

- having a dns leak it just means that the actual dns resolver used by your software differ from what you, as user, have set / configured / expected .

- dns have different protocols , these protocols mainly can work with
(a) clear text dns queries (not so privacy focused solution) or
(b) DoT (dns over tls, used at the OS layer via a software installed on the running machine) or
(c) DoH (dns over https , dns sent encrypted at the web browser layer)

several considerations need to be understood, such as:

- your computer when connects to its router/gateway it fetch (as a client) from the mentioned router (as a server) not only ip addresses but also DNS and "imports" them into its configuration file (eg /etc/resolv.conf)

- you might have different dns address set up on your machine and the software might use/prioritize one instead of another one , eg
-if you use a web browser and set, within its settings, to use a certain (secure, DoH) DNS this will override the other DNS addresses (eg the ones into /etc/resolv.conf) ; this means your browser will use certain dns whilst your OS will use the other ones;

- you can check which DNS you use within your web browser using the plethora of web services, a good one I find to be https://ipleak.net/.

- you can check which DNS you use within your OS with this tool https://github.com/macvk/dnsleaktest (instruction on how to install it and use it are also in that page)

- if you want to use the same DNS you are using within your OS (linux , windows, android and so on) while using your web browser you can open your web browser's settings and configure it to use no dns/doh service . For example in firefox, under "enable secure dns using:" section you can set "off"

- a good dns service is https://nextdns.io/ then click "try it now" . Even if you dont want to use it (I do not) that website if very useful as it shows you all the client software (DoT mainly, but also DoH) you can use within your used OS and its configuration files. This can be a good starting point to understood how to configure a secure DNS resolver using their service, then you might decide to change using another dns resolver and dns clients.

- if you use a VPN , when you install and configure its client, it will take over your DoT and your machine will (supposedly should) use its own DNS addresses. In fact a common scenario of DNS leakage is when your machine does not use, for some reason, the DNS you (or your VPN client) have set up but instead will use other ones (eg bugs within software or at the OS level).

For sure I am not an expert in this field but I do value encrypted dns so I document myself on it.

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

a simple and effective configuration, which is the one I came up with and use, is simply:

1) DoH: for the web browser I use mullvad web browser , it is meant to be used as it is, without changing any configuration, so you install it and you are ready to go. It uses encrypted DNS DoH by default. You can check if you have leakages by connecting to their websites https://mullvad.net/en/check

2) DoT: I use stubby as client resolver , set up using mullvad free encrypted dns services , but you are free to use whatever you want

Code: Select all

 apt install stubby 

then you need to edit its configuration file. My /etc/stubby/stubby.yml is

Code: Select all

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
appdata_dir: "/var/cache/stubby"
upstream_recursive_servers:

  - address_data: 194.242.2.2
    tls_auth_name: "dns.mullvad.net"

then, below, is a manual way to add the stubby process to auto start up at boot, but you can use the software provided within your OS.

Code: Select all

echo "stubby >/dev/null 2>&1 &" >> /etc/rc.d/rc.local

-now configure network manager's nameserver to 127.0.0.1 : open your network manager software (eg connman) , open the connection you are using (Ethernet, or the ESSID/wifi you using), edit its configuration and under "nameserver" set 127.0.0.1 . This because the installed dns server stubby works as a local server.

Code: Select all

 stubby &

(launch that command only the first time post installation. From the next machine boot , if you have set it up as I told you above, stubby should be launched automatically)

Remember that google is your best friend if you want to troubleshooting something and, before that, hopefully, to learn about something.

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

williwaw wrote: Fri Jul 26, 2024 4:27 am
williams2 wrote: Fri Jul 26, 2024 2:25 am

If you configure a dns server in eg Firefox,
then that will be used instead of resolv.conf

and if you set a DNS in the router, should that trump the browser config DNS (and /etc/resolve.conf)?

@williwaw

A override B and/or override C.

- If your web browser has it own DNS/DoH set up, it will use those and ignore /etc/resolv.conf .

- If your web browser is configured to not use any DNS/DoH but to use the system ones yes it should use /etc/resolv.conf .

- /etc/resolv.conf can be populated/written by many software . It is populated when your network manager fetches from the router ip and dns addresses (by default) but also can be populated by eg a VPN software , or by your custom DNS values set up by you when configuring your network manager client.

There are more than one player in this game, and one can take charge and override configuration of another player, if you know what I mean.

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

geo_c wrote: Fri Jul 26, 2024 12:07 am

Yes, what @williwaw said.

Both LibreWolf and Firefox allow you to set a custom DNS, and LibreWolf also has Quad9 preconfigured.
Image

Firefox also has a custom setting:
Image

LibreWolf portable (@mikewalsh) stopped working, and I have no idea why. It just won't start with the script. It will start with the LibreWolf64 executible, but with all my settings gone. I deleted everything in the folder and unpacked it again, and the launch script still won't work. My other portables (except Audacity which won't run at all) are working with the launch script. It took me 20 minutes to set up LibreWolf.

<rant>Think about it: 20 minutes here, 20 minutes there. I figure an average of 20 minutes per problem (some more, some less) and they keep coming. I don't get a break. My wife keeps begging me to get a Windows computer because this takes so much time out of my life, but I refuse to go back to Windows. This is not a good situation for me.</rant>

So here I am, still trying to get things to work properly.

I was going to try NextDNS to test it, but I need a port number in Firefox and I can't find a port number on their instruction page.
https://my.nextdns.io/2228c4/setup

Thanks for the info. This will be useful if I can get LibreWolf up and running again.

Last edited by Governor on Fri Jul 26, 2024 7:35 am, edited 1 time in total.

Governor

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

williwaw wrote: Thu Jul 25, 2024 9:20 pm

most routers allow you to set DNS for the network
https://dnsleaktest.com/ is useful for testing

Tried dnsleaktest.com. With standard setting in Firefox, they reported 30 google servers!
with Cloudflare, they report 2 servers.
I just noticed I can choose NextDNS, so I'll try it.
Now only 1 server is reported, but it still reports my country and approximate city on the test page.
This seems to be the safest alternative so far.
Thanks.

Governor

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

darksun wrote: Fri Jul 26, 2024 6:29 am

a simple and effective configuration, which is the one I came up with and use, is simply:

1) DoH: for the web browser I use mullvad web browser , it is meant to be used as it is, without changing any configuration, so you install it and you are ready to go. It uses encrypted DNS DoH by default. You can check if you have leakages by connecting to their websites https://mullvad.net/en/check

2) DoT: I use stubby as client resolver , set up using mullvad free encrypted dns services , but you are free to use whatever you want

Code: Select all

 apt install stubby 

then you need to edit its configuration file. My /etc/stubby/stubby.yml is

Code: Select all

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
appdata_dir: "/var/cache/stubby"
upstream_recursive_servers:

  - address_data: 194.242.2.2
    tls_auth_name: "dns.mullvad.net"

then, below, is a manual way to add the stubby process to auto start up at boot, but you can use the software provided within your OS.

Code: Select all

echo "stubby >/dev/null 2>&1 &" >> /etc/rc.d/rc.local

-now configure network manager's nameserver to 127.0.0.1 : open your network manager software (eg connman) , open the connection you are using (Ethernet, or the ESSID/wifi you using), edit its configuration and under "nameserver" set 127.0.0.1 . This because the installed dns server stubby works as a local server.

Code: Select all

 stubby &

(launch that command only the first time post installation. From the next machine boot , if you have set it up as I told you above, stubby should be launched automatically)

Remember that google is your best friend if you want to troubleshooting something and, before that, hopefully, to learn about something.

I will try Mullvad again. If it doesn't work, can I still use Stubby?
Thanks.

BTW, I discovered there is an option in Firefox to use NextDNS, so I did that. I then checked it at https://mullvad.net/en/check and it reports an IP address in Austria, but it still reports my country and approximate city. My IP is not revealed, but is there a way to prevent my country and city from showing up?

Last edited by Governor on Fri Jul 26, 2024 8:15 am, edited 1 time in total.

Governor

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

darksun wrote: Fri Jul 26, 2024 6:06 am

@Governor

8<------ snipped --------

- you can check which DNS you use within your web browser using the plethora of web services, a good one I find to be https://ipleak.net/.

- you can check which DNS you use within your OS with this tool https://github.com/macvk/dnsleaktest (instruction on how to install it and use it are also in that page)

- if you want to use the same DNS you are using within your OS (linux , windows, android and so on) while using your web browser you can open your web browser's settings and configure it to use no dns/doh service . For example in firefox, under "enable secure dns using:" section you can set "off"

- a good dns service is https://nextdns.io/ then click "try it now" . Even if you dont want to use it (I do not) that website if very useful as it shows you all the client software (DoT mainly, but also DoH) you can use within your used OS and its configuration files. This can be a good starting point to understood how to configure a secure DNS resolver using their service, then you might decide to change using another dns resolver and dns clients.

- if you use a VPN , when you install and configure its client, it will take over your DoT and your machine will (supposedly should) use its own DNS addresses. In fact a common scenario of DNS leakage is when your machine does not use, for some reason, the DNS you (or your VPN client) have set up but instead will use other ones (eg bugs within software or at the OS level).

For sure I am not an expert in this field but I do value encrypted dns so I document myself on it.

I discovered I can choose Next DNS in Firefox, and tests show a single IP address in Austria which is, dns.nextdns.io. However my country and approximate city are revealed. Ok, so I thought "At least google is not involved". But then I downloaded and ran the bash script, dnsleaktest.sh, and I was shocked to see the following list:

Code: Select all

You use 17 DNS servers:
172.217.33.195 [Australia AS15169 Google LLC]
172.217.33.197 [Australia AS15169 Google LLC]
172.217.34.1 [India AS15169 Google LLC]
172.217.34.2 [India AS15169 Google LLC]
172.217.44.129 [Canada AS15169 Google LLC]
172.217.44.132 [Canada AS15169 Google LLC]
172.253.2.131 [United States of America AS15169 Google LLC]
172.253.10.130 [United States of America AS15169 Google LLC]
172.253.10.196 [United States of America AS15169 Google LLC]
172.253.193.197 [Japan AS15169 Google LLC]
172.253.197.1 [Germany AS15169 Google LLC]
172.253.197.2 [Germany AS15169 Google LLC]
172.253.197.4 [Germany AS15169 Google LLC]
172.253.197.5 [Germany AS15169 Google LLC]
172.253.225.36 [United States of America AS15169 Google LLC]
173.194.96.194 [Ireland AS15169 Google LLC]
173.194.96.195 [Ireland AS15169 Google LLC]

It seems like Google is close to controlling the entire internet.

Governor

williwaw
Posts: 1973
Joined: Tue Jul 14, 2020 11:24 pm
Has thanked: 172 times
Been thanked: 372 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by williwaw »

Governor wrote: Fri Jul 26, 2024 8:11 am

ran the bash script, dnsleaktest.sh, and I was shocked to see......

# /etc/resolv.conf.head can replace this line
seems to suggest you can make your a DNS entry persistent in bookworm

# echo 1.1.1.1 >> /etc/resolv.conf.head

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

darksun wrote: Fri Jul 26, 2024 6:29 am

a simple and effective configuration, which is the one I came up with and use, is simply:

1) DoH: for the web browser I use mullvad web browser , it is meant to be used as it is, without changing any configuration, so you install it and you are ready to go. It uses encrypted DNS DoH by default. You can check if you have leakages by connecting to their websites https://mullvad.net/en/check

2) DoT: I use stubby as client resolver , set up using mullvad free encrypted dns services , but you are free to use whatever you want

Code: Select all

 apt install stubby 

What about the error messages?

Code: Select all

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
  libxaw3dxft6
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  dns-root-data libev4 libgetdns10 libuv1
The following NEW packages will be installed:
  dns-root-data libev4 libgetdns10 libuv1 stubby
0 upgraded, 5 newly installed, 0 to remove and 94 not upgraded.
Need to get 600 kB of archives.
After this operation, 1,648 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 dns-root-data all 2024041801~deb12u1 [4,356 B]
Get:2 http://deb.debian.org/debian bookworm/main amd64 libev4 amd64 1:4.33-1 [43.2 kB]
Get:3 http://deb.debian.org/debian bookworm/main amd64 libuv1 amd64 1.44.2-1+deb12u1 [136 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 libgetdns10 amd64 1.6.0-3+b1 [206 kB]
Get:5 http://deb.debian.org/debian bookworm/main amd64 stubby amd64 1.6.0-3+b1 [211 kB]
Fetched 600 kB in 0s (3,490 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package dns-root-data.
(Reading database ... 61375 files and directories currently installed.)
Preparing to unpack .../dns-root-data_2024041801~deb12u1_all.deb ...
Unpacking dns-root-data (2024041801~deb12u1) ...
Selecting previously unselected package libev4:amd64.
Preparing to unpack .../libev4_1%3a4.33-1_amd64.deb ...
Unpacking libev4:amd64 (1:4.33-1) ...
Selecting previously unselected package libuv1:amd64.
Preparing to unpack .../libuv1_1.44.2-1+deb12u1_amd64.deb ...
Unpacking libuv1:amd64 (1.44.2-1+deb12u1) ...
Selecting previously unselected package libgetdns10:amd64.
Preparing to unpack .../libgetdns10_1.6.0-3+b1_amd64.deb ...
Unpacking libgetdns10:amd64 (1.6.0-3+b1) ...
Selecting previously unselected package stubby.
Preparing to unpack .../stubby_1.6.0-3+b1_amd64.deb ...
Unpacking stubby (1.6.0-3+b1) ...
Setting up libev4:amd64 (1:4.33-1) ...
Setting up dns-root-data (2024041801~deb12u1) ...
Setting up libuv1:amd64 (1.44.2-1+deb12u1) ...
Setting up libgetdns10:amd64 (1.6.0-3+b1) ...
Setting up stubby (1.6.0-3+b1) ...
Processing triggers for libc-bin (2.36-9+deb12u4) ...
Processing triggers for man-db (2.11.2-2) ...
N: Ignoring file 'mullvad.listlear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
N: Ignoring file 'mullvad.listclear' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension
# 

then you need to edit its configuration file. My /etc/stubby/stubby.yml is

Code: Select all

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
appdata_dir: "/var/cache/stubby"
upstream_recursive_servers:

  - address_data: 194.242.2.2
    tls_auth_name: "dns.mullvad.net"

Would the above code replace the code that is already in /etc/stubby/stubby.ym ?
I don't want to mess anything up. Thanks!

then, below, is a manual way to add the stubby process to auto start up at boot, but you can use the software provided within your OS.

Code: Select all

echo "stubby >/dev/null 2>&1 &" >> /etc/rc.d/rc.local

-now configure network manager's nameserver to 127.0.0.1 : open your network manager software (eg connman) , open the connection you are using (Ethernet, or the ESSID/wifi you using), edit its configuration and under "nameserver" set 127.0.0.1 . This because the installed dns server stubby works as a local server.

Code: Select all

 stubby &

(launch that command only the first time post installation. From the next machine boot , if you have set it up as I told you above, stubby should be launched automatically)

Remember that google is your best friend if you want to troubleshooting something and, before that, hopefully, to learn about something.

Governor

User avatar
Trapster
Posts: 184
Joined: Sat Aug 01, 2020 7:44 pm
Has thanked: 1 time
Been thanked: 55 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Trapster »

williwaw wrote: Fri Jul 26, 2024 10:13 am
Governor wrote: Fri Jul 26, 2024 8:11 am

ran the bash script, dnsleaktest.sh, and I was shocked to see......

# /etc/resolv.conf.head can replace this line
seems to suggest you can make your a DNS entry persistent in bookworm

# echo 1.1.1.1 >> /etc/resolv.conf.head

This should probably be:
# echo nameserver 1.1.1.1 >> /etc/resolv.conf.head

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

Trapster wrote: Fri Jul 26, 2024 11:42 am
williwaw wrote: Fri Jul 26, 2024 10:13 am
Governor wrote: Fri Jul 26, 2024 8:11 am

ran the bash script, dnsleaktest.sh, and I was shocked to see......

# /etc/resolv.conf.head can replace this line
seems to suggest you can make your a DNS entry persistent in bookworm

# echo 1.1.1.1 >> /etc/resolv.conf.head

This should probably be:
# echo nameserver 1.1.1.1 >> /etc/resolv.conf.head

Would I use this, or should it be 1.1.1.1? Or....?
# echo dns.mullvad.net 194.242.2.2 >> /etc/resolv.conf.head

Governor

User avatar
Trapster
Posts: 184
Joined: Sat Aug 01, 2020 7:44 pm
Has thanked: 1 time
Been thanked: 55 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Trapster »

I've always used the word "nameserver"
I've never tried the actual server name.

Here are some popular dns servers

https://www.howtogeek.com/874773/the-be ... -browsing/

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

Governor wrote: Fri Jul 26, 2024 7:46 am

I will try Mullvad again. If it doesn't work, can I still use Stubby?
Thanks.

BTW, I discovered there is an option in Firefox to use NextDNS, so I did that. I then checked it at https://mullvad.net/en/check and it reports an IP address in Austria, but it still reports my country and approximate city. My IP is not revealed, but is there a way to prevent my country and city from showing up?

@Governor

Mullvad is a company that offers (a) a vpn (b) a private and secure web browser (c) free encrypted DNS

I guess you meant that you will try to install mullvad browser again, am I right? and BTW the installation is a straightforward process and should not give you any big issues. Is it possible that you have been juggling around and changing many things within your puppy linux that at this point it could be a wise idea to start over from a fresh installation of your PUPPY linux? This could avoid issues coming up in your way that do not depends on the software and configuration we are discussing here, doing so removing any possible issues that will tamper your new set up you are trying to achieve here.

Firefox has partnered with nextdns (which offers a free and paid service) and cloudflare hence Firefox allows you yes to set those as secure/encrypted dns resolver for your web browser.
https://mullvad.net/en/check is just a web page, offered by mullvad, that checks and displays what IP you are browsing from, what DNS your web browser (DoH) is using and the webrtc .

If you are not using a service like VPN or Tor or web proxy then your public IPv4 Address & ISP Provider name & your approximate Location are based on your IP address given by you from your ISP.

If you are not using any of the mullvad dns services found here, while visiting their https://mullvad.net/en/check , there will be a red message saying there is a problem/leak , but that does not mean that there is a problem (remember what I said to you on my first post in this thread? a leak is when your actual dns used by your machine differs from what you have set up, from what it should be eg you set your machine to use mullvad dns but when you run a test your machine for some reasons uses another ones eg lets say it uses google dns instead, due to bugs, misconfiguration and so on).

If you want to mask your real IP address (and location associated to that ) there are services like VPN , TOR , proxies . But here the more we discuss the more this thread get biggers.
I suggest you using google and youtube and getting the basic information about these topics; like I said, these topics are not complicated but they are complex so you need to understand several pieces of a puzzle within the topic of networking.

Last edited by darksun on Fri Jul 26, 2024 1:20 pm, edited 5 times in total.
darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

Trapster wrote: Fri Jul 26, 2024 12:13 pm

I've always used the word "nameserver"
I've never tried the actual server name.

Here are some popular dns servers

https://www.howtogeek.com/874773/the-be ... -browsing/

If you are looking for secure and private DNS providers a good starting point is not what you posted but I would suggest you to start having a look at those

https://www.privacyguides.org/en/dns/

geo_c
Posts: 2883
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 2208 times
Been thanked: 880 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by geo_c »

Governor wrote: Fri Jul 26, 2024 7:19 am

LibreWolf portable (@mikewalsh) stopped working, and I have no idea why. It just won't start with the script. It will start with the LibreWolf64 executible, but with all my settings gone.

I remember mike had a portable for LibreWolf way back at least a year or two ago. But he dropped that one early on, then I remember he explained how to make one, or made one for you perhaps not that long ago.

But I just use the appimage. I place it in a folder in my portable apps directory outside the OS system folder, and run it once clean, then immediately close it and move the /.librewolf profile folder it creates from /root to the portable directory I created. After that, I symlink the profile folder back to root. Doing this allows you to share the profile between OSs and pupsaves, but it requires that everytime you use Librewolf in a new OS, or new save pupsave folder that you first symlink that profile folder back into root, just once for each new OS or new pupsave. That's almost all it takes to use as a portable. One more convenience would be to create a launcher, a simple script or .desktop file to start it, and put it in /usr/share/applications.

Here's my desktop file, the Icon= is my own so it's in an unusual location, you can see in the Exec= I have a folder in /mnt/home called portableAPP and a folder inside portableAPP called LibreWolf-img and it inside that is the appimage and that's where I move the profile folder after running it the first time:

Code: Select all

[Desktop Entry]
Encoding=UTF-8
Name=LibreWolf
Icon=/mnt/home/tcons/unichrome/console/librewolf.png
Comment=LibreWolf Browser
Exec=/mnt/home/portableAPP/LibreWolf-img/LibreWolf.x86_64.AppImage
Terminal=false
Type=Application
Categories=X-Desktop;Internet;Network;WebBrowser;
GenericName=librewolf

This shows the /.librewolf symlink in root, and the /.librewolf folder in the appimage directory. (Ignore the other folders like 127, root-, default-extensions. Those are mine and contain different appimage versions, etc)
Image

geo_c
Old School Hipster, and Such

User avatar
Governor
Posts: 893
Joined: Sat Nov 12, 2022 7:11 pm
Has thanked: 228 times
Been thanked: 46 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by Governor »

geo_c wrote: Fri Jul 26, 2024 2:20 pm
Governor wrote: Fri Jul 26, 2024 7:19 am

LibreWolf portable (@mikewalsh) stopped working, and I have no idea why. It just won't start with the script. It will start with the LibreWolf64 executible, but with all my settings gone.

I remember mike had a portable for LibreWolf way back at least a year or two ago. But he dropped that one early on, then I remember he explained how to make one, or made one for you perhaps not that long ago.

But I just use the appimage. I place it in a folder in my portable apps directory outside the OS system folder, and run it once clean, then immediately close it and move the /.librewolf profile folder it creates from /root to the portable directory I created. After that, I symlink the profile folder back to root. Doing this allows you to share the profile between OSs and pupsaves, but it requires that everytime you use Librewolf in a new OS, or new save pupsave folder that you first symlink that profile folder back into root, just once for each new OS or new pupsave. That's almost all it takes to use as a portable. One more convenience would be to create a launcher, a simple script or .desktop file to start it, and put it in /usr/share/applications.

Here's my desktop file, the Icon= is my own so it's in an unusual location, you can see in the Exec= I have a folder in /mnt/home called portableAPP and a folder inside portableAPP called LibreWolf-img and it inside that is the appimage and that's where I move the profile folder after running it the first time:

Code: Select all

[Desktop Entry]
Encoding=UTF-8
Name=LibreWolf
Icon=/mnt/home/tcons/unichrome/console/librewolf.png
Comment=LibreWolf Browser
Exec=/mnt/home/portableAPP/LibreWolf-img/LibreWolf.x86_64.AppImage
Terminal=false
Type=Application
Categories=X-Desktop;Internet;Network;WebBrowser;
GenericName=librewolf

This shows the /.librewolf symlink in root, and the /.librewolf folder in the appimage directory. (Ignore the other folders like 127, root-, default-extensions. Those are mine and contain different appimage versions, etc)
Image

Is there a place on-line that has detailed instructions on how to do this? I think Mike's instruction may have been simpler, but I am not sure, I will have to try and find it.
I will try and get time this weekend to research this, and appimage. It seems complicated to me.

If I install a non-portable Librewolf, will I be able to save my profile and settings and install them to a different install of LibreWolf later?

Governor

geo_c
Posts: 2883
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 2208 times
Been thanked: 880 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by geo_c »

Governor wrote: Fri Jul 26, 2024 5:01 pm

Is there a place on-line that has detailed instructions on how to do this? I think Mike's instruction may have been simpler, but I am not sure, I will have to try and find it.
I will try and get time this weekend to research this, and appimage. It seems complicated to me.

As long as bookwormpup has everything need to run appimages, they are really handy and can be found for many popular apps.

The only thing you actually have to do to run an appimage is download the appimage, make it executable, and run it. If it runs successfully, It will create a profile folder, cache, and config in your /root directory. You don't need to symlink it if you are always using the same pupsave folder, it will be in your pupsave. Nothing more to do, just keep using.

The reason @mike makes portables is so that all the profiles and configs will be accessible from more than one OS, in other words 'portable.'

So if you want to be able to use the same profile from a location outside the pupsave, like another pup, or from a fresh pupsave it's not overly complex.

Here's how simple it is, step by step:

1. In a terminal: mkdir /mnt/home/librewolf-img (makes a folder to store the appimage)

2. Download the LibreWolf v127..0.1-1 appimage by pasting this link in a browser: https://gitlab.com/api/v4/projects/2438 ... 4.AppImage

3. Move or copy the appimage from your download folder to the folder /mnt/home/librewolf-img

3. In a terminal: chmod 777 /mnt/home/librewolf-img/LibreWolf.x86_64.AppImage (makes the appimage executable)

4. Click the appimage in Rox, it should run if bookworm is setup like other puppies.

5. If it runs successfully, shut down LibreWolf.

6. In a terminal: cp -arv /root/.librewolf /mnt/home/librewolf-img (copies the newly created profile folder to the portable location)

7. In a terminal: rm -r /root/.librewolf (deletes the created profile from root)

8. In a terminal: ln -s /mnt/home/librewolf-img/.librewolf /root (symlinks the profile back into root)

That's all, next time you run LibreWolf all your profile changes will be stored in /mnt/home/librewolf-img/.librewolf. If you want to use LibreWolf in fossapup, just do step number 8 in fossapup BEFORE running LibreWolf. That's all you will have to do going forward to run LibreWolf with your saved profile changes from other OS's/saves.

Of course all of those steps can be done from a gui file manager like rox, instead of from a terminal. But the terminal commands are easier to communicate.

Governor wrote: Fri Jul 26, 2024 5:01 pm

If I install a non-portable Librewolf, will I be able to save my profile and settings and install them to a different install of LibreWolf later?

Maybe copying the profile folder to a different install will work just fine, but if for some reason the two LibreWolf installs aren't the same version or configured quite the same, it could be buggy. It might be possible to import profile from within LibreWolf also.

And btw, here's the page to get the latest updates (or older versions) of LibreWolf appimages: https://gitlab.com/librewolf-community/ ... -/releases

geo_c
Old School Hipster, and Such

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

geo_c wrote: Fri Jul 26, 2024 6:43 pm

2. Download the LibreWolf v127..0.1-1 appimage by pasting this link in a browser: https://gitlab.com/api/v4/projects/2438 ... 4.AppImage

I would not use that url as it points to a specific (and old) version of the software.
I'd rather have this link bookmarked https://librewolf.net/installation/linux/ and manually download the latest version, or, for a quicker download, have this direct link bookmarked to get the latest one

Code: Select all

https://gitlab.com/api/v4/projects/24386000/packages/generic/librewolf/latest/LibreWolf.x86_64.AppImage

it is important to use the latest versions as they include known security fixes, among other.

geo_c
Posts: 2883
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 2208 times
Been thanked: 880 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by geo_c »

darksun wrote: Fri Jul 26, 2024 6:55 pm
geo_c wrote: Fri Jul 26, 2024 6:43 pm

2. Download the LibreWolf v127..0.1-1 appimage by pasting this link in a browser: https://gitlab.com/api/v4/projects/2438 ... 4.AppImage

I would not use that url as it points to a specific (and old) version of the software.
I'd rather have this link bookmarked https://librewolf.net/installation/linux/ and manually download the latest version, or, for a quicker download, have this direct link bookmarked to get the latest one

Code: Select all

https://gitlab.com/api/v4/projects/24386000/packages/generic/librewolf/latest/LibreWolf.x86_64.AppImage

it is important to use the latest versions as they include known security fixes, among other.

Yes I understand, the reason I'm pointing @Governor to v127 is because I believe he pointed out the recent changes in v128 that he is not on board with, namely that Mozilla will be storing certain data.

geo_c
Old School Hipster, and Such

darksun
Posts: 128
Joined: Tue Dec 19, 2023 10:12 am
Location: behind a vpn
Has thanked: 53 times
Been thanked: 39 times

Re: How to eliminate DNS leaks [Bookworm64_10.0.6]

Post by darksun »

I would not trade off security for that reason if I were you.
Furthermore, if Librewolf is a privacy focused browser they should ship it with that thing removed, Firefox is open source.

I still recommend mullvad web browser over Librewolf , that is my opinion.

Post Reply

Return to “Beginners Help”