DNS hijacking?



  • After setting up pfSense with DNS leak protection I have been noticing that in the logs both my iPhone and iPad are trying to contact an unknown DNS server.
    When I Google the IP address 198.19.254.11:53, I find no user-entered comments at all, and the only indication that this IP address actually belongs to US California is from an IP lookup webpage with a .cn extension.

    The fact that there are no user comments or other information available regarding this IP address is a bit suspicious.

    Another mystery is that my iPad doesn't have any mobile network capabilities; it only has Wi-Fi.
    And I have entered a custom DNS IP in the Wi-Fi configuration, so why is my iPad trying to contact a DNS server other than the one I have entered?



  • Instead of trying to figure it out, just block all DNS traffic except to your approved DNS or forward it by rule.  If that breaks anything, you'll know about it soon enough.



  • There are many threads on this happening to DNS.  It can happen when using either DNS forwarder or with DNS resolver.  Using DNS resolver with correct settings, DNSSEC and "Harden Glue" usually fixes things unless the problem is with the client machine itself.



  • Can DNS forwarder be replaced by DNS resolver and still provide solid DNS leak protection?

    My problem is that the guide I used to set up my pfSense DNS leak protection relies on using the DNS forwarder:
    https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/#entry16207

    How do I set up DNS resolver to replace DNS forwarder in this case?



  • OK - First you have to configure pfSense correctly to use only the DNS you want.

    Then you configure your VPN client machine to only use pfSense.  That's 1 private IP listed as DNS.  No more.
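The two suggestions above ("block all DNS traffic except to your approved DNS or forward it by rule" and "configure pfSense to use only the DNS you want, then point clients at pfSense") can be expressed as a single pf.conf fragment. This is an added example written for this thread, not configuration from the original posts, from the AirVPN guide, or from pfSense itself; on pfSense the same rules are created in the GUI (Firewall > NAT > Port Forward and Firewall > Rules), and the interface names, addresses and table name below are assumptions chosen for illustration.

```pf
# Added example (not from the thread or from pfSense): force all LAN DNS to the
# firewall's own resolver and drop anything that still tries to go elsewhere.
# Interface names and addresses are assumptions for illustration only.
lan_if   = "em1"          # assumed LAN interface
vpn_if   = "ovpnc1"       # assumed VPN tunnel interface
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"  # the pfSense LAN address clients should use for DNS

# Resolvers the firewall's own Unbound/dnsmasq may talk to (assumed address,
# e.g. the VPN provider's resolver reachable only through the tunnel).
table <approved_dns> { 10.4.0.1 }

# Translation: any DNS query from the LAN that is not already addressed to the
# firewall is rewritten to the firewall's resolver. A client with a hard-coded
# DNS server (the iPad above) is answered by pfSense without noticing.
rdr on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_addr port 53 -> $lan_addr port 53

# Filter on the LAN side: allow queries to the firewall, drop and log the rest.
# pf rewrites the destination before filtering, so the block rule only fires if
# the redirect is ever disabled, which is exactly when a log entry is wanted.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $lan_addr port 53
block drop in log quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53

# Filter on the firewall's own outbound queries: only the approved resolvers,
# and only through the tunnel, so nothing leaks out the WAN if the VPN drops.
pass out quick on $vpn_if inet proto { tcp, udp } from any to <approved_dns> port 53
block drop out log quick inet proto { tcp, udp } from any to any port 53
```

Whatever the log rule catches afterwards is worth reading: 198.18.0.0/15, which contains 198.19.254.11, is reserved for network benchmarking (RFC 2544) and should never be a public resolver, which is also why whois and comment lookups for it come up empty. Seeing it in the block log after the redirect is in place tells you which clients carry their own DNS configuration rather than honouring the one handed out by pfSense.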



  • @kejianshi:

    There are many threads on this happening to DNS.  It can happen when using either DNS forwarder or with DNS resolver.  Using DNS resolver with correct settings, DNSSEC and "Harden Glue" usually fixes things unless the problem is with the client machine itself.

    Can you give me a link where this DNS leak is being discussed?



  • @Mithrondil:

    @kejianshi:

    There are many threads on this happening to DNS.  It can happen when using either DNS forwarder or with DNS resolver.  Using DNS resolver with correct settings, DNSSEC and "Harden Glue" usually fixes things unless the problem is with the client machine itself.

    Can you give me a link where this DNS leak is being discussed?

    https://forum.pfsense.org/index.php?topic=87491.0
    https://forum.pfsense.org/index.php?topic=88466.0

    Those are two of the main ones.



  • OK, I think I know what's going on now. Thank you, Google.