Windows 8+ - ensuring DNS lookups are secure

Starting with Windows 8, Microsoft changed how hostnames are resolved to IP addresses. Whenever an application wants to resolve a hostname, the DNS client sends the query out over all network adapters present in the system in parallel, and the answer from the first adapter that responds is used.

If a user wants to tunnel all traffic over a VPN in a secure manner, this behaviour is undesirable: the queries leave the machine over the physical adapter, outside the tunnel, regardless of which resolver was pushed by the VPN server. In a hostile network environment, a bogus IP address could be returned (redirecting the application to an attacker-controlled host), and even the fact that a DNS lookup for a particular hostname was made leaks information about the user's activity. This is commonly called a DNS leak.

Starting with OpenVPN 2.3.10, a new Windows-specific option, block-outside-dns, was added to block DNS traffic that does not travel through the tunnel. In this recipe, we will show how to use this option.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 8.1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand. For the client, keep the configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks, at hand.

How to do it...

  1. Start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  2. Add the following lines to the basic-udp-client.ovpn configuration file:
            verb 5 
            block-outside-dns 
    
  3. Save this configuration file as example9-9.ovpn. Start the OpenVPN client with this configuration.
  4. After the connection has been established, bring up the Show Status window again and look at the last lines of the connection log:
    (screenshot of the Show Status log window; not reproduced in this extraction)

    In this log, the Windows Filtering Platform (WFP) engine is initialized and dedicated filter rules are added that block DNS traffic (TCP and UDP port 53) on every adapter other than the TAP adapter.

  5. Stop the OpenVPN client and check the log file again. You should see a line indicating that the WFP engine is shut down, thereby removing the filtering rules added by OpenVPN:
            ... Closing TUN/TAP interface 
            ... Uninitializing WFP 
    
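A practical check of what the procedure above achieves is to ask every configured resolver directly and see which ones still answer while the tunnel is up. The following PowerShell script is an added example, not code from the OpenVPN 2 Cookbook or the OpenVPN project; it assumes the TAP adapter's interface alias is "Ethernet 2" and uses www.example.com as the test name (both are placeholders you should adjust). Run it from an elevated or normal PowerShell window on the client while the connection from step 3 is active.

```powershell
# Added example (not from the OpenVPN 2 Cookbook): detect DNS leaks while
# block-outside-dns is active by querying each configured IPv4 resolver.
# Expected result: only the resolver(s) on the TAP adapter return an address;
# every other resolver either errors out or times out.
param(
    # Hostname to look up; any public name both resolvers know (assumption).
    [string]$TestName = 'www.example.com',
    # Interface alias of the OpenVPN TAP adapter (assumption; check Get-NetAdapter).
    [string]$TapAlias = 'Ethernet 2',
    # Per-query timeout in seconds.
    [int]$TimeoutSec = 5
)

# Collect every IPv4 DNS server configured on any adapter, tagged with the
# adapter it belongs to.
$targets = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        foreach ($server in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $alias; Server = $server }
        }
    }

$results = foreach ($t in $targets) {
    # Run each lookup in a background job so a query that is silently dropped
    # by the WFP block filter (no answer, no ICMP) cannot hang the script.
    $job = Start-Job -ScriptBlock {
        param($name, $server)
        try {
            Resolve-DnsName -Name $name -Server $server -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } |
                Select-Object -ExpandProperty IPAddress -First 1
        } catch {
            "ERROR: $($_.Exception.Message)"
        }
    } -ArgumentList $TestName, $t.Server

    if (Wait-Job $job -Timeout $TimeoutSec) {
        $answer = Receive-Job $job
    } else {
        Stop-Job $job
        $answer = 'TIMEOUT (query blocked or server unreachable)'
    }
    Remove-Job $job -Force

    [pscustomobject]@{
        Interface = $t.Interface
        Server    = $t.Server
        Answer    = $answer
        Expected  = if ($t.Interface -eq $TapAlias) { 'answer' } else { 'blocked' }
    }
}

$results | Format-Table -AutoSize

# A leak is any resolver not on the TAP adapter that still returned an address.
$leaks = $results | Where-Object {
    $_.Interface -ne $TapAlias -and $_.Answer -match '^\d+\.\d+\.\d+\.\d+$'
}
if ($leaks) {
    Write-Warning 'DNS leak: queries sent outside the TAP adapter were answered:'
    $leaks | Format-Table -AutoSize
} else {
    Write-Host 'OK: no DNS answers received outside the TAP adapter.'
}
```

Two things to keep in mind when reading the output. First, the WFP filters key on the interface the packet actually leaves on, so a resolver listed under a physical adapter is only blocked if the route to it goes over that adapter; if the server pushes redirect-gateway, a public resolver such as the one a LAN DHCP server handed out may be reachable through the tunnel and will legitimately answer. Second, a blocked query can surface either as a quick socket error or as a timeout, depending on where WFP drops it; the script treats both as "blocked" and counts only a returned IP address as a leak. Run the same script with the tunnel down to confirm that the non-TAP resolvers normally do answer, otherwise a dead LAN resolver would look like a successful block.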

How it works...

With the block-outside-dns directive, a set of Windows Filtering Platform rules is created after the VPN connection has been established. These filter (or firewalling) rules prevent DNS lookups (TCP and UDP port 53) from being sent over any network adapter found on the Windows client, except for queries that leave over the TAP adapter and queries made by the openvpn.exe process itself, so that the hostname on the remote line can still be resolved at reconnect time. The rules apply to every process on the system, not only to OpenVPN. When the OpenVPN connection is terminated, the WFP rules are removed.

There's more...

Be careful when using this option with OpenVPN 2.3 when you have multiple tunnels open simultaneously. In some cases, the WFP rules added by the first tunnel are not restored properly when the second tunnel is shut down, leaving all DNS traffic blocked until the remaining tunnel is also closed. If that happens, stopping every OpenVPN client, or restarting the machine, removes the stale rules.

The option is specific to Windows, because it relies on the Windows Filtering Platform; on Linux and macOS clients the same protection must be provided by the host firewall, for example by permitting outbound port 53 traffic only on the tun interface.
