Jump to content

John Mason: 10 of 15 Chrome VPN extensions can leak DNS


Radpop

Recommended Posts

John Mason: 10 of 15 Chrome VPN extensions can leak DNS

 

A test conducted by cybersecurity researcher John Mason of theBestVPN found 10 of 15 Chrome VPNs leaked queries from domain name servers (DNS), or the protocol used to translate a normal domain name to an IP address so a browser can load it. The issue stems from a Chrome feature called DNS prefetching, which is designed to reduce latency by guessing what website you’re about to visit and pre-loading its IP address. For example, if you hover over a link, Chrome will make a DNS request, so the site loads faster once you press on it.

 

“VPN extensions shouldn’t leak DNS data as it’s similar to IPs, can be used to see where a user is and one major use of VPNs is anonymity. They should block all kinds of outgoing DNS queries while they are running or route it through them, Mason wrote.”

 

Mason posted a list of the 10 VPN extensions he tested that leaked DNS requests: Hola VPN, OperaVPN, TunnelBear (fixed today), HotSpot Shield (fixed today), Betternet, PureVPN, VPN Unlimited, ZenMate VPN, Ivacy VPN and DotVPN.

 

VPNs that don’t leak: NordVPN, WindScribe, CyberGhost, Private Internet Access and Avira Phantom VPN.

 

Solution: Go to settings and disable the option 'Use a prediction service to help complete searches and URLs typed in the address bar' and 'Use a prediction service to load pages more quickly'.

 

To test if your VPN is vulnerable, do the following test:
- Activate the Chrome plugin of your VPN
- Go to chrome://net-internals/#dns
- Click on “clear host cache”
- Go to any website to confirm this vulnerability

 

 

 

Sources:
https://thebestvpn.com/chrome-extension-vpn-dns-leaks/

https://www.dailydot.com/debug/vpn-leak-dns-data/

 

Link to comment
Share on other sites


  • Replies 10
  • Views 1.3k
  • Created
  • Last Reply

Extensions are not really  vpns  no way they only change ip /dns in you're browser .. A good vpn with it's own software  will change you're ip /dns system wide and not leak because the client has been  auto configured to plug the hole  . If i want to use kodi  or another media player  to stream  , a download manger. p2p software  and extension want protect us  like a vpn does .

 

So there a glorified proxy and many of them are  free  and can't even be trusted  like Hola , witch was caught turning everyone who used it's pc into a botnet  and other free ones sell you're data . So this article is kind of confusing there comparing browsers plugins with real vpns paid and free? 

 

All you have to do is set up a 3rd party dns like opennic  the servers  that don't  log  system wide and no vpn/proxy  will ever leak again you're real dns .  Just because they may not leak on  Windows don't mean they not  leaking in Linux because  many vpns on Linux above don't  have there own software  with dns leak protection and are used with openvpn software instead, so  it's always best to  check  the dns   if its leaking and plug any holes before using a vpn.  :tooth:

 

Here are some sites to check dns on

https://ipleak.net/

https://www.dnsleaktest.com/

Link to comment
Share on other sites


26 minutes ago, steven36 said:

Here are some sites to check dns on

https://ipleak.net/

https://www.dnsleaktest.com/

 

They are but normal way to check DNS leak is useless. DNS leak test services are unable to detect this kind of DNS leak because the DNS requests are only issued under specific circumstances. Right method was described in first post. :excl:  

Link to comment
Share on other sites


58 minutes ago, Radpop said:

 

They are but normal way to check DNS leak is useless. DNS leak test services are unable to detect this kind of DNS leak because the DNS requests are only issued under specific circumstances. Right method was described in first post. :excl:  

For me I dont need  to do this  all i have to do is put in a address that don't resolve like http://www.gonieggoo.com/  if my dns is leaking when i type that in my isps search engine will appear and i know it's leaking  if its not leaking it will say server not found. Always my ISP will give itself away because it will try to resolve the dead link  and when it can't it will open up the search engine . I been using this trick for years and sooner or latter you going to make a mistake are run into a dead site and it will give itself away.DNS Prefetching is nothing new it's a problem in Firefox as well  the difference is you can turn it  off in Firefox in advanced settings .

 

Quote

 

DNS Prefetching

Firefox attempts to speed up loading new websites by using DNS Prefetching, which can cause page load errors with some system configurations. To disable DNS Prefetching:

  1. In the address bar, type about:config and press EnterReturn.

    • The about:config "This might void your warranty!" warning page may appear. Click I'll be careful, I promise!I accept the risk! to continue to the about:config page.
  2. Right-clickHold down the Ctrl key while you click in the list of preferences, select New, and then select Boolean.
  3. In the Enter the preference name field, enter network.dns.disablePrefetch and click OK.
  4. Select true when prompted to set the value and click OK.

 

It has been considered a hole in browsers for years  and is recommenced to be disabled when harding Firefox. Theres all kinds of holes in  browsers many we already know about, if you're and advanced  user  , and there are many holes we don't know about and these are the ones that i'm trying to find out about.

 

    Link to comment
    Share on other sites


    17 minutes ago, steven36 said:

    For me I dont need  to do this

     

    Nice to hear that You are safe. But over 15 000 000 VPN extension users can leak their DNS to ISP because of this issue and any normal DNS leak test can't alarm them. This news are relevant to many.

     

    I don't use any extensions but today I find ipv6 DNS leak before I read this article. This haven't caused me any privacy issue because I had ticked ipv6 off a year ago when NordVPN was leaking ipv6 DNS.

     

    Meanwhile, TunnelBear is fixed.

     

    Avira seems to be good VPN, speedy and safe but German. :thumbsup:

    Link to comment
    Share on other sites


    1 hour ago, Radpop said:

     

    Nice to hear that You are safe. But over 15 000 000 VPN extension users can leak their DNS to ISP because of this issue and any normal DNS leak test can't alarm them. This news are relevant to many.

     

    I don't use any extensions but today I find ipv6 DNS leak before I read this article. This haven't caused me any privacy issue because I had ticked ipv6 off a year ago when NordVPN was leaking ipv6 DNS.

     

    Meanwhile, TunnelBear is fixed.

     

    Avira seems to be good VPN, speedy and safe but German. :thumbsup:

    No matter  what you do there going always be holes in browsers all  of them have a timezone vulnerability  except for tor browser and I have and addon  that work in waterfox ,cyberfox , Firefox ESR that i can change timezones but don't work in new browsers, only thing you can do when using chrome is change you're system clock ,  There is many holes in Firefox you  can disable  that can only be worked around on Chrome .So its best to use Firefox or a fork  as default and just use Chrome for a spare browser,

     

    Firefox prefetching: what you need to know April 27, 2013

    https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/

     

    Very old hole indeed :P

     

    PS : As far as Avira me got a free  one year giveaway to that one around xmas  for Windows and i tested it,  it was so slow i uninstalled  it and paid for another vpn that I  had been using  that don't have speed issues . I use mine to  dl big files and streaming .

    Link to comment
    Share on other sites


    17 hours ago, steven36 said:

    So its best to use Firefox or a fork...

     

    Firefox existed before Chrome and when Chrome was created, they were two different browsers. Now Chrome is Chrome :win: and Firefox is Chrome's clone. Why have to have two flea bags? Firefox :food: or it's forks can add nothing to Chrome except Tor Browser if needed. There are some good Chrome forks which can add more functionality to browsing, such Yandex or Opera.

     

    17 hours ago, steven36 said:

    Avira me got a free  one year giveaway to that one around xmas  for Windows and i tested it,  it was so slow

     

    Phantom is getting better and better... Did you use their own DNS servers or your own DNS solution. This can make a big difference. I get about 90 % of ISPs speed from any Avira server. :rockon:

    Link to comment
    Share on other sites


    6 hours ago, Radpop said:

    Firefox is Chrome's clone

    This only in the sense of what extensions  and the  compositor it uses  but even this  not a clone its a fork ,  Chrome  uses the  Chromium engine and Firefox uses  Gecko engine so its not even close  .  Firefox  Quantum project is composed of several sub-projects most of them have nothing to do with Chromium. Google Chrome is just a fork itself of Open Source Chromium with closed source stuff added to it anything closed source cant be forked . There are no real cloned browsers in the world of  Open Source thats what  Open Source is all about is forking and being able to use the same components  to make software  . But Firefox is not a Fork  of  Chromium like Chrome is.

     

     

    6 hours ago, Radpop said:

    . Did you use their own DNS servers or your own DNS solution

    I used  it the way it was with there VPN  DNS servers  and this just a few months ago  and they have no Linux support and i still had some days left for my other vpn that gave me no problems for the past few years and has Linux software so i renewed it and removed Phantom from windows . A vpn just for windows is not very interesting to me, i stay on Linux  all the time I  don't really use Windows anymore ,even though i have it and keep it maintained  i may boot in to windows 2 or 3 times a month.

    Link to comment
    Share on other sites


    On 4/4/2018 at 11:05 PM, steven36 said:

    I have and addon  that work in waterfox ,cyberfox , Firefox ESR that i can change timezones but don't work in new browsers

    are you referring to CHANGE TIMEZONE (TIME SHIFT) or any other one ?

    Link to comment
    Share on other sites


    On 4/4/2018 at 6:44 PM, Radpop said:

    Mason posted a list of the 10 VPN extensions he tested that leaked DNS requests: Hola VPN, OperaVPN, TunnelBear (fixed), HotSpot Shield (fixed), Betternet, PureVPN, VPN Unlimited, ZenMate VPN, Ivacy VPN and DotVPN.

     

    VPN Unlimited in interesting name on the leak list. How 'everything' can fail and be repaired in three weeks? :nono:

     

    Restore Privacy tested it :thumbsdown: (1.5/5) 17.1.2018:
    "Despite having all of the privacy and security settings enabled, I still found active IPv6, WebRTC, and DNS leaks... With every server I tested using the Windows client, there were IPv6 leaks, WebRTC leaks and DNS leaks." VPN Unlimited has connection problems and no kill switch, bad combination for privacy. Furthermore, VPN Unlimited is US-based and keeps logs.
    https://restoreprivacy.com/vpn-unlimited-review/

     

    PCMag rated it as excellent :thumbsup: (4/5) 7.2.18: "VPN Unlimited has it all, including affordable and flexible pricing, solid speed test performance, and advanced features."
    http://uk.pcmag.com/vpn-unlimited/78538/review/keepsolid-vpn-unlimited

     

    What are these advanced features plus VPN Unlimited Chrome extension leak? :tooth:


     

    Link to comment
    Share on other sites


    On 4/4/2018 at 9:51 PM, steven36 said:

    For me I dont need  to do this  all i have to do is put in a address that don't resolve like http://www.gonieggoo.com/  if my dns is leaking when i type that in my isps search engine will appear and i know it's leaking  if its not leaking it will say server not found. Always my ISP will give itself away because it will try to resolve the dead link  and when it can't it will open up the search engine . I been using this trick for years and sooner or latter you going to make a mistake are run into a dead site and it will give itself away.DNS Prefetching is nothing new it's a problem in Firefox as well  the difference is you can turn it  off in Firefox in advanced settings .

     

    It has been considered a hole in browsers for years  and is recommenced to be disabled when harding Firefox. Theres all kinds of holes in  browsers many we already know about, if you're and advanced  user  , and there are many holes we don't know about and these are the ones that i'm trying to find out about.

     

    Are you sure this will not open more loop holes?

     

    Also, are there any other configuration that can be made to better protect browser?

    Link to comment
    Share on other sites


    Archived

    This topic is now archived and is closed to further replies.

    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...