On Thu, Sep 30, 2021 at 04:06:09PM +0200, Stella Ashburne wrote:
> Based on the above description, do you think that update-resolv-conf in
> Bullseye will leak the IP addresses of my ISP's DNS resolvers?

It's impossible to tell. DNS is a simple L7 protocol, so DNS queries can be
easily routed to any DNS by whoever controls your network. I know because
at my home LAN each and every device uses *my* DNS regardless of what it
wants. I don't need my DNS queries processed by Google and Cloudflare, and
every reasonable person caring about their actual privacy will want the
same.

I had a somewhat different concern - how to prevent public/ISP DNS from
seeing DNS queries that apply to my employer LAN, and direct those to my
employer's DNSes. And, of course, how to direct DNS queries concerning
Internet resources at the proper place - i.e. public/ISP DNS.

I mean, if your concern is to hide your IP from your ISP - consider using
Tor/I2P instead of some random openvpn server operated by $DEITY knows who.
If you do not trust your ISP whom you're paying - there's no reason to trust
a random VPN provider. And both Tor and I2P are much easier to set up than
any kind of VPN client.
Even better yet - do some research on the FreedomBox project. These guys
did it all for you already.

> > Back in the day I solved that problem by using a custom dnsmasq config
> > and a handful of netfilter rules, these days I just use network namespaces.
>
> Would you like to show me how to use network namespaces to solve the
> problems when using update-resolv-conf?

The short answer is - it's not possible to do it this way.

The long answer is:

You need a "networkless environment" in any form. LXC container with lo
interface only will do.
You write your own wrapper for iproute, that creates a network interface (I
use macvlan, but YMMV) inside the container once openvpn "connection" is
established, and sets an appropriate IP/route to that interface.
You modify update-resolv-conf (or better yet - write your own) which runs
resolvconf inside the container.

That way you keep your host free from the hassle of modifying
/etc/resolv.conf and IP routing table, and keep whatever openvpn advertises
to you inside the container.

It may sound a bit involved, but it's the easiest way for me to deal with
the aforementioned problem.

Before you ask - no, I won't share whatever scripts I wrote for this. Their
contents are private.

Reco
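As an added illustration of the approach sketched in the reply above (example code written for this page, not Reco's private scripts): an openvpn up/down hook that keeps the pushed route and DNS inside a network namespace so the host's /etc/resolv.conf and routing table stay untouched. It assumes, unlike the reply, a plain `ip netns` namespace named "vpn" rather than an LXC container, the tun device moved into it rather than a macvlan, and openvpn started on the host with `--script-security 2 --route-noexec --up THIS --down THIS`.

```shell
#!/bin/sh
# Added example, not Reco's scripts: openvpn --up/--down hook that confines
# the VPN's default route and pushed DNS to a network namespace.
# Assumptions (not from the thread): namespace "vpn" created beforehand with
# `ip netns add vpn`; openvpn runs on the host with
#   --script-security 2 --route-noexec --up THIS --down THIS
set -eu
NS="${VPN_NS:-vpn}"

# Turn openvpn's foreign_option_N variables ("dhcp-option DNS 10.8.0.1",
# "dhcp-option DOMAIN corp.example") into resolv.conf lines; these are the
# same pushed options update-resolv-conf parses. Domains are merged into a
# single search line because resolv.conf only honours the last one.
build_resolv_conf() {
    i=1; _search=""
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)           echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN-SEARCH "*) _search="$_search ${opt#dhcp-option DOMAIN-SEARCH }" ;;
            "dhcp-option DOMAIN "*)        _search="$_search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$_search" ]; then echo "search$_search"; fi
}

vpn_up() {
    # Hand the tun device to the namespace and give it the address and
    # default route openvpn would otherwise have installed on the host.
    ip link set dev "$dev" up netns "$NS" mtu "$tun_mtu"
    ip -n "$NS" addr add "$ifconfig_local/${ifconfig_netmask:-30}" dev "$dev"
    ip -n "$NS" route add default via "$route_vpn_gateway"
    # ip-netns(8) bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf
    # for every process started with `ip netns exec $NS ...`, so only those
    # processes see the VPN's resolvers.
    mkdir -p "/etc/netns/$NS"
    build_resolv_conf > "/etc/netns/$NS/resolv.conf"
}

vpn_down() {
    rm -f "/etc/netns/$NS/resolv.conf"
}

# openvpn sets script_type to "up" or "down"; if the file is merely sourced,
# nothing below runs.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Applications that should use the tunnel are then started with `ip netns exec vpn ...`; everything else on the host keeps its usual resolvers and routes.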