Odroid HC-2 OMV Circumventing DHCP Supplied DNS Servers (DNS Leak) Contacting Multiple Servers After Initial Boot


      Odroid HC-2 install. Noticed right after first boot OMV tried to circumvent my DHCP supplied DNS servers by putting 1.1.1.1 at top of resolv.conf (constantly rewrites to ensure that 1.1.1.1 is always the first DNS server) and then tried to contact multiple Internet servers. I did not request any system updates. Does anybody know the purpose of all this? Firewall log attached.
      Files
      • OMV.txt

    • administrator32 wrote:

      Does anybody know the purpose of all this?
      This isn't OMV doing this. It is the armbian image and it is probably a dhclient.conf setting specific to the image.


      administrator32 wrote:

      I did not request any system updates. Does anybody know the purpose of all this? Firewall log attached.
      You didn't read the readme from the download site. One of the first things the system does is fully update.
      omv 4.1.22 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • For anybody that's interested in this I've found the following file in /etc/resolvconf/resolv.conf.d/head. This file has the offending server 1.1.1.1 in it as the only entry. The name of the file is "head" like in first place. I deleted the line in the file and rebooted. Now 1.1.1.1 is no longer listed first or at all in resolv.conf. I don't know if this will last but indeed it does look like an Armbian thing. I do not like it at all.
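An audit of the behaviour described in the post above, as an added example that is not part of the original post or of Armbian/OMV: it lists static `nameserver` entries in the resolvconf `head` file and flags any resolver in `resolv.conf` that is not on an approved list. The function names and the DHCP-supplied address 192.168.1.1 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit resolver configuration for entries that did not come from DHCP.

# Print the address from every "nameserver" line of a file, in file order.
list_nameservers() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# audit_resolvers RESOLV_CONF HEAD_FILE APPROVED_IP...
# Prints one finding per line and returns 1 if anything unapproved is found.
audit_resolvers() {
    ar_resolv=$1; ar_head=$2; shift 2
    ar_allowed=" $* "; ar_rc=0; ar_pos=0

    # Static entries in the head file are prepended each time resolv.conf
    # is regenerated, so a hand edit of resolv.conf alone does not stick.
    for ar_ns in $(list_nameservers "$ar_head"); do
        case $ar_allowed in
            *" $ar_ns "*) ;;
            *) echo "HEAD_STATIC $ar_ns"; ar_rc=1 ;;
        esac
    done

    # Effective resolver order: position 1 is queried first.
    for ar_ns in $(list_nameservers "$ar_resolv"); do
        ar_pos=$((ar_pos + 1))
        case $ar_allowed in
            *" $ar_ns "*) ;;
            *) echo "UNAPPROVED $ar_ns position=$ar_pos"; ar_rc=1 ;;
        esac
    done
    return "$ar_rc"
}

# Constructed sample reproducing the thread: DHCP supplied 192.168.1.1
# (assumed value) while the image's head file pins 1.1.1.1 ahead of it.
demo_constructed() {
    dc_dir=$(mktemp -d) || return 2
    printf '# head\nnameserver 1.1.1.1\n' > "$dc_dir/head"
    printf 'nameserver 1.1.1.1\nnameserver 192.168.1.1\n' > "$dc_dir/resolv.conf"
    dc_rc=0
    audit_resolvers "$dc_dir/resolv.conf" "$dc_dir/head" 192.168.1.1 || dc_rc=$?
    rm -rf "$dc_dir"
    return "$dc_rc"
}

demo_constructed || true
```

On a real system, call `audit_resolvers /etc/resolv.conf /etc/resolvconf/resolv.conf.d/head` followed by the resolver addresses your DHCP server hands out.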


    • tkaiser wrote:

      Which is even more shitty than 1.1.1.1
      I changed Armbian defaults from 8.8.8.8 to 1.1.1.1 a while ago while still not knowing why 'Armbian headquarters' started to overwrite DNS settings in the first place.

      It's been a long time since I installed omv, and then it was 8.8.8.8
      I did not raise this topic because it seemed rather insignificant. And almost everyone is able to fix in 5s. There is also a large group who does not know about it and does not care.

      I personally prefer dns from ISP. No publicly available ns is faster in my case than those from the ISP and I tested... grc.com/dns/benchmark.htm


      From a privacy point of view, they spy on us wherever they can so....
    • The problem we have is that most people have no idea how one's privacy is compromised by little unpublished/under-published "software quirks" like this and they are not understood by most people. I would recommend all freedom loving people pay attention to things like this and educate yourself if necessary.

      In my case, I route everything through a trusted VPN. I don't care if I'm studying basket weaving I don't want a lifelong record of every website I have ever visited stored at Google or anywhere else.

      So getting back to this little DNS quirk in Armbian, that little trick would, if I didn't have firewall rules in place to block it, have sent all the DNS requests originating from OMV computer to a commercial DNS provider (Cloudflare) who would have stored it for I don't know how long and shared/sold/turned it over to whomever without me ever knowing about it thinking I was using my trusted VPN DNS servers provided by my DHCP configuration. Black mark for Armbian in my book.

      Most people forget about DNS requests when they think about privacy. Recording your DNS requests makes a nice concise record of everywhere you visited, from where you connected, along with the date and time. This is called a DNS leak!


    • administrator32 wrote:

      Black mark for Armbian in my book
      You might want to consider reporting this over at Armbian (I won't do it since I gave up on fixing stuff there). But IIRC the 'DNS leak' has been fixed in the meantime with latest images but I don't know whether DNS behavior gets fixed by updates.

      JohnStiles wrote:

      I personally prefer dns from ISP.
      Me as well. But here at OMV we have even guides for installing Pi-Hole (for 'privacy') recommending to set 8.8.8.8 as DNS provider...
    • tkaiser wrote:

      You might want to consider reporting this over at Armbian (I won't do it since I gave up on fixing stuff there). But IIRC the 'DNS leak' has been fixed in the meantime with latest images but I don't know whether DNS behavior gets fixed by updates. Me as well. But here at OMV we have even guides for installing Pi-Hole (for 'privacy') recommending to set 8.8.8.8 as DNS provider...

      Well ... I have a mixed opinion about public ns. On the other hand, people are tracked and data about them are much more collected using other solutions than dns alone. Although the dns data collection at such a scale as 8.8.8.8 is certainly a good $$$

      Personally, I use PiHole which only uses ns from ISP. All traffic is cut out on the firewall and I only allow two specific ns. Although I've been thinking about pfsense + pfblocker lately. These toys from netgate with arm and pfsense look interesting though a little too expensive imho.





      A question from a completely different field.


      Perhaps you are able to recommend some gui for the firewall linux. I have a few users who before the end of 2019 want to move from windows 7 to Mint but ask for a graphic alternative with similar capabilities like for example comodo firewall. Is there anything sensible now that has an active dev or only Gufw? Maybe you know something about the subject ....
    • administrator32 wrote:

      The problem we have is that most people have no idea how one's privacy is compromised by little unpublished/under-published "software quirks" like this and they are not understood by most people. I would recommend all freedom loving people pay attention to things like this and educate yourself if necessary.

      In my case, I route everything through a trusted VPN. I don't care if I'm studying basket weaving I don't want a lifelong record of every website I have ever visited stored at Google or anywhere else.

      So getting back to this little DNS quirk in Armbian, that little trick would, if I didn't have firewall rules in place to block it, have sent all the DNS requests originating from OMV computer to a commercial DNS provider (Cloudflare) who would have stored it for I don't know how long and shared/sold/turned it over to whomever without me ever knowing about it thinking I was using my trusted VPN DNS servers provided by my DHCP configuration. Black mark for Armbian in my book.

      Most people forget about DNS requests when they think about privacy. Recording your DNS requests makes a nice concise record of everywhere you visited, from where you connected, along with the date and time. This is called a DNS leak!
      I can agree.
      Although there really is no such thing as a trusted VPN. There is only hope that he is trusted.
      Someone will always collect some % of information on the user.
      It does not matter whether VPN or TOR something will always flow out to the surface somewhere. And let's not forget about javascript dns leak.

      Actually, without a firewall, it is not worth to connect the machine to the network. Many people do not understand this.
      If I told someone to prepare an omv firewall, many would say, 'but why should I have one, I have an omv behind NAT'.
      Imho the best rule is to have a firewall and block everything in / out and allow only consciously on the selected network traffic.
      Well, sometimes it is also necessary to have traffic control not only on the basis of protocol / ip / port but also to look after the process / application.
    • administrator32 wrote:

      I for one would vote for no updates until requested by the user.
      Updates fix problems and lower the number of times the images need to be updated. What is your reasoning for not updating? Most users using the arm images are not experienced Linux users and may not ever update. If you don't want it updated, install Debian then OMV.

      As for the dns on the image, who cares if they have a permanent record of your system hitting the debian servers. Once the image is up, fix it or block it with your firewall like you did. I hate adding shit like this to omv-extras to fix this but I will look into it.
    • tkaiser wrote:

      OMV we have even guides for installing Pi-Hole (for 'privacy') recommending to set 8.8.8.8 as DNS provider..
      It doesn't recommend it. It uses it as an example. The guide now has instructions on running unbound to eliminate using public or isp dns now - [How To] Install Pi-Hole in Docker: Update 01/18/19 - Adding Unbound, a Recursive DNS Server.