The DotVPN DNS over TLS Killswitch feature addresses several critical privacy and security concerns:
DNS Leaks: Without a killswitch, if the DotVPN tunnel drops, the system silently falls back to the DNS servers it learned from DHCP, usually the ISP's. Every lookup from that moment on reveals the sites you visit, in plaintext, to whoever runs those servers.
Unencrypted DNS Traffic: Standard DNS queries travel in plaintext over port 53, so anyone on the path can read and tamper with them. DNS over TLS (DoT) encrypts the query on TCP port 853, but only for queries that actually pass through the DoT resolver; anything still sent to port 53 is exposed.
Lack of Automatic Protection: Users may forget to configure DNS by hand, or a network manager may overwrite the settings, leaving plaintext DNS in use even while DotVPN is connected.
Circumventing VPN Protection: If the DNS settings are not pinned, some queries can still leave outside the tunnel or in plaintext even with an active DotVPN connection (for example to a per-interface server pushed by DHCP). An on-path attacker can then read or spoof the answers and redirect you to a host of their choosing.
Common errors encountered when implementing DotVPN DNS over TLS killswitch functionality include:
Incorrect DNS Server Addresses: A wrong server address, or a #hostname that does not match the server's certificate, makes every query fail in strict DoT mode, since there is no plaintext fallback to mask the mistake.
Firewall Interference: Local or upstream firewalls may block outbound TCP 853. In strict mode this means no resolution at all rather than a silent fallback, which is the intended behaviour but looks like an outage.
Configuration Conflicts: NetworkManager, the VPN client, or DHCP may overwrite /etc/resolv.conf or push per-link DNS servers that take precedence over the global DoT servers, so queries go to an unexpected resolver.
Missing Dependencies: The resolver that speaks DoT, such as stubby or systemd-resolved, might not be installed or enabled.
To diagnose issues with the DotVPN DNS over TLS killswitch:
Check DNS Resolution: Use nslookup google.com to see whether resolution works. If it fails while the tunnel is down, that may be the killswitch doing its job; if it fails while the tunnel is up, there is a DNS problem.
Verify DNS Server: Use resolvectl status (if using systemd-resolved) to see the global and per-link servers and whether +DNSOverTLS is shown as active. On a systemd-resolved system /etc/resolv.conf normally points at the 127.0.0.53 stub and will not list the upstream servers, so inspect it only to confirm the stub is in use.
Firewall Rules: Check that outbound TCP 853 is allowed on the VPN interface and that nothing blocks it on the path to the DoT server.
VPN Connection: Verify the DotVPN connection is active and stable, and note the name of the tunnel interface; the firewall rules below depend on it.
Here are commands to configure DotVPN DNS over TLS killswitch (example using systemd-resolved):
Edit resolved.conf:
sudo nano /etc/systemd/resolved.conf
Add/modify the following lines:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=
Domains=~.
DNSOverTLS=yes
DNSStubListener=yes
The empty FallbackDNS= clears the compiled-in fallback servers, Domains=~. routes every query to the servers above instead of per-link servers pushed by DHCP or the VPN, and DNSOverTLS=yes is strict mode (opportunistic would silently fall back to plaintext). The stub listener must stay enabled: applications reach systemd-resolved through 127.0.0.53, and with DNSStubListener=no glibc would instead send plaintext queries straight to whatever /etc/resolv.conf lists. Make sure /etc/resolv.conf is the symlink to /run/systemd/resolve/stub-resolv.conf.
Restart systemd-resolved:
sudo systemctl restart systemd-resolved
Configure iptables (example):
sudo iptables -I OUTPUT 1 -o lo -j ACCEPT
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 853 -j REJECT --reject-with icmp-port-unreachable
(Replace tun0 with your DotVPN interface name.) The loopback rule goes first because applications query the stub at 127.0.0.53 over lo; without it the REJECT rules would break local resolution as well. Port 853 is confined to the tunnel too: otherwise systemd-resolved would keep resolving when the VPN drops (encrypted, but over the ISP link), and the disconnect test in the sanity checks would pass for the wrong reason. Apply the same rules with ip6tables, insert them ahead of any existing catch-all ACCEPT in the OUTPUT chain rather than appending, and save them (iptables-persistent or your distribution's equivalent) so they survive a reboot.
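The following script is an added example, not DotVPN's or systemd's own tooling. It audits the two artifacts the killswitch depends on, a resolved.conf and an iptables-save dump, for the properties discussed above: strict DoT mode, no fallback servers, stub listener kept, loopback exempted ahead of the REJECT rules, and ports 53 and 853 confined to the tunnel interface. The sample files, their paths and the interface name tun0 are constructed for the demo.

```shell
#!/bin/sh
# Added example: offline audit of a systemd-resolved config and an iptables-save dump
# for the DNS killswitch properties. Sample inputs below are constructed, not captured.

# conf_get KEY FILE: value of the last uncommented KEY= line in an ini-style file.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# audit_resolved FILE: 0 only if resolved is in strict DoT mode with no plaintext path.
audit_resolved() {
    rc=0
    case "$(conf_get DNSOverTLS "$1")" in
        yes) ;;
        *) echo "FAIL resolved: DNSOverTLS must be yes (opportunistic/no fall back to plaintext)"; rc=1 ;;
    esac
    # An explicitly empty FallbackDNS= clears the compiled-in fallback servers.
    grep -q '^[[:space:]]*FallbackDNS[[:space:]]*=[[:space:]]*$' "$1" ||
        { echo "FAIL resolved: add an empty FallbackDNS= to disable fallback servers"; rc=1; }
    # Applications reach resolved via the 127.0.0.53 stub; disabling it sends glibc
    # straight to /etc/resolv.conf entries over plaintext port 53.
    [ "$(conf_get DNSStubListener "$1")" != "no" ] ||
        { echo "FAIL resolved: DNSStubListener=no bypasses the DoT resolver"; rc=1; }
    return $rc
}

# audit_iptables FILE IFACE: 0 only if plaintext DNS and DoT may leave only via IFACE
# and loopback is exempted before the REJECT rules (iptables-save line format).
audit_iptables() {
    f=$1; ifc=$2; rc=0
    for spec in "udp 53" "tcp 53" "tcp 853"; do
        proto=${spec% *}; port=${spec#* }
        grep -Eq "^-A OUTPUT ! -o $ifc -p $proto .*--dport $port .*-j REJECT" "$f" ||
            { echo "FAIL iptables: no REJECT for $proto/$port on interfaces other than $ifc"; rc=1; }
    done
    lo_line=$(grep -nE '^-A OUTPUT -o lo -j ACCEPT' "$f" | head -n 1 | cut -d: -f1)
    first_rej=$(grep -nE '^-A OUTPUT .*-j REJECT' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$lo_line" ]; then
        echo "FAIL iptables: loopback not exempted, so queries to the 127.0.0.53 stub are rejected too"; rc=1
    elif [ -n "$first_rej" ] && [ "$lo_line" -gt "$first_rej" ]; then
        echo "FAIL iptables: loopback ACCEPT sits after a REJECT rule and never matches"; rc=1
    fi
    return $rc
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
# Constructed sample: strict resolver plus firewall confining 53 and 853 to tun0.
cat >"$SAMPLE_DIR/good.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
FallbackDNS=
Domains=~.
DNSOverTLS=yes
DNSStubListener=yes
EOF
cat >"$SAMPLE_DIR/good.rules" <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o tun0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -o tun0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -o tun0 -p tcp -m tcp --dport 853 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
# Constructed sample: the usual mistakes (opportunistic mode, stub off, no lo rule, 853 open).
cat >"$SAMPLE_DIR/bad.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=opportunistic
DNSStubListener=no
EOF
cat >"$SAMPLE_DIR/bad.rules" <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT ! -o tun0 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT ! -o tun0 -p tcp -m tcp --dport 53 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

for name in good bad; do
    echo "== $name =="
    audit_resolved "$SAMPLE_DIR/$name.conf"; r1=$?
    audit_iptables "$SAMPLE_DIR/$name.rules" tun0; r2=$?
    if [ "$r1" -eq 0 ] && [ "$r2" -eq 0 ]; then echo "PASS: killswitch configuration is consistent"; fi
done
```

On a real host, point audit_resolved at /etc/systemd/resolved.conf and feed audit_iptables the output of iptables-save redirected to a file. The script reads only the main resolved.conf, not drop-ins under /etc/systemd/resolved.conf.d, and it checks the IPv4 ruleset only; run it again on an ip6tables-save dump.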
To further harden the DotVPN DNS over TLS killswitch:
Disable DNS Fallback: Ensure the resolver never falls back to plaintext if DoT fails. With systemd-resolved that means DNSOverTLS=yes rather than opportunistic and an empty FallbackDNS=; with stubby, keep TLS as the only transport.
Secure DNS Server Selection: Only use reputable DoT servers, and pin the server's hostname (the #hostname suffix) so the TLS certificate is validated instead of trusting the address alone.
Regularly Update: Keep your system and DNS resolver software updated.
Monitor Logs: Regularly check the resolver's journal and system logs for TLS handshake failures and other DNS-related errors; in strict mode they are the first sign that something is blocking port 853.
Perform these sanity checks to ensure the DotVPN DNS over TLS killswitch is working:
Disconnect DotVPN: Disconnect from DotVPN and verify that DNS resolution fails (queries time out or are refused). If names still resolve, DNS is leaving outside the tunnel and the killswitch is not in effect.
Check DNS Server: With DotVPN connected, use resolvectl status to confirm the configured DoT servers are in use and +DNSOverTLS is active. On a systemd-resolved system /etc/resolv.conf shows only the 127.0.0.53 stub, so it cannot confirm the upstream servers by itself.
Test DNS Leak: Use an online DNS leak test to verify that only the configured DoT provider appears as your resolver and that your real IP address and ISP DNS servers are not exposed.