DNS leaks problem

If you’ve already opened the "Tor log" tab in Mask Surf, you might have noticed some notifications about possible data leaks through DNS. These messages look like this: "Your application (using socks4 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS".
What are the possible repercussions and how to avoid them?

First of all, every site is reached by its IP address, without exception. Since the IP addresses of different sites are hard to memorize, the Domain Name System (DNS) maps memorable names onto them. When you type a domain name into the address bar (for instance, google.com), your browser sends a query to a DNS server (the resolver), which returns the IP address of google.com; only then can the browser connect to the site.

What are the risks?

By default, your computer uses the DNS resolver your provider assigns when the connection is set up, and that resolver can log every name it is asked to look up. For example, when you open http://finance.yahoo.com/q?s=EURUSD=X, your browser first sends a DNS query for finance.yahoo.com, in plaintext on UDP port 53. The query does not carry the path (/q?s=EURUSD=X), but the provider's resolver still learns that you wanted finance.yahoo.com, on which day and at what time. By keeping those queries, the provider knows which sites its clients visit even when they use Mask Surf Pro, which encrypts the traffic itself and hides its destination: the lookup happens before the connection and goes straight to the resolver, not through Tor. Internet providers have your name, address and sometimes your ID details, and third parties can obtain those browsing records from the provider through formal requests or informal contacts.
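To make concrete what a provider (or anyone else on the path) can read, here is an added example that is not code from the Mask Surf page or product: it builds a DNS A query in RFC 1035 wire format, recovers the name from the raw packet the way a passive observer would, and runs that over a few constructed UDP datagrams. The addresses (192.0.2.x, 198.51.100.x, both documentation ranges) and the datagrams are made up for the example. The point is that the hostname, but not the URL path, is readable, and that it stays readable whichever resolver the query is sent to.

```python
"""Added example (not from the Mask Surf page): what a plaintext DNS query on
UDP port 53 exposes to the provider, shown on constructed packets."""
import struct

DNS_PORT = 53


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record (RFC 1035 wire format).

    Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    Question: length-prefixed labels, terminating zero, QTYPE=A, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    return header + question


def qname_from_query(packet: bytes) -> str:
    """Read the queried name back out of a raw DNS query.

    Nothing in the packet is encrypted, so anyone who can see the datagram
    (the provider included) can do exactly this. Queries carry no name
    compression pointers, so a plain label walk is enough here.
    """
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def provider_view(datagrams):
    """What a passive observer at the provider learns from UDP traffic.

    datagrams: iterable of (src_ip, dst_ip, dst_port, payload).
    Returns (dst_ip, hostname) for every DNS query, whichever resolver it
    was sent to: a public resolver hides nothing from the wire.
    """
    seen = []
    for _src, dst, dport, payload in datagrams:
        if dport != DNS_PORT:
            continue  # only port-53 traffic is inspected here
        try:
            seen.append((dst, qname_from_query(payload)))
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # not a well-formed query
    return seen


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts):
# the user at 192.0.2.10 asks the provider's resolver for one name, a public
# resolver for another, and then opens a TLS connection to a web server.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "192.0.2.1", 53, build_dns_query("finance.yahoo.com")),
    ("192.0.2.10", "8.8.8.8", 53, build_dns_query("www.torproject.org")),
    ("192.0.2.10", "198.51.100.7", 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for resolver, name in provider_view(SAMPLE_DATAGRAMS):
        print(f"query to {resolver}: {name}")
```

Run against the sample traffic, provider_view reports both names, the one sent to the provider's own resolver and the one sent to 8.8.8.8; the TLS datagram on port 443 contributes nothing, which is exactly what Mask Surf Pro's encrypted tunnel buys you for the connection itself.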

How can you mitigate these risks or avoid them altogether?

There are different solutions for this problem. Starting from version 1.3, Mask Surf Everything forwards all DNS requests from all programs through the anonymous Tor network, so no lookup reaches the provider at all. If you use Mask Surf Pro and are happy with it, you can partially solve the problem by making a minor change to your Internet connection settings.
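The fix the Tor log message itself recommends is to hand Tor the hostname rather than resolving it locally. The following added example (not part of the Mask Surf page or product) shows the bytes on the wire for a SOCKS4 CONNECT, which carries only an IP address and therefore forces the application to do the DNS lookup outside Tor, next to the SOCKS4a and SOCKS5 forms that carry the hostname, plus a small classifier that tells the two cases apart. The connect_via_tor function assumes a Tor SOCKS listener on 127.0.0.1:9050 (Tor's default; the port Mask Surf uses is not stated on this page) and is not exercised by the checks.

```python
"""Added example (not from the Mask Surf page): why a SOCKS4 CONNECT leaks DNS
and how SOCKS4a / SOCKS5 hand the hostname to Tor instead."""
import socket
import struct

# Assumed Tor SOCKS listener (Tor's default port); Mask Surf's own port is not
# given on the page.
TOR_SOCKS_HOST, TOR_SOCKS_PORT = "127.0.0.1", 9050


def socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    The request has room for an IPv4 address only, so the application must
    have called gethostbyname() (or similar) first, sending that lookup to
    the local resolver outside Tor. This is the leak the Tor log warns about.
    """
    return struct.pack("!BBH", 4, 1, port) + socket.inet_aton(ip) + userid + b"\x00"


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: DSTIP set to the invalid 0.0.0.1 and the hostname
    appended after the USERID; Tor resolves it at the exit relay."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def socks5_connect(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=3 (domain name), sent after the method
    negotiation (05 01 00 for 'no authentication')."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return struct.pack("!BBBBB", 5, 1, 0, 3, len(name)) + name + struct.pack("!H", port)


def socks_request_leaks_dns(request: bytes) -> bool:
    """True when the client resolved the name itself (a literal address is in
    the request), False when the proxy is asked to resolve a hostname."""
    version = request[0]
    if version == 4:
        ip = request[4:8]
        is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
        return not is_4a
    if version == 5:
        return request[3] != 3  # ATYP 1 = IPv4, 4 = IPv6, 3 = domain name
    raise ValueError("not a SOCKS4/4a/5 CONNECT request")


def connect_via_tor(hostname: str, port: int, timeout: float = 30.0) -> socket.socket:
    """Open a TCP stream to hostname:port through Tor with SOCKS4a, so that no
    DNS query leaves the machine. Needs a running Tor; not used by the checks."""
    s = socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout=timeout)
    s.sendall(socks4a_connect(hostname, port))
    reply = s.recv(8)
    # Reply: VN=0, CD=90 means granted; 91-93 are failure codes.
    if len(reply) != 8 or reply[1] != 90:
        s.close()
        raise ConnectionError(f"SOCKS4a request refused: {reply!r}")
    return s
```

The classifier is the check Tor performs when it logs the warning quoted above: a version-4 request whose address field is anything other than 0.0.0.x, or a version-5 request with ATYP 1 or 4, means the client already knows the IP, and the only way it can know it is by having asked a resolver.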

Various public DNS services can be used instead of your provider's servers. Your provider's resolver then no longer sees your queries, so it cannot build a browsing history from its own logs; whoever runs the public resolver can, so with Google Public DNS, for instance, Google rather than your provider holds that information. Pick a service you trust, or one that you believe has no interest in collecting and disclosing your personal information. Keep in mind that the queries still cross your provider's network in plaintext, which is why this is only a partial fix (see the note at the end of this page).

For extra protection, use a public DNS server outside your country, preferably in another region: it puts the resolver's logs out of the easy reach of any party in your own jurisdiction, even if it does not make them unobtainable. For instance, if you live in Europe, pick a DNS service in North America or Asia; if you live in North America, one in Europe or Asia; if you are based in Asia, one in Europe or North America; if you live in Africa, any non-African service, and so on.

Below is a table containing the addresses of public DNS servers, along with their owners and locations.

Name              | DNS IPs                                     | Region                                              | Owner                      | URL
Google Public DNS | 8.8.8.8, 8.8.4.4                            | North America                                       | Google                     | https://code.google.com/speed/public-dns/
OpenDNS           | 208.67.222.222, 208.67.220.220              | North America                                       | OpenDNS                    | https://www.opendns.com
ScrubIT           | 67.138.54.100, 207.225.209.66               | North America                                       | ScrubIT                    | http://www.scrubit.com
DNS Advantage     | 156.154.70.1, 156.154.71.1                  | distributed servers in 15 locations on 5 continents | Neustar                    | http://www.dnsadvantage.com
Sprint            | 204.117.214.10, 199.2.252.10, 204.97.212.10 | North America                                       | Sprint                     | https://www.sprint.net/index.php?p=faq_dns
Norton DNS        | 198.153.192.50, 198.153.194.50              | North America                                       | Symantec Corporation       | https://dns.norton.com
OpenNIC           | see the list below                          | different regions                                   | The OpenNIC Project        | updated list: http://wiki.opennicproject.org/Tier2
SingTel DNS       | 165.21.83.88, 165.21.100.88                 | Asia                                                | SingTel                    | http://www.singnet.com.sg/technical/systeminfo/
BSNL DNS          | 61.1.96.69, 61.1.96.71                      | Asia                                                | Bharath Sanchar Nigam Ltd. | http://www.ap.bsnl.co.in
PowerNS           | 194.145.226.26, 77.220.232.44               | Europe                                              | Hosting-Agency             | http://www.powerns.de/

OpenNIC servers (country of each server in parentheses):
  69.164.196.21 (United States), 128.173.89.246 (United States), 67.212.90.199 (Canada),
  89.185.225.28 (Czech Republic), 217.79.186.148 (Germany), 178.63.26.172 (Germany),
  82.237.169.10 (France), 27.110.120.30 (New Zealand), 192.121.121.14 (Sweden), 192.121.86.100 (Sweden)


Changing your Internet connection settings

Enter the addresses of the selected service in your Internet connection settings: the first as the preferred (primary) DNS server and the second as the alternate. Do not leave the provider's server as the alternate, because Windows falls back to it whenever the preferred server is slow to answer, and the leak returns. The steps are described below.

Windows 7
  1. On your Start menu, open the Control Panel.
  2. Under the Network and Internet section, click View network status and tasks.
  3. In the View your active networks section, click the item to the right of Connections:
  4. On the General tab of the Connection Status window, click Properties.
  5. On the Networking tab of the Connection Properties window select Internet Protocol Version 4 (TCP/IPv4), then click Properties.
  6. On the General tab of the Internet Protocol Version 4 (TCP/IPv4) Properties window, in the lower section, select Use the following DNS server addresses, then type the new addresses into the Preferred DNS server and Alternate DNS server fields.
  7. Click OK and exit all the windows.

Windows XP

  1. On your Start menu, open the Control Panel.
  2. In the Control Panel window, click Network Connections and choose your current connection.
  3. On the General tab of the Connection Status window, click Properties.
  4. On the General tab of the Connection Properties window, scroll down and select Internet Protocol (TCP/IP), then click Properties.
  5. On the General tab of the Internet Protocol (TCP/IP) Properties window, in the lower section, select Use the following DNS server addresses, then type the new addresses into the Preferred DNS server and Alternate DNS server fields.
  6. Click OK and exit all the windows.
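For anyone who would rather script the change than click through the dialogs, here is an added example (not from the Mask Surf page or product) that produces the netsh commands equivalent to the Windows 7 and XP steps above and, on Windows, runs them. The adapter name "Local Area Connection" is an assumption (check yours in the Network Connections folder), the two OpenDNS addresses are taken from the table above, and the commands must be run from an elevated prompt.

```python
"""Added example (not from the Mask Surf page): the netsh equivalent of the
Windows 7 / XP steps above, with the addresses checked before anything runs."""
import ipaddress
import platform
import subprocess


def netsh_dns_commands(interface: str, servers) -> list:
    """Build the netsh commands that set a static resolver list on one adapter.

    The first address becomes the preferred server and the rest are appended
    in order, so every fallback also points at the chosen service rather than
    at the provider. Each address is validated as IPv4 first, so a typo fails
    here instead of halfway through the change.
    """
    if '"' in interface:
        raise ValueError("adapter name must not contain double quotes")
    addrs = [str(ipaddress.IPv4Address(s)) for s in servers]  # ValueError on a bad address
    if not addrs:
        raise ValueError("at least one DNS server address is required")
    cmds = [f'netsh interface ip set dns name="{interface}" source=static addr={addrs[0]}']
    for index, addr in enumerate(addrs[1:], start=2):
        cmds.append(f'netsh interface ip add dns name="{interface}" addr={addr} index={index}')
    return cmds


def apply_dns_servers(interface: str, servers) -> list:
    """Run the commands (Windows only, elevated prompt) and return what was run."""
    cmds = netsh_dns_commands(interface, servers)
    if platform.system() != "Windows":
        raise RuntimeError("netsh is only available on Windows")
    for cmd in cmds:
        subprocess.run(cmd, shell=True, check=True)
    # Print the resulting configuration so the change can be checked by eye.
    subprocess.run("netsh interface ip show dns", shell=True, check=True)
    return cmds


if __name__ == "__main__":
    # Assumed adapter name; on Windows 7 it is usually "Local Area Connection"
    # or "Wireless Network Connection". Addresses: OpenDNS, from the table above.
    apply_dns_servers("Local Area Connection", ["208.67.222.222", "208.67.220.220"])
```

After the change, `netsh interface ip show dns` should list only the chosen service's addresses for that adapter; if the provider's address still appears, the alternate field was not replaced.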

Even after these changes, the Tor log may still warn about possible DNS leaks: the warning is about the application handing Tor an IP address instead of a hostname, and changing resolvers does not alter that. What has changed is where the record of your lookups ends up. The provider can no longer read your browsing history by opening its own resolver's log file; to reconstruct it, it would have to pick the individual DNS queries out of the general traffic on port 53. That analysis is possible, since the queries are not encrypted, but it takes far more effort and providers rarely resort to it. Only routing the lookups through Tor itself, as Mask Surf Everything does from version 1.3, keeps them off the provider's network entirely.