NordVPN - DNS leak. iPlayer says I am not in the UK

Hello

My setup -

Unifi Dream Machine. NordVPN on the Dream Machine using an OpenVPN profile - which gives me a static IP address on that network.

2 x Raspberry Pis running PiHole

Each client is given both IPv4 addresses of the RPI Pi Holes by DHCP from the Dream Machine.

Both Pi Holes are set to direct outbound DNS to NordVPN's DNS servers (only)

I am in the UK. VPN server is in the UK too.

Not using unbound

My problem

BBC iPlayer won’t play as it thinks I am not in the UK. Dnsleaks.com shows that I do have a DNS leak. If I put the NordVPN DNS servers into the network settings of each client - it works. But obviously that bypasses pihole which I don’t want. I have added a screenshot from dnsleaks.com

Any suggestions??

Any help much appreciated!

Andrew

Who is Cogent Comms in this scenario – is that your ISP? If so, it appears that their DNS servers are being handed out to clients. When you manually enter the DNS settings you want, you override these settings and get the expected behaviour.

You said that the UDM is the DHCP server, so is there perhaps an ISP router in the picture which is also doing DHCP? You can check this with the command below, run from one of the Pi-holes

sudo pihole-FTL dhcp-discover

It would be worth manually entering the DNS settings again in a client, to get the behaviour you want, and then running the DNS leaktest again from that client to see what that shows now in comparison.

Thanks so much for your help - much appreciated.

I don't know who Cogent Comms are. My ISP here in the UK is EE.

Running the pihole-FTL command (my PiHoles are running in Docker, so I Exec'd into them first) returned the following on both -

root@flair-gb-dns:/# pihole-FTL dhcp-discover
Scanning all your interfaces for DHCP servers
Timeout: 10 seconds
DHCP packets received on interface eth0: 0

To summarise -

UDM Pro IP is 10.0.15.1
Pihole IPs are 10.0.15.2 and 10.0.15.3

The client (MacOS) I am currently on is at 10.1.1.7 Router is shown as 10.1.1.1

On both Piholes, in settings>DNS I only have 2 DNS servers set - 103.86.99.100 and 103.86.96.100. These are NordVPN's DNS servers

dnsleaktest.com gives the following result -

149.102.230.237 unn-149-102-230-237.datapacket.com. Cogent Communications Germany and BBC iPlayer says I am out of the UK.

My Dedicated IP (from NordVPN) starts 185.16.xxx.xxx

However - if on my client, in network settings, I enter the two NordVPN DNS servers shown above, dnsleaktest.com gives me this -

185.16.205.33.205.16.185.baremetal.zare.com. Hydra Communications Ltd London, United Kingdom and BBC iPlayer works.

Obviously that circumnavigates the Pi-holes so not ideal.

It seems to me as if something in the Pihole is being routed to the Cogent server? I have tried clearing caches etc.

Not an expert at this by any means - very much following my nose, so any help most appreciated.

Thanks,
Andrew

Hi again

Sorry to reply to my own post but something odd happened this morning.

Overnight, we lost internet connection completely. Our UniFi Dream Machine was offline.

I assumed it was a problem with my ISP - but as soon as I plugged EE’s supplied router in - it came back on line.

All was working the evening before (except for my DNS leak issue in the post above).

I’ve been busy today so I’ve left it on my EE router.

So - could EE have disconnected my line as I am not using standard settings, and running OpenVPN on their line?

Or am I being paranoid?

Just seems odd that 24 hours after setting up OpenVPN on the router it suddenly cuts off - then comes back in when I plug the supplier standard router in.

Would also love to get to the bottom of my DNS leak if anyone has any ideas.

This doesn't seem to be a Pi-hole issue.

What's more, as the DNS servers shown are not those of your ISP, I don't think you are seeing a DNS leakage.

According to DNS leak test procedures as suggested by NordVPN themselves, that would mean that you have no DNS leakage:

If you are connected to a VPN server and the VPN leak test displays DNS servers that don’t belong to your actual ISP, your traffic is secure.

Since you are paying NordVPN for their services, you may just as well consider invoking NordVPN's support to verify. :wink:
NordVPN would also seem the appropriate target group for an inquiry on how to address your location being reported as non-UK: Obscuring your real location is what VPNs could be expected to do.

Thanks for this. I’m rather new to DNS leaks so still learning.

The reason I thought the issue could be with pihole, is because when I put NordVPN's own DNS servers in the TCP/IP settings on the client (my Mac, iPad etc), only those DNS servers show on the leak test, and I am able to watch BBC iPlayer here in the UK. As soon as I revert back to using pihole DNS, iPlayer thinks I am outside of the UK - even though the forwarding DNS servers in pihole are both set to the same NordVPN servers.

But it’s interesting to hear what you say, and I hadn’t read that paragraph explaining that as long as the DNS servers are not my ISPs, I should be good.

I will drop nordvpn a line too.

More suggestions / thoughts welcome!

Thanks again
Andrew

That's very doubtful, they should not care how you use your line, it's their job to route your packets. That said you can check their T&Cs and see if they have anything specifically related to VPN usage.

I think that is because these Cogent servers are being served to your client from somewhere, instead of (or as well as) the Pi-hole or Nord VPN servers you are expecting. When you put in the Nord VPN servers explicitly, you essentially remove those servers and get the expected behaviour. So it looks indeed like it is not a Pi-hole issue, just a case of Pi-hole helping reveal that this is happening.

Some things to explore beyond Pi-hole:

Is this EE connection via their mobile network or is it fixed line (ie after it goes out from your EE router)? I found this post where someone is complaining that EE's older 4G mobile service is "overriding" their DNS with German DNS servers. They don't mention which servers but it sounds suspiciously similar.

Perhaps CGNAT makes these leaktest services unreliable, depending on how they draw their conclusions. I'm not too sure here.

Worth dropping a support mail into EE and asking them to clarify if they use these servers anywhere.

When you go into your Mac's DNS settings, are you seeing the Cogent servers in there in grey before you change them? If so then they're being handed to your Mac by something, or some installed software has added them and is messing you around. Perhaps installed software is the cause.

Try from another client, eg a smartphone or a Windows machine perhaps, just to compare.

If you get to the bottom of it it would interesting to know what it was!

Thanks for this. Yes - got me intrigued too.

To answer your questions

  • I’m on EE full fibre - so not mobile broadband
  • I’ve contacted their support at EE and they said no issue running a VPN Server on their line.
  • my router is handing out DNS servers via DHCP so the greyed DNS servers in my Mac's TCP/IP settings are 10.0.15.2 and 10.0.15.3 - which are my two Pi-hole instances.
  • I’ve tried from an iPhone, a MacMini and an iPad. All with the same results as below.

Just tested it again and I am still getting the below behaviour.

SETTINGS - DNS on Mac Client set to 10.0.15.2 and 10.0.15.3 so using Pi-hole. Forwarding DNS servers in both Pi-holes set to 103.86.96.100 and 103.86.99.100 (NordVPN DNS servers) connecting to EE with NordVPN and dedicated IP of 185.16.205.xx

RESULT - The Cogent DNS servers x 2 (149.102.230.229 and 149.102.230.237) in Germany appear in the leak test and iPlayer does not work in the UK.

SETTINGS - DNS on Mac client set to 103.86.96.100 and 103.86.99.100 (NordVPN DNS servers) connecting to EE with NordVPN and dedicated IP of 185.16.205.xx

RESULT - only 1 DNS server appears in the leak test with an IP of 185.16.205.3 which I believe belongs to NordVPN and has a similar IP as my assigned and dedicated IP from NordVPN (185.16.205.xx). BBC iPlayer works in the UK

Could this be a caching issue? Though I did flush the caches and restart DNS on both Pi-holes when testing.

Thanks again
Andrew

No, it is not a caching issue.

What you observe seems what would be expected if you use NordVPN.

By the link to NordVPN's suggested DNS leak procedure, it is already clear that your leak test results would indicate that your VPN is working.

The main advantage of buying into a VPN service is that they hide your IP address from the sites you visit. I'd go as far as assuming that this would be the biggest selling point for using a VPN service.
Thus, it would be expected that the IP that a website sees as the origin of traffic from your network may be located anywhere in the world.
NordVPN offers a website to check your current IP and geo-location at What is my IP address location? Find out here | NordVPN. Visiting that site before and after you connect to NordVPN should show your normal public IP and coarse location at first, and then your VPN assigned IP address and disguised location.

It would not be uncommon that VPN service providers may let you pick the country that you want your traffic appear to originate from, but that is a question for your VPN service provider (edit: for yours, see e.g. How to Change IP and Location: VPN & other methods | NordVPN).

Again, if you haven't already done so, you should inquire with NordVPN to seek advice on your questions.

Thanks for this

Do you know why I am getting different results when using Pi-hole?

When I spoke to NordVPN support, they just said the issue must be with Pi-hole as it only occurs when I route DNS request through my Pi-hole instances.

Suspect they will just keep telling me to ditch Pi-hole which I don’t want to do!

NordVPN does camouflage your IP and geo-location.
That seems the likely reason why BBC iPlayer would reject you as non-UK access.

You should be able to verify that using NordVPNs IP check in the way I've described above.

Why would he get different results depending solely on whether Pi-hole is being used or not to reach the same NordVPN servers? The two DNS flows:

Client (connected to NordVPN) --> NordVPN DNS servers
                              |-> UK presence works
                              '-> DNS leaktest shows NordVPN IPs
Client (connected to NordVPN) --> Pi-hole --> NordVPN DNS servers
                              |-> UK presence fails
                              '-> DNS leaktest shows mysterious German Cogent IPs

That's not the setup as I understand it from Andrew_Davies's description.
Clients are not connected to NordVPN - the router is, acting as a VPN gateway:


I have no explanation for that observation, yet either way, it's the client that communicates with that BBC player, not Pi-hole, so I'd expect the client to be rejected either way.

But as suggested, investigating public IPs in connected and disconnected states would give an immediate indication of the disguised NordVPN IP's presumed geo-location, allowing to verify if that player's rejection could be attributed to NordVPN's IP.

Simpler option is just run curl ipinfo.io from the shell. But there's more than one way to find the information.

Must admit - I am enjoying this and learning loads! Thanks again.

Quite a big update after some more testing.

My router (Unifi Dream Machine Pro) is at 10.0.15.1. To test, I have just my laptop connected to it on hardwire. I've deleted all VLANs / networks etc and disconnected everything else (Raspberry Pis, cameras, clients, WAPs, everything)

In internet settings on the router, I have specified the 2 NordVPN DNS servers - 103.86.96.100 and 103.86.99.100. In LAN settings for the network, DNS is set to auto - so clients get the router IP (10.0.15.1)

All traffic is set to route over the NordVPN and my IP location is shown correctly as London. My dedicated IP address is shown correctly on What is my IP address location? Find out here | NordVPN too.

Now on my laptop, the greyed out DNS server in TCP/IP is of course 10.0.15.1 (my router).

dnsleaktest.com results in the 2 x pesky Cogent servers and BBC iPlayer does not run (says only available in the UK)

But as soon as I change the DNS settings on my Mac to the 2 NordVPN DNS servers - 103.86.96.100 and 103.86.99.100 - BBC iPlayer works.

So does this mean the fault / leak/ odd DNS comes from my Unifi Dream Machine Pro? As has been said, it is not the Pi Holes (phew) as neither are even powered on.

I tested this several times, and it was very consistent behaviour (though only if I physically disconnected the ethernet cable between tests). Also tested on an iPhone (once I plugged all the WiFi back in) and got the same result.

Andrew

Good testing. A bit more digging for this Cogent Comms I found a post referencing UDM.

It doesn't look like a NordVPN related thing because explicitly setting those takes the UDM out of the loop and gives the results you expect.

That leaves the UDM and your original EE router.

The DNS leaktest site works by creating random subdomains for your client to resolve. Its authoritative DNS server sees those requests coming in and so can tell which DNS servers are ultimately being used by the client to perform the resolution.

Since those hostnames are uniquely presented to your client, and since your client is using the UDM for DNS, it seems the cause has to be the UDM and some artifact of how it handles DNS under the hood. I don't know how iPlayer detects location but it appears related to the same artifact.

I'm conscious of monopolising the thread with non-Pi-hole related stuff so should probably leave it there, but it was interesting. In summary:

  • Pi-hole doesn't look to be a cause or involved, it was just along for the ride :slight_smile:
  • NordVPN also looks to have been ruled out because it works when used explicitly on the client
  • The UDM looks implicated and looks like it's one for their support channels
  • The EE router may be involved, depending on what the UDM is asking it to do, eg could the UDM be using the EE router as its DNS, and the EE is using some form of OpenDNS (ref the prior reference to "German servers" albeit on their wireless router)? You could perhaps remove the UDM entirely and see if you can observe those Cogent servers in any way using just the EE router.

If you get to the bottom of it by all means pop a followup post in this thread for closure :slight_smile:
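The leak-test mechanism described above (unique probe names, authoritative server attributing each query to the resolver that contacted it), as an added simulation that is not code from this thread or from any product mentioned in it; the zone name, the ISP prefix and the resolver chains are constructed for illustration:

```python
# Simulated DNS leak test: the site's authoritative server only sees the source
# IP of the resolver that finally contacts it, so a forwarder is invisible.
import ipaddress
import secrets

ZONE = "leaktest.example"          # constructed stand-in for the test site's zone
ISP_PREFIXES = ["203.0.113.0/24"]  # constructed stand-in for the ISP's ranges


class LeakTestAuthority:
    """Authoritative name server for ZONE, as run by the leak test site."""

    def __init__(self):
        self.seen = {}  # session token -> set of resolver IPs that asked

    def new_session(self):
        token = secrets.token_hex(8)
        self.seen[token] = set()
        return token

    def probe_names(self, token, count=3):
        # Unique names no cache can hold, so every one must reach this server.
        return [f"{i}.{token}.{ZONE}" for i in range(count)]

    def answer(self, qname, resolver_ip):
        # Attribute the query to the session whose probe name it carries.
        token = qname.split(".")[1]
        if qname.endswith(ZONE) and token in self.seen:
            self.seen[token].add(resolver_ip)
        return "192.0.2.1"  # constructed dummy A record


def run_test(authority, chain):
    """Client side. chain lists the resolvers in the order queries traverse them,
    e.g. Pi-hole then NordVPN; only the last hop ever contacts the authority."""
    token = authority.new_session()
    for name in authority.probe_names(token):
        authority.answer(name, chain[-1])
    return sorted(authority.seen[token])


def verdict(resolver_ips):
    """The rule quoted in the thread: resolvers inside the ISP's ranges are a leak."""
    nets = [ipaddress.ip_network(p) for p in ISP_PREFIXES]
    leaked = [ip for ip in resolver_ips
              if any(ipaddress.ip_address(ip) in n for n in nets)]
    return "leak" if leaked else "no leak"


if __name__ == "__main__":
    auth = LeakTestAuthority()
    # Pi-hole forwarding to NordVPN looks identical to the client using NordVPN
    # directly; a constructed ISP resolver address is flagged.
    for chain in (["103.86.96.100"], ["10.0.15.2", "103.86.96.100"],
                  ["10.0.15.2", "203.0.113.53"]):
        seen = run_test(auth, chain)
        print(" -> ".join(chain), "|", seen, "|", verdict(seen))
```

The point the simulation makes is that the test cannot see the Pi-hole hop at all; whatever it reports is the resolver that actually reached its authoritative server.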

Thanks for that - all clear and yes, seems like it is one for Unifi.

Just so you are aware though, there is no EE router involved. I am on full fibre, so my Dream Machine is connected directly to an ONT via ethernet (the incoming fibre then connects to the ONT)

Will keep you posted and thanks again,
Andrew


When I set my Pi-hole to use NordVPN's servers (103.86.96.100 and 103.86.99.100) as upstream, dnsleaktest.com would show:

IP Hostname ISP Country
212.102.33.111 unn-212-102-33-111.cdn77.com. Datacamp Limited New York, United States
149.102.252.109 unn-149-102-252-109.datapacket.com. Cogent Communications New York, United States

This would suggest that those NordVPN IP addresses just act as a proxy, forwarding DNS to some arbitrary actual DNS resolvers near one of their exit nodes. It may also hint at them using Cogent's infrastructure to deploy their services.
I think it also makes it seem a little bit odd that an IP similar to your own would show up in your DNS leak test.

But perhaps this is not related to your network equipment.
So far, you've reported unwanted behaviour for BBC's player only - maybe that's only related to that BBC player then.

If you'd force me to speculate, I'd be leaning to guess that the BBC player site is attempting to thwart access from unsolicited countries not only by inspecting the requestor's IP: They may be applying the same methods as the DNS leak test site to determine the likely country of origin of your DNS servers and reject your request if they think it's non-UK.
That would require JavaScript to be enabled in your browser.
In theory, you could try to disable JS, but I guess that would be also required to play the videos, so that won't produce any additional insights.

Just a guess, though. :wink:


SOLVED!! Or I am pretty sure it is.

What worked for me was this - I suspect I should have had it set up this way in the first place!

  • DNS Servers in Internet settings (WAN) on my router (UDM Pro) set to the IPs of my two Pi Hole instances on the LAN
  • Clients being given the same IPs for the Pi Holes for DNS
  • Forwarding DNS in Pi Hole set to the NordVPN DNS servers

One of the things that was tripping me up, is that the NordVPN DNS Servers are only accessible when connected to their VPN. I used dig in a terminal to diagnose this. Only worked properly when I was on the VPN

But the main thing I was overlooking were the DNS settings on the WAN side of my router. I'd initially had it set to Cloudflare, Google or the Nord DNS servers which it couldn't always reach. Setting them to the Pi Hole instances worked. (Dohhhh)

In my initial set up - I only wanted NordVPN to be set on one VLAN, but if I want to route DNS through Pi Hole (which I do) - it is either the entire network or nothing. But that is fine (This only works if DNS on my WAN are set to Pi Hole so that means the entire network)

Feels a little obvious now - but I had real fun diagnosing it!

Thanks again to all who contributed to this thread - much appreciated.

Next is to set up Unbound on both Pi Holes!

Cheers
Andrew

Likely, unbound would not work in your setup.

Commonly, VPN service client software would force DNS requests to the VPN service provider's DNS resolvers inside the VPN tunnel, in an effort to prevent DNS leakage.
But this would also prevent unbound from talking to actual authoritative name servers, resulting in DNSSEC validation failures for any and all DNS requests.
