Proton

5188 readers

22 users here now

Empowering you to choose a better internet where privacy is the default. Protect yourself online with Proton Mail, Proton VPN, Proton Calendar, Proton Drive. Proton Pass and SimpleLogin.

Proton Mail is the world's largest secure email provider. Swiss, end-to-end encrypted, private, and free.

Proton VPN is the world’s only open-source, publicly audited, unlimited and free VPN. Swiss-based, no-ads, and no-logs.

Proton Calendar is the world's first end-to-end encrypted calendar that allows you to keep your life private.

Proton Drive is a free end-to-end encrypted cloud storage that allows you to securely backup and share your files. It's open source, publicly audited, and Swiss-based.

Proton Pass Proton Pass is a free and open-source password manager which brings a higher level of security with rigorous end-to-end encryption of all data (including usernames, URLs, notes, and more) and email alias support.

SimpleLogin lets you send and receive emails anonymously via easily-generated unique email aliases.

founded 1 year ago

MODERATORS

[email protected]

VPN DNS leak - DoH and network.trr.mode in Firefox (lemmings.world)

submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]

3 comments fedilink hide all child comments

Some feedback regarding Proton VPN documentation and some confusion regarding Firefox DNS configuration:

https://protonvpn.com/support/browser-extensions#firefox says:

"By default, Firefox does not route DNS queries through the HTTPS connection to our VPN servers" and then is mentioned a workaround to fix it.

That suggest alarming thing, that ProtonVPN Firefox user has to do some custom workaround in order to be private (prevent a DNS leak).

On another hand, https://protonvpn.com/support/dns-leaks-privacy says:

"DNS queries are routed through the VPN tunnel to be resolved on our servers"

these statements are a bit confusing/contradicting (though Proton later explains that this latest statement does not apply on a browser extension VPN apps) and Proton further adds at https://protonvpn.com/support/dns-leaks-privacy/#dns-over-https that the DNS leak can happen also due to enabled DoH feature in web browser.

Solution: ProtonVPN browser extension should (if possible) warn user in case it fails to process DNS and as a result, it is leaked. Vote for this feature request

Another "issue" is with the above mentioned/linked workaround (here I am speaking only about Firefox), this workaround: go to "about:config into the URL bar and hit . At the warning, click Accept the risk and continue → search for network.trr.mode"

In my case I had this set that variable to 5 which means DoH "Off by choice", Proton in said tutorial suggest value 3 instead, which means (According to https://wiki.mozilla.org/Trusted_Recursive_Resolver#DNS-over-HTTPS_Prefs_in_Firefox ) "Only use TRR, never use the native resolver.".

This confuses me since it looks like an opposite to what i have now, while any DNS leak site:

https://www.dnsleaktest.com

https://ipleak.net

does NOT report leak in my case nor in case i set network.trr.mode to 3. A bit weird but i guess no big deal?

Thanks for your feedback in advance.

top 3 comments

sorted by: hot top controversial new old

[–] [email protected] 4 points 2 months ago (1 children)

Just my 2cent don't take is to seriously, but having an extansion to act as VPN is a bad idea IMO. Same goes for password managers.

I would rather suggest to install wireguard on your machine and tunnel all your traffic to protonVPN with a config file you can download from them.

But that adds extra work to put into place (a few iptables lines) and I get why extensions are popular (ease of install and forget).

Sorry if it doesn't add something to your actual question, but we shouldn't rely to much on extensions, those are mostly open holes for privacy and security.

[–] [email protected] 1 points 2 months ago (1 children)

What is the benefit of installing wireguard over the proton VPN app?

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

Not saying it's better than a native app but it's probably more secure than an extension.

One benefit I could think of is customization of your configuration. I'm pratically a newbie in networking so take everything with a grain of salt, because a wrongly configured network device is as bad a not having one.

However, being able to re-route everything to a corresponding wireguard tunnel adding specific rules to each devices, give you more controle of your network flow (Yes this is more advanced stuff and I only scratched the surface of what is possible). There's way more to it and I lack the proper knowledge, but reading here and there, suggests that extensions are really bad for security/privacy. Also, the more addons you have, the more fringerprintable you are (yes i'm probably over simplifing...)

Sorry if I lack the technical terms, I'm just a tinkerer and like learning new stuff. If there's a native app for every device go for it, otherwise I would suggest to find a way to re-route your traffic through a tunnel without the help of a browser extension.

But hey I'm just some random on the web without any degree, so whatever 🫠