Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,480 --> 00:00:09,420 So I've just been talking about how DNS is very useful for sending your DNS queries through to stop 2 00:00:09,540 --> 00:00:14,230 local observation and also general observation of your DNS queries. 3 00:00:14,310 --> 00:00:19,420 So to stop people monitoring where you're going to now that's all well and good. 4 00:00:19,620 --> 00:00:28,140 But unfortunately when using DNS is DNS is can leak data including your DNS queries. 5 00:00:28,140 --> 00:00:32,640 Also IP V-6 and it can link all types of data. 6 00:00:32,760 --> 00:00:40,650 If the VPN disconnects accidentally when in use there for example instead of sending the DNS query to 7 00:00:40,650 --> 00:00:47,880 the DNS server through the tunnel they send outside of the tunnel instead maybe to your Internet service 8 00:00:47,880 --> 00:00:52,390 providers IP address revealing all the sites that you're visiting. 9 00:00:52,500 --> 00:00:54,560 And this is a known issue. 10 00:00:54,570 --> 00:01:02,130 It's been a known issue for a long time with VPN providers and yet some still leak DNS is so shockingly 11 00:01:02,130 --> 00:01:03,010 poor. 12 00:01:03,150 --> 00:01:09,310 Any VPN provider that does this should be exposed for just being simply incompetent. 13 00:01:09,690 --> 00:01:14,280 And the same way that DNS can leak out of the VPN tunnel. 14 00:01:14,400 --> 00:01:22,530 So can IP version 6 version 6 is the latest version of the Internet protocol but it's not really used 15 00:01:22,530 --> 00:01:30,690 on the internet but IP V-6 packet can be sent out still revealing your identity in the same way that 16 00:01:30,690 --> 00:01:33,150 an IP V-6 address can. 17 00:01:33,540 --> 00:01:43,240 And if you look at this report here a glance through the VPN looking glass IP V-6 leakage and DNS hijacking 18 00:01:43,240 --> 00:01:45,480 in commercial VPN clients. 19 00:01:45,480 --> 00:01:54,130 So this is a good report on VPN service providers and how they're poor service deanonymizes you. 20 00:01:54,210 --> 00:02:01,560 And if we scroll down we can see a number of the VPM providers that are tested and what their results 21 00:02:01,560 --> 00:02:07,710 were and you can see here IP V-6 leaking and DNS hijacking. 22 00:02:07,710 --> 00:02:11,200 So not particularly brilliant results there. 23 00:02:11,690 --> 00:02:17,210 The serious leak situation is when the VPN drops. 24 00:02:17,340 --> 00:02:26,520 So here or here when you're actually using the VPN and it can dropout for whatever reason Open VPN and 25 00:02:26,520 --> 00:02:31,370 other VPN services default to continuing to send traffic. 26 00:02:31,470 --> 00:02:38,670 So if the VPN drops for any reason at all then your traffic can start to send directly to the destination 27 00:02:38,670 --> 00:02:39,060 . 28 00:02:39,060 --> 00:02:45,420 So this is a huge problem as a VPN can die any time really for any reason you have a local problem the 29 00:02:45,510 --> 00:02:47,420 VPN server as a problem. 30 00:02:47,550 --> 00:02:54,270 So you cannot have a VPN that dies and then continues to send traffic to the destination that would 31 00:02:54,270 --> 00:02:56,360 completely de anonymize you. 32 00:02:56,760 --> 00:02:59,750 So let's talk through how we can stop this leakage. 33 00:02:59,790 --> 00:03:07,320 First let's talk about IP V-6 because that's the simplest to prevent as you just simply need to disable 34 00:03:07,320 --> 00:03:11,730 IP V-6 which is pretty simple in most operating systems. 35 00:03:11,790 --> 00:03:17,670 Now you need to research how you do this in the operating systems that you're using but you pretty much 36 00:03:17,670 --> 00:03:22,860 can guarantee that you won't be using IP V-6 in ninety nine point nine nine nine nine percent of cases 37 00:03:22,860 --> 00:03:23,160 . 38 00:03:23,220 --> 00:03:31,200 And if you are using it you already know about it but it's pretty easy to disabling most operating systems 39 00:03:31,220 --> 00:03:31,410 . 40 00:03:31,620 --> 00:03:36,830 And here's some links as to how to disable it so there's windows version 7. 41 00:03:37,110 --> 00:03:41,040 And you just click here. 42 00:03:41,040 --> 00:03:44,490 This is a good one for Mac OSX. 43 00:03:44,700 --> 00:03:47,020 You just run these on the command line. 44 00:03:47,340 --> 00:03:49,450 Changing the word ether. 45 00:03:49,460 --> 00:03:57,510 For whatever your doctor is called and here that's the Wi-Fi adapter you just switch those off his Linux 46 00:04:00,020 --> 00:04:03,310 as a good link here for I to disable it in Linux. 47 00:04:03,390 --> 00:04:05,580 So that's disabling IP V-6. 48 00:04:05,580 --> 00:04:10,950 Now we can also block all non VPN traffic. 49 00:04:10,950 --> 00:04:19,080 So that would include IPV six DNS leaks and any leaks if the VPN died by a combination of techniques 50 00:04:19,080 --> 00:04:19,650 . 51 00:04:19,650 --> 00:04:29,820 So probably the most common one is to use a VPN client with a built in DNS IP V-6 leak protection and 52 00:04:29,850 --> 00:04:31,150 kill switch. 53 00:04:31,160 --> 00:04:39,300 So when the VPN drops and as an example of one here now I'm not recommending Sebago some just showing 54 00:04:39,540 --> 00:04:45,490 where the configuration is here so you can see it's forcing them to use their DNS servers here. 55 00:04:45,540 --> 00:04:53,190 We can switch off and specify our own DNS servers that you can disable IP V-6 also disable with the 56 00:04:53,190 --> 00:04:54,950 operating system yourself. 57 00:04:55,080 --> 00:04:59,970 And it's got a built in kill switch that there is no option to switch off was why would you ever want 58 00:04:59,970 --> 00:05:05,570 to switch off a kill switch for when the VPN disconnects it closes. 59 00:05:07,600 --> 00:05:16,070 And preferably that client has some sort of internal firewall because it has to be implemented correctly 60 00:05:16,310 --> 00:05:20,050 for it to work but you're not always going to know how it's implemented. 61 00:05:20,060 --> 00:05:26,630 An example of poor implementation could be only does a DNS check when it's first started and maybe the 62 00:05:26,630 --> 00:05:32,340 DNS is fine then but then the DNS gets changed later and the DNS client isn't checking later. 63 00:05:32,330 --> 00:05:39,060 So that's where a firewall within that just permanently blocks these things is better and all good providers 64 00:05:39,380 --> 00:05:40,910 will provide these features. 65 00:05:41,150 --> 00:05:47,900 And you pretty much good if a VPN client blocks these things I mean you shouldn't have any problems 66 00:05:47,900 --> 00:05:49,610 with these leakages. 67 00:05:49,620 --> 00:05:55,300 But really if you want to take it to the next level make sure that it's not doing any leaking. 68 00:05:55,440 --> 00:05:58,730 Obviously you can do testing which we're going to talk about later. 69 00:05:58,740 --> 00:06:03,120 The next thing to really do is to block it with firewalls. 70 00:06:03,410 --> 00:06:11,280 You can use host based firewalls on the device where you have the VPN client to block VPN leaks and 71 00:06:11,270 --> 00:06:17,510 we discuss host based firewalls in the section on firewalls so you should be familiar with these firewalls 72 00:06:17,510 --> 00:06:17,810 . 73 00:06:17,900 --> 00:06:23,120 If you've gone through that section so let's start with Windows. 74 00:06:23,190 --> 00:06:29,570 And of course you can use the Windows Firewall which you see here in front of you and you can also use 75 00:06:29,570 --> 00:06:31,640 the Windows Firewall control. 76 00:06:31,640 --> 00:06:33,470 I talked about to help you. 77 00:06:33,620 --> 00:06:42,290 You can block all traffic but the VPN to the VPN server and you can block applications as well. 78 00:06:42,870 --> 00:06:48,450 If you check out this link here that I'll give you some further guidance on how you can do that. 79 00:06:49,160 --> 00:06:57,010 And of the files that I recommend is tiny while you can also block VPN leaking using this. 80 00:06:57,090 --> 00:07:03,530 There is also the free Comodo firewall which is a viable option but make sure you've gone through the 81 00:07:03,530 --> 00:07:09,200 section on firewalls and Comodo where I mentioned some of the downsides of Comodo. 82 00:07:09,950 --> 00:07:14,520 Here's a link here which will help you block all anon VPN traffic. 83 00:07:14,840 --> 00:07:22,430 And there's also some advice here on building your own VPN kill switch with Windows using Comodo. 84 00:07:22,550 --> 00:07:28,280 There are applications you can use which will monitor your VPN connection and then kill it. 85 00:07:28,280 --> 00:07:30,710 This is VPN or VB. 86 00:07:30,710 --> 00:07:37,130 NET Mohn which prevents unsecured connections after your VPN connection goes down. 87 00:07:37,190 --> 00:07:47,070 It simply closes specified applications when the VPN connection is down and a similar product is VPN 88 00:07:47,060 --> 00:07:47,860 check. 89 00:07:47,980 --> 00:07:54,370 But unfortunately the version that you really want is the pro version and that is a pay version. 90 00:07:54,380 --> 00:08:02,090 So those are the VPN leak host based protection methods for Windows host based leak protection now for 91 00:08:02,150 --> 00:08:02,910 Mac. 92 00:08:03,120 --> 00:08:09,770 You can use your P.F. firewall which we've gone through you know to block your leaks. 93 00:08:10,250 --> 00:08:12,260 And for more information on how to do that. 94 00:08:12,380 --> 00:08:14,830 Have a look at this link here. 95 00:08:14,880 --> 00:08:18,730 Also a guide here on leak protection for using P.F.. 96 00:08:18,770 --> 00:08:25,090 If you want to make it a little bit easier on yourself you can use ice floor as the gooey for P.F.. 97 00:08:25,340 --> 00:08:31,300 But really the best thing to use would be Morris to do leak protection. 98 00:08:31,550 --> 00:08:39,050 And there is even a video here that they put together which talks to exactly this blocking everything 99 00:08:39,090 --> 00:08:41,990 but VPN traffic using Morris. 100 00:08:42,000 --> 00:08:48,820 Morris we have covered in its own section it is a firewall gumi for P.F. firewall. 101 00:08:49,590 --> 00:08:55,450 And finally little snitch will also allow you to do leak protection. 102 00:08:55,760 --> 00:09:04,200 Linux nown preventing VPN leaks first an obvious choice is to use IP tables to block your VPN leaks 103 00:09:04,210 --> 00:09:04,360 . 104 00:09:04,520 --> 00:09:08,190 Check out owling there for guidance on that. 105 00:09:08,370 --> 00:09:14,010 Also there is this which is VPM FEIBEL what this does it. 106 00:09:14,150 --> 00:09:20,810 As it says here it forbids outgoing traffic after the VPN software has broken down. 107 00:09:20,820 --> 00:09:26,240 It works with open VPN which is fine that's what we want it for and it works on Debian. 108 00:09:26,250 --> 00:09:27,900 So that's worth looking at. 109 00:09:28,280 --> 00:09:32,140 And another option is a VPN daemon or daemon. 110 00:09:32,150 --> 00:09:38,660 Now this monitor is your network manager for VPN disconnects and when a disconnect happens it will kill 111 00:09:38,660 --> 00:09:40,880 a particular application that you choose. 112 00:09:40,880 --> 00:09:48,150 During set up and you wanted to kill the network manager ter another kill switch you'd want to both 113 00:09:48,140 --> 00:09:54,500 block with a firewall and have a kill switch as the best option. 114 00:09:54,530 --> 00:10:02,370 You can also set up a virtual machine as a VPN client as part of doing nested VPN. 115 00:10:02,370 --> 00:10:09,020 So for example you could have P.F. sense and you set this up so this only allows VPN traffic it would 116 00:10:09,020 --> 00:10:12,780 be using the internet gateway to this machine. 117 00:10:12,780 --> 00:10:18,060 And if the VPN drops then there'd be no Internet connection through the gateway. 118 00:10:18,170 --> 00:10:20,330 That's another way of blocking leaks. 119 00:10:20,340 --> 00:10:26,930 Now if you're using Windows 10 which really you shouldn't be if privacy is what you're looking for Windows 120 00:10:26,930 --> 00:10:34,830 10 as you might expect is in an extra special way trying to force the West to leave DNS. 121 00:10:34,840 --> 00:10:36,800 That's even harder to stop. 122 00:10:36,840 --> 00:10:45,020 And here there is a open VPN plug in to fix Windows DNS leaks Windows 10 DNS resolver sends DNS requests 123 00:10:45,090 --> 00:10:51,750 impera to all available network interfaces and uses the fastest reply to come. 124 00:10:51,920 --> 00:10:58,670 If you use DNS from the local network this problem allows your ISP or a hacker the Wi-Fi app to hijack 125 00:10:58,670 --> 00:11:01,340 your DNS records and steal your data. 126 00:11:01,500 --> 00:11:03,240 Even if you use a VPN. 127 00:11:03,410 --> 00:11:09,980 So looking to using this is more information on it here and our Windows 10 is not particularly great 128 00:11:09,980 --> 00:11:10,800 with VPN. 129 00:11:10,940 --> 00:11:16,920 But I mean again I mean I can't say enough but you don't really want to be using Windows 10 but these 130 00:11:16,910 --> 00:11:19,520 are potential ways to get around to beginning to research. 131 00:11:19,670 --> 00:11:24,480 And you need to keep on top of this as well because Microsoft might change something and then it's going 132 00:11:24,470 --> 00:11:28,710 to start leaking DNS again and your VPN is totally pointless. 133 00:11:28,830 --> 00:11:39,200 If you want to test if your VPN is leaking your DNS connect via VPN and then run a test here and this 134 00:11:39,200 --> 00:11:42,260 one is not this is using the DNS as a VPN. 135 00:11:42,260 --> 00:11:49,490 I happen to have connected to some more information you can check this out which has some of the preventative 136 00:11:49,500 --> 00:11:51,680 measures for DNS leaks. 137 00:11:51,770 --> 00:11:57,620 So that's a lot of ways of preventing leaks but I think I would generally recommend making sure your 138 00:11:57,620 --> 00:12:04,850 client doesn't allow leaks and then some way you have a firewall that blocks it and then that should 139 00:12:04,860 --> 00:12:05,800 be good enough. 140 00:12:05,850 --> 00:12:11,810 And then as a final check you can run a network analyzer like wireshark just to make sure that there's 141 00:12:11,820 --> 00:12:16,780 no leaking and then you'll be fine and we'll talk about doing that later. 15699