DNS leak turns neurorouting into ordinary single-hop VPN

Discussion in 'Services - Questions & Answers (Q&A)' started by Graves, Jun 10, 2018.

Tags:
  1. G

    Graves New Member

    TLDR: While using neurorouting, your DNS requests are made through a DNS server that is persistently and geographically associated with the Perfect Privacy (PP) server the user first connects to, rather than with the PP server that the user exits the PP network from gets their external IP address from. This means that to any website/destination that bothers to check your DNS, all of the additional server hops that neurorouting routes you through might as well not have happened; neither the multi-hop benefits nor the 'you get a different IP for every connection you make' benefits of neurorouting are effective this way.

    Long version copy-pasted from reddit:
    I recently registered for a month of Perfect Privacy VPN to try out their neurorouting feature, about which I was very enthusiastic. Neurorouting functions as a dynamic optimized multi-hop configuration. You turn it on and connect to a server, which then functions as your entry server, and once within the perfect privacy network they will flexibly route your request through another 2+ of their servers to get you as geographically close to the destination address of each individual connection attempt as possible. This has the usual benefits of multi-hop, and keeps your traffic safer and encrypted within the PP network for as much of the distance as possible.

    But most importantly, neurorouting means you have a different external IP for each connection you make*, even if you run a whole bunch of simultaneous connections. This is a major privacy improvement over a traditional VPN, because now the browser tab in which you open your email and the connection that your antivirus has running to its update servers can't be correlated to the browser tab in which you browse your privacy-sensitive websites. This is pretty major if you like to have different tabs open, or simultaneously download your email for several addresses that you don't want linked to each other, or anything like that. Even Tor doesn't offer this, requiring you to close one connection and start a new identity before opening the next if you don't want two accounts linked to each other.

    Or so I hoped. But running their service and doing a few standard VPN tests, it turns out that even with neurorouting turned on and DNS leaks blocked by the usual means, perfect privacy will always send your DNS requests through a DNS server that is persistently linked to the perfect privacy entry server you connected to, and most of the time in the same country as it too.

    So instead of having an ordinary VPN that leaks your real ISP through your DNS requests as with ordinary DNS leaks, you have an expensive VPN with a cutting edge dynamic multi-hop feature that is effectively reduced to an ordinary single-hop VPN because it'll always give you the same DNS server even as it dynamically adjusts your external IP.

    As I understand it, the way neurorouting should work is that to anyone you connect to on the internet, you look indistinguishable from anyone else in the group of neurorouting-enabled perfect privacy users, as well as from any neurorouting-disabled perfect privacy users that happen to connect through the same perfect privacy exit server through another type of config. But with this leak, instead to any website using DNS-leak checks, your traffic can be narrowed down as coming from the much smaller group of neurorouting-enabled perfect privacy users who happen to have your particular entry server selected. Effectively, you'll be several times more recognizable than you would be if you hadn't had neurorouting enabled at all**.

    I mailed at length with perfect privacy customer support about this, but they don't seem to understand why this presents a serious problem with their feature, so now I'm posting here to warn anyone else interested in the neurorouting feature for the same reasons I was.

    *Strictly speaking, you don't have a different IP for each connection you run, but rather for each of many geographical areas of the world defined by their nearest proximity to a single perfect privacy server.

    ** I know that any VPN worth their salt will assign you an exit IP shared by several other users, somewhat mitigating the risk of having simultaneous connections linked to each other. I also know about browser fingerprinting and similar tricks that can be used in addition to tracking your IP and DNS to try to narrow down your identity to track it across different connections. While important, I don't think those things matter much here because this post is about a problem affecting the added value of having this expensive VPN with neurorouting enabled.
     
  2. ItsFe

    ItsFe Member

    I just tested this on ipx.ac and these were my results. I connected to Steinsel, and ipx.ac tells me my IPv4 address is from the Netherlands. The IPv6 address is still the same, but Neurorouting for IPv6 will be enabled soon (according to the PP team).
    The issue with the DNS does exist, but I also ran into another problem - the WebRTC check detects an IP from Norway.

    Entry Node: Steinsel, Luxembourg
    IPv4: Rotterdam, Netherlands (which is fine)
    IPv6: Steinsel
    DNS: Steinsel
    WebRTC: Oslo, Norway
     
  3. PP Lars

    PP Lars Staff Member

    That because ipx.ac is hosted somewhere near amsterdam. If you check our checkip.perfect-privacy.com with neurorouting you will see either frankfurt or amsterdam,because thats were our 2 checkip servers are located.

    Thats also most likely correct. Webrtc uses for example mozillas public stun servers, so you see an ip close the the stun server that was used to initialize the webrpc connection. That might well be norway.

    Neurorouting works on IP basis. You if you connect to any ip, your connection is routed to an exit node near that ip.
    So your assumption that "the user gets an external ip" is wrong. Your packets are routed do different external ips depending on their target address.

    No thats not the point of neuro-routing. The point is to reduce the "flight time" of packets on the normal, unencrypted internet, not to prevent that the target website from guessing your entry server. if you want that, use multi hop.
    So lets say you are connected to Amsterdam, but visit a crappy unencrypted website in australia. With normal VPN, your packets travel though all country between amsterdam to australia unencrypted, any everybody in between could spy on or manipulate that connection. With neuro routing you get as close as possible with a well encrypted connection, no matter what.

    It does not. Multi hop and Neuro Routing are 2 different things protecting from different attacks.
    Multihop protects well against:
    - Attacker spying on input and output of one VPN server to correlate traffic
    - Websites trying to guess your entry node
    - Single compromised PP server
    Neurorouting protects against the scenario described above and gives some anti geo blocking comfort because you most likely exit in the correct country.


    If you want everything, use multihop + neurorouting. :)

    Regards
    Lars
     
    Graves and ItsFe like this.
  4. G

    Graves New Member

    Hi Lars; thanks for responding!

    No, that's the way I understood it; my post must have been unclear instead. The PP exit node depends on the destination IP, and as an extension of that so does your external IP. This feature was my main reason for purchasing a PP subscription.

    Thanks for explaining; this is (partially) new to me. Reading up on neurorouting, I'd assumed it combined three features:
    1) Minimizing unencrypted traffic outside of the PP network, thereby mitigating traffic snooping and manipulation. This feature is unaffected by the DNS problem outlined in the OP.
    2) Introducing extra server hops that change between connection attempts (flexible multi-hop), thereby mitigating the risk of entry-exit traffic correlation. This feature is compromised by the DNS problem, since the entry node can be guessed from the DNS server.
    3) Variable external IPs depending on the destination of each connection, which helps keep different contextual identities separate. This feature is also compromised by the DNS problem, since all connections do have the same DNS server IP.

    If I understand you right, you're saying that only feature 1) is intentended to be a functional privacy feature. That does address the DNS problem I posted about, since feature 1) isn't affected by this. However, this is disappointing news compared to what neurorouting seemed to offer on the surface, and I think there's perhaps a communication problem going on here.

    Regarding feature 2), the restoreprivacy.com neurorouting article, which is the first or second result for 'neurorouting' web searches and a strong proponent of your feature, remarks that "One of the biggest advantages with this feature is that it now gives all users a simple and powerful multi-hop configuration.". And it would be great if this were a true feature of neurorouting, since you only offer multi-hop through your proprietary software, which isn't available for all platforms and requires additional trust compared to the industry standard of using the open source openVPN client. Additionally, wouldn't activating neurorouting and multi-hop simultaneously like you suggest add (an) additional redundant node(s) to the connection, further slowing it down? Considering the above, and that neurorouting on it's own does hop across multiple PP nodes, it isn't clear to me at all why it should not be designed to also offer the usual multihop benefits - the only obstacle to this that I can see is the DNS problem outlined in my OP, which should be easy to address. It even strikes me that neurorouting offering multihop benefits would do a better job of preventing entry-exit analyses than ordinary multi-hop, since the exit node isn't stable across connection.

    Feature 3) seems like another major selling point you're missing out on purely due to the DNS problem. If you read for example the WhoNix privacy article on separating contextual identities or not mixing modes of anonymity then you'll get why having separate external IPs across different connections is a big step forward from a privacy perspective. Or it would be, if the DNS server address wasn't the same for each of them, linking them despite the feature.

    Conclusion: If you're saying that your ambitions for neurorouting are limited to feature 1), then the DNS problem I outlined is not in fact a problem. But it seems to me like features 2) and 3) are low-hanging fruit for adding additional attractive privacy features to your service; as far as I can see, the DNS problem is the only obstacle to both of them being effective privacy features, and fixing this by having the PP-assigned DNS server correspond to the exit node instead of the entry node doesn't seem complicated to my inexpert eyes. I personally subscribed mainly for feature 3), and although I let my subscription time out when I realized it wasn't working as I'd hoped, I'd resubscribe if you got it working. It strikes me that having just feature 1) working makes neurorouting kind of like the HTTPS-everywhere browser extension, except that neurorouting works for non-browser connections but still leaves a small unencrypted gap between the exit node and the destination - it's a cool implementation, but not all that exciting results-wise.

    Regards,
    Graves
     
    Last edited: Jul 3, 2018