DNS leak turns neurorouting into ordinary single-hop VPN

Discussion in 'Services - Questions & Answers (Q&A)' started by Graves, Jun 10, 2018.

  1. G

    Graves New Member

    TLDR: While using neurorouting, your DNS requests are made through a DNS server that is persistently and geographically associated with the Perfect Privacy (PP) server the user first connects to, rather than with the PP server that the user exits the PP network from and gets their external IP address from. This means that to any website/destination that bothers to check your DNS, all of the additional server hops that neurorouting routes you through might as well not have happened; neither the multi-hop benefits nor the 'you get a different IP for every connection you make' benefits of neurorouting are effective this way.

    Long version copy-pasted from reddit:
    I recently registered for a month of Perfect Privacy VPN to try out their neurorouting feature, about which I was very enthusiastic. Neurorouting functions as a dynamic optimized multi-hop configuration. You turn it on and connect to a server, which then functions as your entry server, and once within the perfect privacy network they will flexibly route your request through another 2+ of their servers to get you as geographically close to the destination address of each individual connection attempt as possible. This has the usual benefits of multi-hop, and keeps your traffic safer and encrypted within the PP network for as much of the distance as possible.

    But most importantly, neurorouting means you have a different external IP for each connection you make*, even if you run a whole bunch of simultaneous connections. This is a major privacy improvement over a traditional VPN, because now the browser tab in which you open your email and the connection that your antivirus has running to its update servers can't be correlated to the browser tab in which you browse your privacy-sensitive websites. This is pretty major if you like to have different tabs open, or simultaneously download your email for several addresses that you don't want linked to each other, or anything like that. Even Tor doesn't offer this, requiring you to close one connection and start a new identity before opening the next if you don't want two accounts linked to each other.

    Or so I hoped. But running their service and doing a few standard VPN tests, it turns out that even with neurorouting turned on and DNS leaks blocked by the usual means, perfect privacy will always send your DNS requests through a DNS server that is persistently linked to the perfect privacy entry server you connected to, and most of the time in the same country as it too.

    So instead of having an ordinary VPN that leaks your real ISP through your DNS requests as with ordinary DNS leaks, you have an expensive VPN with a cutting edge dynamic multi-hop feature that is effectively reduced to an ordinary single-hop VPN because it'll always give you the same DNS server even as it dynamically adjusts your external IP.

    As I understand it, the way neurorouting should work is that to anyone you connect to on the internet, you look indistinguishable from anyone else in the group of neurorouting-enabled perfect privacy users, as well as from any neurorouting-disabled perfect privacy users that happen to connect through the same perfect privacy exit server through another type of config. But with this leak, instead to any website using DNS-leak checks, your traffic can be narrowed down as coming from the much smaller group of neurorouting-enabled perfect privacy users who happen to have your particular entry server selected. Effectively, you'll be several times more recognizable than you would be if you hadn't had neurorouting enabled at all**.

    I mailed at length with perfect privacy customer support about this, but they don't seem to understand why this presents a serious problem with their feature, so now I'm posting here to warn anyone else interested in the neurorouting feature for the same reasons I was.

    *Strictly speaking, you don't have a different IP for each connection you run, but rather for each of many geographical areas of the world defined by their nearest proximity to a single perfect privacy server.

    ** I know that any VPN worth their salt will assign you an exit IP shared by several other users, somewhat mitigating the risk of having simultaneous connections linked to each other. I also know about browser fingerprinting and similar tricks that can be used in addition to tracking your IP and DNS to try to narrow down your identity to track it across different connections. While important, I don't think those things matter much here because this post is about a problem affecting the added value of having this expensive VPN with neurorouting enabled.
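
The anonymity-set argument from the first post, worked through as an added example that is not part of the thread. It assumes, as that post reports, that the resolver always follows the entry server while a neurorouting exit follows the destination; the user counts are constructed, and the function names are hypothetical.

```python
# Constructed population: (entry_server, neurorouting_enabled) -> user count.
# Server names come from the thread; the counts are invented for illustration.
POPULATION = {
    ("Steinsel", True): 40, ("Steinsel", False): 200,
    ("Amsterdam", True): 60, ("Amsterdam", False): 300,
    ("Rotterdam", True): 30, ("Rotterdam", False): 150,
    ("Oslo", True): 20, ("Oslo", False): 100,
}

def observed(entry, neuro, exit_near_dest):
    """What a destination can see for one user: (exit server, resolver location).

    Assumption from the first post: the resolver is tied to the entry server,
    while the exit is chosen per destination only when neurorouting is on.
    """
    exit_server = exit_near_dest if neuro else entry
    return exit_server, entry

def anonymity_set(entry, neuro, exit_near_dest, use_dns):
    """Count users who produce the same observation as the given user."""
    mine = observed(entry, neuro, exit_near_dest)
    total = 0
    for (other_entry, other_neuro), count in POPULATION.items():
        theirs = observed(other_entry, other_neuro, exit_near_dest)
        # Without a DNS check only the exit server is compared.
        same = theirs == mine if use_dns else theirs[0] == mine[0]
        if same:
            total += count
    return total

def linkable(obs_a, obs_b):
    """True when two sessions show different exits but the same resolver."""
    return obs_a[0] != obs_b[0] and obs_a[1] == obs_b[1]

if __name__ == "__main__":
    ip_only = anonymity_set("Steinsel", True, "Rotterdam", use_dns=False)
    with_dns = anonymity_set("Steinsel", True, "Rotterdam", use_dns=True)
    plain_vpn = anonymity_set("Steinsel", False, "Rotterdam", use_dns=True)
    print(f"neurorouting, exit IP only:       {ip_only} users")
    print(f"neurorouting, exit IP + resolver: {with_dns} users")
    print(f"single hop, exit IP + resolver:   {plain_vpn} users")
    a = observed("Steinsel", True, "Rotterdam")
    b = observed("Steinsel", True, "Oslo")
    print("two sessions linkable via resolver:", linkable(a, b))
```
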
     
  2. ItsFe

    ItsFe Member

    I just tested this on ipx.ac and these were my results. I connected to Steinsel, and ipx.ac tells me my IPv4 address is from the Netherlands. The IPv6 address is still the same, but Neurorouting for IPv6 will be enabled soon (according to the PP team).
    The issue with the DNS does exist, but I also ran into another problem - the WebRTC check detects an IP from Norway.

    Entry Node: Steinsel, Luxembourg
    IPv4: Rotterdam, Netherlands (which is fine)
    IPv6: Steinsel
    DNS: Steinsel
    WebRTC: Oslo, Norway
     
  3. PP Lars

    PP Lars Staff Member

    That's because ipx.ac is hosted somewhere near Amsterdam. If you check our checkip.perfect-privacy.com with neurorouting you will see either Frankfurt or Amsterdam, because that's where our 2 checkip servers are located.

    That's also most likely correct. WebRTC uses, for example, Mozilla's public STUN servers, so you see an IP close to the STUN server that was used to initialize the WebRTC connection. That might well be Norway.

    Neurorouting works on an IP basis. If you connect to any IP, your connection is routed to an exit node near that IP.
    So your assumption that "the user gets an external IP" is wrong. Your packets are routed to different external IPs depending on their target address.

    No, that's not the point of neuro-routing. The point is to reduce the "flight time" of packets on the normal, unencrypted internet, not to prevent the target website from guessing your entry server. If you want that, use multi hop.
    So let's say you are connected to Amsterdam, but visit a crappy unencrypted website in Australia. With a normal VPN, your packets travel through all countries between Amsterdam and Australia unencrypted, and everybody in between could spy on or manipulate that connection. With neuro routing you get as close as possible with a well encrypted connection, no matter what.

    It does not. Multi hop and Neuro Routing are 2 different things protecting from different attacks.
    Multihop protects well against:
    - Attacker spying on input and output of one VPN server to correlate traffic
    - Websites trying to guess your entry node
    - Single compromised PP server
    Neurorouting protects against the scenario described above and gives some anti geo blocking comfort because you most likely exit in the correct country.


    If you want everything, use multihop + neurorouting. :)

    Regards
    Lars
     
    ItsFe likes this.