Re: [Openvpn-users] OpenVPN security question

  • Subject: Re: [Openvpn-users] OpenVPN security question
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Wed, 16 Jan 2008 03:31:07 +0100

bart wrote:
> I have just two last questions:
> 1)  Previous posts indicate that my employer is less likely to notice my surf
> history if only the company DNS is used and not the company gateway. Can you
> please describe this a bit more to someone who doesn't have a sys admin
> background? Why is it easier for them or more likely for them to examine gateway
> traffic than DNS lookups?
Let's pretend I am an evil sys admin at your company :-)
If I want to know what you've been doing at home I would make sure all 
your traffic gets routed through the company gateway, so I can see which 
pages you have downloaded from a particular site.
The DNS server logs will show only which web host names you have 
requested and not WHAT you have done with those web host names. You 
could do something like
  nslookup www.competitor1.com
  nslookup www.competitor2.com
  nslookup www.monsterboard.com
and from the DNS logs I would not be able to tell whether you simply did 
an nslookup or whether you actually visited the site.
Also, DNS server logs tend to be HUGE, with no easy filtering on which 
client requests which hostname. So, in theory, I could trace which 
hostnames you have been looking up (and perhaps visiting) but it would 
be much more of a hassle than if I "simply and accidentally" redirected 
all your traffic through the company gateway, where I can do more 
filtering and see much more about what you're doing at home.
> 2) If they were to examine DNS logs and find something they didn't like, would
> these logs definitively show that I accessed these sites from my home PC and not
> from work? Would they even definitely know it had been from my home PC, and not
> from someone else using OpenVPN?
The DNS log will show the client IP that requested a hostname, plus a 
timestamp in most cases. I (remember, I'm in evil sys admin mode ;-)) 
could then combine this info with the openvpn server logs to determine 
that you were using that particular client IP at the time. So yes, if I 
really wanted to, I could list all sites that you have looked up through 
DNS. Again, I would not be able to tell if you merely did an 'nslookup' 
or if you actually visited the site.
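The correlation Jan Just describes in his second answer, as an added example that is not part of the original thread and not OpenVPN's own code: it joins a DNS query log against a VPN session log on client IP and timestamp, so each lookup is attributed to whoever held that VPN address at that moment. Both log formats are constructed approximations (the VPN log uses a simplified connect/disconnect line, the DNS log mimics the style of a BIND query log), the usernames and addresses are made up, and the 02:47 query lands in the gap after one user disconnects and before the pool address is handed to the next user, which is exactly the case where matching on IP alone would blame the wrong person. As the reply says, the result only shows which names were resolved, not whether a site was visited.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real logs). Simplified VPN session events:
# "<date> <time> CONNECT|DISCONNECT <user> <assigned client IP>".
VPN_LOG = """\
2008-01-16 02:10:05 CONNECT bart 10.8.0.6
2008-01-16 02:10:40 CONNECT alice 10.8.0.10
2008-01-16 02:45:00 DISCONNECT bart 10.8.0.6
2008-01-16 02:50:00 CONNECT carol 10.8.0.6
"""

# Constructed DNS query log in a BIND-like style: client IP#port and queried name.
DNS_LOG = """\
16-Jan-2008 02:12:31.102 client 10.8.0.6#51234: query: www.competitor1.com IN A +
16-Jan-2008 02:13:02.455 client 10.8.0.10#40001: query: intranet.example.com IN A +
16-Jan-2008 02:14:10.001 client 10.8.0.6#51240: query: www.monsterboard.com IN A +
16-Jan-2008 02:47:00.000 client 10.8.0.6#51290: query: www.example.org IN A +
16-Jan-2008 02:55:00.777 client 10.8.0.6#51301: query: www.competitor2.com IN A +
"""

VPN_RE = re.compile(r"^(\S+ \S+) (CONNECT|DISCONNECT) (\S+) (\S+)$")
DNS_RE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) IN ")


def parse_sessions(vpn_log):
    """Turn connect/disconnect lines into (user, ip, start, end) tuples.
    end is None for a session still open at the end of the log."""
    open_sessions = {}  # ip -> (user, start)
    sessions = []
    for line in vpn_log.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event, user, ip = m.group(2), m.group(3), m.group(4)
        if event == "CONNECT":
            open_sessions[ip] = (user, ts)
        elif ip in open_sessions and open_sessions[ip][0] == user:
            user, start = open_sessions.pop(ip)
            sessions.append((user, ip, start, ts))
    for ip, (user, start) in open_sessions.items():
        sessions.append((user, ip, start, None))
    return sessions


def parse_queries(dns_log):
    """Extract (timestamp, client_ip, hostname) from query-log lines."""
    queries = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        queries.append((ts, m.group(2), m.group(3)))
    return queries


def attribute_queries(vpn_log, dns_log):
    """Map each DNS query to the VPN user holding that client IP at that time.
    A query whose IP has no active session at that instant is returned as
    'unattributed': pool addresses are reused, so IP alone is not an identity."""
    sessions = parse_sessions(vpn_log)
    result = []
    for ts, ip, host in parse_queries(dns_log):
        owner = "unattributed"
        for user, sip, start, end in sessions:
            if sip == ip and start <= ts and (end is None or ts < end):
                owner = user
                break
        result.append((ts, ip, host, owner))
    return result


def hostnames_by_user(vpn_log, dns_log):
    """Per-user list of hostnames looked up. This shows only what was
    resolved, not whether the site was actually visited."""
    by_user = defaultdict(list)
    for _, _, host, owner in attribute_queries(vpn_log, dns_log):
        by_user[owner].append(host)
    return dict(by_user)


if __name__ == "__main__":
    for user, hosts in sorted(hostnames_by_user(VPN_LOG, DNS_LOG).items()):
        print(f"{user}: {', '.join(hosts)}")
```

Run as-is and it prints one line per user; the www.example.org lookup comes out as "unattributed" because nobody held 10.8.0.6 between bart's disconnect and carol's connect. The time-window join is the whole point: an audit that keys on IP alone would credit that lookup to whichever user happened to be assigned the address later.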