Using PIA on networks with 'hostile' DNS (DNS filtering, transparent DNS proxy, etc.)

TL;DR: The OS X desktop client works on some hostile DNS networks where the Android and iOS clients won't.

So first, I just wanted to say I am a happy customer and that I don't have an issue that needs resolving (as in customer support, etc.). However, I have noticed a few networks (while traveling, hotels, etc.) where I can't connect, and I reproduced a similar issue on my home network as an experiment.

The setup:

With my home router running a DHCP server that hands out the OpenDNS FamilyShield DNS servers (208.67.222.123, 208.67.220.123), which block things via DNS filtering... it even blocks this website (most blocked sites give you a pretty block page from OpenDNS, but this site actually shows NET::ERR_CERT_AUTHORITY_INVALID because of the HSTS).

The OS X client connects just fine. :D

The iOS and Android mobile clients, however, show as logged out and will not authenticate or let you log in at all.

You say, "OK, no big deal, just change your device DNS to 8.8.8.8 or something else," right? Sure, on most networks, but I have run into networks running transparent DNS proxies. I set that up on my home network (Peplink router FTW) using service forwarding (Forward Outgoing DNS Requests to Local DNS Proxy), with the DNS resolvers set to those same OpenDNS filtering IPs.

Now, no matter what DNS you want to use on the device, those requests are always forwarded to the DNS servers my router INSISTS I use. This can be done on captive-portal-type wifi and in other situations, I would guess.

dnsleaktest.com is a nice little tool that tells you what DNS you are using from the perspective of the outside world. You can see my router hijacking my DNS (when not using the VPN, that is; with the VPN up, my router can't hijack the DNS). THIS IS NOT A PIA VPN DNS LEAK issue at all, just an issue when trying to get connected to PIA in the first place. Once the tunnel is up, PIA has you covered!

So... just a fun little experiment, and the general question: can the PIA mobile clients be made to 'log in' and connect even in a 'hostile' DNS environment?
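The transparent DNS proxy described above can be detected from the client side with a well-known trick: send a DNS query to an IP address that runs no DNS server at all. On an honest network the query simply times out; on a network that forwards all outgoing port-53 traffic to its own resolver, an answer comes back anyway. The script below is an added example, not code from the original post or from PIA. It assumes 192.0.2.1 (RFC 5737 TEST-NET-1, never routable) as the address that should never answer, 8.8.8.8 as a control resolver, and example.com as the name queried; it uses only the Python standard library and builds the DNS packets by hand. The network probes only run when the file is executed directly; the packet builder, parser and verdict function can be exercised offline with constructed bytes.

```python
"""Detect a transparent DNS proxy (forced resolver) from the client side.

Added example (not from the original post). Technique: query an IP that is
not a DNS server. If a reply arrives, something in the path is intercepting
port 53 and answering on that IP's behalf.
"""
import random
import socket
import struct

BOGUS_RESOLVER = "192.0.2.1"  # assumption: RFC 5737 TEST-NET-1, nothing answers here
REAL_RESOLVER = "8.8.8.8"     # assumption: a public resolver used as the control
TEST_NAME = "example.com"     # assumption: any name that resolves on the real resolver


def build_query(name, txid, qtype=1):
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, list of A-record IPs) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return txid, rcode, answers


def query(server, name, timeout=2.0):
    """Send one UDP query; return a dict describing the reply, or None on timeout."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, (src_ip, _port) = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    rtxid, rcode, answers = parse_response(data)
    if rtxid != txid:
        return None                     # stray packet, not a reply to our query
    return {"from": src_ip, "rcode": rcode, "answers": answers}


def classify(bogus_reply, real_reply):
    """Verdict from the two probes. Any reply from the bogus address is interception."""
    if bogus_reply is not None:
        return "transparent DNS proxy: a non-resolver IP answered the query"
    if real_reply is None:
        return "port 53 to the chosen resolver is blocked or filtered"
    return "no interception detected on UDP port 53"


if __name__ == "__main__":
    bogus = query(BOGUS_RESOLVER, TEST_NAME)
    real = query(REAL_RESOLVER, TEST_NAME)
    print("bogus resolver:", bogus)
    print("real resolver :", real)
    print(classify(bogus, real))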

Comments

  • Interesting observation. I wonder if you access PIA via mobile data before access via wifi. I know here at home if I am using mobile data and then switch to wifi, the connection follows. Maybe it is just me or maybe my android device "thinks" it is connected. I don't know. But none the less, you raise an interesting topic.
    Yes, I have done that. Switch to LTE, connect, then back to wifi. I haven't verified that the connection moves over, but I could just try shutting off LTE data. I'll play with that tonight. That may be somewhat of a workaround, but I know it doesn't always work. Sometimes the connection just acts dead when I do that connection swap dance. Plus I don't always want to have my LTE on in the first place, or I have no LTE or data at all to begin with.

    I am hoping that the client can be improved to just work. And I know that it's possible to set up the VPN connection in more manual ways also, but I like the idea of using the PIA-provided client since they update it and watch for issues and could roll out an important security tweak. Plus I think it's a good idea to reduce the number of customers who have ANY type of manual connection, because it just makes it harder for them to radically shift underlying infrastructure if they need to. The app gives them a nice update delivery system. (I think like that because I work in software myself; that's just smart product management.)
  • So LTE -> PIA connect -> wifi on -> LTE off. Shows as being connected, but no data downloads.

    But if you change your VPN location, that works and data starts to flow. So that's a bit of a workaround.
  • Any thoughts from PIA developers?