Opened 3 years ago

Closed 3 years ago

#659 closed Bug / Defect (fixed)

NCSI reports No Internet with block-outside-dns

Reported by: tunnelboy Owned by:
Priority: major Milestone:
Component: Networking Version: OpenVPN 2.3.10 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: block-outside-dns win7
Cc: valdikss

Description

Hello,

On a Windows 7 laptop, openvpn client 2.3.10 with "block-outside-dns" option enabled interferes with Microsoft NCSI active probing.

As a result, after seconds of establishing the tunnel, Windows assumes there is no Internet connectivity on the native network interface (I tried Wifi and Ethernet). There is Internet connectivity, the problem is that Windows reports a wrong state.

When I disconnect the tunnel, NCSI works well again and Windows reports "Connection to Internet" on the native network adapter, as expected. If I connect with "block-outside-dns" disabled, NCSI works fine as well.

On Windows 10 or Windows 8.1 laptops I haven't seen this problem.

Environment:

OpenVPN 2.3.10 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6]

Windows version 6.1 (Windows 7)

library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.06

Windows Firewall turned off
IPv4 only connectivity

Client configuration:

client
dev tun
comp-lzo yes
ns-cert-type server
remote-cert-tls server
tls-client
resolv-retry infinite
reneg-sec 0
nobind
redirect-gateway           # all traffic, including DNS, is routed into the tunnel
server-poll-timeout 10
dhcp-renew                 # Windows-only: renew the TAP adapter's DHCP lease after connect
dhcp-release               # Windows-only: release the lease on disconnect

Some wireshark findings:

On other Windows versions, I can see the following expected traffic upon connecting to the tunnel:

On the TAP adapter interface

  1. NlaSvc? makes a DNS request to resolve www.msftncsi.com
  2. NlaSvc? receives DNS response
  3. NlaSvc? makes an HTTP request to http://www.msftncsi.com/ncsi.txt
  4. NlaSvc? checks HTTP 200 OK and content of file

On Windows 7, this traffic is missing from TAP adapter or native network adapter.

While connected to the tunnel, I can ping and DNS resolve www.msftncsi.com, dns.msftncsi.com. I can also get the ncsi.txt file manually via browser.

Questions:

How is the filtering of DNS packets outside the TAP adapter interface / generated by other applications than openvpn.exe impacting the NCSI?

Could you clarify why this only happens on windows 7?

Could you propose a solution that doesn't involve shutting down NCSI active probing while tunnel on?

Thanks for looking into this.
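The four probe steps listed above, as an added diagnostic (not OpenVPN or Microsoft code) that mirrors what NCSI does, so a client can be checked from the tunnel side the way the reporter did manually. The DNS and HTTP functions are injectable so the logic runs offline; the expected file body "Microsoft NCSI" is an assumption from general knowledge, not from the ticket.

```python
"""Mirror the NCSI active probe: resolve www.msftncsi.com, fetch ncsi.txt,
check for HTTP 200 and the expected body.  Added example, not OpenVPN code."""
import socket
import urllib.request
from typing import Callable, Dict, Tuple

NCSI_HOST = "www.msftncsi.com"
NCSI_URL = "http://www.msftncsi.com/ncsi.txt"
NCSI_BODY = b"Microsoft NCSI"   # assumed probe-file content, not from the ticket


def probe_ncsi(resolve: Callable[[str], str],
               fetch: Callable[[str], Tuple[int, bytes]]) -> Dict[str, object]:
    """Run the probe steps with injectable DNS and HTTP functions and return
    each step's outcome plus the verdict NCSI would reach."""
    result: Dict[str, object] = {"dns": False, "http": False, "body": False,
                                 "verdict": "no internet"}
    try:
        addr = resolve(NCSI_HOST)            # steps 1-2: DNS request and response
    except OSError as exc:
        result["error"] = f"dns: {exc}"      # e.g. the query was dropped/blocked
        return result
    result["dns"] = bool(addr)
    try:
        status, body = fetch(NCSI_URL)       # step 3: HTTP request
    except OSError as exc:
        result["error"] = f"http: {exc}"
        return result
    result["http"] = status == 200           # step 4a: HTTP 200 OK ...
    result["body"] = body.strip() == NCSI_BODY   # step 4b: ... and file content
    if result["http"] and result["body"]:
        result["verdict"] = "internet"
    return result


def _real_fetch(url: str) -> Tuple[int, bytes]:
    """Live HTTP fetch used when the script is run as a diagnostic."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # With the tunnel up, this shows which probe step fails (if any).
    print(probe_ncsi(socket.gethostbyname, _real_fetch))
```

Running it with the tunnel up and down, and with block-outside-dns on and off, isolates whether the DNS step or the HTTP step is what NCSI cannot complete.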

Change History (6)

comment:1 Changed 3 years ago by Gert Döring

You don't strictly *need* --block-outside-dns on win7 - this is more a hack for win8 and later versions, as their DNS resolvers are just braindead. So I'd just not use it.

comment:2 Changed 3 years ago by Gert Döring

Cc: valdikss added

comment:3 Changed 3 years ago by tunnelboy

I enabled it to prevent DNS leaks when there is IPv6 connectivity on Windows 7. I've observed that on scenarios with an ISP-provided DNS server that has an IPv6 address, windows 7 prefers sending DNS requests to that one instead of the DNS server inside the tunnel (this one has only IPv4 address). Since the block-outside-dns also blocks IPv6 requests I wanted to give it a try.

To clarify: Described behaviour happens under IPv4 only connectivity. Didn't have a chance to try on IPv4, IPv6.

So should I stay away from enabling block-outside-dns on Windows 7?

Thanks

Last edited 3 years ago by tunnelboy

comment:4 Changed 3 years ago by selvanair

Have you tried this hotfix for win7 that appears to fix something similar?
https://support.microsoft.com/en-us/kb/2964643

comment:5 Changed 3 years ago by tunnelboy

Hi selvanair,

I've tried it, and it solves the problem, thanks a lot!

comment:6 Changed 3 years ago by Gert Döring

Resolution: fixed
Status: new → closed

@selvanair: thanks for researching this and adding a pointer to this hotfix - with that, I think we can close this trac ticket, as it's really outside the scope of OpenVPN *and* a proper fix is referenced. Yay :-)
