PureOS default DNS settings, Google?

Does default PureOS use Google DNS servers?

I downloaded PureOS 10, verified it and put it on a USB. Then I booted my computer to the PureOS live USB. I connected an ethernet cable from the computer directly to my ISP provided modem (which is a simple cable modem, not one of those fancy ISP modem+router+wifi boxes).

Then I went to six different DNS leak test websites, and they all show that I am using some Google DNS servers and some DNS servers of my ISP.

Why do the DNS leak test sites show some Google DNS servers? Does PureOS cause this in some way? Does it fall back on Google DNS servers or something?

Thanks

A live boot environment, almost by definition, has to use DHCP rather than a static IP address. So you would want to check whether that is the case and, if so, where the DHCP server is running and how the DHCP server is configured, i.e. what it is handing out (in particular what DNS server it is handing out).

I’m not sure that this will work for you but the incantation is

resolvectl status

and in the output from that it will list such things as Current DNS Server and DNS Servers so you can at least start to verify whether you are using a Google DNS server.

It is difficult to debug someone else’s network without knowing how it is set up but if you truly have a single computer connected directly to the internet via a simple cable modem then it is possible that you are getting DNS servers from your ISP alone.

However I have seen “simple” cable modems that are actually not quite so simple, so that they themselves intervene in your connection to the internet i.e. you would have to rule out that the cable modem is handing out the offending DNS server.


This here used to be my setup. Basic modem/router to ISP had me using ISP DNS. I am now using an anonymous DNS service.

Isn’t this dangerous?

Not sure but it might be the default systemd fallback DNS that gets used:

Quoting a comment by poettering (systemd author) there:

we currently use cloudflare and google as upstream defaults. There’s a build time option to change these defaults and we invite downstreams to make use of that to adjust these servers to what’s most suitable to their userbase. Moreover, users can depart from that too.

Anyway, let’s close this, as this is really just a default if downstreams don’t specify anything explicitly. If you are unhappy with the choice your downstream distro made, please talk to them. Thank you for understanding.

So according to him a downstream distro (e.g. PureOS) should specify something explicitly if they do not like the systemd default which is Google.

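The two checks suggested in this thread, what the DHCP lease handed out and whether the systemd-resolved fallback list is in play, both come down to reading the resolver configuration off the host and recognising the addresses. The script below is an added example, not PureOS, NetworkManager or systemd code. It assumes the Google and Cloudflare lists are the well-known public resolver addresses; the SAMPLE text is constructed to look like `resolvectl status` output and is not from the poster's machine, with 192.0.2.x (documentation address space) standing in for an ISP's resolvers.

```shell
#!/bin/sh
# Added example (not PureOS, NetworkManager or systemd code): list the DNS
# servers a Linux host is configured with and flag those that are Google's
# or Cloudflare's, the two upstream fallback families the thread discusses.
# Assumed: the address lists below are the well-known public resolver
# addresses; SAMPLE is constructed to mimic `resolvectl status` output.

GOOGLE_DNS="8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844"
CLOUDFLARE_DNS="1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001"

# classify_dns ADDR -> prints google | cloudflare | other.
# Strips a "#server.name" suffix (newer resolvectl) and a "%iface" scope id.
classify_dns() {
    addr=${1%%#*}
    addr=${addr%%[%]*}
    case " $GOOGLE_DNS " in *" $addr "*) echo google; return 0 ;; esac
    case " $CLOUDFLARE_DNS " in *" $addr "*) echo cloudflare; return 0 ;; esac
    echo other
}

# extract_dns_servers: stdin is resolvectl-status-style text; prints one
# address per line from "Current DNS Server:", "DNS Servers:" and
# "Fallback DNS Servers:" entries, in both the one-line and the older
# one-address-per-line layout.
extract_dns_servers() {
    awk '
        /^[[:space:]]*(Current DNS Server|DNS Servers|Fallback DNS Servers):/ {
            sub(/^[^:]*:[[:space:]]*/, "")
            for (i = 1; i <= NF; i++) print $i
            collecting = 1
            next
        }
        collecting && /^[[:space:]]*[0-9A-Fa-f]+[.:][0-9A-Fa-f.:]*([#%][^[:space:]]+)?[[:space:]]*$/ {
            print $1
            next
        }
        { collecting = 0 }
    '
}

# report_dns: stdin as above; prints "<address> <class>" per server.
report_dns() {
    extract_dns_servers | while IFS= read -r s; do
        printf '%s %s\n' "$s" "$(classify_dns "$s")"
    done
}

# count_class CLASS: how many servers in the text on stdin fall in CLASS.
count_class() {
    report_dns | awk -v c="$1" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample: the DHCP lease carries two ISP resolvers (192.0.2.0/24
# is documentation address space) while the compiled-in fallback still lists
# Cloudflare and Google.
SAMPLE='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 192.0.2.53
       DNS Servers: 192.0.2.53 192.0.2.54
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com
                      2001:4860:4860::8888#dns.google

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.0.2.53
       DNS Servers: 192.0.2.53 192.0.2.54'

# live_report: inspect this host. When systemd-resolved is not running (the
# resolve1 unit error seen in the thread) resolvectl cannot answer, so fall
# back to the nameserver lines of /etc/resolv.conf, which glibc uses directly.
live_report() {
    if resolvectl status >/dev/null 2>&1; then
        resolvectl status | report_dns
    else
        sed -n 's/^nameserver[[:space:]]*//p' /etc/resolv.conf |
        while IFS= read -r s; do
            printf '%s %s\n' "$s" "$(classify_dns "$s")"
        done
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_report
else
    printf '%s\n' "$SAMPLE" | report_dns
fi
```

Run it without arguments to see the classification of the sample; `sh dnscheck.sh --live` inspects the current host instead. Two caveats go with the output. The compiled-in FallbackDNS list only matters when systemd-resolved is the resolver actually in use (and it can be overridden with `FallbackDNS=` in `/etc/systemd/resolved.conf`), so a host whose resolve1 unit is absent is not using it at all. And a web leak test never sees the client's configuration: it records which recursive resolvers query its authoritative servers, so an ISP resolver that forwards some queries to Google shows up as Google even when the host is configured with ISP addresses only.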

Well, um, I’m pretty sure PureOS would not approve of a default of Google.

The safest default is not to allow a default DNS server at all and instead to do full traversals from the DNS root servers (with caching of course). I get that a tiny embedded device might not want to do that but that wouldn’t apply to any of Purism’s current hardware (and by tiny I’m talking well below, say, even the most entry level Raspberry Pi).

I’m unclear on why systemd wants a default DNS server at all.

You of course do want something that will work out-of-the-box in the widest possible set of circumstances.

If it is really picking up the systemd default then that suggests that the OP’s network environment is not working properly.

Yes and no.

It depends what any other hypothetical intervening device (typically a router) would be doing. In particular, if you are using IPv6 then you don’t get the default firewalling that IPv4 NAT gives you anyway. However if your router would have a half-decent explicit firewall then, yes, you just lost that potential protection.

Theoretically you could still have an intervening Layer 2 device (switch) doing Layer 3 and/or Layer 4 filtering - but that wouldn’t apply to most users I would think.

So, yes, you would really really want to have firewall software installed and configured on the single computer if you use that network configuration - and that is doubly dangerous if you then do USB live boot - because you might have working firewall software when you boot normally but not when you do USB live boot.

Some ISPs provide really basic firewalling by default e.g. block Microsoft file sharing ports by default and you need to visit the ISP’s web site to maintain your account in order to disable that. That might not help Linux users - and it depends completely on what your ISP offers.
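The post above argues that a host on the modem's Ethernet port needs its own firewall, and that a USB live boot will not have the one configured on the installed system. The following is an added example, not code from the thread or from PureOS, of the minimal host ruleset that situation calls for, written for nftables. It assumes the `nft` binary is present and that applying runs as root; the rules name no interface, so they do not depend on what the live session calls the wired port.

```shell
#!/bin/sh
# Added example, not code from the thread or from PureOS: a minimal nftables
# ruleset for a single Linux host plugged straight into a cable modem, where
# nothing upstream filters inbound traffic. Assumes the nft binary and root
# privileges when applying; rules are interface-agnostic, so no interface
# name is needed.

# ruleset: print the ruleset. Inbound policy is drop; only loopback, replies
# to our own connections, a few ICMPv4 diagnostics, the ICMPv6 types IPv6
# needs, and DHCP/DHCPv6 client replies are let in. "flush ruleset" replaces
# whatever is loaded, so merge rather than copy this onto a host that already
# has tables.
ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # IPv4 diagnostics and PMTU
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        # IPv6 neighbour discovery, router advertisements and PMTU
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        # DHCP replies: the v4 OFFER may be broadcast, so conntrack does not
        # pair it with our request; DHCPv6 answers come from link-local
        udp sport 67 udp dport 68 accept
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
        # Anything left is counted and then dropped by the chain policy
        counter
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# input_policy_is_drop: true when the ruleset text closes the input hook by default.
input_policy_is_drop() {
    ruleset | grep -q 'hook input priority 0; policy drop;'
}

# check_ruleset: let nft parse the ruleset without loading it.
# Returns 1 when nft is absent so "not checked" is distinguishable from "rejected".
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 1
    ruleset | nft -c -f -
}

# apply_ruleset: load it atomically (root). Run this in the live session too:
# a USB live boot does not carry the firewall configured on the installed OS.
apply_ruleset() {
    ruleset | nft -f -
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    --check) check_ruleset ;;
    *)       ruleset ;;
esac
```

`sh hostfw.sh --check` asks nft to parse the ruleset, `sudo sh hostfw.sh --apply` loads it, and without a flag it only prints it. The output chain is left open on purpose: outbound filtering is a separate question from the missing inbound protection the post is about. On a host that gets an IPv6 address from the ISP, the icmpv6 rule is what keeps neighbour discovery and router advertisements working once the default policy drops everything else; drop it and the link may lose its IPv6 default route without any obvious error.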

The PureOS live boot environment does use DHCP. The DHCP server belongs to my ISP. Normally it assigns an IP to my router, which is normally what is plugged into the modem. But for the purpose of this troubleshooting, to rule out the router as the cause of the issue, I don’t use the router. Instead I plug the computer directly into the modem.

resolvectl status
gives the output:
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found.

However when I go into the wired network settings it shows the DNS servers that got handed out. They are the known listed primary and secondary DNS servers of my ISP.

But then when I visit any DNS leak test website, the results show some instances of those ISP DNS servers and some instances of DNS servers with IPs belonging to Google.

For this troubleshooting I truly do have a single computer connected directly to the internet via a simple cable modem.

Just to be clear, my modem is not a “modem/router”. It has one ethernet port, and no wifi.

Yes. It’s not my usual setup, I’m just doing it to troubleshoot. Normally I use a router.

Well, does PureOS specify their own default with the build time option? Or do they just use the Google DNS default?

Can you give a definitive example? … so that I can test my own computer.

What difference does this even make? You still connect to your ISP which is able to see all your traffic requests, your IP and they likely log everything anyway as per three letter agencies.

At least two things.

  1. IPv4 NAT gives an implicit firewall
  2. If you are trying to track down how the IP address is getting set and, more specifically, how the DNS server IP address is getting set then it surely makes a difference what the nature of the intervening network equipment is. Bridge. Half-bridge. Router. …

I would love to learn more, do you have a source of learning material on this topic specifically that you recommend? Thanks!

Just getting in there and doing it … and the corollary to that: make sure that you have more than one computer so that if you break one then you still have a working one and one that might help to fix the one you broke. ;-)


PS The corollary to the corollary is … do backups!
