Jump to content

Torguard and DNS intercept

Rate this topic


Recommended Posts


Looks like that Torguard's VPN servers have implemented a DNS intercept mechanism via firewall. Basically every DNS query directed to any DNS resolver is now redirected to Torguard's own resolver. The correct behavior would be to route the DNS query through the VPN to the intended destination.


This breaks any setup with a local (i.e. domestic) DNS cache and resolver, because the intercept occurs whether the DNS queries have the recurse flag set or not.


I have created a support ticket, but support claim there's no any DNS intercept in place. Unfortunately they are wrong.


Here I am tracing the path to Google's main DNS resolver, using UDP and port 53, to trick the firewall into believing it is seeing a DNS query:

traceroute to (, 30 hops max, 53 byte packets
 1  google-public-dns-a.google.com (  26.863 ms  116.366 ms  53.804 ms
According to the output, the endpoint of Torguard's VPN is Google's DNS resolver  :D
Let's try this with OpenDNS
dig +short which.opendns.com txt @ +tcp
"I am not an OpenDNS resolver."
(it is the standard test provided by OpenDNS to check if your ISP intercepts DNS queries, and torguard fails it).
More evidence:
dig www.google.com @ +short
The above is asking to provide the answer to a DNS query. And it does, which should be impossibile, because can't answer any DNS query because it is NOT a DNS server. Hence it is obvious that the answer comes from somewhere else (i.e. torguard's VPN server).
I really hope support fix it, because if I considered acceptable that a 3rd party could hijack and/or mess with DNS queries I wouldn't be using a secure VPN connection in the first place.
Link to post
Share on other sites

+1 here, i'm running unbound and I've noticed whatever they are doing is also breaking dnssec checks, i'm not really sure how it's broken it yet but unless i set val-permissive-mode to yes none of my dns requests come back.

Link to post
Share on other sites



We have a system we implemented for DNS over the last week or so, we use a local DNS resolver on every endpoint, i.e. they directly find out information about the root servers, top level domains and authoritative name servers. we are taking in all the feedback and making changes as needed.


We wil have a fix for most of these very soon and will give you the "option" to use these on our software.



Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...