Browsers use the Domain Name System (DNS) to bridge the gap between internet IP addresses (numbers) and website domain names (words).
When a web name is entered, it is sent first to a DNS server where the domain name is matched to the associated IP address so that the request can be forwarded to the correct computer.
This is a huge problem for privacy since all standard internet traffic must pass through a DNS server where both the sender and destination are logged.
That DNS server usually belongs to the user’s ISP, and is under the jurisdiction of national laws. For example, in the UK, information held by ISPs must be handed to law enforcement on demand. Similar happens in the USA, but with the added option for the ISP to sell the data to marketing companies.
While the content of communications between the user’s local computer and the remote website can be encrypted with SSL/TLS (it shows up as ‘https’ in the URL), the sender and recipient addresses cannot be encrypted. As a result, every destination visited will be known to whoever has legal (or criminal) access to the DNS logs – that is, under normal circumstances, a user has no privacy over where he goes on the internet.
VPNs are designed to solve this problem by creating a gap between the user’s computer and the destination website. But they don’t always work perfectly. A series of issues means that in certain circumstances the DNS data can leak back to the ISP and therefore into the purview of government and marketing companies.
The problems are known as DNS leaks. For the purpose of this discussion on DNS leaks, we will largely assume that your VPN uses the most common VPN protocol, OpenVPN.
What is a DNS leak?
A VPN establishes an encrypted connection (usually called a ‘tunnel’) between your computer and the VPN server; and the VPN server sends your request on to the required website. Provided the VPN is working correctly, all your ISP will see is that you are connecting to a VPN – it cannot see where the VPN connects you. Internet snoopers (government or criminal) cannot see any content because it is encrypted.
A DNS leak occurs when something unintended happens, and the VPN server is bypassed or ignored. In this case, the DNS server operator (often your ISP) will see where you are going on the internet while you believe he cannot.
This is bad news, since it defeats the purpose of using a VPN. The content of your web traffic is still hidden (by the VPN’s encryption), but the most important parts for anonymity – your location and browsing data – are left unprotected and most likely logged by your ISP.
How to tell if my VPN has a DNS leak?
There’s good news and bad news for detecting a DNS leak. The good news is that checking whether your VPN is leaking your DNS requests is quick, easy and simple; the bad news is that without checking, you’re unlikely to ever know about the leak until it’s too late.
There are many in-browser tools to test whether your VPN has a DNS or other form of data leak, including some made by VPN providers such as AirVPN or VPN.ac. If you’re not sure what to do, you could simply go to ipleak.net while you believe your VPN to be operational. This site will automatically check for a DNS leak (and, incidentally, provides a lot more information as well).
- Enter ipleak.net into your browser’s address bar.
- Once the web page loads, the test begins automatically and you will be shown an IP address.
- If the address you see is your IP address and shows your location, and you are using a VPN, this means you have a DNS leak. If your VPN’s IP address is shown, then it’s working normally.
If possible, it’s a good idea to test with multiple online checkers.
Figure 1 shows ipleak.net used with a badly configured VPN. It returns the correct IP address. This is a DNS leak.
Figure 2 shows ipleak used with ExpressVPN configured to use a Belgian server (ExpressVPN lets you select from a range of different countries). There is no DNS leak apparent.
For most users, performing this check before continuing to browse other sites will be sufficient. For some users, this won’t be a perfect solution, as it requires you to connect to the internet and send DNS requests to access the checker tools.
It is possible to test for DNS and other leaks without using one of these websites, although it requires you to know your own IP address and how to use the Windows command prompt, It also requires a trusted test server for you to ‘ping’ directly; this could be a private server you know and trust, or one of the following public test servers:
To do this, open the command prompt (go to the start menu, type “cmd” and press Enter), and then enter the following text:
- ping [server name] -n 1
Replace [server name] with the address of your chosen test server (for example “ping whoami.akamai.net -n 1”), and press Enter. If any of the IP addresses found in the resulting text match your personal or local IP, it’s an indicator that a DNS leak is present; only your VPN’s IP address should be shown.
Figure 3 shows the result with ExpressVPN running. Notice that the only IP address returned is the Belgian IP as shown in Figure 2. There is no DNS leak apparent.
If you find that that your VPN has a DNS leak, it’s time to stop browsing until you can find the cause and fix the problem. Some of the most likely causes of a DNS leak and their solutions are listed below.
DNS Leaks Problems and Solutions
The Problem #1: Improperly configured network
This is one of the most common causes of DNS leakage for users who connect to the internet through different networks; for example, someone who often switches between their home router, a coffee shop’s WiFi and public hotspots. Before you connect to your VPN’s encrypted tunnel, your device must first connect to the local network.
Without the proper settings in place you can be leaving yourself open to data leaks. When connecting to any new network, the DHCP settings (the protocol that determines your machine’s IP address within the network) can automatically assign a DNS server to handle your lookup requests – one which may belong to the ISP, or one that may not be properly secured. Even if you connect to your VPN on this network, your DNS requests will bypass the encrypted tunnel, causing a DNS leak.
In most cases, configuring your VPN on your computer to use the DNS server provided or preferred by your VPN will force DNS requests to go through the VPN rather than directly from the local network. Not all VPN providers have their own DNS servers though, in which case using an independent DNS server such as OpenDNS or Google Public DNS should allow DNS requests to go through the VPN rather than directly from your client machine. Unfortunately, changing the configuration in this way depends a great deal on your specific VPN provider and which protocol you’re using – you may be able to set them to automatically connect to the correct DNS server no matter which local network you connect to; or you may have to manually connect to your preferred server each time. Check the support for your VPN client for specific instructions.
If you have to manually configure your computer to use a chosen independent DNS server, you can find step-by-step instructions in the section ‘Change your settings to a trusted, independent DNS server’ below.
The Problem #2: IPv6
Usually, when you think of an IP address, you think of a 32-bit code consisting of 4 sets of up to 3 digits, such as 220.127.116.11 (as described above). This is IP version 4 (IPv4), currently the most common form of IP address. However, the pool of available unused IPv4 addresses is getting very small, and IPv4 is being replaced (very slowly) by IPv6.
IPv6 addresses consist of 8 sets of 4 characters, which can be letters or numbers, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The internet is still in the transition phase between IPv4 and IPv6. This is creating a lot of problems, especially for VPNs. Unless a VPN explicitly has IPv6 support, any request to or from your machine sent over IPv6 – or sent using a dual-stack tunnel to convert IPv4 to IPv6 (see Teredo below) – will completely bypass the VPN tunnel, leaving your personal data unprotected. In short, IPv6 can disrupt up your VPN without you being aware of it.
Most websites have both IPv6 addresses and IPv4 addresses, though a significant number are still IPv4-only. There are also a few websites which are IPv6 only. Whether your DNS requests are for IPv4 or IPv6 addresses will usually depend on your ISP, your network equipment (such as wireless router) and the specific website you’re trying to access (with implementation of IPv6 still incomplete, not all users will be able to access IPv6-only websites). The majority of DNS lookups will still be IPv4, but most users will be unaware of whether they are making IPv4 or IPv6 requests if they are able to do both.
A study by researchers from Sapienza University of Rome and Queen Mary University of London in 2015 examined 14 commercial VPN providers, and found that 10 of them – a disturbingly high proportion – were subject to IPv6 leaks.
- Hotspot Shield Elite
While IPv6 leakage is not strictly the same as a standard DNS leak, it has much the same effect on privacy. It is an issue that any VPN user should be aware of.
If your VPN provider already has full support for IPv6 traffic, then this kind of leak shouldn’t be a problem for you. Some VPNs without IPv6 support will instead have the option to block IPv6 traffic. It’s recommended to go for an IPv6-capable VPN in any case, as dual-stack tunnels could conceivably still bypass an IPv6 block. (See Teredo below.) The majority of VPNs, unfortunately, will have no provision made for IPv6 and therefore will always leak IPv6 traffic. Make sure you know before using a commercial VPN whether they have made provisions for IPv6, and only choose one which has full support for the protocol.
The Problem #3: Transparent DNS Proxies
Some ISPs have adopted a policy of forcing their own DNS server into the picture if a user changes their settings to use a third-party server. If changes to the DNS settings are detected, the ISP will use a transparent proxy – a separate server that intercepts and redirects web traffic – to make sure your DNS request is sent to their own DNS server. This is effectively the ISP ‘forcing’ a DNS leak and trying to disguise it from the user. Most DNS-leak detection tools will be able to detect a transparent DNS proxy in the same way as a standard leak.
Fortunately, recent versions of the OpenVPN protocol have an easy method to combat transparent DNS proxies. First, locate the .conf or .ovpn file for the server you wish to connect to (these are stored locally and will usually be in C:\Program Files\OpenVPN\config; see the OpenVPN manual for more details), open in a text editor like notepad and add the line:
Users of older versions of OpenVPN should update to the newest OpenVPN version. If your VPN provider does not support this, it may be time to look for a newer VPN. As well as the OpenVPN fix, many of the better-made VPN clients will have their own provisions built-in for combating transparent DNS proxies. Refer to your specific VPN’s support for further details.
The Problem #4: Windows 8, 8.1 or 10’s insecure “features”
Windows operating systems from 8 onward have introduced the “Smart Multi-Homed Name Resolution” feature, intended to improve web browsing speeds. This sends out all DNS requests to all available DNS servers. Originally, this would only accept responses from non-standard DNS servers if the favorites (usually the ISP’s own servers or those set by the user) failed to respond. This is bad enough for VPN users as it greatly increases the incidence of DNS leaks, but as of Windows 10 this feature, by default, will accept the response from whichever DNS server is fastest to respond. This not only has the same issue of DNS leakage, but also leaves users vulnerable to DNS spoofing attacks.
This is perhaps the most difficult kind of DNS leak to fix, especially in Windows 10, because it’s a built-in part of Windows and can be almost impossible to change. For VPN users using the OpenVPN protocol, a freely-available open-source plugin (available here) is possibly the best and most reliable solution.
Smart Multi-Homed Name Resolution can be switched off manually in Windows’ Local Group Policy Editor, unless you’re using a Home Edition of Windows. In this case Microsoft simply doesn’t allow you the option of switching off this feature. Even if you are able to switch it off this way, Windows will still send the request to all available servers in the event that the first server fails to respond. It’s highly recommended to use the OpenVPN plugin to fully address this issue.
It may also be helpful to check US-CERT’s guidelines here as well. Smart Multi-Homed Name Resolution has such significant security issues associated with it that the government agency issued its own alert on the subject.
The Problem #5: Teredo
Teredo is Microsoft’s technology to improve compatibility between IPv4 and IPv6, and is an in-built feature of Windows operating systems. For some, it’s an essential transitional technology that allows IPv4 and IPv6 to coexist without issues, enabling v6 addresses to be sent, received and understood on v4 connections. For VPN users, it’s more importantly a glaring security hole. Since Teredo is a tunneling protocol, it can often take precedence over your VPN’s own encrypted tunnel, bypassing it and thus causing DNS leaks.
Fortunately, Teredo is a feature that is easily disabled from within Windows. Open the command prompt and type:
netsh interface teredo set state disabled
While you may experience some issues when connecting to certain websites or servers or using torrent applications, disabling Teredo is a much more secure choice for VPN users. It’s also recommended to switch off Teredo and other IPv6 options in your router or network adapter’s settings, to ensure that no traffic can bypass your VPN’s tunnel.
Preventing future leaks
Now that you’ve tested for a DNS leak and either come out clean, or discovered and remedied a leak, it’s time to look into minimizing the chances of your VPN springing a leak in future.
First of all, make sure that all the above fixes have been performed in advance; disable Teredo and Smart Multi-Homed Name Resolution, make sure your VPN either supports or blocks IPv6 traffic, etc.
1. Change settings to a trusted, independent DNS server
Your router or network adapter should have a way to change TCP/IP settings, where you can specify particular trusted DNS servers by their IP addresses. Many VPN providers will have their own DNS servers, and using the VPN will often automatically connect you to these; check your VPN’s support for more information.
If your VPN doesn’t have proprietary servers, a popular alternative is to use an open, third-party DNS server such as Google Open DNS. To change your DNS settings in Windows 10:
- Go to your control panel
- Click “Network and Internet”
- Click “Network and Sharing Center”
- Click “Change Adapter Settings” on the left-hand panel.
- Right-click on the icon for your network and select “Properties”
- Locate “Internet Protocol Version 4” in the window that opens; click it and then click on “Properties”
- Click “Use the following DNS server addresses”
You can now enter a preferred and alternative address for DNS servers. This can be any server you wish, but for Google Open DNS, the preferred DNS server should be 18.104.22.168, while the alternative DNS server should be 22.214.171.124. See Figure 4.
You may also wish to change the DNS settings on your router – refer to your manual or support for your specific device for further information.
2. Use a firewall or your VPN to block non-VPN traffic
Some VPN clients will include a feature to automatically block any traffic not going through the VPN – look for an ‘IP Binding’ option. If you don’t have a VPN yet, consider getting one from here.
Alternatively, you can configure your firewall to only allow traffic in and out via your VPN. You can also change your Windows Firewall settings:
- Make sure you’re already connected to your VPN.
- Open the Network and Sharing Center and make sure you can see both your ISP connection (which should show up as “Network”) and your VPN (which should show up as the name of the VPN). “Network” should be a Home Network, while your VPN should be a Public Network. If either of them are set to something different, you’ll need to click on them and set them to the appropriate network type in the window that opens.
- Make sure you’re logged in as Administrator on your machine and open the Windows Firewall settings (exact steps for this vary depending on which version of Windows you’re running).
- Click on “Advanced Settings” (see Figure 5).
- Locate “Inbound Rules” on the left panel and click it.
- On the right-hand panel, under Actions, you should see an option for “New Rule…”. Click this.
- In the new window, choose “Program” and click Next.
- Choose “All Programs” (or select an individual program you want to block non-VPN traffic for) and click Next.
- Choose “Block the Connection” and click Next.
- Tick “Domain” and “Private” but make sure that “Public” is not ticked. Click Next.
- You should be back in the Advanced Settings menu for Windows Firewall; locate “Outbound Rules” and repeat steps 6 through 10.
3. Regularly perform a DNS leak test
Refer to the section “How do I Tell if my VPN has a DNS Leak?” above for instructions. Prevention is not ironclad, and it’s important to check frequently that all your precautions are still holding fast.
4. Consider VPN “monitoring” software
This can add an extra expense on top of your existing VPN subscription, but the ability to monitor your VPN’s traffic in real time will allow you to see at a glance if a DNS check goes to the wrong server. Some VPN monitoring products also offer additional, automated tools for fixing DNS leaks.
5. Change your VPN if necessary
You need the maximum possible privacy. The ideal VPN will have built-in DNS leak protection, full IPv6 compatibility, support for the latest versions of OpenVPN or the protocol of your choice and have functionality in place to counteract transparent DNS proxies. Try thebestvpn.com’s in-depth comparisons and reviews to find the VPN that offers everything you need to keep your browsing data private.