VPNs are one of the easiest ways to dramatically increase online privacy and anonymity, but like any other application, they aren’t infallible. With the exception of VPN disconnections, DNS leaks are the most annoying problem users frequently encounter, and they’re an incredibly dangerous threat to privacy. When a DNS leak occurs, third-party strangers like ISPs can see each and every website you visit, even though you’re connected to a VPN server. Read on to find out how to test your VPN connection and surf knowing that your privacy is protected.
Now that’s downright terrifying, isn’t it? If you’re anything like me, you don’t want other people snooping through personal web browsing records because it’s a violating invasion of privacy. Just imagine all the sensitive personal information they could see.
It’s possible for third parties to glean information from DNS records such as which online banking service you use, the status of your health as evidenced by which health websites you’ve visited, whether or not you are planning to travel, and a whole host of other information that complete strangers shouldn’t have access to.
We live in an unprecedented era of social media in which people constantly post personal information online. But some things should stay private, so I urge you to take great care ensuring DNS leaks don’t occur. To help protect your privacy, today I’m going to show you what DNS leaks are and how they can be avoided. To start, let’s take a closer look at what DNS actually is.
What Is DNS?
DNS is a protocol that’s foundational to the way human beings access websites. Without it, we wouldn’t be able to easily search for our favorite websites and services, because the real address of a server is what’s called an IP address. An IPv4 address consists of four numbers ranging between 0 and 255 separated by periods, such as 192.168.0.1. But IP addresses are a pain in the neck to remember.
Human beings aren’t generally hard wired to remember IP addresses as easily as they can remember names. Try to imagine how difficult it would be trying to remember a unique IP address for each individual website on the Internet (but don’t think about it too long, or you’ll get a nasty headache). To help solve this problem, some rather clever nerds found a way to associate names with websites instead of numbers: DNS.
A DNS leak, however, is a situation in which a computer fails to use the desired secure DNS server hosted by a VPN service provider. Instead, the user’s computer defaults to using another DNS server, often one provided by an ISP. DNS leaks are a huge problem, because they open a gaping security hole that completely defeats the purpose of using a VPN. The point of a VPN is to encrypt data so ISPs and other third parties can’t track online activities.
When a DNS leak occurs, the DNS related data isn’t encrypted or sent through the secure VPN tunnel. Instead, it’s sent in an unencrypted format, and whoever hosts the DNS server will have records of each domain name resolution requested from the DNS server. That might sound a little scary, but there is good news: DNS leaks are easy to detect and easily prevented.
How to Test Your VPN Connection
The fastest and easiest way to detect a leak is to visit a website that will automatically run a DNS test for you. And there are plenty of websites that provide the service for free. I prefer to use ExpressVPN’s DNS leak test because they’re more credible and trustworthy than other sites.
Not that it’s really a big deal, but I always visit credible sites when I can. There are multitudes of other services, however, which can be found with a quick Google search. For instance, DNSLeakTest.com is perfectly viable as well.
That said, there may be instances when a user wants to verify DNS settings manually. For example, some organizations run their own internal DNS servers on private networks, and a user may want to see if a DNS leak is occurring through a public DNS server or a corporate server.
The process is simple enough and doesn’t take more than a minute or two, but do note that the method of manually verifying DNS settings is heavily dependent upon which operating system a user is running.
Windows users can use the following steps:
- Open the command prompt. This can be accomplished by pressing the Windows key, typing “cmd” and then hitting the ‘enter’ key.
- Run the following command: ipconfig /all. Be sure to omit the period.
- Verify the IP address listed near the bottom labeled “DNS Servers.”
Alternatively, Mac users can use the following steps:
- Open the terminal. It can be located by browsing to the Applications folder, navigating to the Utilities folder, and clicking on the terminal icon.
- Issue the following command, being sure to omit the final period: more /etc/resolv.conf.
- Look near the bottom for an IP address next to the text “nameserver.”
Optionally, you can choose to run the following command instead, omitting the period: scutil --dns.
Finally, note that Linux users can use the following steps to manually verify DNS server settings:
- Open the terminal, which is also called the Bash shell.
- The Bash shell’s icon is located in many different places due to the lack of uniformity among Linux distributions, though on most systems, Ubuntu included, you can launch the Bash shell by hitting the following key combination: Ctrl + Alt + T.
- Run the following command, being sure to omit the period: nm-tool | grep DNS.
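The manual checks above boil down to one question: does every configured resolver belong to the VPN provider? The script below is an added example, not from the article, that answers it for a resolv.conf-style list on Linux or macOS. It assumes placeholder VPN resolver addresses 10.8.0.1 and 10.8.0.2; replace them with your provider’s.

```shell
#!/bin/sh
# Added example: flag any configured resolver that is not one of the
# VPN provider's DNS servers. VPN_DNS is a placeholder; use your provider's.
VPN_DNS="10.8.0.1 10.8.0.2"

# Extract nameserver addresses from resolv.conf-style text on stdin
# (comments and blank lines are skipped; IPv4 and IPv6 both handled).
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Print "ok <ip>" for VPN resolvers and "LEAK <ip>" for anything else.
# Returns 1 if at least one leaking resolver was found, 0 otherwise.
check_resolvers() {
    rc=0
    for ns in $(list_nameservers); do
        found=0
        for good in $VPN_DNS; do
            [ "$ns" = "$good" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "ok $ns"
        else
            echo "LEAK $ns"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of a leaking configuration: the VPN resolver plus an
# ISP resolver and an IPv6 resolver left behind by DHCP / router advertisements.
SAMPLE='# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 203.0.113.53
nameserver 2001:db8::53'

# Live use on Linux:  check_resolvers < /etc/resolv.conf
# Live use on macOS:  scutil --dns | awk '/nameserver\[/ { print "nameserver", $3 }' | check_resolvers
```

A non-zero exit status means at least one resolver outside the VPN is in use, which is exactly the condition the web-based leak testers report.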
What a Successful Test Looks Like
The exact message you receive describing a failed or successful test depends solely on the service you use to detect DNS leaks. But since the tests are designed primarily for nontechnical users, the results are often written in easily readable, down-to-earth language that anyone can understand. For example, note that the following results represent a successful test from DNSLeak.com:
Types of Leaks
There are several different types of DNS leaks, each of which is caused by a distinct root problem as follows:
- Configuration errors and DHCP
- Teredo conflicts
- Windows security flaws
- Invisible DNS proxies
- IPv6
Let’s take a moment to describe each of these root causes in greater detail.
The first issue, configuration errors, is undoubtedly the most common cause, especially when using a consumer grade service like ExpressVPN, IPVanish VPN, or Private Internet Access VPN. Consider that modern computing devices are mobile, and a single device may connect to multiple networks in a single day. Each network has different configurations, different DNS server addresses, and a wide variety of other technical settings.
One protocol in particular, DHCP, automatically assigns IP-address-related information to a device when it connects to a network. Even though DHCP is convenient, sometimes DHCP can assign DNS server addresses before you’ve had a chance to connect to a VPN server. In these situations, DNS requests will bypass the tunnel, since the configured DNS server address is outside the network subnet of your VPN server.
Secondly, a technology called Teredo tunneling causes DNS leaks, though it’s not as common a problem as DHCP network configuration errors. The function of Teredo is to assist with the migration from IPv4 to IPv6 (which we’ll talk about shortly). Basically, Teredo lets Windows systems connect to both IPv4 and IPv6 networks and use each protocol simultaneously.
But unfortunately, Teredo creates a tunnel not unlike your VPN tunnel. Sometimes a Teredo tunnel will take priority over a VPN tunnel, based on routing metrics, tunneling configurations, and other network protocols. It can cause rather tangled and confusing routing behavior that appears to be unpredictable on the surface, and can also cause DNS leaks.
Windows Security Flaws
Oh Windows, why do you have so many bugs? Microsoft Windows operating systems are notorious for having more bugs and a higher susceptibility to viruses and security problems than any other mainstream operating system.
After all, who hasn’t wanted to rip their hair out and bang their head against the wall when the infamous Blue Screen Of Death rears its ugly head?
One lesser known yet equally troubling shortcoming of the Windows operating system, at least from the perspective of DNS leaks, is a feature called Smart Multi-Homed Name Resolution. The idea behind this feature is to take a shotgun-style approach to name resolution and blast out DNS requests to a myriad of DNS servers.
Why would Microsoft developers create such a feature, you ask? Good question. The idea was to provide users with a faster and more seamless web browsing experience.
Well, that was the idea anyway, but the flip side of this coin is that it can also threaten privacy. By sending redundant requests to multiple DNS servers, the chance of a slow response or a failed query would be mitigated, and the user could happily browse the web, none the wiser about what was happening behind the scenes.
The bad news, however, is that inundating a list of DNS servers with multiple copies of the same DNS query drastically heightens the likelihood of a DNS leak.
Invisible DNS Proxies
The fourth cause of DNS leaks is a dirty trick employed by ISPs by means of invisible DNS proxies. Some ISPs essentially force their customers into using their DNS servers, whether the end user wants to or not. If the ISP discovers that a user has attempted to change their DNS settings, such as configuring the use of a public Google DNS server, the ISP will intercept the DNS requests and reroute them to an ISP server.
Naturally, this trick can cause DNS leaks. However, tools like the ExpressVPN leak detector mentioned earlier can often spot this type of trick. As we’ll discuss later, the best defense against these types of network configurations is to use a firewall policy that blocks DNS requests to the ISP’s network.
Fifth and finally, the remaining cause of DNS leaks revolves around a protocol called IPv6. We talked about IPv4 addresses earlier (e.g. 192.168.0.1), but IPv4 is supposedly on its way out. Due to the Internet of Things and the ever-growing population of humans, IPv4 addresses are in short supply. The exhaustion of the IPv4 address space has been slowed significantly by technologies like NAT, but sooner or later, we’re going to run out of IPv4 addresses.
To solve this impending problem, engineers created a new protocol called IPv6, which has a vastly larger address space. IPv6 has been slated to be implemented worldwide for years now, but the migration to IPv6 still hasn’t happened. It’s unclear when the world will fully adopt IPv6, but for the present, many computers use IPv4 and IPv6 simultaneously.
Unfortunately, sometimes IPv6 DNS server addresses are configured (usually automatically) and can take precedence over IPv4 server addresses, or in some cases act as backup servers. This problem can cause DNS leaks, but if you disable use of the IPv6 protocol on your computer, the problem is effectively negated.
What to Do If a Test Fails
The very first thing I would do if a test fails is disconnect from my VPN server, reconnect, and run the DNS leak test again to ensure that the issue is solved for the immediate present. Doing so will often resolve any DHCP errors (which are incredibly common) by refreshing the configured DNS settings to a server hosted by your VPN provider.
However, please be aware this solution is nothing more than a temporary bandage. You need to have long term solutions to guard against a potential future leak.
To that end, let’s take a closer look at the best ways to guard against DNS leaks.
Solutions to Protect Against Leaks
As my grandmother always says, an ounce of prevention is worth a pound of cure. It’s better to avoid DNS leaks in the first place instead of trying to fix them when they do occur.
There are several ways to protect against DNS leaks, as follows:
- Simply use a client with a DNS leak protection feature
- Set up a firewall policy to block DNS leaks
- Use third-party tools
- Manual configuration
The first way to guard against DNS leaks is to use a VPN service provider whose client has an automatic DNS leak protection feature. Unfortunately, this feature isn’t standard among providers, so I advise looking at a service’s list of features before committing to a subscription.
However, I am glad to see that more and more services are adding this feature to their clients. The software can automatically detect DNS leaks and take corrective action behind the scenes, so you can browse the web with the peace of mind that your ISP isn’t looking over your shoulder.
Secondly, it’s possible to guard against DNS leaks by configuring a firewall policy that blocks DNS leaks. Do note that the DNS protocol uses port 53 (over both UDP and TCP), which is crucial for your firewall rule. I’d recommend configuring the firewall policy to block all traffic on port 53 (i.e. DNS traffic) destined to either a list of individual IP addresses of DNS servers you wish to avoid, or better yet to the whole subnet of your ISP.
Alternatively, you could set up a firewall rule that blocks all DNS traffic with the exception of traffic destined for your VPN provider’s DNS servers. If you’re hunting for a great free firewall utility, I’d highly recommend using Comodo’s free firewall, since I find it to be superior to Windows Firewall.
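The “allow only the VPN’s resolvers” variant, expressed as Linux iptables rules, as an added example that is not from the article. It assumes a placeholder tunnel interface tun0 and placeholder VPN resolvers 10.8.0.1 and 10.8.0.2; the function prints the rules so you can review them before applying.

```shell
#!/bin/sh
# Added example: generate an egress policy that permits DNS only to the VPN's
# resolvers through the tunnel and refuses every other port-53 packet.
# VPN_IF and VPN_DNS are placeholders; substitute your own values.
VPN_IF="tun0"
VPN_DNS="10.8.0.1 10.8.0.2"

# Print the iptables commands in order. ACCEPT rules for the VPN resolvers
# must precede the catch-all REJECT rules, since iptables matches top-down.
dns_firewall_rules() {
    for proto in udp tcp; do
        for ns in $VPN_DNS; do
            echo "iptables -A OUTPUT -o $VPN_IF -p $proto -d $ns --dport 53 -j ACCEPT"
        done
    done
    # Anything else on port 53 (ISP resolvers, DHCP-assigned servers, public
    # DNS) is rejected, so a leak fails loudly instead of silently.
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -p $proto --dport 53 -j REJECT"
    done
    # IPv6 DNS is refused outright, in line with disabling IPv6 to stop
    # IPv6 resolvers from taking precedence over the VPN's IPv4 ones.
    for proto in udp tcp; do
        echo "ip6tables -A OUTPUT -p $proto --dport 53 -j REJECT"
    done
}

# Number of ACCEPT rules permitting DNS to a given address (0 = blocked).
allowed_rule_count() {
    dns_firewall_rules | grep -c -- "-d $1 --dport 53 -j ACCEPT" || true
}

# Review with:  dns_firewall_rules
# Apply as root with:  dns_firewall_rules | sh
```

After applying, a DHCP- or ISP-assigned resolver produces an immediate "connection refused" lookup failure rather than a quiet leak, which the earlier check or a web-based leak test will confirm.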
Thirdly, there are third party tools like VPNCheck that prevent DNS leaks. They often have other useful features like VPN kill-switches. But I’m not too fond of this solution since the software is a little old and clunky, and not really the most elegant solution. Plus, if your software client already has DNS leak protection, you wouldn’t need this utility anyway.
And finally, the last solution is to manually configure DNS servers to addresses hosted by your VPN provider. Yet again, this isn’t an elegant solution either, because you may have to once again manually change DNS server settings later, depending on which server you wish to use. It’s really more of a quick temporary fix.
A Note Regarding Public DNS
Two of the most well-known DNS servers’ IP addresses are 8.8.8.8 and 8.8.4.4. Why? Because they’re Google’s public DNS server addresses. Some networks, be they a small business network or a personal home network, don’t maintain their own DNS servers. Typically a DNS server is automatically provided by an ISP, but sometimes, for a myriad of reasons, the ISP’s DNS servers become unavailable.
In this scenario, it’s fairly common knowledge that the problem can be solved by using Google’s DNS servers. But I must issue a dire warning: using Google’s public DNS servers (or any public DNS service, for that matter) is dangerous. Instead, it’s better to stick with a zero-knowledge DNS service provided by a VPN provider.
DNS leaks are a huge problem that could cause a loss of privacy. Fortunately, they’re simple problems to solve and only take a few minutes to detect and fix. I’d recommend using a VPN leak detector every once in a while for good measure, and I’d also advise setting up a firewall policy as soon as possible.
Last but not least, if you don’t already have a VPN service, remember to make sure that any potential candidate services include a DNS leak protection feature. After all, it’s the easiest way to avoid DNS leaks!