What Is a DNS Leak? How to Prevent DNS Leaks?
DNS leaks are a pretty common issue when using VPNs, especially with those that offer poor service.
It’s a well-known fact that the internet is a dangerous place. From hackers, government agencies, websites to your Internet Service Provider, everyone wants to get as much data from you as possible.
Using a VPN can help you maintain your anonymity, hide most of your actions online, and bypass firewall- and geo-restrictions. But even VPNs can fail from time to time and it’s important to know why and how to prevent these failures.
Luckily, there are solutions for this and you can prevent DNS leaks, so let’s get into it a bit further and find out everything there is to know about this problem.
What Is a DNS Leak?
Before defining what a DNS leak is, it’s important to start at the beginning with a short explanation of what DNS actually represents.
What is a DNS?
DNS, otherwise known as the Domain Name System, is viewed by many as the internet’s phonebook. While we humans access websites using their domain names, like hideipvpn.com, web browsers use IP addresses to interact with the websites we want to visit.
To better understand this process, think about what happens when you call someone from your phone. You just click on the contact’s name on your screen and your phone uses the stored phone number to establish the connection.
The DNS basically translates the domain names into their corresponding IP addresses so that the browser can set up your connection to the website and display its content for you to enjoy.
The DNS helps us access websites without needing to remember their IP addresses since it’s a lot easier for us to memorize a domain name like hideipvpn.com than an IP address looking like 220.127.116.11.
What is DNS leakage?
A DNS leak is a security vulnerability that allows your ISP, or any other entity trying to get hold of this information, to see what websites you visit, despite the fact that you are using a VPN.
As you know, a VPN represents, for the most part, a completely legal tool that allows you to hide your online activities.
Through the use of encryption, a VPN creates a tunnel through which your data, including the websites you access, is scrambled and turned into mumbo jumbo neither your ISP, nor local authorities or hackers can comprehend and interpret in any way.
A DNS leak occurs when your DNS queries (the transformation of the domain name into its corresponding IP address done by your browser when you try to access a website) are sent outside the VPN’s tunnel of encryption instead of through it.
When this happens, your ISP (or any other third party that has an interest in knowing) can actually see the exact websites you visit and what you do there. And the worst part is that this will happen while you think your privacy is protected.
On top of that, your geo-location and real IP address are also exposed when a DNS leak occurs. Since all your data travels outside the encryption tunnel, your data can be seen by your ISP or even hackers.
Is my DNS leaking?
Now that we put all these bad thoughts in your head, you’re probably wondering “have I been leaking DNS all this time?”
First, let’s explore a bit the possible causes of DNS leakage.
Why is my DNS leaking?
While the main cause is usually an improper configuration of the VPN service you use, there could be a number of reasons for DNS leaks to occur.
Some have to do with the way your network is set up, or with the device or operating system you use. Here are some of them:
Your network’s DNS settings are not configured properly
This is a possibility especially if you connect to the Internet through different networks all the time (for example switching your connection from your home router to a coffee shop’s Wi-Fi router or other hotspots).
If your setup is not done correctly, you may be exposed to DNS leakage because you may be automatically assigned an improperly configured DNS server for your requests by the network. If that happens, even if you connect to a VPN, your data could travel outside the safe tunnel of encryption, leaving you completely vulnerable.
To be more precise, a VPN usually creates a separate network card that is used along with your already existing, standard Internet network card.
If your VPN doesn’t automatically change the DNS addresses on both cards, or if the routing is incorrectly configured, you are very likely to end up using 2 sets of DNS addresses. One of those will be your VPN’s DNS, the other one will be your ISP’s DNS, leading to all your traffic being mirrored on both. That is how a DNS leak occurs in this particular scenario.
Transparent DNS proxies could be used by your ISP
In recent years, a number of ISPs around the world have started using a technique that forces their own DNS servers to handle the requests of users who change their configuration to use a third-party server.
If your ISP has this policy and detects changes in your DNS configuration, it will use a different server (called transparent DNS proxy) to intercept and redirect your traffic to their main DNS server.
Doesn’t sound fair, does it? Well, it really isn’t. By doing this, your ISP basically forces a DNS leak to occur without the user’s knowledge. Luckily though, VPN protocols like OpenVPN for example, allow the users to bypass this technique through the proper configuration.
Your operating system is exposing you to DNS leaks
A new feature was introduced by Microsoft in the operating systems starting with Windows 8 onwards. It is called Smart Multi-Homed Name Resolution and its purpose is to speed up the users’ browsing.
What it does is basically send out all DNS requests to all the DNS servers that are available at any given moment. This leaves users exposed to DNS leaks.
The Windows 8 setup was done to always prefer the favorite DNS servers (usually the standard ISP server or others manually set by the user) and to only accept responses from other servers if the favorites failed to respond.
With Windows 10 things got even worse, because its configuration dictates that it automatically accepts responses from the DNS server which responds first. This exposes users to DNS spoofing attacks as well as the DNS leaks already mentioned.
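The two-card setup and the Windows resolution behaviour described above can be put side by side in a small model. This is an added example, not code from the original article or from Windows itself; the adapter name, the server addresses, the latencies and the policy names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TUNNEL = "vpn-tunnel"  # hypothetical adapter name for the VPN's virtual network card

@dataclass(frozen=True)
class Resolver:
    address: str                 # DNS server IP (constructed sample value)
    adapter: str                 # network card the server is configured on
    latency_ms: Optional[int]    # time to answer; None means it never answers
    favorite: bool = False       # the "favorite" server in the Windows 8 description

# Constructed setup: the VPN card uses the VPN's DNS, the physical card kept the ISP's.
RESOLVERS = [
    Resolver("10.8.0.1", TUNNEL, 45, favorite=True),
    Resolver("198.51.100.53", "ethernet", 12),
]

POLICIES = ("tunnel_only", "prefer_favorite", "first_response")

def resolve(resolvers, policy):
    """Model one lookup: who saw the query, whose answer is used, who it leaked to."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    # Only a tunnel-only setup restricts the query to the VPN card; both
    # multi-homed policies send it to every configured server.
    asked = [r for r in resolvers if policy != "tunnel_only" or r.adapter == TUNNEL]
    answered = [r for r in asked if r.latency_ms is not None]
    if policy == "prefer_favorite":
        # Windows 8 as described: other answers count only if no favorite replied.
        answered = [r for r in answered if r.favorite] or answered
    winner = min(answered, key=lambda r: r.latency_ms, default=None)
    return {
        "asked": [r.address for r in asked],
        "accepted": winner.address if winner else None,
        "leaked_to": [r.address for r in asked if r.adapter != TUNNEL],
    }

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, resolve(RESOLVERS, policy))
```

Under both multi-homed policies the ISP's server sees the lookup; under the first-response policy its faster answer is also the one that gets used.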
IPv4 and IPv6 incompatibility within your VPN client
IPv4 is the most common Internet Protocol used by devices to interconnect. These IPs are written in a 32-bit decimal format and look like 192.0.2.146.
IPv6 is the updated, more modern version of IPv4 and is considered to represent the future of IP addresses. IPv6 uses a hexadecimal and 128-bit format to assign the unique identifiers for devices across the network and looks like 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
IPv6 will slowly replace IPv4, but the key word in that statement is “slowly”. In the meantime, they still coexist and that causes some problems, especially for VPNs.
Unless your VPN is specially designed to support IPv6, each IPv6 request going to and from your device will be sent through a dual-stack tunnel which converts IPv4 to IPv6. This will bypass your VPN and all your data will travel outside the tunnel of encryption, leaving you completely exposed.
A study from 2015 exposed the fact that a pretty big number of popular VPN providers could be subject to DNS leaks caused by IPv4 – IPv6 incompatibility.
Are you exposed to DNS leakage?
Since a DNS leak doesn’t show any signs or symptoms, there’s no real way of identifying the issue without using a specialized tool.
Luckily, such tools exist and you can easily test if you’re facing DNS leak issues.
Basically, what you need to do is run a test while connected directly to the internet, without a VPN. The result lists the servers responsible for handling your DNS requests, including those that belong to your ISP.
Perform the same test after connecting to your VPN and you will get a result that will tell you whether you should worry about DNS leaks using your VPN.
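One way to compare the two test runs, shown as an added example that is not part of the original article or any leak-test tool. It assumes you have copied the resolver addresses from both runs into lists and know your VPN provider's DNS networks; all addresses are constructed from documentation ranges, and grouping by /24 and /48 is an assumed heuristic.

```python
import ipaddress

def covering_net(addr):
    """Group a resolver by network: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def assess(baseline, with_vpn, vpn_networks, vpn_supports_ipv6=False):
    """Classify every resolver seen in the VPN-on test against the no-VPN baseline."""
    isp_nets = {covering_net(a) for a in baseline}
    vpn_nets = [ipaddress.ip_network(n) for n in vpn_networks]
    report = {}
    for addr in with_vpn:
        ip = ipaddress.ip_address(addr)
        if covering_net(addr) in isp_nets:
            report[addr] = "isp_leak"      # same network as a baseline (ISP) resolver
        elif ip.version == 6 and not vpn_supports_ipv6:
            report[addr] = "ipv6_leak"     # IPv6 resolver while the VPN is IPv4-only
        elif any(ip in net for net in vpn_nets):
            report[addr] = "vpn"           # resolver run by the VPN provider
        else:
            report[addr] = "unexpected"    # third party: confirm it is reached via the tunnel
    return report

def has_leak(report):
    """True if any resolver from the VPN-on test was classified as a leak."""
    return any(v.endswith("_leak") for v in report.values())

# Constructed test results (documentation address ranges, not real servers).
BASELINE = ["203.0.113.10", "203.0.113.11", "2001:db8:1::53"]
WITH_VPN = ["198.51.100.7", "203.0.113.12", "2001:db8:ffff::1", "192.0.2.99"]
VPN_NETWORKS = ["198.51.100.0/24"]   # assumed: published by the VPN provider

if __name__ == "__main__":
    result = assess(BASELINE, WITH_VPN, VPN_NETWORKS)
    for addr, verdict in result.items():
        print(f"{addr:20} {verdict}")
    print("leak detected:", has_leak(result))
```

Matching on the covering network rather than the exact address catches an ISP resolver that shows up under a neighbouring IP in the second run.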
How to stop and prevent DNS leaks
If you already identified having an issue with DNS leaks, the good news is that there’s a couple of things you can do to prevent having your data exposed online. So, if you’re currently wondering how to stop DNS leaks, here’s a couple of suggestions.
Switch to an independent and trustworthy DNS server
Usually, VPNs have their own DNS servers, meaning that you will automatically connect to those whenever you connect to the VPN.
In some cases though, when VPNs don’t have their own servers, it would probably be a good idea to use a third party DNS to avoid going through the one provided by your ISP.
You can use Google Public DNS for example, since it’s free and safe. The change can be easily done through the settings from your operating system.
Make sure to block non-VPN traffic
IP Binding is an option many VPN providers offer nowadays and it is a feature designed to automatically block any data transfers to and from your device outside the VPN’s tunnel of encryption.
If your VPN provider doesn’t have this option, the alternative would be to make this configuration in your firewall settings. Your Windows firewall for example can be configured to not allow any traffic that is not going through your VPN.
Don’t skip on regular DNS leaks tests
While prevention is crucial and represents the best approach on combating DNS leaks, it’s not always foolproof.
As much as you try to keep yourself safe, the best way to know for sure that you really are is to test your connection on a regular basis. As I mentioned before, testing tools are available online; they are easy to use and completely free.
Use VPN monitoring services
If your online privacy and security are especially important to you and you are willing to spend some extra money, you can use a VPN monitoring service as well.
VPN monitoring tools keep a close eye on specific metrics of your VPN’s performance and can alert you in case something goes wrong.
Disable IPv6 if your VPN doesn’t support it
Like I mentioned before, not all VPNs support IPv6, the successor of IPv4. In case your VPN doesn’t have this option built-in, it’s probably a good idea to stick to IPv4 in order to avoid any miscommunication and DNS leakage.
Disabling IPv6 can be easily done through your computer’s settings and only takes a couple of seconds.
Change your VPN provider
Sadly, not all VPN providers are the same. While some work tirelessly to improve their services and to offer a better, safer, and faster browsing experience to their users, others simply can’t keep up. Whether it’s from a lack of resources or a lack of interest in the provided service, some VPN providers are simply not as reliable as others.
If you perform a DNS leakage test on a regular basis and notice that you’re having issues, one way to fix this is to simply switch to a different VPN provider.
Make sure to choose one that offers full IPv6 compatibility, built-in DNS leak protection, the option to bypass transparent DNS proxies and which supports the most recent VPN protocols.
If it has come to changing your VPN provider, you might want to give HideIPVPN a chance. Our client offers most of the security features you can think of, supports all the most performant VPN protocols and is really user-friendly.
On top of this, we take your online privacy very seriously and testament to that is our no-logs policy. What happens online, stays online.
Our support team is always available and ready to help. Along with the VPN, each subscription is rewarded with free Smart DNS and proxy. You can even try our service for free for 24 hours before making a commitment.
To sum up, DNS leaks can be a major pain, especially if your online privacy is very important to you. Luckily, they can be prevented with the right tools, configurations and discipline.
Once you’ve gone through the entire article and you have your answer to the question “What is a DNS leak?” and what can be done about them, it is up to you to decide how far you are willing to go to fix them.
Our advice is to always choose a trusted VPN with DNS leak protection, rather than going for the cheapest option and ending up tweaking your configuration for hours before you find the right combo to really maintain your anonymity online.
And, for all the reasons listed above, we strongly recommend you to try HideIPVPN.