The Beginner's Guide to DNS Leaks
VPNs can do wonders for privacy and security, but they can become rather pointless if a DNS leak happens. To learn more, check out this article.
14:39 20 November 2019
VPNs are an excellent way to protect your data and secure your privacy on the Internet. They hide your IP address, encrypt your traffic, and stop anyone from tracking your browsing habits.
Well, unless you’re unlucky enough to suffer DNS leaks when you’re using the VPN. If that happens, you might as well turn off the VPN connection since it’s like you’re not even using it at all.
If you’re not familiar with DNS leaks, keep reading. I’ll cover everything you need to know about them – from what they are to why they happen, and what you can do.
First Things First - What Is DNS?
The acronym stands for Domain Name System, and it’s basically the phone book of the Internet. I’m calling it that because the main purpose of DNS is to translate website names into IP addresses (and vice-versa), which is what makes communication between web-connected devices and web servers possible.
Here’s an overview of DNS in action:
- You type facebook.com in your browser.
- The browser will send a DNS query to your ISP, asking them for Facebook’s IP address.
- The ISP will use their DNS server to find Facebook’s IP address.
- Once they do that, they return that IP address to your browser, allowing you to connect to the website.
What Is a DNS Leak & Why Should You Care?
Now, a DNS leak is something that can happen when you use a VPN. To keep things simple, the leak means DNS queries are sent outside the encrypted VPN tunnel. Alternatively, the queries might completely bypass the VPN server.
Normally, the queries should go through the VPN tunnel and they should use the VPN provider’s DNS servers. In the case of a DNS leak, you’ll use your ISP’s DNS servers like you normally do without a VPN.
See the problem?
It pretty much means your ISP can see what websites you’re connecting to and what web applications you’re using – even if you are using a VPN to hide that information.
If this happens, your privacy will be gone. Your ISP might sell all your browsing info to advertisers, and you’ll then have to deal with annoying personalized ads that follow you everywhere you go on the web.
Plus, if a skilled hacker ever eavesdrops on your traffic, then they’ll see what you do on the web too.
Why Do VPN DNS Leaks Happen?
Here are the main reasons DNS leaks happen and endanger your privacy:
1. Poorly-Configured Networks
If you switch between networks quite often (home router, coffee shop WiFi, workplace network, etc.), DNS leaks can happen.
It all has to do with DHCP, the protocol that determines what IP address your device will have on the network. If the DHCP settings are not optimized for privacy, the same protocol can also hand your device a DNS server that belongs to your ISP or to a third party.
Since that happens before you can run the VPN connection on a network, DNS queries can potentially bypass the VPN tunnel entirely.
2. Lack of IPv6 Support
If you’re not familiar with IPv6, it’s essentially the successor to IPv4 – the standard IP address format (e.g. 1.1.1.1). Web-connected devices will increasingly use IPv6 in the future since the supply of IPv4 addresses is running out.
Right now, IPv6 deployment isn’t that large – just over 25% of networks use IPv6 connectivity.
Despite that, if a VPN doesn’t offer IPv6 support, you can suffer DNS leaks if your device sends DNS queries over IPv6 or through a tunnel that converts IPv4 to IPv6.
3. Windows Issues
If you use Windows (especially Windows 10), you’re likely to deal with DNS leaks.
For starters, there’s a chance the OS will accept responses from the fastest DNS servers by default. That happens because of Windows’ Smart Multi-Homed Name Resolution feature, which aims to make web pages load faster.
So even though you’re using a VPN, your DNS queries might go to your ISP’s DNS server – or whichever other server is closer or faster to respond.
Besides that, Windows also has the Teredo problem. Teredo is a tunneling protocol whose goal is to make IPv4 and IPv6 interoperate, so that IPv6 addresses can work over IPv4 connections.
Unfortunately, Teredo being a tunneling protocol can interfere with your VPN’s own tunneling protocols, often taking precedence over them. As a result, your DNS queries leak outside the VPN tunnel.
That’s not to say macOS or Linux are 100% safe from DNS leaks, but they are currently more resistant to them than Windows.
4. Transparent DNS Proxies
Some ISPs like to play dirty and use transparent DNS proxies to force you to use their DNS servers, particularly if they detect that you have changed your DNS settings to use a third-party server (the VPN DNS server in this case).
They use a separate server (the transparent proxy) that intercepts and redirects your DNS queries to their own DNS server, pretty much forcing you to deal with a DNS leak.
5. Cybercriminal Interference
Lastly, a more serious type of DNS leak can occur if cybercriminals manage to take over your router. They can then redirect all your DNS queries to rogue and malicious DNS servers which will return phishing websites instead of legitimate ones.
How to Protect Yourself from DNS Leaks
Well, a good start is to make sure you use a VPN service that has built-in DNS leak protection.
If, for any reason, the VPN service you are using doesn’t have its own DNS server, you should configure your network to use reliable third-party DNS servers like OpenDNS and Google Public DNS.
And if the VPN doesn’t offer IPv6 support, you need to ensure that IPv6 is disabled on your device.
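To check a Windows 10 machine for the vectors described in the Windows section above (Smart Multi-Homed Name Resolution, Teredo, IPv6 still bound) plus adapters pointed at non-VPN resolvers, here is an added audit script that is not part of the original article or of any VPN product; `$VpnDnsServers` is an assumed placeholder for your VPN provider’s resolvers, and the registry value is the one written by the “Turn off smart multi-homed name resolution” policy.

```powershell
# Added example, not from the article. Run from an elevated PowerShell.
# Reports each leak vector found; with -Apply it switches off SMHNR, Teredo and IPv6.
param(
    [switch]$Apply,
    [string[]]$VpnDnsServers = @('10.8.0.1')   # assumed placeholder: your VPN's resolvers
)
$findings = @()

# 1. Smart Multi-Homed Name Resolution: the policy that turns it off writes
#    DisableSmartNameResolution=1 under the DNSClient policy key.
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$smhnr = Get-ItemProperty -Path $dnsPolicy -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if (-not $smhnr -or $smhnr.DisableSmartNameResolution -ne 1) {
    $findings += 'Smart Multi-Homed Name Resolution is not disabled by policy'
}

# 2. Teredo: "netsh interface teredo show state" prints "Type : disabled" when it is off.
$teredo = (netsh interface teredo show state) -join ' '
if ($teredo -notmatch 'disabled') { $findings += 'Teredo is not disabled' }

# 3. IPv6: an adapter still bound to TCP/IPv6 can carry lookups past an IPv4-only VPN.
$v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
if ($v6) { $findings += "IPv6 still bound on: $($v6.Name -join ', ')" }

# 4. Resolvers: any interface configured with DNS servers that are not the VPN's.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $foreign = @($_.ServerAddresses | Where-Object { $_ -notin $VpnDnsServers })
        if ($foreign.Count) { $findings += "$($_.InterfaceAlias) uses non-VPN DNS: $($foreign -join ', ')" }
    }

if ($findings.Count -eq 0) { Write-Host 'No DNS leak vectors found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Apply) {
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name DisableSmartNameResolution -Value 1 -Type DWord
    netsh interface teredo set state disabled | Out-Null
    Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6 -Confirm:$false
    # DNS servers are deliberately left alone: the VPN client sets them on its tunnel adapter.
    Write-Host 'Hardening applied; re-run without -Apply to verify.'
}
```

Re-run the script after reconnecting the VPN, since some clients rewrite adapter DNS settings on every connection.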
Another more extreme method to protect yourself is to configure your firewall to only allow traffic coming from and going to the VPN you’re using.
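The firewall approach just described, as an added Windows Firewall example that is not part of the original article: the server address, port, protocol and tunnel adapter name are assumed placeholders to replace with your own, and the built-in “Core Networking - DNS (UDP-Out)” rule is disabled because Windows Firewall evaluates existing allow rules before the default outbound action, so that rule would otherwise keep letting DNS out over the physical adapter.

```powershell
# Added example, not from the article. Run from an elevated PowerShell.
# Outbound traffic is limited to the VPN handshake on the physical NIC and to
# whatever goes through the tunnel adapter; everything else, ISP DNS included, is dropped.
$VpnServer   = '203.0.113.10'           # placeholder: your VPN server's public IP
$VpnPort     = 1194                     # placeholder: OpenVPN default, adjust for your protocol
$VpnProtocol = 'UDP'
$TunnelAlias = 'OpenVPN TAP-Windows6'   # placeholder: tunnel adapter name from Get-NetAdapter

# Allow the encrypted session to the VPN server itself ...
New-NetFirewallRule -DisplayName 'VPN kill switch: server' -Direction Outbound `
    -RemoteAddress $VpnServer -Protocol $VpnProtocol -RemotePort $VpnPort -Action Allow | Out-Null
# ... and anything that leaves through the tunnel adapter (including DNS to the VPN resolver).
New-NetFirewallRule -DisplayName 'VPN kill switch: tunnel' -Direction Outbound `
    -InterfaceAlias $TunnelAlias -Action Allow | Out-Null

# Pre-existing allow rules still match before the default action, and Windows ships one
# that allows outbound DNS everywhere; turn it off so ISP resolvers really are unreachable.
Disable-NetFirewallRule -DisplayName 'Core Networking - DNS (UDP-Out)'

# Everything not matched by an allow rule is now blocked on every profile.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

# Verify: the only outbound DNS path left should be the tunnel adapter.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Resolve-DnsName example.com -ErrorAction SilentlyContinue   # fails while the VPN is down, succeeds once connected
```

To roll back, run `Set-NetFirewallProfile -All -DefaultOutboundAction Allow`, re-enable the Core Networking DNS rule, and remove the two kill-switch rules with `Remove-NetFirewallRule -DisplayName 'VPN kill switch*'`.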
Those are just some basic tips, though. To see exactly what you need to do, I recommend checking out this guide which covers how to fix DNS leaks in more detail. Plus, it also tells you which VPNs offer built-in DNS leak protection.