Does Your VPN Leak? How VPN Flaws Can Create DNS Leaks That Compromise Your Privacy

Finjan Mobile Blog, Mobile Security

DNS Leaks

A Domain Name System (DNS) leak happens when your device's name lookups travel somewhere other than through your Virtual Private Network (VPN) tunnel. Every lookup names the site you are about to visit, and the resolver that receives it (normally your ISP's) learns both that name and the address you sent it from, no matter how well the VPN encrypts everything else. DNS leaks result from flaws in how a VPN client is built and from errors in your own system configuration.

In this article, we’ll consider how these errors arise, how to check regularly whether your VPN service is prone to DNS leakage, how to choose a secure VPN, and how to adjust your system and hardware to avoid DNS leaks in future.

The Domain Name System (DNS) and Online Anonymity

The Domain Name System (DNS) is the global, distributed directory that translates the host names people type into browsers and other Internet-enabled applications (www.example.com, for instance) into the numerical IP (Internet Protocol) addresses the network actually routes. These addresses currently exist in two forms: IPv4 (Internet Protocol version 4), which looks like 172.18.25.1 (each of the four numbers runs from 0 to 255), and IPv6 (Internet Protocol version 6), which looks like 2001:0db7:0014:0001:3c5e:7364:0000:5db1.

As we’ll see, differences in how services handle the two formats affect whether online activity stays private. More importantly, an IP address carries no location stamp of its own, but it is allocated from a block registered to a particular organisation, and public geolocation databases map those blocks to an ISP (Internet Service Provider) and an approximate city or region. For an unprotected connection, the address a website sees is the one your ISP assigned you, and that ISP is normally located in your own country or region, so your traffic is subject to the laws and censorship rules of that area, and the ISP sees the name of every site you look up.

Virtual Private Network (VPN) software and services have emerged as one of the principal tools for users seeking to bypass the rules governing Internet content and website access in their region. They work by replacing the (visible and easily traceable) address your ISP assigned with the address of one of their own internationally dispersed VPN servers, so that websites see the VPN server’s address instead of yours.

In effect, this can virtually transport a VPN user outside their country of origin, and into a region where internet access is less restricted, or unrestricted. This is how VPN services enable subscribers to stream multimedia content that’s unavailable in their home countries.

What’s more, since the data between your device and the VPN server is strongly encrypted, your ISP and anyone watching that link learn only that a VPN connection exists and which VPN server it terminates at. Two caveats apply. The VPN provider itself now sees everything the ISP used to see, so you are moving trust rather than removing it. And the protection covers only traffic that actually enters the tunnel: a DNS query that goes around the tunnel is sent in clear text to whatever resolver the operating system happened to choose.

DNS Leaks and the VPN Flaws That Can Expose Users

Under normal circumstances a VPN protects a user in two ways: it encrypts all traffic between the device and the VPN server, and it replaces the geographically traceable IP address with one in another location. Both protections apply only to traffic that goes through the tunnel.

One way this fails is when an unstable Internet connection breaks the link between the user and the VPN server. Unless the client prevents it, the operating system silently falls back to the ordinary route: traffic leaves from the user’s real IP address, DNS queries go to the ISP’s resolver in clear text, and anything not separately protected by HTTPS is readable on the wire.

It’s for this reason that many VPN services include a “kill switch”. A good implementation is a firewall rule that permits traffic only to the VPN server and through the tunnel interface, so that when the tunnel drops nothing, DNS included, can leave by the ordinary route; a weaker implementation merely closes selected applications after the fact, which gives the ISP a window in which to see your real address and your lookups. If your VPN application has no kill switch, or only the weaker kind, it is not protecting you during reconnects.

Although modern browsers and operating systems understand both IPv4 and IPv6, many VPN clients only set up routing for IPv4. On a network that also offers IPv6, the host keeps its native IPv6 address and default route, so IPv6 traffic, including DNS queries to an IPv6 resolver and connections to any site that publishes an IPv6 (AAAA) record, goes out over the ISP’s network untouched. This bypasses the VPN tunnel entirely and exposes both the site names you look up and your real address. A client that handles IPv6 properly either tunnels it or blocks it for as long as the VPN is up.


To complicate matters further, Windows includes a Microsoft transition technology called Teredo, which encapsulates IPv6 packets inside IPv4 UDP so that a host on an IPv4-only network can still reach the IPv6 Internet. Teredo gives the machine an IPv6 address of its own (in the 2001::/32 range) together with an IPv6 default route. A VPN client that manages only IPv4 leaves that route in place, so the IPv6 bypass described above can occur even on a network with no native IPv6 at all.

Internet Service Providers (ISPs) have a mechanism of their own that turns a small leak into a complete one: transparent DNS proxies, servers that intercept any plain-text DNS traffic (UDP or TCP port 53) crossing the ISP’s network and answer it from the ISP’s own resolvers, whatever server it was addressed to. A transparent proxy cannot see inside an encrypted VPN tunnel, but every query that leaves outside the tunnel is captured by it, so pointing the physical adapter at a third-party resolver gains nothing on such a network.

At the user level, improper network configurations easily give rise to DNS leaks, particularly for people who move between networks such as a home or office router and public Wi-Fi hotspots. Each of these hands the device its settings over DHCP, which assigns not only an IP address but also the DNS servers to use, typically the router itself or the ISP’s resolvers. Those servers stay configured on the physical adapter after the VPN connects, and unless the VPN client overrides them for the whole system, some or all lookups keep going to them in clear text.

Users of Microsoft Windows also have to reckon with “Smart Multi-Homed Name Resolution”, present in Windows 8 and later. Intended to speed up browsing, it sends each DNS query to the resolvers of every network interface in parallel and accepts whichever answer arrives first, instead of querying only the interface that carries the default route. The resolver on the Wi-Fi or Ethernet adapter, reached directly rather than through the tunnel, often answers faster than the VPN’s, so the query (carrying the site name and your real address) reaches your ISP even though the VPN is up.
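The three configuration-level leak paths just described (DHCP-assigned resolvers on non-VPN adapters that Smart Multi-Homed Name Resolution will race, routable IPv6 addresses outside the tunnel, and an active Teredo interface) can all be read off a single “ipconfig /all” dump. The script below is an added example written for this article, not code from the original page or from any VPN vendor; it parses such a dump and lists the leak paths. The dump it ships with is constructed sample data, and the adapter names, the “TAP-Windows” substring used to recognise the VPN adapter, and all addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed "ipconfig /all" output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : home
   IPv6 Address. . . . . . . . . . . : 2001:db8:abcd:1:3c5e:7364:1a2b:5db1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3c5e:7364:1a2b:5db1%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter TAP-Windows Adapter V9:

   Link-local IPv6 Address . . . . . : fe80::1234:5678:9abc:def0%20(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.6(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.8.0.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:1c2d:3e4f:3f57:fe2c(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:3f57:fe2c%15(Preferred)
   Default Gateway . . . . . . . . . : ::
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")
FIELD_RE = re.compile(r"^\s{1,8}([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s?(.*)$")
LOCAL_V6 = (ip_network("fe80::/10"), ip_network("fc00::/7"))  # not routable
TEREDO = ip_network("2001::/32")                                 # Teredo prefix


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from 'ipconfig /all' output."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_field = None
            continue
        if current is None:
            continue  # lines of the global 'Windows IP Configuration' block
        if len(line) - len(line.lstrip()) >= 30 and last_field:
            current[last_field].append(line.strip())  # e.g. a second DNS server
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            last_field = key
    return adapters


def _addr(value):
    """Strip '(Preferred)' and '%zone' decorations and parse the address."""
    return ip_address(value.split("(")[0].split("%")[0])


def audit(adapters, vpn_adapter_substring):
    """Flag ways DNS or IPv6 traffic can bypass the VPN adapter.

    Returns a list of (adapter, issue, detail) tuples; an empty list means only
    the VPN adapter carries resolvers and no routable IPv6 exists outside it.
    """
    findings = []
    vpn_dns = [v for n, f in adapters.items() if vpn_adapter_substring in n
               for v in f.get("DNS Servers", [])]
    if not vpn_dns:
        findings.append((vpn_adapter_substring, "no-vpn-dns",
                         "VPN adapter absent or pushes no resolver"))
    for name, fields in adapters.items():
        if vpn_adapter_substring in name:
            continue
        # Resolvers on any other adapter: SMHNR races every query to them.
        others = fields.get("DNS Servers", [])
        if others:
            findings.append((name, "foreign-resolver", ", ".join(others)))
        # Routable IPv6 outside the tunnel: an IPv4-only VPN never sees it.
        for v in fields.get("IPv6 Address", []) + fields.get("Temporary IPv6 Address", []):
            a = _addr(v)
            if any(a in n for n in LOCAL_V6):
                continue
            issue = "teredo-active" if a in TEREDO else "ipv6-outside-tunnel"
            findings.append((name, issue, str(a)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipconfig(SAMPLE_IPCONFIG), "TAP-Windows"):
        print(*finding)
```

On a real machine, replace SAMPLE_IPCONFIG with the output of “ipconfig /all” and the substring with your own VPN adapter’s name. Link-local (fe80::/10) and unique-local (fc00::/7) addresses are ignored because they cannot reach the Internet; anything else on a non-VPN adapter is a path that an IPv4-only client never sees, and an address in 2001::/32 means Teredo is up.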

Some of the Brands Affected by DNS Leaks

A 2015 study of 14 commercial VPN services by researchers from Sapienza University of Rome and Queen Mary University of London found that ten of them leaked IPv6 traffic outside the tunnel.

More recently, in March 2018 a group of security researchers tested PureVPN, Zenmate and Hotspot Shield and found IP address leaks in all three products. Hotspot Shield (the only vendor to formally respond to the results) issued a patch for its Chrome browser extension, which had a DNS leak bug and an IP address flaw that could allow an attacker to hijack a user’s web traffic if the user were lured to a malicious site. The company’s desktop and mobile apps were verified as unaffected.

In August 2018, research by Dhiraj Mishra showed that version 1.4.0.216 and earlier of the Kaspersky VPN application for Android sent DNS queries outside the established VPN tunnel. The bug was triggered whichever virtual server the user connected to, and exposed the domain names of every website the user visited.

What You Can Do To Protect Yourself Against DNS Leaks

Several measures address the loopholes described above, whether a VPN connection fails outright or is quietly bypassed.

You should start by testing out the capabilities of your VPN. A number of free online tools exist for checking to see if a VPN is leaking your IP address. Examples include DNS Leak Test, Hidester DNS Leak Test, and DNSLeak.com.

These sites work by having your browser look up a unique, randomly generated host name under a domain the test site controls. The only systems that can ask the site’s name server about that name are the resolvers your device actually used, so the site can list them, along with the public IP address your connection arrives from. Run the test once without the VPN and note the public address and the resolvers shown; they belong to your ISP. Then connect to your VPN and run it again. If nothing is leaking, the public address changes to the VPN server’s and every resolver listed belongs to the VPN provider. Any ISP resolver still in the list, or any IPv6 address that matches the first run, is a leak.
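The mechanism behind these tests, and the comparison you then make between the two runs, as an added example written for this article (not code from the original page or from any of the test sites named above). A per-visit random label is looked up under a zone the test site controls; the resolvers that query the zone’s authoritative server for that label are the ones your device really used. The query-log lines below are constructed in BIND’s query-log style, and the zone name leaktest.example, the token, the ISP resolver addresses and the VPN provider’s resolver range are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

ZONE = "leaktest.example"   # zone the (hypothetical) test site controls
TOKEN = "k7f3qz2p"          # random label the test page embedded for this visit

# Constructed authoritative name-server query log in BIND's query-log style.
# The last line carries another visitor's token and must be ignored.
QUERY_LOG = """\
25-Mar-2018 10:02:11.120 client 203.0.113.53#43112 (k7f3qz2p.leaktest.example): query: k7f3qz2p.leaktest.example IN A +E(0) (198.51.100.10)
25-Mar-2018 10:02:11.124 client 198.51.100.200#51022 (k7f3qz2p.leaktest.example): query: k7f3qz2p.leaktest.example IN A +E(0) (198.51.100.10)
25-Mar-2018 10:02:11.131 client 2001:db8:feed::53#39987 (k7f3qz2p.leaktest.example): query: k7f3qz2p.leaktest.example IN AAAA +E(0) (198.51.100.10)
25-Mar-2018 10:02:12.002 client 192.0.2.77#60001 (a1b2c3d4.leaktest.example): query: a1b2c3d4.leaktest.example IN A +E(0) (198.51.100.10)
"""

LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: "
)


def resolvers_for_token(log_text, token, zone=ZONE):
    """Resolver addresses that asked the zone's name server about our token.

    Only a resolver the client actually used can know the random label, so this
    set is the ground truth a leak-test site reports back to the user.
    """
    wanted = f"{token}.{zone}".lower()
    seen = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("qname").lower() == wanted:
            seen.add(str(ip_address(m.group("src"))))  # normalised text form
    return seen


def classify(resolvers, isp_resolvers, vpn_networks, vpn_tunnels_ipv6=False):
    """Label each observed resolver. The test passes only if all are 'vpn'.

    isp_resolvers: resolver addresses the test showed before the VPN was up.
    vpn_networks:  address ranges (CIDR) of the VPN provider's resolvers.
    """
    isp = {ip_address(a) for a in isp_resolvers}
    vpn = [ip_network(n) for n in vpn_networks]
    verdict = {}
    for text in resolvers:
        r = ip_address(text)
        if any(r in n for n in vpn):
            verdict[text] = "vpn"
        elif r.version == 6 and not vpn_tunnels_ipv6:
            verdict[text] = "ipv6-leak"     # left via native or Teredo IPv6
        elif r in isp:
            verdict[text] = "isp-leak"      # DHCP resolver or SMHNR race
        else:
            verdict[text] = "unknown-leak"  # e.g. a transparent proxy
    return verdict


def leaking(verdict):
    """True if any resolver other than the VPN's saw the query."""
    return any(label != "vpn" for label in verdict.values())


if __name__ == "__main__":
    seen = resolvers_for_token(QUERY_LOG, TOKEN)
    result = classify(seen, ["203.0.113.53", "203.0.113.54"], ["198.51.100.0/24"])
    print(result, "LEAKING" if leaking(result) else "OK")
```

In the sample the VPN’s resolver and the ISP’s resolver both query the label, which is exactly what Smart Multi-Homed Name Resolution produces, and an IPv6 resolver queries it as well, which an IPv4-only client cannot have tunnelled. A clean run shows only addresses inside the VPN provider’s range.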

If your VPN doesn’t specifically address DNS leaks, change your subscription to a service that does. Configure the client to use the DNS servers the VPN service provides, which sends lookups through the tunnel by default. If the service has no resolvers of its own, configure a reputable independent resolver such as OpenDNS, but make sure those queries also travel inside the tunnel: a resolver set on the physical adapter merely changes who sees your lookups, and on a network with a transparent proxy it changes nothing at all.

Wherever possible, choose a VPN that handles IPv6, either by tunnelling it or by blocking it while connected. Also make sure the VPN client is built on a recent OpenVPN (2.3.9 or later on Windows), which offers the block-outside-dns option. It uses the Windows Filtering Platform to block any DNS traffic that does not go through the tunnel interface, and so defeats Smart Multi-Homed Name Resolution races, DHCP-assigned resolvers and ISP transparent proxies alike, because no query ever leaves outside the tunnel.

A free and open-source plugin for OpenVPN is also available to deal with Smart Multi-Homed Name Resolution on Windows 8, 8.1 and 10. The feature itself can be turned off with the Group Policy setting “Turn off smart multi-homed name resolution” (Computer Configuration > Administrative Templates > Network > DNS Client), which sets the DWORD value DisableSmartNameResolution to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. Teredo can be disabled from an elevated Command Prompt with the command netsh interface teredo set state disabled.

On the hardware side, you can set your router’s TCP/IP or DHCP settings to hand out specific trusted DNS servers by IP address; that setting then applies to every device on the home or office network, including ones that run no VPN client. It does not by itself stop an on-device VPN from leaking: a device that runs its own VPN still needs the tunnel to override those resolvers. For extra protection, configure your network firewall (on the router or on the device) to allow traffic out only to the VPN server and through the tunnel, which is the firewall-based kill switch described above.

As an additional line of defense in the browser, you can install an extension such as Location Guard for Chrome or Firefox. Be clear about what it does and does not do: it adds random noise to the coordinates that the browser’s HTML5 Geolocation API reports to websites, so a site that asks for your location sees a point somewhere within a radius you choose rather than your true position. It does nothing to your IP address or your DNS queries, so it complements a VPN rather than replacing one. With the VPN connected, a site sees the VPN server’s address from the network and a fuzzed position from the browser.

Finally, as VPN software is updated and Internet Service Providers change their infrastructure and operations, repeat the checks at those test sites from time to time to make sure your VPN connection hasn’t sprung a fresh DNS leak.
