How to Deal with DNS Leaks
You normally use a VPN to hide your IP address and browsing habits, right? That’s the kind of privacy the service should offer – but not if it suffers a DNS leak.
Don’t know what that is? No problem – I’m going to tell you everything about them: how they happen, how they affect your privacy, which DNS leak test tool to use on your VPN, and how to prevent DNS leaks in the first place.
So let’s get started.
What Is a DNS Leak Anyway?
To really understand that you should first know what DNS is.
Basically, it stands for Domain Name System, and it’s responsible for translating website names into IP addresses, and vice versa. You can pretty much think of it as the phone book of the Internet.
Normally, when you want to access a website, your device sends a DNS query for its IP address to your ISP’s DNS server (the resolver your router or ISP hands out over DHCP). That’s how your ISP can see which websites you visit, even when the connection itself is encrypted with HTTPS.
When you use a VPN, that shouldn’t happen: your DNS queries travel inside the encrypted tunnel to the VPN provider’s own DNS server, and so does the rest of your traffic. The website you connect to sees the VPN server’s IP address rather than yours, and your ISP can’t see what you look up or visit; all it sees is encrypted traffic to the VPN server’s IP address.
Now, a DNS leak is when your operating system (or an application) sends DNS queries outside the tunnel anyway, typically to your ISP’s DNS server, even though the VPN is connected. In the worst case it isn’t only DNS: some of your connections bypass the VPN server entirely and go out over the ordinary connection.
What Does That Mean for You?
Simply put, your VPN isn’t protecting you as it should. Your ISP (or whoever runs the resolver the queries leak to) can see every domain you look up, which is a near-complete record of the sites you visit.
What’s more, services that compare where your DNS queries come from with where your connection comes from (streaming platforms do this) can tell you’re behind a VPN, so you may not manage to bypass geo-blocks or price discrimination with it.
Even worse, if traffic itself is bypassing the VPN server rather than just DNS, those connections get no VPN encryption at all and expose your real IP address to the sites you visit.
What Causes a DNS Leak?
There are quite a lot of reasons you might experience this:
- A misconfigured network or VPN client – your device keeps using the ISP’s DNS server instead of the VPN provider’s. This happens if the VPN doesn’t run its own DNS server, or if the VPN client fails to replace the resolver addresses that DHCP gave your network adapter when the tunnel comes up.
- You’re running both IPv4 and IPv6, and your VPN only tunnels IPv4. Anything sent over IPv6, including DNS queries to an IPv6 resolver, bypasses the VPN tunnel.
- Built-in operating system features. Teredo is a good example: it’s an IPv6-over-IPv4 tunnelling protocol that Windows enables by default for compatibility between IPv4 and IPv6, and its traffic can travel outside the VPN tunnel. Smart multi-homed name resolution, another Windows feature, sends each DNS query to the resolvers of every network interface in parallel and accepts the fastest answer, so your ISP’s resolver on the physical adapter regularly wins against the VPN’s resolver on the tunnel adapter.
- Hackers took over your router and changed the DNS servers it hands out, so any query that leaks outside the tunnel goes to a resolver they control, which can answer with the addresses of phishing sites instead of the real ones.
- Your ISP uses a transparent DNS proxy. It intercepts any plaintext DNS traffic (UDP or TCP port 53) leaving your network, regardless of which resolver you configured, and answers it from its own DNS server. Queries inside the VPN tunnel are encrypted and out of its reach; queries that leak outside the tunnel are not.
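The causes above can be checked mechanically. The following is an added example, not code from the original article: it audits a hand-constructed snapshot of a host’s network interfaces and their configured resolvers (the adapter names, the 10.8.0.1 VPN resolver and the 192.168.1.1 router are assumptions) and reports each way a DNS query could leave the tunnel. On a real Windows machine you would build the snapshot from Get-NetAdapter and Get-DnsClientServerAddress, on Linux from resolvectl status.

```python
"""Audit per-interface DNS configuration for the leak vectors listed above:
a resolver reachable outside the tunnel, IPv6 resolvers on an IPv4-only VPN,
Teredo enabled, or the wrong resolver on the tunnel adapter itself.
Added example, not the article's code; the snapshot below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Interface:
    name: str
    up: bool
    resolvers: List[str]        # DNS servers configured on this adapter (v4 or v6)
    is_tunnel: bool = False     # the VPN's virtual adapter


# Hypothetical VPN facts: the resolver it pushes and whether it tunnels IPv6.
VPN_DNS = {"10.8.0.1"}
VPN_SUPPORTS_IPV6 = False

# Constructed snapshot: a Windows laptop on home Wi-Fi with an OpenVPN adapter up.
SNAPSHOT = [
    Interface("Wi-Fi", True, ["192.168.1.1", "2001:db8:1::53"]),      # ISP router + ISP IPv6 resolver
    Interface("Ethernet", False, ["192.168.1.1"]),                     # cable unplugged
    Interface("Teredo Tunneling Pseudo-Interface", True, []),
    Interface("OpenVPN TAP-Windows6", True, ["10.8.0.1"], is_tunnel=True),
]


def audit(snapshot: List[Interface], vpn_dns=VPN_DNS,
          vpn_ipv6: bool = VPN_SUPPORTS_IPV6) -> List[Tuple[str, str, str]]:
    """Return (interface, category, detail) for every way a query could leave the tunnel."""
    findings = []
    for iface in snapshot:
        if not iface.up:
            continue                                  # a down adapter cannot be queried
        if "teredo" in iface.name.lower():
            findings.append((iface.name, "teredo",
                             "IPv6-over-IPv4 tunnel active outside the VPN"))
        for r in iface.resolvers:
            ip = ipaddress.ip_address(r)
            if iface.is_tunnel:
                if r not in vpn_dns:
                    findings.append((iface.name, "wrong-tunnel-resolver",
                                     f"{r} is not the VPN's resolver"))
                continue
            if r in vpn_dns:
                continue          # VPN resolver set on a physical adapter: reached via the tunnel route
            if ip.version == 6 and not vpn_ipv6:
                findings.append((iface.name, "ipv6-unsupported",
                                 f"{r}: IPv6 queries bypass an IPv4-only tunnel"))
            else:
                # Windows SMHNR sends each query to every adapter's resolvers in
                # parallel, so this resolver competes with the tunnel's and often wins.
                findings.append((iface.name, "outside-tunnel",
                                 f"{r} is reachable without the VPN (SMHNR/fallback)"))
    return findings


def is_clean(snapshot: List[Interface], **kw) -> bool:
    """True when no leak vector was found."""
    return not audit(snapshot, **kw)


if __name__ == "__main__":
    for iface, category, detail in audit(SNAPSHOT):
        print(f"[{category}] {iface}: {detail}")
```

On the constructed snapshot this flags three vectors: the router’s resolver on Wi-Fi (what SMHNR would leak to), the ISP’s IPv6 resolver on an IPv4-only VPN, and the active Teredo adapter; the down Ethernet adapter is ignored, and the tunnel adapter itself is fine. Setting the physical adapter’s resolver to the VPN’s address, as step 3 below suggests, makes the audit come back clean.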
How Do You Know You’re Dealing with a DNS Leak?
Unfortunately, I can’t give you any clear telltale signs you’re dealing with one.
But don’t worry – there are tools you can use to test your VPN connection to make sure it’s running smoothly.
I personally recommend ProPrivacy’s DNS test tool for your VPN connection. It’s extremely easy to use, and very comprehensive. Not only does it test your VPN for DNS leaks, but it also makes sure there are no:
- IPv4 leaks;
- IPv6 leaks;
- WebRTC leaks.
And it’s a very quick test. In five simple steps, you’ll immediately find out if you have anything to worry about or if you’re in the clear.
There are other DNS leak test tools, but they tend to be more resource-intensive. Also, they’re not as accurate as ProPrivacy’s tool because they use outdated databases. What that means is you’ll see discrepancies in your results – like the tool telling you that a VPN server from the Netherlands has an IP address from Poland.
It can be unnecessarily confusing, which is why ProPrivacy’s simplicity and accuracy are a blessing.
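To see what a leak test tool actually does, here is an added example (not the article’s or ProPrivacy’s code) of the mechanism behind such tools: the client resolves a freshly generated, never-before-seen hostname under a domain the tester controls, so no cache can answer it and the query must reach the tester’s authoritative name server; that server logs which recursive resolver asked. If that resolver is not one of the VPN provider’s, the query left the tunnel. The zone leaktest.example, the VPN resolver ranges and the BIND-style log lines are all constructed for the example.

```python
"""Mechanism behind a DNS leak test (added example, not the article's or
ProPrivacy's code).  The client resolves a unique name under a zone the tester
controls; the tester's authoritative server logs which recursive resolver
asked for it.  A resolver outside the VPN provider's ranges means the query
left the tunnel.  Zone, resolver ranges and log lines are constructed."""
import ipaddress
import re
import secrets

TEST_ZONE = "leaktest.example"                 # hypothetical zone the tester controls
VPN_RESOLVER_NETS = [ipaddress.ip_network("10.8.0.0/24"),      # hypothetical: the VPN's
                     ipaddress.ip_network("198.51.100.0/24")]  # published resolver ranges


def make_probe_name(zone: str = TEST_ZONE) -> str:
    """Random label no cache has ever seen, so the query cannot be answered
    locally or by the ISP's cache and must reach the authoritative server."""
    return f"{secrets.token_hex(8)}.{zone}"


# BIND-style query log (constructed).  Only the source IP and the queried name
# matter here: "client <resolver-ip>#<port> (<name>): query: <name> IN A +"
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\): query:")

PROBE = "3f2a9c1e7b4d8f06." + TEST_ZONE        # what make_probe_name() returned in this constructed run
SAMPLE_LOG = [
    # the VPN's resolver fetched the name: expected and harmless
    f"client 10.8.0.1#41522 ({PROBE}): query: {PROBE} IN A +",
    # the ISP's resolver fetched the same name: SMHNR sent the query out both adapters
    f"client 203.0.113.7#53412 ({PROBE}): query: {PROBE} IN A +",
    # another tester's probe, must be ignored
    f"client 198.51.100.5#5001 (9a1b2c3d4e5f6071.{TEST_ZONE}): query: 9a1b2c3d4e5f6071.{TEST_ZONE} IN A +",
]


def resolvers_for(probe: str, log_lines) -> set:
    """Resolver IPs (as strings) that asked the authoritative server for `probe`."""
    want = probe.lower().rstrip(".")
    seen = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("name").lower().rstrip(".") == want:
            seen.add(str(ipaddress.ip_address(m.group("ip"))))
    return seen


def verdict(resolvers, vpn_nets=VPN_RESOLVER_NETS, vpn_ipv6: bool = False):
    """Classify the observed resolvers.  Returns (status, [(ip, reason), ...]);
    status is "OK", "LEAK", or "NO-QUERY" when nothing reached the server
    (the name was blocked or the test itself is broken)."""
    if not resolvers:
        return "NO-QUERY", []
    leaked = []
    addrs = sorted((ipaddress.ip_address(r) for r in resolvers),
                   key=lambda a: (a.version, int(a)))   # v4 and v6 are not mutually comparable
    for ip in addrs:
        if ip.version == 6 and not vpn_ipv6:
            leaked.append((str(ip), "IPv6 resolver, but the VPN is IPv4-only"))
        elif not any(ip in net for net in vpn_nets):
            leaked.append((str(ip), "resolver outside the VPN provider's ranges"))
    return ("LEAK" if leaked else "OK"), leaked


if __name__ == "__main__":
    status, leaked = verdict(resolvers_for(PROBE, SAMPLE_LOG))
    print(status, leaked)
```

The constructed log shows the typical Windows picture: both the VPN’s resolver and the ISP’s resolver fetched the probe name, so the verdict is a leak even though the tunnel is up. This is also why a one-off check can miss an intermittent leak; the web tools run several probes, and it is worth repeating the test after reconnecting or switching networks.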
How to Prevent a DNS Leak
Here are a few things you can do:
1. Get a Secure VPN
If the tool I mentioned just showed that your VPN has a DNS leak, you should consider getting a more reliable one.
2. Disable Teredo and Smart Multi-Homed Name Resolution
These OS features are no good for your online privacy, so disable them completely. On Windows, Teredo is turned off from an elevated command prompt with: netsh interface teredo set state disabled. Smart multi-homed name resolution is turned off with the group policy “Turn off smart multi-homed name resolution” under Computer Configuration > Administrative Templates > Network > DNS Client (the same setting is the DisableSmartNameResolution registry value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient). On Windows 10 and later this setting alone is often not enough to stop parallel queries, so also apply the OpenVPN fix below. Here are some useful guides:
Since OpenVPN 2.3.9 the Windows client has this built in: the block-outside-dns directive uses the Windows Filtering Platform to block DNS traffic on every interface except the tunnel while the VPN is connected. If you’re on an older client, you can use this patch for OpenVPN instead to be sure smart multi-homed name resolution isn’t an issue.
3. Change Your DNS Settings
If your network settings don’t get updated when you connect to the VPN and you’re still using your ISP’s DNS server, change the DNS addresses configured on your network adapter by hand.
Ideally, use your VPN provider’s DNS address, which is only reachable through the tunnel. If they don’t have one, that’s a red flag. But if you’d still prefer to use that service, use a public resolver instead:
- Google Public DNS – 8.8.8.8 and 8.8.4.4
- OpenDNS – 208.67.222.222 and 208.67.220.220
Bear in mind that a public resolver only helps if the queries to it actually travel through the tunnel. If they leave your machine in plaintext on port 53, your ISP can still read them (and its transparent proxy can still intercept them); you’ve only handed your browsing history to a different third party.
4. Disable IPv6
If your VPN doesn’t support IPv6, you’ll need to stop IPv6 traffic from leaving your device altogether: disable IPv6 on your network adapters (and on your router, if you can), or pick a VPN that tunnels or blocks IPv6 itself.
5. Change Your Router’s Login Credentials
If you use the default username and password, hackers can easily take over your router. They can look up the PDF manual for it online and find that information right there.
So replace the default credentials with a long, unique password (and a non-default username, where the router allows it). Use a password generator if you need to.
6. Bypass the Transparent Proxy
Normally, using a VPN should be enough to bypass your ISP’s transparent proxy, because your DNS queries travel inside the encrypted tunnel where the proxy can’t see them.
However, if the proxy is still catching your queries, some of them are leaving the tunnel in plaintext, and you need to stop that. The best advice I can give is to use OpenVPN. Find the .ovpn or .conf files of the server(s) you want to use, and open them in a text editor. Next, add this line:
That should be enough to help you bypass the annoying proxy.