fbpx

Let us assume that you are using an anonymity or privacy service...
 
It is extremely important for you that all the traffic that is originating from your computer/laptop is routed through the anonymity network (VPN). You would usually take this aspect granted...
 
What if your traffic is leaking outside of the secure anonymity network (VPN)?
 
If it is happening, then any adversary who is monitoring your traffic will be able to log all of your online activity. And, it is a nightmare!
-
 

👉 What is DNS Leak?

The Domain Name System (DNS) makes the internet navigable and user-friendly, and is crucial to helping internet users visit their favorite websites, access search engines, use social media, and watch streaming services.
 
You already know that DNS is used to translate any domain name such as www.leonardo.com, into corresponding IP address, e.g., 110.24.45.93 or similar. These IP addresses are needed to route data-packets on the internet and to deliver at right destination.
 
Every time, when you enter an URL into your browser, trying to connect to a server, your computer is basically attempting to contact a DNS Server and request the IP address.
 
You need to remember here that when you are doing that, your computer is connecting to your ISP's DNS Server, which they control and use for logging and recording your internet activities.
 
Your query goes to ISP's DNS Server first, and that can surely be a privacy concern for you. Because the records of your online activities can be demanded by law-enforcement agencies to track your online activities. In some countries, this information can be sold to third-parties without users' permission.
 
However, most users including you, can avoid this by using a virtual private network (VPN) to keep their browsing activity encrypted, private, and secure.
 
There are some certain conditions under which, even if you are connected to an anonymity network (VPN), the Operating System (OS) of your computer will continue to use its default DNS Servers...It may not be using anonymous DNS servers assigned to your computer by the anonymous network. That's what leads to DNS Leaks!
 
You already know that a VPN is designed to encrypt your internet connection, which keeps your traffic in a private tunnel that hides all of your browsing activity. That means all of your internet searches and website visits are hidden from everyone except for your VPN provider.
 
However, a DNS leak occurs when your DNS requests move OUTSIDE the encrypted tunnel and become visible to your ISP. As a result, all your browsing activity, including your IP address, location, and web searches, goes through the ISP in the same way it would if you were not using a VPN.
 
DNS leaks are a major privacy threat to you, because you may be under the false impression of security, while your private data is leaking.
 
In short, A DNS leak is a security flaw that occurs when your requests are sent to an ISP's DNS servers even when a VPN is being used by you to protect your privacy.
 
You can test whether your DNS is being leaked. A way to test your provider against DNS leaks is by querying Akamai. Simply run the following command:
 
nslookup whoami.akamai.net
 
If this command returns the IP address of your VPN provider, then everything is fine. But if it returns the IP address as allocated by your ISP, then your DNS Leak is happening.
 
-
 

👉 How can a DNS Leak happen?

 
There are many situations that can result in a DNS leak. For example:
 
1. An improperly configured VPN
 
A DNS leak is most likely to occur when a VPN is configured improperly and it assigns a DNS server belonging to the your ISP.
 
Kindly note that all VPNs require you to connect to your ISP before you log in to the VPN. That's why, it is high likely that DNS Leak may happen, as you might be frequently switching between multiple networks on regular basis.
 
2. Poor Quality of VPN Service
 
The effectiveness of all VPN service depends heavily upon their own DNS servers. If a VPN service does not have its own DNS Server, then it will not be able to provide you effective protection.
 
3. Lack of support to IPv6
 
IPv6 addresses were created to extend the pool of IP address, so that more number of devices can be accommodated on internet. Right?
 
The internet is still transitioning, and some VPNs may not support IPv6, which may push a your DNS request outside of the encrypted tunnel. But I would expect that modern VPN services are meeting this requirement of supporting IPv6.
 
4. Transparent DNS Proxies
 
I guess, it is a bigger problem than you think. Some ISPs might be forcing you to use their DNS servers even when you change the settings to a third party VPN. If the ISP detects DNS setting changes, it can use a TRANSPARENT PROXY that forces a DNS Leak by redirecting the your web-activity to its own DNS Servers.
 
5. Windows Smart Features
 
There is a relatively new feature in Windows 8 and Windows 10, known as SMHNR. It stands for 'Smart Multi-Homes Name Resolution'. This feature submits DNS requests to all available DNS Servers, BUT it accepts the response of whichever server that responds first. This feature can possibly result in DNS Leaks. It can also leave you vulnerable to spoofing attacks.
 
6. Windows Teredo
 
It is another feature in Windows that has been built-in. Teredo aims to ease the transition from IPv4 to IPv6. This feature is good one, because it helps both IP systems to coexist more easily.
 
BUT it creates a huge security issue for VPN users. That is because Teredo is also a tunneling protocol that can take precedence over your encrypted VPN tunnel.
-

👉👉👉 How can you manage/fix the DNS Leaks?

 
The only solution is to ensure that once connected to the VPN, you are using ONLY the DNS server/s provided by the VPN service.
 
However, you can do many things to prevent it, in general...
 
1. VPN vendors provide 'DNS Leak Tests' that enable you (users) to check the status of their connection, Internet Protocol (IP) address, and DNS server. You should use only VPN Services which offer you some settings to enable the protection against DNS Leak, as well as a 'Kill-switch.'
 
You can’t predict if your VPN connection will last during the whole session. Sometimes the VPN server may shut down, due to an unexpected error, or your secure connection may drop. That’s when the kill-switch kicks in, automatically disconnecting your device from the network. That way, it protects any data that may slip out of the encrypted tunnel.
 

Just to be super-safe, make sure your VPN provider has a strict no-logging policy.

 
2. Uninstall and Reinstall the VPN Software (Client). It is a good practice to completely uninstall and reinstall the latest VPN client software from your provider.
 
3. Instead of using DNS servers as given by your ISP, you can immediately change DNS servers to alternative ones. For example, you can use
 
[A] Comodo Secure DNS Servers
 
Primary: 8.26.56.26
Secondary: 8.20.247.20
 
[B] OpenDNS Servers
 
Primary: 208.67.222.222
Secondary: 208.67.222.220
 
[C] Google Public DNS Servers
 
Primary: 8.8.8.8
Secondary: 8.8.4.4
 
[D] CloudFlare Public DNS [fastest]
 
Primary: 1.1.1.1
Secondary: 1.0.0.1
-
👉 4. Disable SMHNR in Windows 10
 
SMHNR is nothing but a fancy way of saying that– Windows 8 & 10 send DNS requests across all 'interfaces' and uses the fastest reply.
 
You can disable it via editing 'Group Policy' in Windows 10 Professional, but Home Edition does not offer your group-policy editor.
 
  • Tap on the keys 'Windows + R' on the keyboard, type gpedit.msc, and hit the 'Enter' on the keyboard.
  • Go to Computer Configuration > Administrative Templates > Network > DNS Client > Turn off smart multi-homed name resolution.
  • Set the policy to enabled, to disable the smart multi-homed name resolution feature of the system.
 
-
 
👉 5. A Note on Transparent DNS Proxies
 
Some ISP's are now using a technology called 'Transparent DNS proxy'. Using this technology, they will intercept all your DNS lookup requests (TCP/UDP port 53) and would transparently proxy the results. This effectively forces you to use their DNS service for all DNS lookups.
 
If you have changed your DNS settings to use an 'open' DNS service such as Google, Comodo or OpenDNS, expecting that your DNS traffic is no longer being sent to your ISP's DNS server, you may be surprised to find out that they are using transparent DNS proxying.
 
You can easily test this by visiting https://www.dnsleaktest.com/ and clicking on the any of two test buttons on the homepage. These represent 'Standard Test' and 'Extended Test.'
 
I would suggest you to use 'OpenVPN,' this cloud-based service offers your 3 free connections. You can use these for your personal usage. For your company, you can subscribe from 10 to 2000+ connections.
 
If your ISP implements a transparent DNS proxy, then it is very important that you use one of the methods in the following section to ensure that when you are connected to the VPN, there is no chance of your requests being intercepted.
 
Assuming you are using OpenVPN subscription, you can now prevent DNS leaks by specifying a new OpenVPN option. Simply open the .conf (or .ovpn) file for the server that you are connecting to and add the following on a new line:
 
block-outside-dns
 
For more information, you should see the OpenVPN manual.
 
-
 
6. Manage Windows Teredo
 
In simple words, Teredo allows IPv4 connections to read IPv6 addresses. You can disable it by following process:
 
  • Open the cmd-prompt using administrator's privileges.
  • Type the command: netsh interface Teredo set state disable
  • Press Enter to disable the adapter.
-
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
_____

This Article Was Written & published by Meena R,  Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India. 

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms. 

34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook. 

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM