What is DNS Leak Protection?
Using a Virtual Private Network (VPN) is a good idea when you want to protect your online privacy and have a more secure Internet connection, but even the best VPN won’t matter if it doesn’t protect you from DNS leaks.
In this article, we’ll explain:
- What is DNS leak
- How to check for DNS leaks
- What causes DNS leaks
- How to fix DNS leak
But first, we need to understand the following:
What is DNS and How it Works?
Domain Name System (DNS) is what allows us to traverse the Internet as we do. This is because DNS is responsible for translating hostnames into IP addresses.
Why is this important?
Well, because of the difference in which humans and computers think.
To us humans, it’s much easier to memorize a website called “Facebook.com” or “Google.com” (we don’t even need to remember the “.com” part).
Computers, however, think differently (binary to say). To them, words like “Facebook” or “Google” doesn't mean anything. Instead, they use numerical IP addresses like 22.214.171.124.
Each device connected on the Internet has its own IP address (sometimes they’ll have a range of IP addresses, but that’s another story). It is through these IPs that devices on the network communicate.
Here’s how DNS works normally:
- The user (that’s you) searches for a website on their browser. This is called a “request” and your request is sent to a “recursive resolver” operated by your Internet Service Provider (ISP).
- The DNS resolver goes “hold on, I’ll ask someone” and the first server it turns to for an answer is the root server. DNS root servers hold information about Top Level Domains (TLD) like .com. Contrary to popular belief, there aren’t 13 DNS root servers, but much more (hundreds all over the world). The 13 is just the max number of allowed named authorities in the delegation data for one root zone.
- If the root server has information about the TLD, it will return that info to the resolver, which can then ask the TLD Name Server “hey, where is thiswebsite.com?”, to which the TLD Name Server replies (if it knows) with “here’s the Domain’s Name Server”.
- Finally, the DNS resolver asks the Domain’s Name Server if it can tell it where to find thiswebsite.com? The Domain’s Name Server replies with “here’s its IP address”.
- Finally, the website appears on your screen and you are one happy user since all of this took probably as much time as you needed to blink.
What is DNS Leak?
At least this is how DNS should work (and normally, it does work like this). However, sometimes DNS gets attacked, or a request that you make to the DNS server becomes visible to others, like your ISP.
This is called a DNS leak and you don’t want that to happen.
What this means is that whoever is running the DNS server (usually the ISP), but also someone watching the DNS server, will see the IP addresses and hostnames of the websites that you visit.
For instance, you might be visiting a website about a particular illness and this information could obviously be very interesting to insurance houses, as well as scammers.
This is also very dangerous when it comes to net neutrality. For example, if the government becomes curious (for whatever reason) about you, they can ask your ISP for your details and the ISP will be obliged to provide them.
That is, unless you are using a VPN, which will route your DNS request through a VPN tunnel and to the VPN server and not the ISP’s.
So when the government asks for your data, the ISP can just shrug their shoulders if you’re using a VPN. However, if there’s a DNS leak, the ISP can be like “here are this guy’s details”.
What Causes a DNS Leak?
There are several potential causes of a DNS leak.
- Not configuring the network properly
Let’s say you use different networks to connect to the Internet. When using a VPN, your device first needs to connect to a local network.
A DNS leak can occur if the DHCP automatically assigns a DNS server that is not secure or that belongs to your ISP so that, when you connect to the VPN, the DNS request doesn’t go through the tunnel.
- Windows features
DNS leaks are most common for Windows machines and that’s because of a particular “feature” that Windows 8, 8.1 and 10 have called the “Smart Multi-Homed Name Resolution”.
What this feature is meant to do is make your browsing faster by all available DNS servers. On Windows 10, for example, this means that your device will accept the response from the fastest DNS server, which can lead to DNS leaks as well as spoofing attacks.
- VPN not working with IPv6
IPv6 was introduced 25 years ago and we are still waiting for it to replace IPv4. Why? Well, we have long run out of unallocated IPv4.
But, here we are, still waiting for the IPv6 to take over.
Unfortunately, some VPNs don’t fully support IPv6 yet. This means that if your device sends a request via IPv6, this will bypass your VPN tunnel and leave your data exposed, even though you are using a VPN.
Usually, the VPNs that don’t support IPv6 traffic, like NordVPN, will simply disallow it and send the address value to a local network address fd00::1 when it connects. Since this local network address cannot be routed publicly, there’s no danger of a DNS leak.
- A transparent proxy
A lot of users will use DNS proxies, or 3rd-party servers to redirect their traffic away from the ISP. If the ISP detects this, they might use a transparent proxy to “redirect your redirected” traffic back to their DNS server. This way, the ISP blatantly causes a DNS leak.
How to Check for DNS Leaks?
The problem with DNS leaks is that you won’t know you have one unless you check for DNS leaks.
So how to check for DNS leaks?
First, you need to know your real IP address. You can quickly find out this piece of information by googling “what is my IP?”
How to Fix DNS Leak?
Okay, say you’ve detected a leakage. Here are a few ways to fix DNS leaks.
- Use a VPN that will prevent DNS leakage
For instance, we already mentioned the NordVPN DNS leak prevention feature, so look for something similar in your VPN of choice as well.
Also, make sure that the integrity of your VPN connection is not compromised in any way and that your requests go through the VPN tunnel and not the original ISP.
- Use a secure DNS service
While not as good a choice as using a VPN, some secure DNS solutions heavily encrypt DNS traffic and this way prevents DNS leaks. This also helps with filtering and blocking malicious websites.
Again, a VPN is a preferred choice.
- Clear your DNS cache
This isn’t so much a solution to an existing DNS leak, but more a way to prevent your online actions from becoming known to intruders. The idea here is that by clearing (or “flushing”) your DNS cache regularly, you prevent someone from viewing your browsing history.
A DNS leak means that your request to a VPN server doesn’t get passed through a secure VPN tunnel and an encrypted connection, but instead through the ISP DNS and thus becomes visible to outsiders.
To stop a DNS leak that is already happening, switch from default DHCP settings on your Windows to either a public DNS or a static DNS server like OpenDNS, Cloudflare, or Comodo Secure.
You can change these settings by going to: Network and Sharing Center > Change Adapter Settings > right-click on your network > Properties > Internet Protocol Version 4 (TCPIPv4) > Properties > Use the following DNS server addresses > enter a Preferred or Alternate address of a DNS server you want to use.
However, since there’s no guarantee that the company managing the public service won’t just sell your data (Google, for instance, has its own public DNS), a better option to stop a DNS leak is to use a better VPN, with features that prevent DNS leakage, like NordVPN.
To prevent a DNS leak, be sure to either use a secure public DNS service, or better yet, a VPN service that includes DNS leak prevention.
So you want some online privacy?
Not gonna happen while you have a DNS leak!
DNS leaks are a nightmare to anyone who wants to keep their data secure when using a VPN. Hopefully, this article gave you a good idea of what DNS leak is and how to prevent it.
Do you also want to make your emails more secure from prying eyes? Sign up to CTemplar and enjoy unparalleled privacy when emailing.