In my last post, we discussed VPN and that you have to be careful about the DNS Leak. Today we will go deeper into that topic.
What are we talking about again?
Browsers use the Domain Name System (DNS) to bridge the gap between internet IP addresses (numbers) and website domain names (words).
When a web name is entered, it is sent first to a DNS server where the domain name is matched to the associated IP address so that the request can be forwarded to the correct computer.
This is a huge problem for privacy since all standard internet traffic must pass through a DNS server where both the sender and destination are logged.
That DNS server usually belongs to the user’s ISP and is under the jurisdiction of national laws. For example, in the UK, information held by ISPs must be handed to law enforcement on demand. Similar happens in the USA, but with the added option for the ISP to sell the data to marketing companies.
While the content of communications between the user’s local computer and the remote website can be encrypted with SSL/TLS (it shows up as ‘https’ in the URL), the sender and recipient addresses cannot be encrypted. As a result, every destination visited will be known to whoever has legal (or criminal) access to the DNS logs – that is, under normal circumstances, a user has no privacy over where he goes on the internet.
VPNs are designed to solve this problem by creating a gap between the user’s computer and the destination website. But they don’t always work perfectly. A series of issues means that in certain circumstances the DNS data can leak back to the ISP and therefore into the purview of government and marketing companies.
The problems are known as DNS leaks. For the purpose of this discussion on DNS leaks, I will largely assume that your VPN uses the most common VPN protocol, OpenVPN.
Why does it leak?
There are a number of reasons that could cause DNS Leak.
Corrupted Windows OS file
Many malicious websites use a specific technique that can force a Windows operating system to shift the traffic to an unsecured DNS server. This technique works by simply delaying the response time of a website so the computer uses another DNS server. Malicious websites use this technique to get users’ information.
Smart Multi-Homed Name Resolution
Windows operating systems from 8 onward have introduced the “Smart Multi-Homed Name Resolution” feature, intended to improve web browsing speeds. This sends out all DNS requests to all available DNS servers. Originally, this would only accept responses from non-standard DNS servers if the favorites (usually the ISP’s own servers or those set by the user) failed to respond. This is bad enough for VPN users as it greatly increases the incidence of DNS leaks, but as of Windows 10 this feature, by default, will accept the response from whichever DNS server is fastest to respond. This not only has the same issue of DNS leakage but also leaves users vulnerable to DNS spoofing attacks.
Teredo is Microsoft’s technology to improve compatibility between IPv4 and IPv6 and is an inbuilt feature of Windows operating systems. For some, it’s an essential transitional technology that allows IPv4 and IPv6 to coexist without issues, enabling v6 addresses to be sent, received and understood on v4 connections. For VPN users, it’s, more importantly, a glaring security hole. Since Teredo is a tunneling protocol, it can often take precedence over your VPN’s own encrypted tunnel, bypassing it and thus causing DNS leaks.
Transparent DNS Proxy
Some ISPs have adopted a policy of forcing their own DNS server into the picture if a user changes their settings to use a third-party server. If changes to the DNS settings are detected, the ISP will use a transparent proxy – a separate server that intercepts and redirects web traffic – to make sure your DNS request is sent to their own DNS server. This is effectively the ISP ‘forcing’ a DNS leak and trying to disguise it from the user. Most DNS-leak detection tools will be able to detect a transparent DNS proxy in the same way as a standard leak.
How do I know if I leak?
Well, there are multiple sites which are able to test if you have a DNS Leak or not. There is DNSLeak.com, IPLeak.net, DnsLeakTest.com and so on … you get the idea. I would also recommend doing multiple tests from different sites to ensure that you don’t have a DNS Leak.
It is possible to test for DNS and other leaks without using one of these websites, although it requires you to know your own IP address and how to use the Windows command prompt, It also requires a trusted test server for you to ‘ping’ directly; this could be a private server you know and trust, or one of the following public test servers:
To do this, open the command prompt (go to the start menu, type “cmd” and press Enter), and then enter the following text:
ping [server name] -n 1
Replace [server name] with the address of your chosen test server (for example “ping whoami.akamai.net -n 1”), and press Enter. If any of the IP addresses found in the resulting text match your personal or local IP, it’s an indicator that a DNS leak is present; only your VPN’s IP address should be shown.
How can I stop the leak?
To be honest. Get a VPN with DNS Leak protection, don’t use your ISP DNS Server and then you’re good to go. Of course, there can always be some flaws caused by whatever but then you need a fix for your special problem.
Also, use a firewall to block all traffic outside of the VPN – some VPN services even offer something called a “Kill switch” which basically routes all the network traffic through VPN and kills everything outside that boundary.
If you want to stay safe on a regular basis, you need to go to regular checkups -> so every now and then just test if your DNS is leaking.
It clearly sounds worse than it actually is, as you saw, there are easy methods for you to inspect and protect.
Don’t get a tinfoil hat, but a wool hat might just be enough.