DNS leak

Last updated November 14, 2024

A DNS leak is a security flaw that allows DNS requests to be revealed to ISP DNS servers, despite the use of a VPN service to attempt to conceal them.^[1] Although primarily of concern to VPN users, it is also possible to prevent it for proxy and direct internet users.

Process

The vulnerability allows an ISP, as well as any on-path eavesdroppers, to see what websites a user may be visiting. This is possible because the browser's DNS requests are sent to the ISP DNS server directly, and not sent through the VPN.

This only occurs with certain types of VPNs, e.g. "split-tunnel" VPNs, where traffic can still be sent over the local network interface even when the VPN is active.

Starting with Windows 8, Microsoft has introduced the "Smart Multi-Homed Named Resolution". This altered the way Windows 8 handled DNS requests, by ensuring that a DNS request could travel across all available network interfaces on the computer. While there is general consensus that this new method of domain name resolution accelerated the time required for a DNS look-up to be completed, it also exposed VPN users to DNS leaks when connected to a VPN endpoint, because the computer would no longer use only the DNS servers assigned by the VPN service. Instead, the DNS request would be sent through all available interfaces, thus the DNS traffic would travel out of the VPN tunnel and expose the user's default DNS servers.^[2]^[3]

Prevention

Websites exist to allow testing to determine whether a DNS leak is occurring. Regular DNS leak testing is crucial for VPN users to ensure their privacy, as DNS leaks can expose browsing activity to ISPs and other third parties, even when a VPN is active.^[4] DNS leaks can be addressed in a number of ways:

Encrypting DNS requests with DNS over HTTPS or DNS over TLS, which prevents the requests from being seen by on-path eavesdroppers.
Using a VPN client which sends DNS requests over the VPN. Not all VPN apps will successfully plug DNS leaks, as it was found in a study by the Commonwealth Scientific and Industrial Research Organisation in 2016 when they carried an in-depth research called "An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps"^[5] and found that 84% of the 283 VPN applications on Google Play Store that they tested did leak DNS requests.^[6]
Changing DNS servers on local computer for whole network adapters, or setting them to different ones. 3rd party apps are available for this such as NirSoft quicksetdns.
Using a firewall to disable DNS on whole device (usually outgoing connections UDP and less commonly TCP port 53), or setting DNS servers to non-existing ones like local 127.0.0.1 or 0.0.0.0 (via command line or 3rd party app if not possible via OS GUI interface). This requires alternate ways of resolving domains like the above-mentioned ones, or using in apps with configured proxy, or using proxy helper apps like Proxifier or ProxyCap, which allows resolving domains over proxy. Many apps allow setting manual proxy or using proxy already used by system.
Using completely anonymous web browsers such as Tor Browser which not only makes user anonymous, but also doesn't require any dns to be set up on the operating system.
Using proxy or vpn, system wide, via 3rd party app helpers like Proxifier, or in form of web browser extension. However most extensions in Chrome or Firefox will report false positive working condition even if they did not connect, so 3rd party website for ip and dns leak check is recommended. This false working state usually happens when two proxy or vpn extensions are tried to be used at the same time (e.g. Windscribe VPN and FoxyProxy extensions).

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

An open proxy is a type of proxy server that is accessible by any Internet user.

The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods.

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

Internet censorship circumvention is the use of various methods and tools to bypass internet censorship.

DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction, preventing eavesdropping and forgery by a man-in-the-middle.

Cliqz was a privacy-oriented web browser and search engine developed by Cliqz GmbH and majority-owned by Hubert Burda Media. It was available as a desktop and mobile web browser as well as an extension for Firefox itself.

Mullvad is a commercial VPN service based in Sweden. Launched in March 2009, Mullvad operates using the WireGuard and OpenVPN protocols. It also supports Shadowsocks as a bridge protocol for censorship circumvention. Mullvad's VPN client software is released under the GPLv3, a free and open-source software license.

ExpressVPN is a company providing online privacy and security solutions, including a virtual private network (VPN) service and a password manager. Since September 2021, ExpressVPN has been a subsidiary of Kape Technologies, a company wholly owned by Israeli billionaire Teddy Sagi.

NordVPN is a Lithuanian VPN service with applications for Microsoft Windows, macOS, Linux, Android, iOS, Android TV, and tvOS. Manual setup is available for wireless routers, NAS devices, and other platforms.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States. In May 2020, Chrome switched to DNS over HTTPS by default.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

Outline VPN is a free and open-source tool that deploys Shadowsocks servers on multiple cloud service providers. The software suite also includes client software for multiple platforms. Outline was developed by Jigsaw, a technology incubator created by Google.^[3]

<span class="mw-page-title-main">AdGuard</span> Ad blocking and privacy protection software

AdGuard is an ad blocking service for Microsoft Windows, Linux, MacOS, Android and iOS. AdGuard is also available as a browser extension.

Surfshark VPN service is a digital privacy tool provided by the cybersecurity company, Surfshark. It also offers a data leak detection system, a private search tool, an antivirus and an automated personal data removal system.

A virtual private network (VPN) service provides a proxy server to help users bypass Internet censorship such as geo-blocking and users who want to protect their communications against data profiling or MitM attacks on hostile networks.

References

↑ "What is a DNS leak and why should I care?". dnsleaktest.com. 2017-05-29. Retrieved 2016-09-03.
↑ "Preventing Network and DNS Traffic Leaks - SparkLabs". www.sparklabs.com. Retrieved 2018-11-29.
↑ "Windows 8 and Windows 8.1 New Group Policy Settings |". blogs.technet.microsoft.com. 10 November 2013. Retrieved 2018-11-29.
↑ "DNS leak test and protection | NordVPN". nordvpn.com. Retrieved 2024-11-13.
↑ "VPN Tests and Checks - The Ultimate How-To Guide | Restore Privacy". Restore Privacy. 2018-03-07. Retrieved 2018-11-29.
↑ "An Analysis of the Privacy and Security Risks of Android VPN Permission enabled Apps" (PDF).

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "What is a DNS leak and why should I care?". dnsleaktest.com. 2017-05-29. Retrieved 2016-09-03.

[2] "Preventing Network and DNS Traffic Leaks - SparkLabs". www.sparklabs.com. Retrieved 2018-11-29.

[3] "Windows 8 and Windows 8.1 New Group Policy Settings |". blogs.technet.microsoft.com. 10 November 2013. Retrieved 2018-11-29.

[4] "DNS leak test and protection | NordVPN". nordvpn.com. Retrieved 2024-11-13.

[5] "VPN Tests and Checks - The Ultimate How-To Guide | Restore Privacy". Restore Privacy. 2018-03-07. Retrieved 2018-11-29.

[6] "An Analysis of the Privacy and Security Risks of Android VPN Permission enabled Apps" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

DNS leak

Contents

Process

Prevention

Related Research Articles

References