One of the main reasons why people resort to premium VPN services is to protect their privacy. And one of the reasons why the privacy of many users is exposed is because of DNS leaks.
DNS leaking compromises your online identity and broadcasts your true IP address and home location to the websites you visit as well as your ISP. Therefore, you must learn to keep your online identity safe by stopping DNS leaks.
In this article, we are breaking down DNS and DNS leaks to show you why it is essential to turn to a trustworthy VPN application that supports DNS leak protection.
Further, we are reviewing the most common causes for DNS leaks and showing you how to check your own system for this kind of vulnerability. Afterward, you can find out how to efficiently resolve DNS leaks by having the right type of tools and features by your side.
Take a look at the list of topics below to see what we are talking about (click to jump).
- What is DNS?
- Breaking down DNS leaks
- What causes DNS leaks?
- How to check for DNS leaks
- How to fix DNS leaks
  - Avoid using free VPN and switch to premium VPN
  - Use exclusive DNS servers and DNS leak protection
  - Turn on the VPN kill switch
  - Change your default DNS configuration
  - Counteract transparent DNS proxies with OpenVPN
  - Install DNSCrypt to stop DNS spoofing
  - Deactivate WebRTC in your web browser
  - Block all incoming non-VPN connections
- In conclusion
What is DNS?
Short for Domain Name System, DNS acts like the phonebook of the Internet. It is just like making a phone call: you do not enter the phone number but the name of the person you are trying to reach.
Every site you visit has a unique IP address that you can use to identify it out of all other sites on the Internet. When you go to a certain website, you do not enter its IP address but its domain name.
By applying the phonebook analogy, you can tell that the phone number is the IP address, and the domain name is the person’s name. Therefore, DNS is in charge of looking up an IP address in its phonebook, based on the domain names you input.
Breaking down DNS leaks
DNS leaks are security flaws that reveal your true DNS requests to the DNS servers of your Internet service provider, even if you were trying to secure your browsing with a virtual private network tool.
The role of a VPN service is to protect all your incoming and outgoing data packets using encryption. This level of protection also extends to your DNS queries.
When you connect to a VPN server, you trust the VPN tool to hide the fact that you are trying to reach a certain site when entering its domain name. It is a way to hide your browsing history from your ISP.
As such, your DNS queries must be protected by the VPN. But if you are experiencing network configuration issues, you risk leaking your DNS requests and, ultimately, compromising your online privacy.
What causes DNS leaks?
There are many reasons why your network connection might be leaking your genuine DNS requests to your ISP. On the bright side, many of them can be resolved in order to prevent any further DNS leaks. Here are the three most common reasons:
Your VPN service does not support IPv6 requests
Because so many devices use IPv4 addresses, the pool of available addresses shrinks every day. IPv6 addresses were designed to overcome this. The problem is that the transition is slow, and many VPN services are not equipped to handle IPv6 requests.
Let us assume that your computer is attempting to forward a DNS query over IPv6. However, your VPN is not compatible with IPv6 requests. In this case, the DNS queries switch from the exclusive DNS servers of your VPN to the default DNS servers of your system.
And, since the default DNS servers of your system are operated by your ISP, your online browsing will be exposed to your ISP, too.
To fix this issue, you should change the default DNS servers of your system to make sure the new ones are secure and support IPv6. We recommend opting for Google Public DNS, OpenDNS, and Cloudflare, which are free and secure. But we have some other choices listed further below.
ISPs could use transparent DNS proxies to redirect your DNS requests
In the previous point, we said that you can resolve the problem by modifying the default DNS servers of your system. But some Internet service providers might not look too kindly on that.
It mostly depends on the data retention and Internet regulation laws of your country. In some parts of the world, ISPs are obligated by law to monitor and collect the data of all customers.
When this happens, the ISPs might resort to transparent DNS proxies to redirect your DNS requests to their own servers. Running a DNS leak test can help you determine if this is actually going on.
You can overcome this issue if you are using OpenVPN to hide your IP address and mask your true location. It is only necessary to open the config file of OpenVPN and add a new line of text, which we will explain below.
Your devices have network configuration issues with IPv6
If your home network has an IPv6 address, it means that all other Internet-enabled devices must support IPv6, too. Otherwise, you will face DNS leaks. You might just have to manually configure your devices to make them compliant with IPv6.
However, you cannot get around this without getting in touch with your Internet service provider. The ISP must check whether IPv6 is properly enabled and configured on your home network.
But some ISPs might be reluctant about this, depending on the data retention and Internet regulation laws of your country that we discussed earlier.
How to check for DNS leaks
To find out whether you are a victim of DNS leaks while connected to a VPN server, here is what you need to do:
- Without connecting to a VPN server, visit a website that facilitates an online service for testing your network for DNS leaks, such as DNS Leak Test
- Take note of the displayed IP address and location – these are your true personal details that you wish to hide with a VPN
- Fire up your VPN client, connect to a server, and make sure that the connection is successful
- Return to the same site to perform a standard or extended test
- Take note of the displayed IP address and location. If they match the previous ones, then your VPN is leaking your DNS. But if the IP address and location are different, then you are safe.
It does not hurt to run DNS leak tests on multiple online services, in case any one of them returns errors. This way, you can be certain of the DNS leak test results. Furthermore, it is recommended to run these tests every now and then, in order to quickly spot any DNS leaks and fix them.
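The website test above shows what the outside world sees; its local counterpart, shown here as an added example that is not part of this article, is to inspect which resolvers your system is actually configured to use and flag any that fall outside the VPN's own DNS range, giving IPv6 resolvers their own warning because that is the fallback path described earlier. The resolver list, the VPN DNS range 10.8.0.0/24 and all addresses are constructed for illustration; on Windows the same information comes from `ipconfig /all` rather than a resolv.conf file.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a resolv.conf-style resolver list while a VPN is
# connected: the VPN pushed its own resolver, but an ISP-advertised IPv6
# resolver and a stale entry for the home router are still present.
SAMPLE_RESOLV_CONF = """\
# Generated by the VPN client (constructed sample)
nameserver 10.8.0.1
nameserver 2001:db8:1234::53
nameserver 192.168.1.1
search home.lan
"""

# Hypothetical range the VPN's exclusive DNS servers live in (from its docs).
VPN_DNS_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def find_leaking_resolvers(resolv_conf: str, vpn_networks) -> List[Tuple[str, str]]:
    """Flag every configured resolver outside the VPN's DNS ranges.
    Each finding is (address, reason). IPv6 resolvers get a distinct reason
    because a VPN without IPv6 support silently falls back to them."""
    findings = []
    for server in parse_nameservers(resolv_conf):
        addr = ipaddress.ip_address(server)
        if any(addr in net for net in vpn_networks):
            continue  # resolver belongs to the VPN: queries stay in the tunnel
        if addr.version == 6:
            findings.append((server, "IPv6 resolver outside VPN: ISP fallback path"))
        else:
            findings.append((server, "IPv4 resolver outside VPN"))
    return findings


if __name__ == "__main__":
    for address, reason in find_leaking_resolvers(SAMPLE_RESOLV_CONF, VPN_DNS_NETWORKS):
        print(f"possible DNS leak: {address} ({reason})")
```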
How to fix DNS leaks
We previously mentioned some simple ways to resolve DNS leaks, depending on the type of problem you have with your Internet connection. But let us dig a little further into the matter. Here are our top fixes for DNS leaks.
Avoid using free VPN and switch to premium VPN
If your primary concern for using VPN is to maximize your online privacy and security, then you should never resort to free VPN services. It is impossible for a company to enable tier-1 security features in a free product – it is simply not sustainable.
Besides, free VPNs are known for bad practices, such as collecting and selling your data to third parties in exchange for profit. There are other disadvantages to using free virtual private network services, too, like a limited number of VPN servers, lack of advanced VPN protocols, or ineffective security features.
We are aware that it might not sound convenient, but you should always stick to premium virtual private solutions. A trustworthy VPN is operated by a team of paid professionals who work round-the-clock to ensure an optimal experience and secure your online identity.
It can be challenging to pick the right VPN for your needs, especially when there are so many services available on the Internet right now. It involves comparing the pros and cons to see which VPN has strong security features to protect you against DNS leaks.
If you do not wish to do the research on your own, you can trust our advice. We have evaluated, reviewed and ranked more than 50 virtual private network solutions on FindYourVPN. As you can imagine, we identified the strong and weak points of each product.
As a result, you can find out what are the best VPN services out there. And, if you need a recommendation, you should know that ExpressVPN is ideal for preventing DNS leaks and securing your browsing. To get started, you can get a premium subscription plan for ExpressVPN here.
Use exclusive DNS servers and DNS leak protection
To make sure that your DNS requests will not be leaked to your ISP, opt for a VPN application that operates its own DNS servers and also includes a DNS leak protection module.
Exclusive DNS servers mean that your DNS requests are forwarded to the virtual private network provider, which is in charge of encrypting your data traffic and protecting your online privacy.
For example, ExpressVPN has an IPv6 leak protection module as well as exclusive DNS servers. On the other hand, NordVPN does not have proprietary DNS – it only lets you set up custom DNS addresses in its native client.
Turn on the VPN kill switch
The kill switch has become an essential tool for any VPN user. It is designed to protect your online identity and prevent DNS leaks by disabling all Internet access if the VPN connection suddenly drops.
This may take some getting used to, since it can be inconvenient at first. But a kill switch stops your Internet connection from broadcasting your true IP address and location during the time it takes the VPN to reconnect.
ExpressVPN and NordVPN are our two top-rated VPN services, and both feature a kill switch in their settings panels. It is called Network Lock in ExpressVPN and Internet Kill Switch in NordVPN.
Change your default DNS configuration
If you encounter a scenario where your VPN service is forced to fall back to the default DNS configuration of your operating system, you should be prepared. Go to the DNS settings area of your OS, change the default configuration, and enter other, faster and more secure DNS servers.
On the bright side, there are some free and secure DNS servers available on the Internet. You can check them out in the table below. Most DNS providers have preferred and alternate addresses for both IPv4 and IPv6.
| Provider | Preferred DNS (IPv4) | Alternate DNS (IPv4) | Preferred DNS (IPv6) | Alternate DNS (IPv6) |
|---|---|---|---|---|
| Google Public DNS | 8.8.8.8 | 8.8.4.4 | 2001:4860:4860::8888 | 2001:4860:4860::8844 |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | 2620:119:35::35 | 2620:119:53::53 |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | 2606:4700:4700::1111 | 2606:4700:4700::1001 |
| AdGuard DNS | 176.103.130.130 | 176.103.130.131 | 2a00:5a60::ad1:0ff | 2a00:5a60::ad2:0ff |
| Verisign | 64.6.64.6 | 64.6.65.6 | 2620:74:1b::1:1 | 2620:74:1c::2:2 |
| Quad9 | 9.9.9.9 | 149.112.112.112 | 2620:fe::fe | 2620:fe::9 |
| CleanBrowsing | 185.228.168.9 | 185.228.169.9 | 2a0d:2a00:1::2 | 2a0d:2a00:2::2 |
| Comodo Secure DNS | 8.26.56.26 | 8.20.247.20 | – | – |
Counteract transparent DNS proxies with OpenVPN
Earlier, when we discussed the common causes of DNS leaks, we mentioned that your ISP could use transparent DNS proxies to redirect your DNS requests. When this happens, your Internet service provider will be able to see what sites you are visiting.
But your VPN service should have a built-in option to stop this from happening. If you are not sure, you should consult the manual of your virtual private network service or run a Google search. Otherwise, feel free to contact customer support and ask for assistance.
If the VPN service cannot prevent your ISP from redirecting your DNS requests, there is a way to get around the issue. The only condition is that your virtual private network service must offer an OpenVPN manual configuration mode. Simply put, you must make some minor changes to the OpenVPN settings. No expertise is necessary.
Before getting started, you should update your OpenVPN client to the newest version. In the following step, you should download the OpenVPN configuration files from your VPN provider. Keep in mind that one file corresponds to one VPN server.
Also, settings are different for OpenVPN TCP and UDP because those are two distinct transmission types. For example, if you plan on connecting to five VPN servers using both OpenVPN TCP and UDP, you must download ten OpenVPN configuration files: one for each server and transmission type.
After doing this, head over to the VPN client's installation folder, where the OpenVPN configuration files are located. Open the config subdirectory and look for files ending in the .conf or .ovpn extension.
Open the file and write a new line that says block-outside-dns. Keep in mind that, if OpenVPN is set to connect to multiple servers, you must open one file at a time to add block-outside-dns.
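Since every server and transport has its own profile, as the steps above describe, the edit is easy to script. The following Python script is an added example, not from this article or from the OpenVPN project: it appends block-outside-dns to each .ovpn or .conf file in a directory, skipping any file that already contains the directive so it can be rerun safely. The directory, file names and the remote host vpn.example.invalid are constructed placeholders.

```python
from pathlib import Path
from typing import List

DIRECTIVE = "block-outside-dns"


def ensure_block_outside_dns(config_text: str) -> str:
    """Return the profile text with 'block-outside-dns' present exactly once.
    An existing directive (even one followed by a '#' or ';' comment) is
    left alone, so running this twice does not duplicate the line."""
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0].split(";", 1)[0].strip()
        if stripped == DIRECTIVE:
            return config_text
    if config_text and not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + DIRECTIVE + "\n"


def patch_profiles(directory: Path) -> List[Path]:
    """Apply the directive to every .ovpn/.conf profile directly under
    `directory` and return the paths that were actually modified."""
    changed = []
    for path in sorted(directory.iterdir()):
        if path.suffix.lower() not in (".ovpn", ".conf"):
            continue
        original = path.read_text(encoding="utf-8")
        updated = ensure_block_outside_dns(original)
        if updated != original:
            path.write_text(updated, encoding="utf-8")
            changed.append(path)
    return changed


if __name__ == "__main__":
    import tempfile
    # Constructed sample profiles: a UDP profile missing the directive and
    # a TCP profile for the same server that already has it.
    with tempfile.TemporaryDirectory() as tmp:
        udp = Path(tmp) / "server1-udp.ovpn"
        tcp = Path(tmp) / "server1-tcp.ovpn"
        udp.write_text("client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n")
        tcp.write_text("client\ndev tun\nproto tcp\nremote vpn.example.invalid 443\nblock-outside-dns\n")
        for p in patch_profiles(Path(tmp)):
            print("added block-outside-dns to", p.name)
```

Note that block-outside-dns is honored only by the OpenVPN client for Windows, where it uses the Windows Filtering Platform to block port 53 outside the tunnel; on other platforms OpenVPN treats it as an unknown option and fails to start, so keep it out of profiles you use on Linux or macOS.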
Install DNSCrypt to stop DNS spoofing
If your favorite VPN service does not have a DNS leak protection module, you can back it up by downloading and installing a third-party tool called DNSCrypt.
DNSCrypt is a free program built as a security measure against cyber-criminals. More specifically, it encrypts and authenticates the traffic between your device and the DNS resolver, which prevents attackers from tampering with DNS responses in a man-in-the-middle attack.
Setting up the application is not so simple, but you can find instructions and tutorials on the official website. It is available for many platforms, including Windows, macOS, Linux, Android, iOS, BSD and OpenWrt/LEDE.
Deactivate WebRTC in your web browser
WebRTC is a relatively new technology integrated into web browsers to set up real-time communication between browsers, mobile apps, and IoT devices. It is used by popular apps like Facebook Messenger, Google Hangouts, and Discord.
But the unexpected downside of WebRTC is that it can leak your IP address to the websites you visit. This cannot be controlled by the desktop VPN application because it involves browser permissions.
To turn off WebRTC, you can manually tinker with your browser settings or install browser extensions that can take care of this job automatically.
Block all incoming non-VPN connections
A more dramatic approach to fixing DNS leaks is to prevent any connections from reaching or leaving your network unless they are routed through the VPN. The only problem with this is that you become somewhat isolated from the public Internet, since only VPN traffic is allowed.
There are two ways to do this: by enabling IP binding in your VPN service or by setting up rules in your system firewall. To find out if your VPN supports IP binding, you can consult the user manual or get in touch with customer support.
To create rules in your system firewall, here are instructions for Windows 10. Make sure to connect to a VPN server before getting started:
- Step 1: Open the Start menu
  - Type firewall in the search box
  - Click Firewall & network protection
  - Click Advanced settings
- Step 2: Select Inbound Rules and click New Rule
- Step 3: Go to Program and select All programs
- Step 4: Head over to Action and pick Block the connection
- Step 5: In Profile, select Domain and Private, but deselect Public
- Step 6: When you reach Name, set a Name and Description, then click Finish
- Step 7: Select Outbound Rules, click New Rule, and repeat Steps 3 to 6
In conclusion
To sum it up, DNS leaks are a true security concern for any VPN user. If your DNS requests are exposed to your ISP, it means that your ISP can see what websites you are trying to visit while connected to the VPN. Therefore, your online privacy is compromised.
It is better to remain on the safe side and prepare yourself for every scenario, even if you have not experienced such issues yet. With the right VPN service by your side, you should be able to take advantage of a smooth and secure browsing experience, without having to worry that your DNS requests are on display.
Have you ever encountered DNS leaks on your device? How did you fix them? We would love to get feedback from you, so please do not hesitate to drop us a line in the comment section below.