Please note that is article has been largely superseded by A Complete Guide to IP Leaks.
In addition to VPN connection failures (see our full article on protecting yourself against these here), the other big threat to your anonymity when using a trusted VPN service is that of DNS leaks, which can result in your ISP being able to ‘see’ and monitor your online activity even though you think you are safely protected by an encrypted VPN tunnel.
The Dynamic Name System (DNS) is used to translate domain names (www.bestvpn.com) into numerical IP addresses (220.127.116.11). This translation service is usually performed by your ISP, using its DNS servers.
When you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers (rather than those of your ISP). However, it is quite common for Windows (the main culprit for this problem, although never say never for OSX and Linux) to instead use its default settings, and send the request to the ISP’s DNS server rather than through the VPN tunnel. This is known as a DNS leak, and if it happens then it results in your ISP being able to track your internet movements, regardless of whether you are using a VPN or not.
How to detect a DNS leak
To perform a DNS leak test simply go to dnsleaktest.com
Check the results to make sure that you recognize the IP numbers. In particular, any result that shows your ‘real’ location or that belongs to your ISP means that you have a DNS leak.
These results all look ok to us, so we know we don’t have a DNS leak. Phew!
How to prevent a DNS leak
If you want to plug a DNS leak, or simply want to prevent the possibility of one happening, there are a number of approaches you can take.
1. Use a VPN client with built in DNS leak protection
This is by far the simplest way, but unfortunately only a few VPN providers supply this option. Those that do include:
- Private Internet Access – Settings/DNS Leak Protection*
- Mullvad -Settings/Stop DNS leaks*
- TorGuard – Automatic
*These clients also feature an ‘internet kill switch’.
2. Use VPNCheck (Pro version)
We discussed this nifty utility in our article on protecting yourself against VPN connection failure. The Pro version also includes a DNS leak fix.
a) Download VPNCheck Pro from here, install and run. On the main screen click ‘Config’.
Then simply ensure that the ‘DNS leak fix box’ is checked. It’s also probably worth specifying some programs (such as your favourite BitTorrent client) that you want to shut down in the event of a VPN disconnection while you are at it.
To get everything started, go back to the main screen and click either Cycle IP: Task or Cycle IP: Network.
VPNCheck Pro costs $24.90 (at the time of writing there is a 20% discount, which brings the price down to $19.92), and comes with a 13 day free trial.
3. Change DNS severs and obtain a static IP
Although not strictly a speaking a fix, changing DNS servers makes sure that your ISP is not snooping on you. Most VPN providers will be happy to give you their DNS server details, or you can route your requests through a public DNS server such as those offered by Google Public DNS, OpenDNS and Comodo Secure DNS.
Edit: I have now written How to Change your DNS Settings – A Complete Guide which explains in detail how to change your DNS settings in all major OSs. In that article I recommend using OpenNIC over Google DNS, as Google DNS is a very poor choice when it comes to privacy.
Installation instructions for various platforms are provided on the respective websites, but as we are working in Windows 7, here is a rundown on how to do it there (the process is similar on all platforms).
a) Open Network and Sharing Centre (from the Control Panel,) and click on ‘Change Adapter settings’
b) Right-click on your main connection and select ‘Properties’
c) Look through the list and find ‘Internet Protocol Version 4 (TCP/IPv4). Highlight it and click on ‘Properties’
d) Make a note of any existing DNS server addresses, in case you want to restore your system to its previous settings at some point in the future, then click on the ‘Use the following DNS server addresses’ radio button, enter the relevant addresses. Click ‘OK’ and restart the connection.
If you are using your VPN provider’s DNS server, then they will provide you with the DNS server addresses. If you are using a public server then you may find these addresses useful:
Google Public DNS
- Preferred DNS server: 18.104.22.168
- Alternate DNS server: 22.214.171.124
- Preferred DNS server: 126.96.36.199
- Alternate DNS server: 188.8.131.52
Comodo Secure DNS
- Preferred DNS server: 184.108.40.206
- Alternate DNS server: 220.127.116.11
Changing DNS server is not only more secure as it moves the DNS translation service to a more trusted party, but it can bring speed benefits, as some services are faster than others. To find out how well a DNS server provider fares in this respect, you can download a free utility called DNS Benchmark.
A static IP address is single fixed IP address. If configured to connect to a static IP, Windows (or other OSs) will always route your DNS requests to that static IP address, rather than assigning a random IP each time you connect to the internet (using DHCP).
In theory, when using a VPN with DHCP enabled, all DNS requests should be routed through the VPN tunnel (using a process known as address reservation). These are then handled by the VPN provider. Errors in the address reservation process, however, can result in DHCP defaulting to using the DNS servers specified by the OS settings, rather routing them through the VPN tunnel.
Although not critical, it is therefore probably also a good idea to clear any other DNS servers except those used by your VPN adaptor. Full instructions for doing so can be found here.
This fix can be downloaded from here, and only works with the ‘classic’ open source OpenVPN client. It is effectively a 3 part batch file which:
- Switches from any active DHCP adaptors to a static IP (set by you)
- Clears all DNS servers except the TAP32 adaptor (used by OpenVPN)
- Returns your system back to its original settings once you are disconnected from the VPN server
Author’s note, 14 January 2016: This 3 year old hack is a partial way to get around the fact that most VPN clients of the time did not properly route DNS requests through the VPN to be resolved by the VPN provider (as should happen.) Fortunately, the situation has improved greatly, and most good clients now offer robust DNS leak protection. Hopefully VPN providers will now start to support full IPv6 routing (rather than simply disabling IPv6.)
As ensuring anonymity is the main reason most people use VPN, it makes sense to spend a few minutes to plug any potential areas where this anonymity may be compromised (see also 5 ways to protect yourself when your VPN connection fails). It is also worth remembering that while Windows causes the most DNS leak problems, Linus and OSX are not immune, so it is still a good idea to follow similar step to those outlines above if these are your platforms of choice.
Update: Following revelations of Google’s complicity in the recent NSA spying scandal, we now advise against using Google Public DNS servers.
Update: Although reliability can be an issue, using OpenNIC DNS servers is a decentralized, open, uncensored and democratic alternative to the DNS providers listed above. It is also possible to set your DNS settings to those of your VPN provider (ask it for details).
Important Update: A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and using the fastest one. Windows 10 users, in particular, should therefore disable “Smart Multi-Homed Name Resolution” immediately (although Windows 8.x users can benefit from doing this also.) See WARNING! Windows 10 VPN users at big risk of DNS leaks for more details.