Douglas Crawford

April 18, 2013

Please note that this article has been largely superseded by A Complete Guide to IP Leaks.

The problem

In addition to VPN connection failures (see our full article on protecting yourself against these here), the other big threat to your anonymity when using a trusted VPN service is that of DNS leaks, which can result in your ISP being able to ‘see’ and monitor your online activity even though you think you are safely protected by an encrypted VPN tunnel.

The Domain Name System (DNS) is used to translate domain names (www.bestvpn.com) into numerical IP addresses (216.172.189.144). This translation is usually performed by your ISP, using its own DNS servers.

When you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers (rather than those of your ISP). However, it is quite common for Windows (the main culprit for this problem, although never say never for OS X and Linux) to instead use its default settings and send the request to the ISP’s DNS server rather than through the VPN tunnel. This is known as a DNS leak, and if it happens it results in your ISP being able to track your internet movements, regardless of whether you are using a VPN or not.

How to detect a DNS leak

To perform a DNS leak test simply go to dnsleaktest.com

[Image: leak test 1]

Check the results to make sure that you recognize the IP addresses. In particular, any result that shows your ‘real’ location or that belongs to your ISP means that you have a DNS leak.

[Image: leak test 2]

These results all look ok to us, so we know we don’t have a DNS leak. Phew!

How to prevent a DNS leak

If you want to plug a DNS leak, or simply want to prevent the possibility of one happening, there are a number of approaches you can take.

1. Use a VPN client with built-in DNS leak protection

[Image: mullvad dns leak]

This is by far the simplest way, but unfortunately only a few VPN providers supply this option. Those that do include:

*These clients also feature an ‘internet kill switch’.

2. Use VPNCheck (Pro version)

We discussed this nifty utility in our article on protecting yourself against VPN connection failure. The Pro version also includes a DNS leak fix.

a) Download VPNCheck Pro from here, install it and run it. On the main screen click ‘Config’.

[Image: vpncheck 1]

b) Then simply ensure that the ‘DNS leak fix’ box is checked. While you are at it, it is also probably worth specifying some programs (such as your favourite BitTorrent client) that you want shut down in the event of a VPN disconnection.

[Image: vpncheck 2]

c) To get everything started, go back to the main screen and click either ‘Cycle IP: Task’ or ‘Cycle IP: Network’.

[Image: vpncheck 3]

VPNCheck Pro costs $24.90 (at the time of writing there is a 20% discount, which brings the price down to $19.92) and comes with a 13-day free trial.

3. Change DNS servers and obtain a static IP

Although not strictly speaking a fix, changing DNS servers ensures that your ISP is not the one answering (and logging) your DNS requests. Most VPN providers will be happy to give you their DNS server details, or you can route your requests through a public DNS server such as those offered by Google Public DNS, OpenDNS and Comodo Secure DNS.

Edit: I have now written How to Change your DNS Settings – A Complete Guide which explains in detail how to change your DNS settings in all major OSs. In that article I recommend using OpenNIC over Google DNS, as Google DNS is a very poor choice when it comes to privacy.

Instructions for the various platforms are provided on the respective websites, but as we are working in Windows 7, here is a rundown of how to do it there (the process is similar on all platforms).

a) Open Network and Sharing Centre (from the Control Panel) and click on ‘Change adapter settings’.

[Image: static 1]

b) Right-click on your main connection and select ‘Properties’.

[Image: static 2]

c) Look through the list and find ‘Internet Protocol Version 4 (TCP/IPv4)’. Highlight it and click on ‘Properties’.

[Image: static 3]

d) Make a note of any existing DNS server addresses, in case you want to restore your system to its previous settings at some point in the future. Then click on the ‘Use the following DNS server addresses’ radio button and enter the relevant addresses. Click ‘OK’ and restart the connection.

[Image: static 4]

If you are using your VPN provider’s DNS server, then they will provide you with the DNS server addresses. If you are using a public server then you may find these addresses useful:

Google Public DNS

  • Preferred DNS server: 8.8.8.8
  • Alternate DNS server: 8.8.4.4

Open DNS

  • Preferred DNS server: 208.67.222.222
  • Alternate DNS server: 208.67.222.220

Comodo Secure DNS

  • Preferred DNS server: 8.26.56.26
  • Alternate DNS server: 8.20.247.20

Changing DNS servers is not only more secure, as it moves the DNS translation service to a more trusted party, but it can also bring speed benefits, as some services are faster than others. To find out how well a DNS provider fares in this respect, you can download a free utility called DNS Benchmark.

A static IP address is a single fixed IP address. If configured to connect to a static IP, Windows (or other OSs) will always route your DNS requests to that static IP address, rather than being assigned a random IP each time you connect to the internet (using DHCP).

In theory, when using a VPN with DHCP enabled, all DNS requests should be routed through the VPN tunnel (using a process known as address reservation). These are then handled by the VPN provider. Errors in the address reservation process, however, can result in DHCP defaulting to the DNS servers specified in the OS settings, rather than routing requests through the VPN tunnel.

Although not critical, it is therefore probably also a good idea to clear all DNS servers except those used by your VPN adaptor. Full instructions for doing so can be found here.

This fix can be downloaded from here, and only works with the ‘classic’ open source OpenVPN client. It is effectively a three-part batch file which:

  1. Switches from any active DHCP adaptors to a static IP (set by you)
  2. Clears all DNS servers except the TAP32 adaptor (used by OpenVPN)
  3. Returns your system back to its original settings once you are disconnected from the VPN server
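The two audits this article asks you to perform by hand (reading the dnsleaktest.com results under ‘How to detect a DNS leak’, and confirming that no adaptor other than the VPN’s still has DNS servers configured, as in steps 1 and 2 above) can be written down as a small script. This is an added example, not code from the article or from the batch file it links to; the adaptor name, the 10.8.0.1 VPN resolver and the other addresses are constructed sample values, and any resolver on an RFC 1918 or link-local address is treated as a home router forwarding queries to the ISP.

```python
import ipaddress

# Public resolvers named on this page, keyed by address.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google Public DNS", "8.8.4.4": "Google Public DNS",
    "208.67.222.222": "OpenDNS", "208.67.222.220": "OpenDNS",
    "8.26.56.26": "Comodo Secure DNS", "8.20.247.20": "Comodo Secure DNS",
}
# RFC 1918 / link-local: a resolver here is normally the router forwarding to the ISP.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def classify(server, vpn_resolvers):
    """Who answers a query sent to `server`: 'vpn', 'public', 'lan' or 'isp'."""
    if server in vpn_resolvers:
        return "vpn"
    if server in PUBLIC_RESOLVERS:
        return "public"
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in LAN_NETS):
        return "lan"
    return "isp"  # anything else is treated as the ISP's (or an unknown) resolver

def audit_interfaces(config, vpn_adapter, vpn_resolvers):
    """config maps adaptor name -> configured DNS servers (as 'ipconfig /all' shows).
    Windows may query every adaptor's resolvers, so any left on another adaptor leaks."""
    leaks = []
    for adapter, servers in config.items():
        if adapter == vpn_adapter:
            continue
        for server in servers:
            kind = classify(server, vpn_resolvers)
            if kind != "vpn":
                leaks.append((adapter, server, kind))
    return leaks

def audit_leak_test(observed, vpn_resolvers):
    """observed: resolver addresses a site like dnsleaktest.com reported seeing.
    Any resolver that is not the VPN's, or a public one you chose, is a leak."""
    return [(ip, classify(ip, vpn_resolvers)) for ip in observed
            if classify(ip, vpn_resolvers) not in ("vpn", "public")]

# Constructed sample: 10.8.0.1 is the resolver pushed over the TAP adaptor,
# 192.168.1.1 the home router, 203.0.113.53 stands in for an ISP resolver.
VPN_ADAPTER, VPN_RESOLVERS = "TAP-Windows Adapter V9", {"10.8.0.1"}
SAMPLE_CONFIG = {
    VPN_ADAPTER: ["10.8.0.1"],
    "Local Area Connection": ["192.168.1.1"],
    "Wireless Network Connection": ["203.0.113.53"],
}
```

Running `audit_interfaces(SAMPLE_CONFIG, VPN_ADAPTER, VPN_RESOLVERS)` flags both non-VPN adaptors; once their server lists are emptied, as step 2 of the batch file does, it returns nothing.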

Author’s note, 14 January 2016: This three-year-old hack is a partial way to get around the fact that most VPN clients of the time did not properly route DNS requests through the VPN to be resolved by the VPN provider (as should happen). Fortunately, the situation has improved greatly, and most good clients now offer robust DNS leak protection. Hopefully VPN providers will now start to support full IPv6 routing (rather than simply disabling IPv6).

Conclusion

As ensuring anonymity is the main reason most people use a VPN, it makes sense to spend a few minutes plugging any potential areas where this anonymity may be compromised (see also 5 ways to protect yourself when your VPN connection fails). It is also worth remembering that while Windows causes the most DNS leak problems, Linux and OS X are not immune, so it is still a good idea to follow similar steps to those outlined above if these are your platforms of choice.

Update: Following revelations of Google’s complicity in the recent NSA spying scandal, we now advise against using Google Public DNS servers.

Update: Although reliability can be an issue, using OpenNIC DNS servers is a decentralized, open, uncensored and democratic alternative to the DNS providers listed above. It is also possible to set your DNS settings to those of your VPN provider (ask it for details).

Important Update: A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because, by default, Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resolvers at once and using the fastest response. Windows 10 users, in particular, should therefore disable “Smart Multi-Homed Name Resolution” immediately (although Windows 8.x users can benefit from doing this also). See WARNING! Windows 10 VPN users at big risk of DNS leaks for more details.

Douglas Crawford
March 9th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

50 responses to “4 ways to prevent a DNS leak when using VPN”

    1. Hi Mahdi,

      As noted at the beginning of this article, this article is now largely out of date and has been superseded by A Complete Guide to IP Leaks. When it was written back in 2013 it was rare for providers to include kill switches and full DNS leak protection in their VPN clients, so switching DNS was a viable workaround. In 2018 this is no longer the case, so I now recommend simply using a VPN client that has these features (even OpenVPN GUI has full IPv4 and IPv6 DNS leak protection now).

  1. Google’s “free” services are DEAD OPPOSITE of privacy: Privacy Raping for profit

    “Having a static IP means that Windows (or other OSs) will always route your DNS requests to your preferred DNS server”

    That is not what a static IP ADDRESS means.

    “rather than assigning you a random IP [ADDRESS] (through DHCP) which may be routed through your ISP’s DNS server.”

    Perhaps you are fishing for [DHCP] Address Reservation?

    “which [might] be routed through your ISP’s DNS server.”

    *cough* Routed how?

    IPv6 has DNS addressing options also.

    Remove ignorance leak within article, re-educate self, re-upload

    1. Hi eat more kittens!,

      Please note that I wrote this article almost four years ago, and my understanding of many things has improved since then. I do like to ensure that all published articles are accurate, however, so thanks for your input.

      1. As noted in this article, its content has largely been superseded by more recently published articles. The most notable of these is A Complete Guide to IP Leaks, but the section your first point refers to has basically been replaced by How to Change your DNS Settings.

      In that article I recommend using OpenNIC over Google DNS. But looking through it again, I have modified the text slightly to reiterate the point that Google DNS is not a good choice when it comes to privacy.

      2. I agree that this statement is poorly worded. Better would be, “A static IP address is single fixed IP address. If configured to connect to a static IP, Windows (or other OSs) will always route your DNS requests to that static IP address, rather than assigning a random IP each time you connect to the internet (through DHCP).”

      3. In theory, when using a VPN with DHCP enabled, all DNS requests should be routed through the VPN tunnel (using a process known as address reservation). These are then handled by the VPN provider. Errors in the address reservation process, however, can result in DHCP defaulting to using the DNS servers specified by the OS settings, rather than routing them through the VPN tunnel.

      4. You are correct. When this article was written, use of IPv6 was uncommon (and the situation has not improved as much as we might hope). Because to this day almost no VPN service properly supports IPv6 (with the notable exception of Mullvad), I usually recommend simply disabling IPv6. I know this is not a long-term solution, but it works for now.

        1. Hi fcuku2,

          Um… In this article, I clearly advise against using Google Public DNS servers… No, I do not trust Google! As noted, this is a very old article, and has been almost completely superseded by a newer one. I have made it clear, however, that I recommend using OpenNIC, not Google DNS!
