A Complete Guide to IP Leaks - BestVPN.com

Douglas Crawford

November 13, 2015


DNS Leaks

The WebRTC “bug”
VPN dropouts (and kill switches)

Using Firewall rules (a global fix)


One of the primary reasons to use a VPN is to hide your true IP address. When using a VPN, all your internet traffic is encrypted and sent to a VPN server run by your VPN provider, before exiting to the internet.

This means that outside observers can only see the IP address of the VPN server, and not your true IP address. The only way for them to discover your true IP address, therefore, is to convince your VPN provider to hand it over to them (and good providers use robust measures, such as using shared IPs and keeping no logs, to make this as difficult as possible.)

At least this is the theory…

Unfortunately, and for various reasons discussed below, it is sometimes possible for websites to detect your true IP address, even when using a VPN.

I have discussed all the issues listed here at length before on BestVPN (and will link to relevant articles where appropriate), but it is time to bring together all known causes that may answer the questions: Why is my IP leaking even though I am connected to a VPN? And how do I fix it?

To determine if you are suffering an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address (or even just your ISP’s name) anywhere on this page then you have an IP leak. Note that ipleak.net now detects IPv6 DNS leaks.

The Domain Name System (DNS) is used to translate the easy-to-understand and remember web addresses that we are familiar with, to their “true” numerical IP addresses: for example translating the domain name www.bestvpn.com to its IP address of

Every internet connected device, and every internet connection, has a unique IP address that is used to identify it (although these can change), including your computer and smart phone, etc. We call this your “real IP” (as opposed to the “fake IP” provided by your VPN server.)

This DNS translation process is usually performed by your ISP, but when using a VPN all DNS requests should be sent through your encrypted VPN tunnel, to be handled by your VPN provider instead.

Using the right scripts, a website can determine which server resolved a DNS request directed to it. This will not allow it to pinpoint your exact real IP address, but will foil attempts to geo-spoof your location, and allows police etc. to demand that your ISP hand over your real IP address (ISPs keep records of these things, while good VPN providers do not.)

Most VPN providers run their own dedicated DNS servers in order to perform this DNS translation task themselves, but some make use of public DNS services such as Google DNS instead. Although not ideal, this is not the privacy nightmare it might at first seem, as the DNS requests appear to come from your VPN provider, not your real IP.

Unfortunately, internet traffic does not always get sent through the VPN tunnel as it is supposed to, and is instead resolved by your ISP…

IPv4 DNS leaks

Until recently, the entire internet used the Internet Protocol version 4 (IPv4) standard to define IP addresses. Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out (in fact technically speaking they have already done so), as IPv4 only supports a maximum 32-bit internet address. This translates to 2^32 IP addresses available for assignment (about 4.29 billion total). For now, however, the vast majority of internet addresses still use the IPv4 standard.

When using a VPN, your Operating System (OS) can sometimes get confused, sending IPv4 requests through to the DNS server specified in its default settings (usually run by your ISP), instead of through the VPN tunnel (as it’s supposed to.) This can occur with any OS, but Windows is notably guilty in this respect.


  1. Use a VPN client with built-in “DNS leak protection”. This is basically just a firewall that ensures no internet traffic can leave your computer unless it goes through the VPN. Many good providers offer this feature in their custom VPN clients (sometimes called something else), but it is not available in the generic open source OpenVPN client.
  2. Use VPNCheck Pro (Windows). Although primarily an “internet kill switch”, the Pro version of this tool also includes a DNS leak fix.
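
On Linux, the IPv4 leak described above can be checked by asking the routing table which interface each configured DNS server is reached through. The script below is an added example, not from the original article; `check_resolvers`, `demo_lookup` and the sample resolver addresses are constructed for illustration. A loopback resolver (a local caching forwarder such as dnsmasq) is reported separately, because the servers it forwards to are not listed in the file.

```shell
#!/bin/sh
# Added example: report the interface each configured DNS resolver is reached
# through. All sample addresses and the demo lookup table are constructed.

# parse_dev: extract the egress interface from `ip -o route get` output (stdin).
parse_dev() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# route_dev IP: ask the live routing table (Linux iproute2) how IP is reached.
route_dev() {
    ip -o route get "$1" 2>/dev/null | parse_dev
}

# check_resolvers TUN_IF [LOOKUP]   (resolv.conf-style text on stdin)
# LOOKUP maps an address to an interface name; it defaults to route_dev and
# can be replaced so the check runs on recorded data.
# Prints one line per resolver and returns 0 only if all of them use TUN_IF.
check_resolvers() {
    cr_tun=$1; cr_lookup=${2:-route_dev}; cr_rc=0
    while read -r cr_key cr_addr cr_rest || [ -n "$cr_key" ]; do
        [ "$cr_key" = "nameserver" ] || continue
        case $cr_addr in
            127.*|::1)
                # Local forwarder: its upstream servers decide the real path.
                echo "STUB $cr_addr"; cr_rc=1 ;;
            *)
                cr_dev=$("$cr_lookup" "$cr_addr" </dev/null) || cr_dev=
                if [ -n "$cr_dev" ] && [ "$cr_dev" = "$cr_tun" ]; then
                    echo "OK $cr_addr $cr_dev"
                else
                    echo "LEAK $cr_addr ${cr_dev:-no-route}"; cr_rc=1
                fi ;;
        esac
    done
    return "$cr_rc"
}

# Constructed stand-in for route_dev: the VPN has taken over the default
# route, but the LAN subnet is still reached directly over Ethernet.
demo_lookup() {
    case $1 in
        192.168.1.*) echo eth0 ;;
        *)           echo tun0 ;;
    esac
}

# Constructed resolv.conf: the home router (handed out by DHCP), the resolver
# pushed by the VPN, and a local caching forwarder.
demo_conf() {
    printf '%s\n' '# constructed sample' \
        'nameserver 192.168.1.1' 'nameserver 10.8.0.1' 'nameserver 127.0.1.1'
}

# Demo on the constructed data. Live use: check_resolvers tun0 < /etc/resolv.conf
demo_conf | check_resolvers tun0 demo_lookup || true
```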

IPv6 DNS leaks

While various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard – IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available number of web addresses to 2^128, which should keep us supplied with IP addresses for the foreseeable future.

Adoption of IPv6, however, has been slow – mainly due to upgrade costs, backward compatibility concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of websites do not yet bother.

This has led websites that support IPv6 to adopt a dual-tiered approach. When connected to from an address that only supports IPv4, they will serve up an IPv4 address, but when connected to from an address that supports IPv6, they will serve up an IPv6 address.

Unfortunately, most VPN software fails to direct IPv6 traffic through the VPN tunnel, so when you connect to an IPv6 enabled website, your browser will make an IPv6 DNS request outside the VPN, which is therefore handled by your ISP.

VPN providers that offer “DNS leak protection” in their clients usually side-step the problem by simply disabling IPv6 in the OS. This is effective at preventing IPv6 leaks, but is hardly forward looking, and we would like to see providers offer true IPv6 support in their products. (Mullvad is the only provider that claims to properly route IPv6 calls. We have not tested this yet, but if true then Mullvad is very much to be commended.)


Here we can see a clear IPv6 leak. You can tell the address is IPv6 because it is much longer than the IPv4 address above it (which shows no leak).


This is an interesting case. IPv6 has been blocked (not reachable), but is nevertheless leaking via WebRTC (see below). Note that IPv4 WebRTC leaks have been properly blocked here.

iOS is supposedly (.pdf) immune to IPv6 leakage.

This result shows that IPv6 has been disabled, so IPv6 leaks are not possible. In a perfect world it should be possible to enable IPv6, while only detecting your VPN provider’s IP address (you can check who an address belongs to by entering “whois [ip address]” into a search engine.)


  1. Use a VPN client with built-in “DNS leak protection”. This disables IPv6.
  2. Disable IPv6 manually. Instructions for doing so are available for Windows, OSX Mac, and Linux. The more paranoid out there may prefer to do this even if using a VPN client with “DNS leak protection”.
  3. The OpenVPN for Android app has the option to properly route all IPv6 traffic over the VPN. To ensure this is enabled:

Go to the specific server connection settings, then navigate to Routing

Ensure that IPv6 -> “Use default Route” is checked. Note also the IPv4 leak protection

Smart Multi-Homed Name Resolution (mainly a Windows 10 problem)

A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.

Under Windows 7 all DNS requests were made in simple order of DNS server preference, but this changed in Windows 8 when Microsoft added “Smart Multi-Homed Name Resolution” by default. This sends out DNS requests to all available interfaces, but only uses non-preferred servers if the main DNS server failed to respond.

This makes Windows 8.x systems somewhat liable to DNS leaks, but Windows 10 makes the situation much worse as it simply chooses whichever DNS request responds quickest. In addition to being a major security risk, there are also reports of Windows 10 users suffering slow page loading and timeouts due to this issue.

This problem has led the United States Computer Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.


  1. There is now an OpenVPN plugin to fix this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)
  2. Anecdotally, I have never suffered DNS leaks in Windows 8.1 due to this issue, but nevertheless advise all Windows 8, Windows 8.1, and especially Windows 10 users to disable Smart Multi-Homed Name Resolution if possible*. Avast has published some great instructions on how to do this.

*Unfortunately, the Group Policy Editor is not available in Windows Home Editions. Luckily, the OpenVPN plugin mentioned above should fix the problem for most users anyway. Whew!

The WebRTC “bug”

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.

Given that WebRTC is potentially useful, it is something of a shame that the only way to prevent it from leaking your true IP address is to disable WebRTC in your browser completely (although the Statutory add-on does allow you to whitelist individual websites.)

The WebRTC issue only affects the Firefox, Chrome, and Opera browsers (not Internet Explorer or Safari etc., as these do not include WebRTC functionality.) Update: newer versions of the stock Android browser appear to implement WebRTC, and so should be avoided.

Fixes (Firefox)

1. Type ‘about:config’ into the URL bar to enter Firefox’s advanced settings, and then change the ‘media.peerconnection.enabled’ value to false.

2. Various browser plugins can disable WebRTC, including Disable WebRTC, uBlock Origin, NoScript, and Statutory.

For more information on the WebRTC “bug”, full instructions on how to disable WebRTC in Firefox, plus a more detailed look at the various browser plug-in solutions available (various browsers,) please check out my article on The WebRTC VPN “Bug” and How to Fix It.

Update: WebRTC leaks can now be blocked at both the VPN client and VPN server levels. In fact, the latest version of OpenVPN GUI includes WebRTC leak protection. We therefore now expect VPN software to include WebRTC protection. This is not always the case however (especially with IPv6 protection), so we strongly recommend that you continue to manually disable WebRTC in your browser. Just to be sure.

VPN dropouts (or why you need a “kill switch”)

Sometimes VPN connections fail. With a good VPN provider this should not happen very often, but it occasionally happens even to the best. If your computer remains connected to the internet after this happens, then your real IP will be exposed.

Although not technically an “IP leak”, as the problem occurs exactly because you don’t have a VPN connection, the effect is the same – you think that you are protected by VPN, when in fact the whole world can see your IP address.

This is particularly a problem for P2P downloaders who leave BitTorrent clients running while they are away from their computers (often for long periods of time). If the VPN connection drops, their true IP is therefore exposed to any copyright enforcers tracking a torrent they are downloading.


  1. Use a “VPN kill switch” (also called, somewhat more accurately, an “internet kill switch”.) These either monitor your internet connection and shut it down when they detect a VPN dropout, or use firewall rules to prevent any internet traffic leaving your computer outside of your VPN connection.

Many providers’ custom VPN clients include a built-in kill switch (sometimes called something else, such as “network lock”,) or you can use third-party solutions such as VPNetMon, VPN Check, or VPN Watcher. The Viscosity OpenVPN client even supports per app kill switches (you can specify which individual apps can only access the internet using VPN.)

Interestingly, the OpenVPN for Android app can be set up to work as a kill switch. The app will automatically attempt to reconnect to your VPN in the event of a VPN dropout (which is good, as this will occur whenever you move between WiFi routers, or WiFi and a mobile connection!).

To configure the app as a kill switch, edit the specific VPN connection (see IPv6 above), and navigate to “Advanced”.

Check “Persistent Tun” and set “Connection retries” to Unlimited. Ta-da! You now have an OpenVPN kill switch for Android.

  2. Create your own kill switch using Firewall rules (see below.)
  3. Configure the Vuze BitTorrent client to only download over VPN. This is not a true solution to the problem, but can be very effective for those whose primary concern is VPN dropouts while downloading via P2P. Detailed instructions on how to set up Vuze to do this are available here (where I also discuss how to configure VPNetMon and VPN Check as kill switches.)

Using Firewall Rules (a global fix)

A unified solution to all of the above issues is to use a firewall, configuring it so that only connections to the VPN server are permitted through the firewall. Details differ by OS and firewall program, but the basic principles are:

1. Add a rule that blocks all outgoing and incoming traffic on your Local Ethernet Device.
2. Add an exception for your favorite DNS Server (to resolve the hostname of your VPN provider)
3. Add an exception for your VPN provider’s IP addresses
4. Add a rule for your tun/tap or any other VPN device to allow all outgoing traffic for the VPN tunnel.*

I have a detailed guide for doing this using Comodo Firewall (Windows), and guides are also available using the Windows 7 (not 8+) built-in firewall, and Little Snitch (Mac OSX). Those familiar with iptables should have no problem doing something similar in OSX and Linux.

* My thanks to reader x22 for concisely formulating these principles.
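
The four principles above, written out as a Linux iptables ruleset. This is an added example, not part of the original article or of the guides it links to; the interface names, the 203.0.113.10 and 192.0.2.53 addresses, UDP port 1194 and all function names are assumptions chosen for illustration. It goes one step further than principle 1 by dropping traffic on every interface by default, adds an IPv6 ruleset that allows loopback only, and includes a small audit that flags any rule leaving a path outside the tunnel.

```shell
#!/bin/sh
# Added example: generate a default-deny kill-switch ruleset in
# iptables-restore format, and audit a ruleset for OUTPUT rules that would let
# traffic bypass the tunnel. All addresses and names below are constructed.

is_ipv4() {    # dotted quad with every octet in 0-255
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i == "" || $i > 255) exit 1 }'
}

is_ifname() {  # conservative check so nothing else can slip into a rule
    case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# killswitch_v4 LAN_IF TUN_IF VPN_IP PROTO PORT [DNS_IP]
# DNS_IP is optional: leave it out when the VPN config names the server by
# IP address, because that exception is itself a path outside the tunnel.
killswitch_v4() {
    ks_lan=$1; ks_tun=$2; ks_vpn=$3; ks_proto=$4; ks_port=$5; ks_dns=${6:-}
    is_ifname "$ks_lan" && is_ifname "$ks_tun" && is_ipv4 "$ks_vpn" || {
        echo "killswitch_v4: bad interface name or VPN address" >&2; return 2; }
    case $ks_proto in udp|tcp) ;; *) echo "killswitch_v4: bad protocol" >&2; return 2 ;; esac
    case $ks_port in ''|*[!0-9]*) echo "killswitch_v4: bad port" >&2; return 2 ;; esac
    [ "$ks_port" -ge 1 ] && [ "$ks_port" -le 65535 ] || {
        echo "killswitch_v4: port out of range" >&2; return 2; }
    [ -z "$ks_dns" ] || is_ipv4 "$ks_dns" || {
        echo "killswitch_v4: bad DNS address" >&2; return 2; }

    # Principle 1: block everything by default, in both directions.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback, and replies to connections this host opened.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Principle 2: the one resolver used to look up the VPN hostname.
    if [ -n "$ks_dns" ]; then
        printf '%s\n' "-A OUTPUT -o $ks_lan -d $ks_dns/32 -p udp --dport 53 -j ACCEPT" \
                      "-A OUTPUT -o $ks_lan -d $ks_dns/32 -p tcp --dport 53 -j ACCEPT"
    fi
    # Principle 3: the VPN server itself, on its own protocol and port only.
    printf '%s\n' "-A OUTPUT -o $ks_lan -d $ks_vpn/32 -p $ks_proto --dport $ks_port -j ACCEPT"
    # Principle 4: anything may leave through the tunnel device.
    printf '%s\n' "-A OUTPUT -o $ks_tun -j ACCEPT" 'COMMIT'
}

# IPv6 counterpart for a tunnel that carries IPv4 only: loopback, nothing else.
killswitch_v6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# audit_ruleset TUN_IF   (ruleset on stdin)
# Prints each line that leaves a path outside the tunnel: an OUTPUT policy
# other than DROP, or an OUTPUT ACCEPT rule that is neither bound to lo/TUN_IF
# nor pinned to a single /32 destination. Returns 1 if anything was printed.
audit_ruleset() {
    awk -v tun="$1" '
        $1 == ":OUTPUT" && $2 != "DROP" { print; bad = 1; next }
        $1 == "-A" && $2 == "OUTPUT" && $NF == "ACCEPT" {
            dev = ""; dst = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") dev = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
            }
            if (dev != "lo" && dev != tun && dst !~ /\/32$/) { print; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Demo with constructed values. To apply for real (as root):
#   killswitch_v4 ... | iptables-restore ; killswitch_v6 | ip6tables-restore
killswitch_v4 eth0 tun0 203.0.113.10 udp 1194 192.0.2.53
```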


If using a good VPN client that features “DNS leak protection” and a kill switch, you should have little to worry about when it comes to accidentally exposing your real IP address when using VPN (although Windows 10 users should watch out for the Smart Multi-Homed Name Resolution issue.)

OpenVPN for Android users should be particularly chuffed that DNS leak protection and kill switch functionality are built into the generic OpenVPN app (just make sure that they are enabled.)

If your VPN software does not include these features, never fear, as there are plenty of third party solutions to fill the gaps.

It is always a good idea, however, to check ipleak.net, test-ipv6.com, and doileak.com periodically, just to make sure that nothing is amiss.

Douglas Crawford
March 15th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

40 responses to “A Complete Guide to IP Leaks”

  1. kiran says:

    It is a very good article. Easy to understand. Thanks for your input and effort. Great job.

  2. Paul Hire says:

    Excellent and very educational site, I never knew how interesting this subject was or all the technicalities involved.
    I am now an avid reader of your site. Thanks.

  3. Peter Uithoven says:

    Statutory add-on not found anymore. Maybe due to Firefox’s new Add-on changes.

    1. Douglas Crawford says:

      Hi Peter,

      Thanks. I think it best to wait and let the dust settle a little to find out which Firefox add-ons make the jump to WebExtensions before updating the info on this website.

  4. DAB says:

    Great article. But typo in “Operation System”? Shouldn’t it be “Operating System”?

    1. Douglas Crawford says:

      Hi DAB,

      Thanks for spotting the typo!

  5. Brenda says:

    People already hacked and know my IP address. I paid for a VPN afterwards. They let me know through gmail, which got hacked 2 years ago, saying things I viewed websites. I was using mobile WiFi machine for internet connection. The password is on the outside of every box hanging on display at ALL stores. Can’t change my password. Tried and wouldn’t connect. Support told me to leave it alone even though instruction booklet shows steps how to. Any suggestions to hide what websites I’m viewing?

    1. Douglas Crawford says:

      Hi Brenda,

      It is unlikely that your router got hacked. Your ISP can normally see every website that you visit, and every website that you visit can see your unique IP address. Using a VPN will hide what you get up to on the internet from your ISP, and your real IP address from all websites that you visit. For more information, please see VPNs for Beginners – What You Need to Know.

  6. Thedys says:

    Hi Douglas,

    Let me first say one thing: Thanks a million for educating me on such a key topic. I am new to VPNs and your article helped me so much to understand that installing a VPN does not mean you should immediately run your P2P client without thinking twice…

    I subscribed to IPVanish few hours ago on both my Windows 10 Pro PC + my iMac, made sure I enabled their “IPv6 Leak Protection” feature and went to IPleak.net on both machines:

    a) Both Chrome browsers on my PC & the iMac showed the WebRTC leak. No such issue on Edge or Safari as I understand both browsers do not run WebRTC components. I have fixed this issue by downloading the “WebRTC Leak Prevent” extension and adding it to Chrome. Yet I have now read your article and would appreciate your recommendations re: using the “WebRTC Network Limiter” Chrome extension instead?

    b) My real IPv6 addresses showed in the IPleak.net results page on all browsers on my PC (Chrome, Firefox, Edge). I initially got confused and thought enabling the “Turn off smart multi-homed named resolution” would help. But, correct me if I am wrong, this only helps for DNS leaks, right? Therefore the only thing I could do at this stage was to visit the recommended Microsoft Web site and download the file to turn off IPv6 entirely on my PC. Since then: No IPv6 address has been detected in any browser.

    My question is: Was there anything else I could have done as the IPVanish “Enable IPv6 Leak Protection” setting is enabled… unless there is a known issue with this feature?

    Would appreciate your guidance!

    Many thanks!

    1. Douglas Crawford says:

      Hi Thedys,


      a) WebRTC Network Limiter is an official Google extension and works great. I have not, however, looked at WebRTC Leak Prevent for some time, and it has likely fixed the issues I mention in The WebRTC VPN “Bug” and How to Fix It. If it seems to work fine for you, then it most likely is.

      b) Well, although “DNS leak” usually refers to a regular IPv4 leak, an IPv6 leak is still a DNS leak and can be the result of Smart Multi-Homed Name Resolution. If the IPVanish “Enable IPv6 Leak Protection” setting was enabled, you should not have had an IPv6 leak! This setting usually simply completely disables IPv6, so it is surprising that you detected one. I’m afraid it’s something that you will need to take up with IPVanish…

  7. Yasiel says:

    I am currently using NordVPN. With my android devices I had to remove my search bar on my android phone/tablet screens. In addition, download a “beta” internet browser on a current phone (https://play.google.com/store/apps/details?id=com.sec.android.app.sbrowser.beta)

    I like NordVPN for I communication with CSR in real time and the support *appears* to be available 24/7. I changed older browsers due to WebRTC leaks. This is odd to think about but I wondered when using the GMail app is anything leaking while connected to the VPN. Might you personally recommend excellent performance VPNs?

    1. Douglas Crawford says:

      Hi Yasiel,

      Google apps and services are very secure, but they are not private. The app will not be “leaking” anything when connected to the VPN, as such (it is secured using HTTPS encryption), but it will tell Google pretty much everything about you. Google will then use this information, plus what it can glean from scanning your emails, recording your web searches, and tracking you as you surf the web, to deliver highly targeted ads to your browser.

  8. Bill says:

    Bookmarked and will be reviewed often. Thanks for writing this.

  9. Anna says:

    Hi, I’m not sure I understand when there is a leak and when there is not. I tested DNS in both Safari and Chrome using 3 different Leak test sites. In Safari it is obvious there is no leak. I wish I could attach screen shots here but since that’s not possible here goes: Using IPLEAK.net Safari only says:
    IP address: 185. XXX There is no DNS or any other info available.
    With Chrome there is plenty of information available using IPLEAK.net but is it giving away my info? First is listed IP address: 185.XXX. Then for “Your IP Address- WebRTC Detection”, it lists 10.XXX.XXX.XX (Private Use RFC1918) and IP 185.XXX again.
    DNS Server; the last number is different than the IP address number 185.XXX. They all only show a location in Germany where I am not.
    Safari gives away nothing but Chrome gives 10.XXX.XXX.XX
    These are not my personal IPs or DNS servers though. So what is 10.XXX.XXX.XX? I looked it up but I do not understand what it says.
    I installed Unblock for Chrome but it didn’t change anything that I can tell in DNS leak tests. Perhaps I am worried about something that isn’t a problem? I am using Windscribe by the way. I liked Windscribe for the first few months but as of late I have a lot of trouble connecting to websites and have to switch to Chrome because it times out in Safari. But some sites will not load in Chrome either. Windscribe has tried to help but I am unable to send them a debug report (it says it can’t send) so we are at a standstill with troubleshooting the problem.

    1. Douglas Crawford says:

      Hi Anna,

      – If you cannot see your real IP address or that of your ISP, then you do not have an IP leak.
      – The reason you are seeing that address in Chrome and not Safari is because Safari does not use the WebRTC “feature”, but Chrome does.
      – That 10.x.x.x. address is a private use [RFC1918] IP address. Please see here and here for more details. As discussed in this article, “If the client is behind a NAT, the client’s private IP addresses, typically [RFC1918] addresses, can be learned.”

      The [RFC1918] address you are seeing therefore probably belongs to your VPN provider’s server, which is behind a NAT gateway. Even if it is your real IP, it is an internal network address. This cannot be used to identify you, though, so does not constitute an IP leak.

      Or to put all this another way… you have nothing to worry about :).

  10. eat more kittens! says:

    Group Policy is not available to all editions of Windows 10.

    1. Douglas Crawford says:

      Hi eat more kittens!

      I did state that,

      “*Unfortunately, the ‘Turn off smart multi-homed name resolution’ option is not available in Windows Home Editions. Luckily, the OpenVPN plugin mentioned above should fix the problem for most users anyway. Whew!”

      It would, however, be more accurate to say that “the Group Policy Editor is not available in Windows Home Editions.” Fixed and thanks.

  11. mary says:

    If your IP address is known can you still use a VPN to prevent the hacker doing further damage?

    1. Douglas Crawford says:

      Hi Mary,

      I’m afraid that you will need to define “prevent the hacker doing further damage” further. Please see my VPNs for Beginners guide, which aims to explain what VPNs can and cannot do to protect you. Even if you are suffering an IP leak, the connection between your computer and the VPN server remains securely encrypted. This means that a hacker, your ISP, or the NSA, cannot access your data.

      1. eat more kittens! says:

        Until the NSA activates embedded technology on your secured side (courtesy Intel, et al) to funnel data back to NSA.

        1. Douglas Crawford says:

          Hi eat more kittens!,

          Sure, but I think the general point stands.

  12. Simail says:

    Great article, I found all the information I need in one place for a change.

  13. Duane Whitty says:

    Nice post.

    Here’s some info for users of various GNU Linux distributions. dnsmasq will cause your system to leak DNS info.

    I would like to bring attention to caching dns clients. *nix systems (Gnu Linux distributions, FreeBSD, etc.) have traditionally run a piece of “system” software called BIND which stands for the Berkeley Internet Name Daemon. When running this software is responsible for handling any DNS requests made by or to the system it is on. There are other systems which “compete” with BIND. One which comes to mind is tinyDNS. This is still a full featured DNS handler.

    I have very successfully and happily used BIND on my desktop computer at home using an IP address dynamically assigned by my ISP. However, most people including myself would find these examples of DNS software unsuitable for running in a “road warrior” configuration on one’s laptop. But DNS lookups still need to be handled. This brings the program known as dnsmasq into the show. dnsmasq is a “smaller” system than BIND and other general purpose DNS management software. Its description on the Gnu Linux distribution I am running (Kubuntu) is “dnsmasq – A lightweight DHCP and caching DNS server. dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN.”

    Until I disabled dnsmasq my system running OpenVPN leaked my DNS info. It may be possible to configure dnsmasq to not leak this info but I’m not sure and I think it would be difficult and inflexible in the “road warrior” scenario of frequently changing networks and IP addresses. The easiest and most consistent fix is to disable it. I accomplished this by commenting out its line in the configuration file:


    The ‘#’ at the beginning of the line makes the line a comment and causes it to be ignored by NetworkManager. You could just delete the line but in my experience it is better to “comment-it-out” just in case you decide to do things differently in the future. If you delete it you’d have to remember it was there, what it was called, etc. Now you can just uncomment it.

    Now my VPN provider’s DNS servers are completely responsible for handling all DNS requests from my computer.

    Hope someone finds this information useful.

    1. Douglas Crawford says:

      Hi Duane,

      Thanks! I have not encountered this problem myself, but I’m sure this post will be useful to others.

  14. Ruamzuzla says:


    I’m still confused whether my systems are leaking DNS requests or not.
    I have two devices using OpenVPN, an Android Phone and Laptop with Debian OS.
    In both systems the IPs,, and are used for DNS (OpenDNS). They are not only written in the VPN settings, but also in the general network settings, so even when disabling VPN, all requests should go to the OpenDNS server instead of my ISP’s.

    The problem is now that I don’t know if the requests are tunneled through the VPN connection.
    I used doileak.com to analyse the situation and I get this report:

    “We did get DNS requests from the following IPs: OpenDNS, LLC (36692), United States (NA) (Leak?) OpenDNS, LLC (36692), United States (NA) (Leak?) OpenDNS, LLC (36692), United States (NA) (Leak?)
    We received DNS requests from you via a DNS server from another AS (routable network) than your HTTP request. This could mean that your DNS requests are leaking.”

    So I don’t know if this is okay or not, maybe someone can help me with this problem?

    Thank you 🙂

    1. Douglas Crawford says:

      Hi Ruamzuzla,

      If all DNS requests are being handled by OpenDNS, then they are not being handled by your VPN provider. By definition this means that you have a DNS leak. Does your VPN provider’s software offer a DNS leak protection / Network Lock feature? If so, then turning it on should ensure that all DNS requests are handled by your VPN provider (as this feature is basically a firewall that prevents any internet communication outside the VPN connection). Note that if your VPN provider handles the DNS requests (as it should do), then you will not be using the OpenDNS servers.

      1. Ruamzuzla says:

        Thank you for your fast answer.

        So the problem is that my VPN service (PureVPN) only let you use their DNS server, when you allow your public IP in their webinterface. But my public IP is changing every few days, so this is not a solution.
        The other option would be to use their software, but there is only a client for Windows and I need something for Debian and Android.

        But I just found my situation described in this guide under point 3 (using a public DNS). So I just don’t get, why this is still a problem and if a DNS provider can see my IP or not (that would be the leakage, wouldn’t it?).

        Furthermore I’m used to Wireshark.
        So I started protocolling all outgoing connections, and when analysing all endpoints I can see, that every request, even the DNS requests are sent through the tunnel. There is no other endpoint than the VPN server I am connected to.
        When I understand that properly, then any DNS server can not see my IP address, only the one from my VPN (DNS request of my computer -> VPN -> DNS server and the way back to my computer).

        How is it possible, that the request can leak out of the tunnel, even when I would use my ISP’s DNS? I think I understand the DNS problem in theory, but the technical background is not explained anywhere.

        Hope you can clarify this situation to me 🙂

        1. Douglas Crawford says:

          Hi Ruamzuzla,

          So in order to route your DNS requests to its servers when you are not using its custom software, you must tell PureVPN your local IP address using its webinterface. All well and good, except that because your ISP assigns you a dynamic IP, your IP changes every few days?

          I think you are getting confused over Point 3 in 4 ways to prevent a DNS leak when using VPN. This sets your PC to always use a set DNS server. But if you tell PureVPN your local IP address using its webinterface then it will simply reroute all DNS requests from that address to its own DNS servers.

          You can either:

          a) Not tell PureVPN your IP address. In this case all DNS requests will be handled by the DNS server that you set in your OS (e.g. an OpenDNS). Or…

          b) You can use a managed IP service. These monitor your dynamic IP addresses and link them to a static IP. You can give the static IP to PureVPN. no-ip has a free plan that offers this.

  15. vuik says:

    whats a good vpn that has dns and kill switch?

    1. Douglas Crawford says:

      Hi vuik,

      AirVPN, Mullvad, BolehVPN, and many more (AirVPN also prevents WebRTC leaks).

  16. dev/null says:

    Just a heads up. “The Dynamic Name System (DNS) is used to translate” is incorrect. I think you’re confusing your acronyms because DNS stands for Domain Name System and you have it sounding like DHCP – Dynamic Host Configuration Protocol.
    See from the people whose equipment runs most of the Internet’s infrastructure.
    or check out the wiki

    1. Douglas Crawford says:

      Hi dev/null,

      “DNS is a globally distributed, scalable, hierarchical, and dynamic database that provides a mapping between hostnames, IP addresses (both IPv4 and IPv6), text records, mail exchange information (MX records), name server information (NS records), and security key information defined in Resource Records (RRs).” It is basically an address book that cross-references domain names (www.blahblah.com) with numerical IP addresses. I think the way I have described it is perfectly clear and accurate.

      What I am not talking about is DHCP, in which IP addresses are dynamically allocated to users.

  17. vinay aditya says:

    easily understandable important information
    thank you very much

  18. NickH says:

    The site has a wealth of knowledge shared in an understandable way. This page in particular was very useful, thank you. I’ll be back and hopefully so will some others who I’ll refer this site to.

  19. Paul Paulson says:

    Perfect. Glad I came across this. Didn’t know my ip might be at risk during vpn reconnect. Cheers!

  20. MAD says:

    Nice review on how to protect you while using a VPN.

    Thank you very much!

  21. Tobias says:

    Thank you. After wasting hours collecting all the above information in little pieces I finally found this great article.

  22. Jon Dough says:

    Thanks for a fantastic article, Doug! Your hard work is much appreciated.

  23. marcel lemieux says:

    thank you very much for a fine writing article on privacy..excellent

  24. shrinivas says:

    Great article, thank you !
