An important new report(.pdf) titled ‘A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients’ has alleged that many VPN providers are guilty of not preventing DNS leakage because they do not route IPv6 DNS requests through the VPN.
The Dynamic Name System (DNS) is used to translate the easy-to-understand and remember web addresses that we are familiar with, to their ‘true’ numerical IP addresses: for example translating the domain name www.bestvpn.com to its IP address of 220.127.116.11. Every internet connected device, and every internet connection, has a unique IP address (although these can change).
Until recently, the entire internet used the Internet Protocol version 4 (IPv4) standard to define these IP address values. Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out, as IPv4 only supports a maximum 32-bit internet address. This translates to 2^32 IP addresses available for assignment (about 4.29 billion total).
While various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard – IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available web addresses to 2^128 (340,282,366,920,938,000,000,000,000,000,000,000,000!), which should keep us supplied with IP addresses for the foreseeable future.
Unfortunately, adoption of iPv6 has been slow, mainly due to upgrade costs, backward capability concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of websites do not yet bother.
This has led websites that support IPv6 to adopt to a dual-tiered approach. When connected to from an address that only supports IPv4, they will serve up an IPv4 address, but when connected from an address that supports IPv6, they will serve up an IPv6 address.
And this is where the problem with the way in which many VPN services handle DNS requests lies…
In order to fully hide a users’ real IP address, VPN providers either handle the DNS translation process themselves, or use a third party provider such as OpenDNS or Google DNS. Please note that using a third party DNS translation service is not the privacy disaster it may sound, as all requests are made via the VPN provider instead of the user.
In theory, then, all DNS requests should be routed through the VPN and be handled by the VPN provider (or passed on to a third party.) When this does not happen, and the request is handled by the user’s ISP instead – this is known as a DNS leak.
The report, unfortunately, found that most providers, while they do route IPv4 requests through the VPN tunnel, failed to route IPv6 requests in the same way.
The result is a total privacy failure, where visitors to IPv6 enabled websites suffer a DNS leak that can be used to determine their real IP address, ISP, and geographic location… Oops.
The report also found that although IPv6 enabled websites are quite uncommon, 92% of websites studied contained third party IPv6 objects, mainly from popular advertising domains such as Google, Facebook and Yahoo, who were early IPv6 adopters.
It should be noted however, that many of the VPN providers listed here either strongly dispute many of the ‘facts’ quoted in the report, or note that test results in the report are out of date.
PIA, for example says that it has always performed its own DNS translation, and has never even heard of Choopa Geo DNS, while AirVPN says that it speeded-up dropping legacy support for older versions of OpenVPN responsible for the IPv6 leak when it was presented with an early draft of the paper. But despite informing the researchers of this long before publishing, they published the out-of-date results anyway.
Many of the providers mentioned in the report have published detailed responses, which we reproduce at the end of this article.
In theory it is perfectly possible for a DNS client to simply route all IPv6 requests through to the VPN provider, but every client we know of that features ‘DNS leak protection’ takes the nuclear option, and simply disables IPv6. This is fine for the time being, but given that IPv4 addresses are running out, must be seen as a temporary solution.
To determine if your VPN leaks, visit test-ipv6.com.
If you use a provider that does not offer ‘DNS leak protection’ through its client software, then you can disable IPv6 yourself. Instructions for doing so are available for Windows, OSX Mac, and Linux. The more paranoid out there may prefer to do this anyway.
According to the report,
‘On iOS, all tested VPN services are immune to IPv6-leakage, as IPv6 is completely disabled during the VPN tunnel lifetime. On the other hand, we found that the leakage affects all VPN services on Android.’
For what it’s worth, however, we visited test-ipv6.com using an Android phone connected to AirVPN (using both the stock Android browser and Firefox), and obtained the following results:
Again, this calls into doubt some of the claims made in the paper
In addition to the IPv6 leakage issue, the report highlights some other problems.
It criticizes, for example, many VPN providers for offering the very insecure PPTP VPN protocol to customers (singling VyprVPN out for offering a PPTP-only basic service in particular, something that we have also criticized it for).
In many (but not all) cases we feel this censure is somewhat unfair, however, as VPN providers’ often offer PPTP in order to support the many legacy devices that only use that protocol, but also make it very clear that they do not recommend PPTP for security reasons. While providers such as AirVPN only offer OpenVPN precisely because other protocols are less secure, we do not think providers should penalized for offering customers a choice.
Another criticism made is that many providers offer a limited number of VPN exit locations, and of these, nearby ones, or ones in P2P-friendly countries, are favored (thereby reducing the number of locations a VPN user is likely to use even further).
The paper observes that the more predictable a user’s VPN exit points, the easier it would be to perform an end-to-end timing attack. There is certainly some truth in this, although it assumes a very powerful adversary, and is a very specialized use-case for VPN.
Much of the paper then goes on to outline how both OpenVPN and PPTP/IPSec routing tables can be subverted by a sophisticated man-in the-middle attack if the adversary controls the internet access point (such as a public WiFi router).
Again, this is a very specific and specialized form of attack, although as the paper notes, it does fall within VPN’s remit of protecting users when accessing the internet via public hotspots. The paper expresses alarm that users in repressive countries (the governments of which are exactly the kind of adversary likely to perform this kind of attack) are sometimes encouraged to use VPN, and this is a point that we do agree with.
If individuals are likely to get into trouble for what they get up to on the internet, they should use Tor instead of VPN, and for any provider to suggest otherwise is very irresponsible (many providers do make the limitations of the technology very clear, however.)
Interestingly, users of Windows 8 and Android 4.4+ are immune to the attack described, but we agree that VPN providers should look into ways of combating such vulnerabilities (for example by using IP firewalls rather than routing tables, as suggested).
The paper is an interesting one, and the points made will hopefully be wake-up calls to those VPN providers who are simply not up to scratch. We do, however, feel that it also contains quite a number of misunderstandings and factual inaccuracies that do some of the better services named in it a disservice.
Below are responses to the report from some of the named VPN providers. We will add to these as more information becomes available.
‘AirVPN is not vulnerable to DNS hi-jacking because VPN DNS server and gateway IP addresses match.
The paper is outdated because their tests were performed on VPN servers with a /30 topology that we kept to maintain compatibility with Windows OpenVPN 2.0.9 and some older versions. After the draft paper preview they kindly provided us with months ago, we decided to speed up Windows OpenVPN 2.0.9 support drop, which made sense in 2010 but not now.
Current topology allows to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.’
Full response available here
Private Internet Access
‘To begin, there were a number of claims which were made, but we’d like to address some of the more unreasonable of those amongst them. The truth about the world which we believe in, an uncensored world, is that often times data will be published without being checked for accuracy. Journalists in this world are amazing at reporting news. They are the best at digesting and reporting news in laymen’s terms. However, they may not necessarily be subject matter experts which is what led to this inaccurate reporting today. Luckily, the internet allows us, for the first time in history after newspapers had such a strong grip on information, to refute and respond to unworthy claims and set the record straight so that we can have accurate, fair, unbiased information to let the good people of earth come to their own conclusions based on fact, not hearsay.’
PIA has provided a detailed refutation of various claims made by the paper here.
‘Given the recent press regarding IPv6 Leakage and DNS Hijacking for commercial VPN services which stemmed from this report: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf the Golden Frog affiliate team wanted to contact you and address the issue directly (as we have done with our customers).
We’re proud to say that out of 14 major VPN providers, VyprVPN is one of 3 services that did not leak information for customers using Windows, Mac or iOS applications (http://www.computerworld.co.nz/article/578828/vpn-users-beware-may-safe-think/) according to the study. At Golden Frog we do our best to ensure VyprVPN is the most secure option for our customers, and we’re happy to see that our efforts have paid off in this particular instance.
With that said, all VPN providers who offer Android devices are seeing some vulnerabilities within the Android app due to the way Android operating system operates under the hood. At Golden Frog we are actively working on a solution for our Android customers. We are confident that we will have a solution in place soon.
In terms of the IPv6 vulnerabilities and DNS-based attacks, VyprVPN is more secure than other providers due to the fact that we run our own, localized DNS servers all through the VyprVPN network. This makes it extremely difficult for 3rd parties to utilize DNS attacks on the Golden Frog network, especially compared to providers that utilize public DNS services such as Google, Chupa, or OpenDNS. The impact vector for VyprVPN in this regard is very small, but we’ll still be updating our DNS configurations so that traffic over the VyprVPN network will always have to go through VyprDNS endpoints. This is something Golden Frog engineers are already working on, and will make our service even more secure going forward. Additionally, since we manage our own network, we’ll be able to test these solutions ourselves and implement the solutions that have the best results. This fix will also solve DNS-leakage issues that are addressed within the research paper.
Philip Molter, a co-CTO at Golden Frog, recently hosted a Google Hangout to answer questions about the IPv6. You can read our initial response and watch the hangout via the Golden Frog Blog at https://www.goldenfrog.com/blog/vpn-study-highlights-importance-trustworthy-vpn, and see how Phil responded to our customers’ questions. If you have any additional questions about this, please contact your affiliate manager, and we will do our best to address them.
Thanks again for your continued dedication in working alongside us at Golden Frog. Please let us know if there is anything else we can do for you!’
Additional information is available here.
‘We’re indeed aware of this and have been working on an article which will be published shortly. It shall include all the important aspects covered, do keep an eye on our blog section and feel free to suggest me anymore improvements.
As far as DNS vulnerability is concerned, we do have our separate DNS which is safe. You will see more details on this too very soon.’
‘The paper is outdated in several points. ExpressVPN uses its own DNS service, and we block IPv6 DNS results.
We’re working on further enhancing security in cases where an attacker controls the local router and is trying to break the VPN. Bittorrent users should check if their network supports IPv6, then disable if necessary.
If you use bittorrent, we suggest these steps to confirm that all your bittorrent traffic always goes through the VPN: check if your network supports IPv6
go to http://ip6.nl/
at the top left, in the “your connection” section, check the result for IPv6
if it says “No IPv6 connectivity :-(“, that’s good and you’re secure
otherwise, if your network supports IPv6, consider disabling it in your operating system.’
‘Along with many of the companies, TunnelBear was listed as vulnerable to these attacks. Below is a summary of the actions we have already taken and will be taking to address the vulnerabilities.
It’s important to note that TunnelBear has been working on the long-term solution to these problems for quite awhile. However, this paper rightfully highlights the risks of these vulnerabilities and that our temporary solutions could and should have been rolled out sooner.’
Further details are available here.