WARNING! Windows 10 VPN Users at Big Risk of DNS Leak

A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.

This is a major issue for VPN users. It means that your ISP (and anyone listening in on your local network) will know through your DNS requests which websites and services you have visited on the internet. It also opens the way for hackers to hijack your DNS requests (DNS spoofing). In addition, there are reports of Windows 10 users suffering slow page loading and timeouts due to this issue.

The problem has led the United States Computer Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.

Smart Multi-Homed Name Resolution

DNS refers to the Dynamic Name System used to translate domain names into numerical IP addresses. This translation service is usually performed by your ISP, using its DNS servers. But when you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers, rather than those of your ISP.

Under Windows 7, all DNS requests were made in simple order of DNS server preference. But this changed in Windows 8 when Microsoft added “Smart Multi-Homed Name Resolution” by default. This sent out DNS requests to all available interfaces, but only used non-preferred servers if the main DNS server failed to respond.

This makes Windows 8.x systems liable to DNS leaks, but at least makes it unlikely that DNS requests will be hijacked. Windows 10, on the other hand, simply chooses whichever DNS request responds quickest, which presents a major security risk.
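
The three resolver behaviours described above can be compared with a small model. This is an added example, not code from the article or from Windows; the resolver names, latencies and the `resolve`/`report` helpers are constructed for illustration, and it assumes the VPN's DNS server is the preferred one.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Resolver:
    name: str                    # hypothetical label for a DNS server
    interface: str               # "vpn" or "lan": where the query leaves
    preference: int              # lower = more preferred by the OS
    latency_ms: Optional[float]  # None = server never answers

def resolve(policy, resolvers):
    """Return (servers that saw the query, server whose answer is used)."""
    ordered = sorted(resolvers, key=lambda r: r.preference)
    if policy == "win7":
        # Sequential: ask in preference order, stop at the first answer.
        seen = []
        for r in ordered:
            seen.append(r)
            if r.latency_ms is not None:
                return seen, r
        return seen, None
    if policy not in ("win8", "win10"):
        raise ValueError(f"unknown policy: {policy}")
    # Windows 8.x and 10: the query goes out on every interface at once.
    answered = [r for r in ordered if r.latency_ms is not None]
    if not answered:
        return ordered, None
    if policy == "win8":
        # A non-preferred answer is used only if preferred servers fail.
        return ordered, answered[0]
    # Windows 10: the quickest answer wins, whatever interface it used.
    return ordered, min(answered, key=lambda r: r.latency_ms)

def report(policy, resolvers):
    seen, used = resolve(policy, resolvers)
    return {
        "leaked": any(r.interface != "vpn" for r in seen),
        "answer_from": used.name if used else None,
        "answer_off_tunnel": used is not None and used.interface != "vpn",
    }

# Constructed sample: the ISP resolver on the LAN is closer, so faster.
RESOLVERS = [
    Resolver("vpn-dns", "vpn", 1, 80.0),
    Resolver("isp-dns", "lan", 2, 15.0),
]
if __name__ == "__main__":
    for policy in ("win7", "win8", "win10"):
        print(policy, report(policy, RESOLVERS))
```

In this model the Windows 8.x behaviour exposes the query off the tunnel but keeps the VPN server's answer, while the Windows 10 behaviour also accepts the off-tunnel answer because it arrived first.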

VPN clients that feature “DNS leak protection” should disable Smart Multi-Homed Name Resolution in earlier versions of Windows, but this may not work in Windows 10 (and may vary by individual client). Users of clients without this feature (including the generic open source OpenVPN client) will almost certainly be liable to DNS leaks under Windows 10.

Fixes for Smart Multi-Homed Name Resolution DNS leak

1. There is now an OpenVPN plugin by ValdikSS that fixes this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them).

2. It is also possible for users of some* versions of Windows 8, Windows 8.1, (and especially!) Windows 10 to disable Smart Multi-Homed Name Resolution using the Local Group Policy Editor. Avast has published some great instructions on how to do this.

Disable Smart Multi-Homed Name Resolution DNS leak fix

*Unfortunately, the ‘Turn off smart multi-homed name resolution’ option is not available to users of Windows Home Editions. Luckily, the OpenVPN plugin mentioned above should fix the problem anyway. Whew!

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

24 responses to “WARNING! Windows 10 VPN Users at Big Risk of DNS Leak”

  1. I am using OpenVPN 2.3.11 with my Windows 10 box.

    I have tried simply updating my configuration file on both my client and server with the ‘block-outside-dns’ and it does not seem to be working. Am I missing something?

    Thanks in advance for your help/reply.

    1. hi,

      try “block-outside-dns” in the client config or “push block-outside-dns” at server config. it did work for me (openvpn 2.3.11). after that, everything should work ok (vpn dns get used) BUT nslookup does not work any more! only other programs using DNS .. like telnet, ping, firefox, tracert ….!

      my hint is to change the metric on LAN interface from automatic to e.g. 50 without using “block-outside-dns” at all. this way even ipsec seems to work and windows10 always uses DNS server of vpn interface because of the smaller metric (of vpn interface, rather than LAN interface). give it a try!


  2. Hi; this is a very useful article; quite helpful. I am finding through the years that computers are getting less and less “user friendly”, so for a lay person, like me (and with too many years behind me to become an expert now…) folks like you who diligently take the time to inform in untechnical language, are life-savers for folks like me. Keep up the good work. Now, I want to clarify; is this procedure strictly for vpn clients only; or is this something I should be doing now… (I found your article searching for recommendations of vpns for windows 10; so I haven’t chosen one as of yet) I had a tablet that I used a vpn prior; and it worked great for a good while, and then I guess it leaked, as it did get hacked into at a public wifi. I don’t use public wifis now, but I do use my wifi, so I intend to get a vpn. Thanks for your answer.

    1. Hi vb,

      Thanks! Using a VPN will protect you while using public WiFi networks (as all your data is encrypted.) As for the Windows 10 Smart Multi-Homed Name Resolution issue discussed in this article, there is now an OpenVPN plugin to fix this problem. You should install this once you have installed your chosen VPN provider’s OpenVPN software. It should work with all versions of Windows, and will also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)

      1. Hi Douglas.

        I just tried that. I downloaded the 64-bit and installed into HMA Pro VPN/config. I then went to and it still shows my real IP address under WebRTC detection. None of those add-ons for either Chrome or Firefox work either. Boy have they made this hard for us.

          1. Hi Douglas.

            Yes, I’ve read that link. I realized after posting that that IP6 leak had nothing to do with WebRTC. That being said I was finally able to fix the WebRTC problem. I installed WebRTC Network Limiter and now WebRTC doesn’t leak in the pleak test. I coulda sworn I had tried that a couple of weeks ago. Either it was a different extension I tried or they’ve updated it since I last tried.

            Now for this IP6 leak… I just ran a test on and it says I don’t even have access to IP6 and that I’m only using IP4. So I guess I have nothing to worry about now?

          2. Hi Mike,

            Yes. Disabling IPv6 will prevent IPv6 leaks. The only VPN provider I know of to properly route IPv6 calls is Mullvad (at least this is what it claims, and Mullvad is a trustworthy provider.)

    1. Hi JPH,

      As noted in the article, this “solution” was always a partial workaround at best. Fortunately, there is now an OpenVPN plugin to fix this problem. It should work with all versions of Windows, and will probably also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)

    1. Hi Jim,

      This might be true (and is true for Windows Homegroups), but until VPN clients start to properly support routing all IPv6 requests through the VPN, turning off IPv6 is the only reliable way to prevent IPv6 DNS leaks… It really is about time VPN providers pulled their thumb out on this issue!

  3. As a windows home user I find that the TCP/IPv6 is enabled ( checked ) and that I am not able to un select it. Can you provide any suggestions?

    1. Hi George,

      The official Microsoft instructions are here. Microsoft provides an executable script to disable IPv6 automatically, and also manual instructions for disabling IPv6 using the registry (a version of these instructions with screenshots is also available here.) I run Windows 8.1 Professional, so if you let me know how you get on, I would be grateful (and will update this article accordingly.)

  4. I’m still running Windows 10 insider and I cannot find it on my system. I use a VPN which has an option in settings for DNS leak protection. So far, for the last 6 months I show no leakage using the “Tools to check your IP info”.

  5. It seems that the Windows 10 Home version, the free one I downloaded, does not support group policies and so does not have gpedit.msc enabled.

    I think this means your warning does not apply to Windows 10 home version users. If I am wrong, I would like to hear more about it. I could not find gpedit.msc on my computer. The search only offered to download it.


    1. Hi Sean,

      Thanks for the feedback. Unfortunately my Windows is refusing to let me upgrade to Windows 10 at the moment, and even when/if it does it will be to the Pro version. I would therefore be interested in hearing feedback from other Win10 Home users on this issue. Have you visited Does it detect any DNS leaks from your system?

      1. Sean

        the DNS leakage absolutely occurs with Windows 10 home version. As described in the discussion after the “4 ways to prevent a DNS leak” I described my experiences with my VPN connection and Windows 10 (this was Home Edition). Douglas’ addition to the article above for Windows 10 Home users does prevent the DNS leakage.


        1. Hi Mike,

          It is true that the advice I published above is more of a partial workaround than a true solution (as I make very clear), but it should be quite effective (especially if you are using your VPN provider’s DNS settings.)
