GUIDE

4 ways to prevent a DNS leak when using VPN

Please note that this article has been largely superseded by A Complete Guide to IP Leaks.

The problem

In addition to VPN connection failures (see our full article on protecting yourself against these here), the other big threat to your anonymity when using a trusted VPN service is that of DNS leaks, which can result in your ISP being able to ‘see’ and monitor your online activity even though you think you are safely protected by an encrypted VPN tunnel.

The Domain Name System (DNS) is used to translate domain names (www.bestvpn.com) into numerical IP addresses (216.172.189.144). This translation service is usually performed by your ISP, using its DNS servers.

When you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers (rather than those of your ISP). However, it is quite common for Windows (the main culprit for this problem, although never say never for OSX and Linux) to instead use its default settings, and send the request to the ISP’s DNS server rather than through the VPN tunnel. This is known as a DNS leak, and if it happens then it results in your ISP being able to track your internet movements, regardless of whether you are using a VPN or not.

How to detect a DNS leak

To perform a DNS leak test simply go to dnsleaktest.com

leak test 1

Check the results to make sure that you recognise the IP numbers. In particular, any result that shows your ‘real’ location or that belongs to your ISP means that you have a DNS leak.

leak test 2

These results all look ok to us, so we know we don’t have a DNS leak. Phew!

How to prevent a DNS leak

If you want to plug a DNS leak, or simply want to prevent the possibility of one happening, there are a number of approaches you can take.

1. Use a VPN client with built in DNS leak protection

mullvad dns leak

This is by far the simplest way, but unfortunately only a few VPN providers supply this option. Those that do include:

*These clients also feature an ‘internet kill switch’.

2. Use VPNCheck (Pro version)

We discussed this nifty utility in our article on protecting yourself against VPN connection failure. The Pro version also includes a DNS leak fix.

a) Download VPNCheck Pro from here, install and run. On the main screen click ‘Config’.

vpncheck 1

Then simply ensure that the ‘DNS leak fix’ box is checked. It’s also probably worth specifying some programs (such as your favourite BitTorrent client) that you want to shut down in the event of a VPN disconnection while you are at it.

vpncheck 2

To get everything started, go back to the main screen and click either Cycle IP: Task or Cycle IP: Network.

vpncheck 3

VPNCheck Pro costs $24.90 (at the time of writing there is a 20% discount, which brings the price down to $19.92), and comes with a 13 day free trial.

3. Change DNS servers and obtain a static IP

Although not strictly speaking a fix, changing DNS servers makes sure that your ISP is not snooping on you. Most VPN providers will be happy to give you their DNS server details, or you can route your requests through a public DNS server such as those offered by Google Public DNS, OpenDNS and Comodo Secure DNS.

Edit: I have now written How to Change your DNS Settings – A Complete Guide which explains in detail how to change your DNS settings in all major OSs.

Installation instructions for various platforms are provided on the respective websites, but as we are working in Windows 7, here is a rundown on how to do it there (the process is similar on all platforms).

a) Open Network and Sharing Centre (from the Control Panel) and click on ‘Change adapter settings’.

static 1

b) Right-click on your main connection and select ‘Properties’.

static 2

c) Look through the list and find ‘Internet Protocol Version 4 (TCP/IPv4)’. Highlight it and click on ‘Properties’.

static 3

d) Make a note of any existing DNS server addresses, in case you want to restore your system to its previous settings at some point in the future, then click on the ‘Use the following DNS server addresses’ radio button and enter the relevant addresses. Click ‘OK’ and restart the connection.

static 4

If you are using your VPN provider’s DNS server, then they will provide you with the DNS server addresses. If you are using a public server then you may find these addresses useful:

Google Public DNS

  • Preferred DNS server: 8.8.8.8
  • Alternate DNS server: 8.8.4.4

Open DNS

  • Preferred DNS server: 208.67.222.222
  • Alternate DNS server: 208.67.222.220

Comodo Secure DNS

  • Preferred DNS server: 8.26.56.26
  • Alternate DNS server: 8.20.247.20

Changing DNS server is not only more secure as it moves the DNS translation service to a more trusted party, but it can bring speed benefits, as some services are faster than others. To find out how well a DNS server provider fares in this respect, you can download a free utility called DNS Benchmark.

Having a static IP means that Windows (or other OSs) will always route your DNS requests to your preferred DNS server, rather than assigning you a random IP (through DHCP) which may be routed through your ISP’s DNS server.

Although not critical, it is probably also a good idea to clear any other DNS servers except those used by your VPN adaptor. Full instructions for doing so can be found here.

This fix can be downloaded from here, and only works with the ‘classic’ open source OpenVPN client. It is effectively a 3 part batch file which:

  1. Switches from any active DHCP adaptors to a static IP (set by you)
  2. Clears all DNS servers except the TAP32 adaptor (used by OpenVPN)
  3. Returns your system back to its original settings once you are disconnected from the VPN server
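The batch file above is not reproduced on the page, so as an added example (not the article’s own code) here is an audit of the state it is meant to produce: it parses the output of `netsh interface ipv4 show dnsservers` and reports any adaptor other than the VPN’s TAP adaptor that still has resolvers configured, distinguishing DHCP-assigned (ISP) resolvers from static ones. The sample output, the adaptor names and the resolver addresses below are constructed for the example and modelled on that command’s layout.

```python
import re
from dataclasses import dataclass, field

# Name of the adaptor that carries the VPN tunnel (assumed; check yours with netsh).
TUNNEL_ADAPTOR = "TAP-Windows Adapter V9"

# Constructed sample, modelled on `netsh interface ipv4 show dnsservers` output.
SAMPLE_NETSH = """\
Configuration for interface "Local Area Connection"
    DNS servers configured through DHCP:  192.0.2.53
                                          192.0.2.54
    Register with which suffix:           Primary only

Configuration for interface "TAP-Windows Adapter V9"
    Statically Configured DNS Servers:    10.8.0.1
    Register with which suffix:           Primary only

Configuration for interface "Loopback Pseudo-Interface 1"
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Adaptor:
    name: str
    mode: str = "none"            # "dhcp", "static" or "none"
    servers: list = field(default_factory=list)


def parse_netsh(text):
    """Turn the netsh listing into one Adaptor per interface block."""
    adaptors, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Configuration for interface "'):
            current = Adaptor(line.split('"')[1])
            adaptors.append(current)
        elif current is None:
            continue
        elif line.startswith("DNS servers configured through DHCP:"):
            current.mode = "dhcp"
            tail = line.split(":", 1)[1].strip()
            if IPV4.match(tail):
                current.servers.append(tail)
        elif line.startswith("Statically Configured DNS Servers:"):
            tail = line.split(":", 1)[1].strip()
            if IPV4.match(tail):
                current.mode = "static"
                current.servers.append(tail)
        elif IPV4.match(line):              # continuation line with another server
            current.servers.append(line)
    return adaptors


def audit(adaptors, tunnel=TUNNEL_ADAPTOR):
    """Report adaptors that could answer DNS outside the tunnel.

    DHCP-assigned resolvers are the ISP's (step 1 of the batch file replaces them
    with static settings); any resolver left on a non-tunnel adaptor is a leak
    path (step 2 clears them)."""
    findings = []
    for a in adaptors:
        if a.name == tunnel or not a.servers:
            continue
        why = "ISP resolvers assigned by DHCP" if a.mode == "dhcp" else "static resolvers outside the tunnel"
        findings.append((a.name, why, list(a.servers)))
    return findings


if __name__ == "__main__":
    for name, why, servers in audit(parse_netsh(SAMPLE_NETSH)):
        print(f"{name}: {why}: {', '.join(servers)}")
```

On a real machine, feed the function the captured output of `netsh interface ipv4 show dnsservers` instead of the sample string.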

Author’s note, 14 January 2016: This 3 year old hack is a partial way to get around the fact that most VPN clients of the time did not properly route DNS requests through the VPN to be resolved by the VPN provider (as should happen). Fortunately, the situation has improved greatly, and most good clients now offer robust DNS leak protection. Hopefully VPN providers will now start to support full IPv6 routing (rather than simply disabling IPv6).

Conclusion

As ensuring anonymity is the main reason most people use VPN, it makes sense to spend a few minutes to plug any potential areas where this anonymity may be compromised (see also 5 ways to protect yourself when your VPN connection fails). It is also worth remembering that while Windows causes the most DNS leak problems, Linux and OSX are not immune, so it is still a good idea to follow similar steps to those outlined above if these are your platforms of choice.

Update: Following revelations of Google’s complicity in the recent NSA spying scandal, we now advise against using Google Public DNS servers.

Update: Although reliability can be an issue, using OpenNIC DNS servers is a decentralized, open, uncensored and democratic alternative to the DNS providers listed above. It is also possible to set your DNS settings to those of your VPN provider (ask it for details).

Important Update: A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and using the fastest one. Windows 10 users, in particular, should therefore disable “Smart Multi-Homed Name Resolution” immediately (although Windows 8.x users can benefit from doing this also). See WARNING! Windows 10 VPN users at big risk of DNS leaks for more details.
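dnsleaktest.com (see How to detect a DNS leak above) only sees what reaches a resolver; the update above describes a behaviour, parallel queries to every interface, that is easiest to confirm by looking at the queries leaving the machine. As an added example, not code from the article, this script audits a DNS query trace that has already been reduced to one line per query (time, interface, resolver, name), flagging any query that left outside the tunnel and any name that was sent to two different resolvers within a few milliseconds of each other. The sample trace, the interface names and the resolver addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed values for the example: resolvers pushed by the VPN and the tunnel interface.
VPN_RESOLVERS = {"10.8.0.1", "10.8.0.2"}
TUNNEL_IFACE = "tap0"
PARALLEL_WINDOW_S = 0.005   # two copies of one query within 5 ms = parallel resolution

# Constructed trace: seconds, egress interface, destination resolver, query name.
# 192.0.2.53 stands in for the ISP's resolver.
SAMPLE_TRACE = """\
0.000 tap0 10.8.0.1 www.bestvpn.com
0.001 eth0 192.0.2.53 www.bestvpn.com
0.410 tap0 10.8.0.1 dnsleaktest.com
2.900 tap0 10.8.0.1 dnsleaktest.com
3.200 eth0 192.0.2.53 example.org
"""


@dataclass(frozen=True)
class Query:
    t: float
    iface: str
    resolver: str
    name: str


def parse_trace(text):
    """Parse the reduced trace; malformed lines are skipped rather than guessed at."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, iface, resolver, name = parts
        queries.append(Query(float(t), iface, resolver, name.lower().rstrip(".")))
    return queries


def leaked_queries(queries):
    """Queries that did not go to a VPN resolver over the tunnel interface."""
    return [q for q in queries
            if q.resolver not in VPN_RESOLVERS or q.iface != TUNNEL_IFACE]


def parallel_names(queries):
    """Names sent to two different resolvers within PARALLEL_WINDOW_S of each other.

    A retransmission after a timeout (seconds apart, same resolver) does not count;
    near-simultaneous copies to different resolvers are the multi-homed behaviour."""
    by_name = defaultdict(list)
    for q in queries:
        by_name[q.name].append(q)
    hits = []
    for name, qs in by_name.items():
        qs.sort(key=lambda q: q.t)
        for prev, cur in zip(qs, qs[1:]):
            if cur.t - prev.t <= PARALLEL_WINDOW_S and cur.resolver != prev.resolver:
                hits.append(name)
                break
    return sorted(hits)


def audit(text):
    """Summarise a trace: counts plus the names involved in each finding."""
    qs = parse_trace(text)
    leaks = leaked_queries(qs)
    return {
        "queries": len(qs),
        "leaked": len(leaks),
        "leaked_names": sorted({q.name for q in leaks}),
        "parallel": parallel_names(qs),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_TRACE))
```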


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

40 responses to “4 ways to prevent a DNS leak when using VPN”

    1. Hi Nguyen,

      Yup, a firewall is used to prevent DNS leaks (to ensure that all DNS requests are directed only to the VPN provider’s DNS server). VPN clients that feature “DNS leak protection” have a built-in firewall that does this. Or you can configure your regular firewall.

  1. For speed and convenience I use the Hoxx proxy free VPN extension in Firefox. As with other free VPNs I’ve tried, the ipleak test shows Hoxx’s server IP address and not mine. However the DNS address shows as Google’s (74.125.47. etc.), which I changed to some time ago from my ISP’s DNS address. Is this VPN and are these settings safe for me to use on public wifi? Thanks

    1. Hi brian,

      I am not familiar with Hoxx (and BestVPN has not yet reviewed it), so I cannot comment on the service specifically. Pretty much any VPN service, however, will protect you from criminal hackers while using a public WiFi hotspot. If you are worried about the government tracking you, on the other hand, then it is theoretically possible to track your movements on the internet through Google DNS.

  2. If I change to Google’s (or anyone elses) DNS then I’m obviously not using
    my router’s DNS so that breaks access by name to local resources (such as
    my NAS).

    1. Hi Eli,

      If you change your PC’s DNS settings you can still access local resources (for example I can access my NAS and WiFi printer with no problem).

  3. Just a word of warning. DNSleaktest.com did not detect my DNS leak. Actually a few web sites failed to detect the leak. DNSleak.com detected my correct and therefore no longer anonymous DNS. I’m just waiting for the knock on the door….

    1. Hi Steve,

      Please note that this article has been largely superseded by A Complete Guide to IP Leaks. Other ways your IP can leak that will not be detected by dnsleaktest.com are IPv6 leaks, the Windows 10 ‘Smart Multi-Homed Name Resolution’ “feature”, and WebRTC. IPleak.net is much more comprehensive than DNSLeakTest, but does not check for IPv6 leaks. For this go to test-ipv6.com.

  4. I live in the UK but will be living in Spain for several months of the year. I want to have access to various UK websites that have geo restrictions (e.g. BBC iPlayer) and take my NOWTV and Amazon Prime services too which also have geo restrictions. So I have considered installing a VPN client on my PC. However I recently (September 2015) upgraded to Windows 10 and have discovered that in order to obtain the fastest available connection Windows 10 allows DNS leaks which causes a bypass of the VPN client. I have read up on how to disable this in the Local Group Policy Editor but when I try nothing works! How do I get around this problem and which is the best VPN client for my requirements? I have researched ipvanish and purevpn so far.

  5. Please explain exactly how internet traffic is directed to the VPN, but I
    still have a service provider…traffic must go through the service provider
    servers or not??????

    1. Hi yhalds,

      When using a VPN, all of your internet traffic is encrypted, so yes, although it goes through your ISP’s servers, your ISP cannot see what that traffic is. Assuming you have no DNS leaks (as discussed in this article and in Report raps VPNs for IPv6 DNS leakage), your DNS requests are funneled through the encrypted VPN and are handled by your VPN provider. At no point should your ISP be able to see what you get up to on the internet (your VPN provider can, but good VPN services take steps, such as using shared IP addresses, to minimize how much they know; see 5 Best Logless VPNs).

    1. Hi MikeL,

      Thanks for bringing this issue to my attention. I will publish an article on the subject today, warning our readers about the problem.

  6. This issue would probably apply to most VPN providers as it’s totally transparent. The other interesting fact is that when I am connected to the VPN and run DNS leak it only comes back with my ISP’s DNS server addresses and none of the VPN provider’s DNS addresses even though the Wireshark trace shows the DNS queries going to both places.

    Will be very interested in seeing what your tests show up. I’ve been communicating with tech support at StrongVPN but it’s an uphill slog. Although the last message did state that they had passed the issue on to their developers to look at.

    I see this as being a MS problem but the VPN vendors may want to give their clients a heads up.

  7. Yes, PrivateTunnel leaks DNS, although I’m not sure it can prevent it. I’m running on Win10 now, and it seems it (Windows) tries all available DNS servers and uses the fastest one, with no current workaround to stop that.

    I’ve set a specific DNS server on my VPN connection, but it’s still bypassing it. I blame Windows 10, and if PrivateTunnel even has the option of disabling this, I blame them too, but I don’t know that they do.

    1. Hi Hansi,

      VPN software should route all DNS requests to the VPN provider’s DNS translation servers (or third party servers if used.) The main cause for DNS leaks is that usually only IPv4 requests are routed in this way – the ‘DNS protection’ feature found on many VPN clients generally just disables IPv6. More information can be found in our article on Report raps VPNs for IPv6 DNS leakage. I haven’t yet dared to install Windows 10 on my PC thanks to the many security issues that have been found, but I will get around to writing an article on how to manually disable IPv6 in Windows 10. In the meantime, this article shows one way to do this.

      1. I have also recently upgraded my computer to Windows 10. My TCP/IPv4 setting was set to get DNS server addresses automatically from my router/DHCP server which in turn got them from my ISP. When I connected to my VPN (StrongVPN) and looked at a DNS trace with Wireshark I saw that every DNS request was being sent to the VPN DNS server but a duplicate DNS request was being sent to my local ISP’s DNS server. Responses came back from both places, sometimes with different IP addresses (which is OK) and it seemed that the local response was not passed up the network stack. However it did mean that a log of sites visited was available to my local ISP.

        I changed the DNS settings to explicitly go to my ISP’s DNS server instead of obtaining it automatically from them. This stopped windows from sending a duplicate DNS query when connected to the VPN.

        So now things work as I would like it. When not connected to the VPN all DNS queries go to my ISP and when connected to the VPN they only go through the VPN tunnel and are handled by the VPN’s DNS server.

        Can I assume that the DNS queries when connected to the VPN in this way are encrypted before leaving my computer?

        1. Hi MikeL,

          Well spotted! I’m glad that you fixed this problem (my PC is stubbornly refusing to upgrade to Windows 10, so I cannot check to see if this is a Win10 issue.) Yup, all DNS requests sent to the VPN provider’s servers are sent through the encrypted VPN tunnel.

          1. Douglas
            there does seem to be an issue or two with DNS client software in Win10. The one mentioned above is worrisome from a privacy perspective given that the majority of people will have their DNS settings on automatic and are assuming their VPN gives them browsing anonymity.
            I have 2 machines both running Win10 and with identical DNS and other network settings. When connected to the VPN one works fine but the other has real problems trying to browse internet sites and usually times out. Looking at the DNS trace on the second machine shows 2 identical DNS queries being sent to the 2 VPN DNS server addresses configured within a ms of each other (definitely not a timeout retransmission). Responses come back to both but both responses seem to get ignored as you see the queries being retransmitted, this time looking like a timeout retransmission. Eventually, but not always, a response will be handled and it works but the overall experience is slow to unusable and lots of failed URL connection attempts.
            I have 2 machines both running Win10 and with identical DNS and other network settings. When connected to the VPN one works fine but the other has real problems trying to browse internet sites and usually times out. Looking at the DNS trace on the second machine shows 2 identical DNS queries being sent to the 2 VPN DNS server addresses configured within a ms of each another (definitely not a timeout retransmission). Responses come back to both but both responses seem to get ignored as you see the queries being retransmitted, this time looking like a timeout retransmission. Eventually, but not always, a response will be handled and it works but the overall experience is slow to unusable and lots of failed URL connection attempts.

            The machine that works is a lot more powerful so I suspect a timing issue. The second machine seems to work on the VPN if I connect using Ethernet in place of Wifi. I’ve tried different wifi adaptors but that doesn’t seem to make a difference.

            Interesting !!

          2. Hi MikeL,

            Interesting indeed, and as you say, could be very bad for privacy. DNS translation is very quick (it’s basically just cross-referencing an address on a big database), so I’m not sure if the power of your computer is relevant (unless it’s very old!). If/when Microsoft gets around to fixing the upgrade error I am experiencing (or I get bored waiting and go through the hassle of a clean install) I will investigate.

  8. Hi, I was wondering whether or not PrivateTunnel causes DNS leaks, and whether or not my ISP can see my internet activity when using PrivateTunnel; I need a secure internet connection that my ISP can’t observe.

    1. Hi Smith,

      I am afraid that we have not reviewed PrivateTunnel (yet), although I will note that we rarely recommend VPN services that charge by bandwidth use. Any VPN will prevent your ISP seeing what you get up to on the internet. As for DNS leaks, why not try the free service and test for yourself (as discussed in this article)? Note that BestVPN now prefers to use the more comprehensive ipleak.net website to test for DNS leaks (although dnsleaktest.com continues to work just fine).

  9. Using Private Internet Access’ client, I checked dnsleaktest.com & it showed no leaks.
    However, I checked at a different time and typed dnsleak.com instead. Surprise surprise, that one did show that my DNS is leaking, while the first one doesn’t.
    I didn’t know about the DNS leak protection switch – thanks for the tip, I activated it & now the leak is gone.

  10. Hi Douglas,

    thank you for some very useful info; the right to privacy combined with near-instant world-wide communication is a fascinating area, central to so many bellwethers of human concerns and endeavors,

    regards,

    IV.

  11. “3. Change DNS severs and obtain a static IP

    Although not strictly a speaking a fix, changing DNS servers makes sure that your ISP is not snooping on you. ”

    Does it mean that if I use a VPN with DNS servers set manually, any resolution request will go that way :

    my ip -> my vpn ip -> DNS servers

    or that way ?

    my ip -> DNS servers

    1. Hi Thethe,

      DNS requests are usually handled by your ISP, but when using VPN they should be handled by your VPN provider instead. When a DNS leak occurs however, your computer reverts to its default DNS settings- those of your ISP. By changing your default DNS settings (servers), you ensure that in the event of a DNS leak, DNS requests are handled by a third party instead of your ISP.

      1. Thanks but that’s not exactly what I was asking.

        When I go to dnsleaktest.com, it shows my DNS. It’s not the DNS of my ISP since I’ve changed them, but it’s not the DNS of my VPN either.
        So does it mean that every resolution request go directly from my IP to the DNS servers instead of going thru the VPN ip?

        1. Hi Thethe,

          It seems that your VPN service is either not performing the DNS resolution properly (so you have a DNS leak), or possibly that it uses public DNS servers (the same ones that you have set your computer to). This is not unusual for smaller VPN services, and is not a major problem as the DNS request is made from the VPN server, not your real IP address. I would recommend that you contact the provider and ask about what is going on.

  12. Hi, Douglas,

    I am confused now. The article above says: “When you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers (rather than those of your ISP).” And you say I will be safe using VPN, even though my ISP doesn’t allow third-party DNS servers.

    1. Hi Serge,

      Please bear in mind that I have not encountered this situation before, so my answers are perforce somewhat speculative. When you connect to a VPN service, DNS resolution is performed by the VPN provider inside an encrypted VPN tunnel, completely bypassing your ISP. As your ISP cannot know what is going on inside the encrypted tunnel, it cannot be aware of any DNS resolution being performed, and so will be unable to block it. Your ISP will however be aware that you are connecting via VPN to a VPN server, and could in theory either try to block your VPN connection or suspend your internet connection (this last is very unlikely – even ISPs in China and Iran do not disconnect customers for using VPN, although they do try to block it). If VPN is blocked, or if you wish to hide its use, this article (bestvpncom.wpengine.com/blog/5919/how-to-hide-openvpn-traffic-an-introduction/) may be useful to you. Assuming that you will not get into trouble for even trying to use VPN, why not just take a provider up on one of the many free trials on offer, and see if it works?

  13. Thank you for your reply. My ISP is AKADO-Stolitsa JSC, Russian Federation.
    But if I use anonymizers (like Anonymouse), the ISP can only see that I am using a particular anonymizer, but not the sites I visit through that anonymizer, is that right? If so, then I expected VPNs to work similarly: I reach a VPN server through my ISP (through the ISP’s DNS server) and the ISP can see what VPN server I am using, but the ISP cannot see any further, since not only is the address of a site I am visiting encrypted, it is resolved through a DNS server of the VPN. That was my understanding.

    1. Hi Serge,

      Your understanding is correct. Like Peter, I have never heard of an ISP refusing to work if you don’t use its own DNS servers, but it can only do this because it can see that you are trying to access websites using a different DNS service. Using VPN should help, as your ISP will be unable to see what you are doing.

  14. Hi,

    if my ISP works with its own DNS servers only (so that when I try to change to third-party DNS servers, the internet connection effectively ceases), are VPNs pointless in this situation?

    1. Hi Serge

      Could you tell us your ISP? We haven’t heard of this kind of limitation before. It will still be effective to some extent, as you can set the DNS to your ISP’s (with certain providers anyway), so you should still be able to get a tunnel going with a different geo-location IP, but of course your ISP would see basically everything you do.
      But as I say, can you tell us your ISP and we’ll look into it further.

      Peter

  15. People using Torguard have experienced leaks. Only recently have they provided addresses for their own DNS servers. They claimed this was automatic yet it wasn’t.

    1. Hi Jolirojer,

      That is a very interesting question, and there is no simple answer. VPN clients mess with your OS’s routing tables, and are therefore not suitable to run as discrete mobile USB apps. Your best solution would probably be to use a Linux distro on a USB stick, which you can set up to run through VPN. You can then boot directly into a secure Linux environment, with VPN all ready to go. Surfbouncer (www.surfbouncer.com/VPN_flash_drive.htm) offers such a service pre-configured (but is expensive and we have not reviewed Surfbouncer yet), but it is easy to do for yourself. The secure and free TAILS OS (https://tails.boum.org/) works in a similar way, except that it uses Tor instead of VPN. You might also be interested in a discussion about just this subject that we found at http://portableapps.com/node/23840.

  16. hi,

    I was wondering if you have any tips on VPN service providers that let you run the VPN software directly off a USB key device, without having to install any software on the host computer?

    thanks

    // Rojer
