WARNING! Windows 10 VPN Users at Big Risk of DNS Leak - BestVPN.com


Douglas Crawford


September 23, 2015

A new “feature” in Windows 10 means that DNS requests are sent not just through your VPN tunnel, but also out of your ISP-facing local network interface. By default, Windows 10 tries to speed up web browsing by sending each DNS request in parallel to the DNS servers on every available interface at once, and (at least in theory) using whichever answer comes back first.

This is a major issue for VPN users. It means that your ISP (and anyone listening in on your local network) can see from your DNS requests which websites and services you visit, even though the traffic itself goes through the VPN. Because the first answer wins, it also opens the way for an attacker on the local network to hijack your DNS requests simply by answering faster than the legitimate server (DNS spoofing). In addition to this, there are reports of Windows 10 users suffering slow page loading and timeouts due to this behaviour.

The problem has led the United States Computer Emergency Readiness Team (US-CERT), part of the US Department of Homeland Security, to issue an alert.

Smart Multi-Homed Name Resolution

DNS refers to the Domain Name System, which translates domain names (www.bestvpn.com) into numerical IP addresses. This translation is usually performed by your ISP, using its DNS servers, so your ISP sees every name you look up. But when you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers, rather than to those of your ISP.

Under Windows 7, all DNS requests were made in simple order of DNS server preference: the servers on the preferred interface were used, and others were only tried if those did not respond. This changed in Windows 8, when Microsoft enabled “Smart Multi-Homed Name Resolution” by default. This sends DNS requests out on all available interfaces, but only accepts answers from non-preferred servers if the main DNS server fails to respond.

This makes Windows 8.x systems liable to DNS leaks (the queries still go out on every interface, so your ISP still sees them), but at least makes it unlikely that DNS requests will be hijacked, because the preferred server’s answer is the one used. Windows 10, on the other hand, simply accepts whichever answer arrives first, which presents a major security risk: anyone who can reply faster than your VPN provider’s DNS server decides where you end up.

VPN clients that feature “DNS leak protection” should disable Smart Multi-Homed Name Resolution in earlier versions of Windows, but this may not work in Windows 10 (and behaviour varies between clients). Users of clients without this feature (including the generic open source OpenVPN client) will almost certainly be liable to DNS leaks under Windows 10 unless they apply one of the fixes below.
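To see which interfaces a multi-homed Windows client will actually hand DNS queries to, the following PowerShell snippet is added here as an example; it is not from the original article or from any VPN client. It lists every connected interface that has DNS servers configured (each of those is a target for Smart Multi-Homed Name Resolution, and on Windows 10 each one’s answer can win) and reads the two registry values that govern the behaviour. The VPN adapter alias is an assumption; check yours with Get-NetAdapter.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on Windows 8.1/10. It lists every connected interface that has DNS servers
# configured (each one is a target for Smart Multi-Homed Name Resolution) and
# reads the two registry values that control the behaviour.

function Get-DnsQueryTargets {
    param(
        # Assumption: alias of the VPN adapter; check with Get-NetAdapter.
        [string]$TunnelAlias = 'TAP-Windows Adapter V9'
    )
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $ipif = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                Metric     = $ipif.InterfaceMetric
                State      = $ipif.ConnectionState
                DnsServers = ($_.ServerAddresses -join ', ')
                IsTunnel   = ($_.InterfaceAlias -eq $TunnelAlias)
            }
        } |
        Where-Object { $_.State -eq 'Connected' } |
        Sort-Object Metric
}

function Get-SmhnrRegistryState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $cacheKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

    # Value written by the 'Turn off smart multi-homed name resolution' policy.
    $policy = Get-ItemProperty -Path $policyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
    # Dnscache parameter that stops A/AAAA queries going to all servers in parallel.
    $parallel = Get-ItemProperty -Path $cacheKey -Name DisableParallelAandAAAA -ErrorAction SilentlyContinue

    $policyValue   = if ($policy)   { $policy.DisableSmartNameResolution } else { 'not set (SMHNR on)' }
    $parallelValue = if ($parallel) { $parallel.DisableParallelAandAAAA } else { 'not set (parallel on)' }

    [pscustomobject]@{
        DisableSmartNameResolution = $policyValue
        DisableParallelAandAAAA    = $parallelValue
    }
}

$targets = Get-DnsQueryTargets
$targets | Format-Table -AutoSize

# Any connected, non-tunnel interface with DNS servers is a leak path: on
# Windows 8.x it still receives the query; on Windows 10 its answer may also win.
$leakPaths = $targets | Where-Object { -not $_.IsTunnel }
if ($leakPaths) {
    Write-Warning ('DNS queries can leave via: ' + ($leakPaths.Interface -join ', '))
} else {
    'Only the tunnel interface has DNS servers configured.'
}

Get-SmhnrRegistryState | Format-List
```

Run it with the VPN connected. A clean result is a table whose only connected row is the tunnel adapter; a LAN or Wi-Fi row with its own DNS servers is exactly the interface your ISP-facing queries leave through, whatever the interface metric says.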

Fixes for Smart Multi-Homed Name Resolution DNS leak

1. There is now an OpenVPN plugin by ValdikSS (https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin) that fixes this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them). This is the recommended solution. OpenVPN 2.3.9 and later build the same protection in as the “block-outside-dns” option (Windows only), which uses the Windows Filtering Platform to block DNS traffic on every interface except the tunnel while the VPN is connected; add “block-outside-dns” to the client .ovpn file, or have the server push it, as several readers describe in the comments below.

2. In theory, it is possible for users of some* versions of Windows 8, Windows 8.1 and (especially!) Windows 10 to turn off Smart Multi-Homed Name Resolution using the Local Group Policy Editor (gpedit.msc), under Computer Configuration > Administrative Templates > Network > DNS Client > “Turn off smart multi-homed name resolution”. Avast has published some instructions on how to do this.


*The ‘Turn off smart multi-homed name resolution’ option is not available to users of Windows Home editions, which do not ship the Group Policy Editor.

As reader Arthur T. has noted, however, if you look carefully at Microsoft’s description of the “Turn off smart multi-homed name resolution” setting in the Group Policy Editor, enabling it does not stop the parallel queries at all. The policy text says that DNS queries are still issued across all networks first, and that only the LLMNR and NetBT fallbacks are held back until the DNS queries fail. The parallel DNS queries that cause the leak are therefore still sent, even with the setting enabled.

This means that this “solution” is a partial one at best.


Luckily, the OpenVPN plugin mentioned above should fix the problem (for most people) anyway. Whew!
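For readers who still want the registry-level mitigations in place alongside the plugin, the following PowerShell snippet is added here as an example; it is not from the original article, from ValdikSS, or from any VPN client. It writes the value that the “Turn off smart multi-homed name resolution” policy sets (which is also the usual way to apply it on Home editions, which lack gpedit.msc), writes the Dnscache “DisableParallelAandAAAA” parameter quoted in the comments, and raises the LAN interface metric as reader Stefan K. suggests below. The adapter alias and metric are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Applies the two registry-level mitigations and the interface-metric change
# discussed on this page, then shows the resulting interface order.

# Assumptions: alias of the physical adapter, and a metric higher than the
# VPN adapter's (check both with Get-NetIPInterface -AddressFamily IPv4).
$LanAlias  = 'Ethernet'
$LanMetric = 50

function Set-DnsDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    # Return what is actually stored so the caller can verify it.
    (Get-ItemProperty -Path $Path -Name $Name).$Name
}

# 1. The value the Group Policy Editor writes for 'Turn off smart multi-homed
#    name resolution' = Enabled. Per the policy text, DNS queries are still
#    issued across all networks; only the LLMNR/NetBT fallback order changes.
Set-DnsDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'DisableSmartNameResolution' 1

# 2. The Dnscache parameter quoted in the comments: 1 stops A/AAAA queries
#    being sent to all configured DNS servers in parallel.
Set-DnsDword 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' 'DisableParallelAandAAAA' 1

# 3. Raise the LAN interface metric so the VPN adapter's DNS servers are
#    preferred whenever the resolver does honour interface order. Only the
#    LAN metric is changed; the VPN adapter keeps its own.
Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv4 -InterfaceMetric $LanMetric

# Reboot for the Dnscache parameter to take effect, then confirm the order:
# the VPN adapter should now sort above the LAN adapter.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState
```

None of these three settings blocks DNS packets on the other interfaces; they only change which servers the resolver prefers and whether it queries them at once. The ValdikSS plugin and OpenVPN’s “block-outside-dns” do block them, at the filtering layer, which is why they remain the recommended fix. Whichever you apply, confirm the result afterwards with a leak test such as ipleak.net, as readers in the comments do.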

Douglas Crawford
August 30th, 2017

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

41 responses to “WARNING! Windows 10 VPN Users at Big Risk of DNS Leak”

  1. Larry Asiodora says:

    Is it “normal” to see loads of LLMNR packets on the tun0 interface, immediately after being connected to a PureVPN server through OpenVPN? What are name resolution requests doing within a “private” tunnel?

    1. Douglas Crawford says:

      Hi Larry,

      Well… as long as all the DNS resolution requests are going through the tunnel (tun0 interface) to be handled by PureVPN, then there isn’t a problem. If they are also going outside the tunnel then you have a problem.

    1. Douglas Crawford says:

      Hi Greg,

      Thanks! That’s a great link.

  2. Franck says:

    Thank you very much for letting us know!

  3. Franz says:

    Great post. Lifesaver, I would say. I found the reason why the only way to use the IPVanish DNS servers was to force them into the adapter’s “preferred” DNS servers. Enabling that service now solved everything.
    Thanks again for your work.

  4. gggirlgeek says:

    One thing that is not clear in both of your articles about DNS leaks is whether router DNS settings will guard against leaks.

    If I change my router to another DNS:
    *Will Windows 10 still leak to my ISP?
    *Will Windows 7, Android, iPhone, etc. leak to my ISP (on same wifi)?

    Note: I am asking regardless of VPN — many other devices are on my network without custom DNS settings — i.e. Android, iPad, PS3, etc.

    1. Douglas Crawford says:

      Hi gggirlgeek,

      – In general, if you change router DNS settings, the outside world will see those settings (not those of your PC/iPhone/Android device/PS3, etc.).
      – This should also be true even when Windows uses Smart Multi-Homed Name Resolution, as all DNS requests still have to go through via the router.
      – Your real IP address can still be detected (and reported) by WebRTC, however (on almost all platforms, depending on which browser you use).

      1. gggirlgeek says:

        Yes, I have WebRTC blocked in all my browsers.

        According to this article at HowToGeek.com, simply setting your DNS servers manually in all of your network connections, disabling WebRTC in Firefox and Chrome, and changing your DNS servers in your router should do the trick for Windows 10. http://www.howtogeek.com/253475/how-to-see-if-your-vpn-is-leaking-your-personal-information/

        Personally, I am using a socks5 proxy tunnel in my browsers and apps that require privacy. I have passed the leak tests with this combo so far. Woo hoo!

  5. Arthur T. says:

    Unfortunately–but not surprisingly–the Group Policy “solution” isn’t a solution at all. This is because the setting doesn’t disable multi-homed DNS. If a DNS query fails, the Windows 10 system will still fail over to the other DNS query methods. Here is a direct quote from the “Turn off smart multi-homed name resolution” setting in the Group Policy editor on a Windows 10 Pro 1607 system. This verbiage pertains to the “Enabled” status for this setting:

    “DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.”

    So, if I read this correctly, you’re safe only if DNS queries always work. Like that’s going to happen.

    1. Douglas Crawford says:

      Hi Arthur,

      As I clearly state in the article, the best solution is to use the OpenVPN plugin by ValdikSS.

      1. Arthur T. says:

        No, you don’t state that the OpenVPN plugin is the “best solution.” Besides, it’s not an option to all.

        You do state that one can “disable Smart Multi-Homed Name Resolution using the Local Group Policy Editor,” which is inaccurate.

        1. Douglas Crawford says:

          Hi Arthur,

          Re-reading through the article, I can see that I could have made the point that the plugin is the best solution to this problem clearer. You are also completely right that the option to disable Smart Multi-Homed Name Resolution using the Local Group Policy Editor is a partial one at best. Thank you for bringing this to my attention. I have updated the article accordingly.

    2. Darkangael says:

      It’s actually worse than that. Parallel DNS is never turned off by this setting (DNS is issued across *all* networks first). LLMNR and NETBT aren’t actually threats as they only go to your link-local networks. Could be a problem if your PC is directly connected to the Internet (which it should never be) but otherwise they won’t go further than your local network segment.

      LLMNR is Link-Local Multicast Name Resolution. It sends a multicast request on the link-local network (your switch) to see if your neighbours have the name.

      NETBT is NetBIOS over TCP. It’s going to look up workgroup names, again on your local network.

      As such, turning off this feature may protect you from compromised hosts on your LAN, but otherwise you’re shooting yourself in the foot (less optimisation) for little to no benefit.

      If you want to disable parallel DNS (which is actually different to SMHNR) then you want the following (from http://superuser.com/a/970322):

      “DisableParallelAandAAAA (DWORD)

      In registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters.
      The value is 0 to enable, 1 to disable DNS A and AAAA queries from executing in parallel on all configured DNS servers, with the fastest response being theoretically accepted first.”

      1. Douglas Crawford says:

        Hi Darkangael,

        Thanks for the info and link. It is still the case, though, that the easiest solution is to use the OpenVPN plugin by ValdikSS.

  6. Mateo Sevorg says:

    I am using OpenVPN 2.3.11 with my Windows 10 box.

    I have tried simply updating my configuration file on both my client and server with the ‘block-outside-dns’ and it does not seem to be working. Am I missing something?

    Thanks in advance for your help/reply.

    1. Douglas Crawford says:

      Hi Mateo,

      Use the OpenVPN plugin by ValdikSS.

    2. Stefan K. says:


      Try “block-outside-dns” in the client config or “push block-outside-dns” in the server config. It did work for me (OpenVPN 2.3.11). After that, everything should work OK (the VPN DNS gets used) BUT nslookup does not work any more! Only other programs using DNS, like telnet, ping, Firefox, tracert...!

      My hint is to change the metric on the LAN interface from automatic to e.g. 50, without using “block-outside-dns” at all. This way even IPsec seems to work, and Windows 10 always uses the DNS server of the VPN interface because of its smaller metric (the VPN interface’s, rather than the LAN interface’s). Give it a try!


  7. vb says:

    Hi; this is a very useful article; quite helpful. I am finding through the years that computers are getting less and less “user friendly”, so for a lay person like me (and with too many years behind me to become an expert now...), folks like you who diligently take the time to inform in untechnical language are life-savers. Keep up the good work. Now, I want to clarify: is this procedure strictly for VPN clients only, or is this something I should be doing now? (I found your article searching for recommendations of VPNs for Windows 10, so I haven’t chosen one as of yet.) I had a tablet on which I used a VPN before; it worked great for a good while, and then I guess it leaked, as it did get hacked into at a public wifi. I don’t use public wifis now, but I do use my wifi, so I intend to get a VPN. Thanks for your answer.

    1. Douglas Crawford says:

      Hi vb,

      Thanks! Using a VPN will protect you while using public WiFi networks (as all your data is encrypted). As for the Windows 10 Smart Multi-Homed Name Resolution issue discussed in this article, there is now an OpenVPN plugin to fix this problem (https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin). You should install this once you have installed your chosen VPN provider’s OpenVPN software. It should work with all versions of Windows, and will also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them).

      1. Mike says:

        Hi Douglas.

        I just tried that. I downloaded the 64-bit and installed into HMA Pro VPN/config. I then went to https://ipleak.net/ and it still shows my real IP address under WebRTC detection. None of those add-ons for either Chrome or Firefox work either. Boy have they made this hard for us.

        1. Douglas Crawford says:

          Hi Mike,

          The WebRTC problem is a different issue to the “Smart Multi-Homed Name Resolution” problem discussed in this article. Please check out my article on The WebRTC VPN “Bug” and How to Fix It. For the full low-down on the different ways your real IP can be detected when using VPN, check out A Complete Guide to IP Leaks

          1. Mike says:

            Hi Douglas.

            Yes, I’ve read that link. I realized after posting that the IPv6 leak had nothing to do with WebRTC. That being said, I was finally able to fix the WebRTC problem. I installed WebRTC Network Limiter and now WebRTC doesn’t leak in the ipleak test. I coulda sworn I had tried that a couple of weeks ago. Either it was a different extension I tried or they’ve updated it since I last tried.

            Now for this IPv6 leak... I just ran a test on http://test-ipv6.com/ and it says I don’t even have access to IPv6 and that I’m only using IPv4. So I guess I have nothing to worry about now?

          2. Douglas Crawford says:

            Hi Mike,

            Yes. Disabling IPv6 will prevent IPv6 leaks. The only VPN provider I know of to properly route IPv6 calls is Mullvad (at least this is what it claims, and Mullvad is a trustworthy provider.)

  8. JPH says:

    As of 29 November, the solution for Windows 10 Home Edition users does not work, and DNS leaks to third parties as well as ISP.

    1. Douglas Crawford says:

      Hi JPH,

      As noted in the article, this “solution” was always a partial workaround at best. Fortunately, there is now an OpenVPN plugin to fix this problem. It should work with all versions of Windows, and will probably also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)

  9. Jim Alles says:

    turning off IPv6 is not such a good idea anymore, it will break such things as HomeGroups.

    1. Douglas Crawford says:

      Hi Jim,

      This might be true (and is true for Windows HomeGroups), but until VPN clients start to properly support routing all IPv6 requests through the VPN, turning off IPv6 is the only reliable way to prevent IPv6 DNS leaks... It really is about time VPN providers pulled their thumb out on this issue!

  10. George McClure says:

    As a windows home user I find that the TCP/IPv6 is enabled ( checked ) and that I am not able to un select it. Can you provide any suggestions?

    1. Douglas Crawford says:

      Hi George,

      The official Microsoft instructions are here. Microsoft provides an executable script to disable IPv6 automatically, and also manual instructions for disabling IPv6 using the registry (a version of these instructions with screenshots is also available here.) I run Windows 8.1 Professional, so if you let me know how you get on, I would be grateful (and will update this article accordingly.)

  11. Dave says:

    Very useful article, it helped me improve my security settings. Thanks.

  12. Darrel says:

    I need to correct my statement regarding DNS leakage. When using Chrome I do get leakage. With Firefox I have no problem.

  13. Darrel says:

    I’m still running Windows 10 insider and I cannot find it on my system. I use a VPN which has an option in settings for DNS leak protection. So far, for the last 6 months I show no leakage using the “Tools to check your IP info”.

  14. J says:

    Very grateful for the post on Windows 10 VPN. Thank you

  15. Sean O'Donnell says:

    It seems that the Windows 10 Home version, the free one I downloaded, does not support group policies and so does not have gpedit.msc enabled.


    I think this means your warning does not apply to Windows 10 home version users. If I am wrong, I would like to hear more about it. I could not find gpedit.msc on my computer. The search only offered to download it.


    1. Douglas Crawford says:

      Hi Sean,

      Thanks for the feedback. Unfortunately my Windows is refusing to let me upgrade to Windows 10 at the moment, and even when/if it does it will be to the Pro version. I would therefore be interested in hearing feedback from other Windows 10 Home users on this issue. Have you visited ipleak.net? Does it detect any DNS leaks from your system?

      1. MikeL says:


        the DNS leakage absolutely occurs with Windows 10 home version. As described in the discussion after the “4 ways to prevent a DNS leak” I described my experiences with my VPN connection and Windows 10 (this was Home Edition). Douglas’ addition to the article above for Windows 10 Home users does prevent the DNS leakage.


        1. Douglas Crawford says:

          Hi Mike,

          It is true that the advice I published above is more of a partial workaround than a true solution (as I make very clear), but it should be quite effective (especially if you are using your VPN provider’s DNS settings).
