
WARNING! Windows 10 VPN Users at Big Risk of DNS Leak

A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.

This is a major issue for VPN users. It means that your ISP (and anyone listening in on your local network) can learn from your DNS requests which websites and services you have visited. It also opens the way for attackers to hijack your DNS requests (DNS spoofing). In addition, there are reports of Windows 10 users suffering slow page loading and timeouts because of this behaviour.

The problem has led the United States Computer Emergency Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.

Smart Multi-Homed Name Resolution

DNS refers to the Domain Name System, used to translate domain names (www.bestvpn.com) into numerical IP addresses (216.172.189.144). This translation is usually performed by your ISP, using its DNS servers. But when you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers, rather than to those of your ISP.

Under Windows 7, all DNS requests were made in simple order of DNS server preference. This changed in Windows 8, when Microsoft enabled “Smart Multi-Homed Name Resolution” by default. This sent DNS requests out on all available interfaces, but only used the answers from non-preferred servers if the main DNS server failed to respond.

This makes Windows 8.x systems liable to DNS leaks, but at least makes it unlikely that DNS requests will be hijacked. Windows 10, on the other hand, simply accepts whichever DNS response arrives first, whatever interface it came in on, which presents a major security risk.

VPN clients that feature “DNS leak protection” should disable Smart Multi-Homed Name Resolution in earlier versions of Windows, but this may not work in Windows 10 (and may vary by individual client). Users of clients without this feature (including the generic open source OpenVPN client) will almost certainly be liable to DNS leaks under Windows 10.

Fixes for Smart Multi-Homed Name Resolution DNS leak

1. There is now an OpenVPN plugin by ValdikSS that fixes this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them). This is the recommended solution.

2. In theory, it is possible for users of some* versions of Windows 8, Windows 8.1, and (especially!) Windows 10 to disable Smart Multi-Homed Name Resolution using the Local Group Policy Editor. Avast has published some instructions on how to do this.

[Image: Disable Smart Multi-Homed Name Resolution DNS leak fix]

*The ‘Turn off smart multi-homed name resolution’ option is not available to users of Windows Home Editions.

As reader Arthur T. has noted, however, if you look carefully at Microsoft's description of the “Turn off smart multi-homed name resolution” setting in the Group Policy Editor, Windows will still fall back to using Smart Multi-Homed Name Resolution when other DNS queries fail, even when the setting is enabled.

This means that this "solution" is a partial one at best.
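The following PowerShell script is an added example, not code from the article or from any of the clients it mentions. It ties together the two points above: it lists every interface that has DNS servers configured (each of these receives a copy of every query while Smart Multi-Homed Name Resolution is active, so any non-VPN row is a path out of the tunnel), reads the registry value that the “Turn off smart multi-homed name resolution” policy writes, and offers a function that sets that value directly, which is useful on Home editions that lack gpedit.msc. It assumes an elevated session and that the VPN adapter’s name matches the pattern in `$VpnAdapterPattern` (an assumption; adjust it for your client).

```powershell
# Added example (not from the article): audit a Windows 10 system for the
# conditions under which Smart Multi-Homed Name Resolution (SMHNR) leaks DNS
# queries outside the VPN tunnel, and optionally apply the policy fix.
# Assumptions: elevated PowerShell; the VPN adapter alias matches $VpnAdapterPattern.
# $PolicyKey / $PolicyName are the registry location written by the
# "Turn off smart multi-homed name resolution" Group Policy setting.

$VpnAdapterPattern = 'TAP|OpenVPN|VPN'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyName = 'DisableSmartNameResolution'

function Get-SmhnrState {
    # Returns $true when the policy value exists and is set to 1 (SMHNR turned off).
    $value = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.$PolicyName -eq 1)
}

function Get-DnsExposure {
    # One row per IPv4 interface that has DNS servers configured. With SMHNR on,
    # every such interface gets a copy of each query, so the non-VPN rows are the
    # channels through which the ISP or the local network can observe lookups.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                DnsServers = ($_.ServerAddresses -join ', ')
                IsVpn      = [bool]($_.InterfaceAlias -match $VpnAdapterPattern)
            }
        }
}

function Disable-Smhnr {
    # Writes the same DWORD the Group Policy setting would, then flushes the
    # resolver cache so stale answers obtained via other interfaces are dropped.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -PropertyType DWord -Force | Out-Null
    Clear-DnsClientCache
}

# --- Report ---
$exposure = Get-DnsExposure
$exposure | Format-Table -AutoSize

if (Get-SmhnrState) {
    Write-Host 'Policy: SMHNR is turned off. Windows may still fall back to it if the preferred servers fail.'
} else {
    Write-Host 'Policy: SMHNR is ON (Windows default).'
}

$leakPaths = @($exposure | Where-Object { -not $_.IsVpn })
if ($leakPaths.Count -gt 0) {
    Write-Warning ('{0} non-VPN interface(s) have DNS servers configured; queries can leave the tunnel.' -f $leakPaths.Count)
}

# To apply the registry fix, run:  Disable-Smhnr
```

Treat the policy check as the partial measure the article describes: a clean report from `Get-SmhnrState` does not by itself prove that no query leaves the tunnel, so follow it with a DNS leak test while connected. For OpenVPN users, releases from 2.3.9 onward ship the ValdikSS approach built in as the `block-outside-dns` directive for the .ovpn file, which blocks DNS on non-tunnel interfaces at the Windows Filtering Platform level rather than relying on the resolver policy.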


Luckily, the OpenVPN plugin mentioned above should fix the problem (for most people) anyway. Whew!

Written by: Douglas Crawford

With over five years’ experience at the sharp end of the VPN industry, Douglas is a recognized cyber-privacy expert. His articles have been published by numerous technology outlets, and he has been quoted by the likes of The Independent, Ars Technica, CNET and the Daily Mail Online.

43 Comments

  1. CHenty
    on November 5, 2018
    Reply

    Has this been done intentionally or is it some kind of a deeper issue? I use Surfshark VPN. I have checked my connections to confirm that there were no DNS leaks several times but if this is a serious issue could DNS leak without even being able to see it on the tests that you can find online? I mean, my VPN speeds are great and it's stable 90% of the time so I don't really suspect anything and only check once in a while. Also, I didn't get any letters from ISP even though I torrent almost all the time. I would think that I'm safe.

    1. douglas replied to CHenty
      on November 5, 2018
      Reply

Hi Charles, Well, Smart Multi-Homed Name Resolution is a deliberate feature designed to speed up DNS resolution. It just seems that the Microsoft team didn't take VPN users into account when designing it. If you have checked for DNS leaks and haven't found any then you should be good.

  2. Larry Asiodora
    on September 19, 2017
    Reply

    Is it "normal" to see loads of LLMNR packets on the tun0 interface, immediately after being connected to a PureVPN server through OpenVPN? What are name resolution requests doing within a "private" tunnel?

    1. Douglas Crawford replied to Larry Asiodora
      on September 19, 2017
      Reply

      Hi Larry, Well... as long as all the DNS resolution requests are going through the tunnel (tun0 interface) to be handled by PureVPN, then there isn't a problem. If they are also going outside the tunnel then you have a problem.

  3. Greg
    on August 30, 2017
    Reply

Thanks, scary stuff, and a problem if you can't use OpenVPN solutions. You might be interested in this link that gives Windows 10 Home users an easy way to install Group Policy Editor: https://www.itechtics.com/easily-enable-group-policy-editor-gpedit-msc-in-windows-10-home-edition/

    1. Douglas Crawford replied to Greg
      on August 30, 2017
      Reply

      Hi Greg, Thanks! That's a great link.

  4. Carl
    on July 17, 2017
    Reply

In my point of view the best VPN for Windows, as I'm using, is https://www.onevpn.com/windows-vpn/. It's great and reliable in price.
