What Is a DNS Leak? Here's How To Prevent It

You know they are spying on you online, don’t you? 

This isn’t another conspiracy theory. It’s merely a fact you need to know before you understand what a DNS leak is and why it matters.

So, who’s they?

Well, we can start with your ISP, continue with corporations, and reach national agencies and governments.

Businesses do it for better ad-targeting, thus making more sales and increasing their revenue. Security agencies mostly want to make sure you aren’t building a bomb in your basement. 

The other reason is someone could be using the Web for criminal activities. In that case, logging your behavior might be acceptable.

We can all agree that terrorism and crime prevention are admirable. 

Still, what about our online privacy?

There are over one billion people worldwide who use VPN services to stay safe and anonymous online. 

Unfortunately, if your DNS leaks, the primary purpose of a VPN service becomes moot. 

So, if you believe that what you do online should be strictly your business, keep reading.

Alright then, let’s start with the basics.

What Is a DNS?

Let’s find out the meaning of DNS, for starters. The acronym stands for “Domain Name System.” You can think of it as an online version of the Yellow Pages.

For instance, when you type in “TechJury.net” in your browser, your device asks a DNS server where to find it.

See, computing is based on math, and it doesn’t get along with words that well. The Web prefers numbers. The domain names are just a human-friendly mask of the real address of a website.

For instance, the real address of example.com is 93.184.216.34, but no one in their right mind can remember all the websites’ addresses. That’s why the Domain Name System translates a domain name to an IP address, so your device could reach the desired content. 

Here’s how it works:

So you see, there are several DNS servers, which communicate with each other to carry out your requests. Let’s break it down step-by-step. 

What Is a DNS Server?

The DNS server is essentially a server with databases of IP addresses. When you type in a URL in your browser, a DNS resolver will communicate with other DNS servers to find the IP address of the particular website. A DNS resolver, a.k.a. a DNS lookup tool, transforms the domain name into the IP of the website. Since the domain name itself doesn’t provide enough information, a DNS resolver finds its IP, thus gaining knowledge of where exactly the site is and how to reach it. You can think of the online space as a treasure map. X marks the spot of the site you want to visit. Still, without a DNS lookup, your device wouldn’t have a clear idea of where to start the search.

These DNS servers are also known as nameservers (NS). You can check a nameserver to find out information about a website – like where it’s hosted, what its IP is, etc. 

This is especially helpful if you want to check out a brand, or a website (especially ecommerce sites) to avoid any online frauds. There are many tools you can use to find information about a specific website – here’s an example of an NSlookup online tool.

Now.

Usually, you don’t have to worry about DNS servers. Your ISP runs its own, and your router acts as a gateway between your device and the DNS server. So once you search for a website, the ISP’s DNS server finds out where its resources are located – like pictures, videos, text, etc. That’s how sites appear on your screen.

If you are wondering what DNS server your device uses, and who owns it – you can check its DNS via the What is my DNS server website.

Unfortunately, a DNS server (like any other technology) could fall victim to a cyber attack.

What Is DNS Hijacking?

There are two types of DNS hijacking. 

One is the so-called transparent DNS proxy which ISPs usually use. It intercepts your requests and forces them to go through the ISP’s server. Thankfully, a DNS leak test could easily find out if your ISP is using a transparent DNS proxy. 

The other type of DNS hijacking is when a cybercriminal takes control over a DNS server. It’s also known as DNSChanger malware. That way, the corrupted DNS server could redirect you to a fake version of the site you’re trying to reach. The FBI even published a report on the threat. 

So, if you have any doubts about a website, make sure you do a quick background check before you interact with it in any way.

• Do a nslookup online to find the site’s IP.
• Once you obtain it, perform a DNS check via this website. If you see something like the next picture, contact your ISP, or change your DNS server (more on that later.)

For this example, I used the IP of a malicious website.Here’s how it should look if everything’s fine, like with Techjury’s site:

Alright, now that you know what a DNS is and how it works, let’s take it further. 

What Is a DNS Leak and Why Does It Matter?

There’s one relevant question you can ask yourself– “What is my DNS, and is it secure?”

You can find the answer by asking Mr. Whoer. It’s a useful tool, which provides tips on how to improve your privacy. 

Anyway, back to what a DNS leak is.

As mentioned before, your requests travel through your ISP’s DNS server. So, in theory, your ISP knows everything you do online. That’s why a DNS leak is a serious privacy issue. Your ISP logs your IP, the sites you visit, and their IP addresses. 

In a perfect world, you shouldn’t care that your ISP monitors all your internet traffic. Unfortunately, that’s not the world we live in. 

But it gets worse.

Your Internet service provider can sell your data to third parties – like corporations or malicious actors. This data includes your browsing history, the physical location of your device, your name, and other sensitive information. There’s even an experiment by Vice.com that proves it. 

You see, your ISP’s monitoring isn’t wrong by itself. The problem is that it can sell or hand out (if an agency demands it) your data. Usually, whoever buys this data has a financial benefit in mind. Be it to show you better-targeted ads, or to use your information for criminal activities. 

So, If you aren’t taking any precautions to ensure the safety of the “online you,” you can forget about online privacy. Thankfully, we’ll fix that by the end of this article.

Your personal data isn't a product for sale. That’s why you should protect it. Find out how.

That’s one of the reasons why more and more people get a VPN - to ensure their online safety and anonymity. Unfortunately, your DNS may leak even if you use a VPN. 

Usually, a VPN service guides your data streams through an encrypted tunnel. Although it’s considered secure, sometimes not all of your data goes through that tunnel. Instead, it can leak to your ISP or a third-party’s DNS server.

So before you start trusting your VPN service, make sure you perform a DNS leak test first. Generally, it’s a good rule of thumb to test a VPN before you pay money for it. If you need any help with this task - we tested this and many other important factors, when choosing a VPN service in our evaluations.

Now you know how a DNS leak can jeopardize your online privacy. So let’s see what may cause this issue.

What Causes a DNS Leak and How To Fix It?

Many problems can lead to DNS leaks, no matter if you are using a VPN or not. Coming up next are the most common ones.

#1 - Smart Multi-Homed Name Resolution

Since Windows 8, Microsoft has added Smart Multi-Homed Name Resolution (SMHNR). This feature enables DNS requests to search for other servers outside of the VPN tunnel - in case the central DNS server fails to respond. 

In theory, Windows searches for “the fastest server.” In practice, however, It makes Windows devices liable to DNS leaks. 

The SMHNR could eventually open the door for cybercriminals, even if you are using a VPN. 

How to Disable Smart Multi-Homed Name Resolution

You can find the SMHNR feature in Windows 8, 8.1, and Windows 10. 

How to Disable SMHNR for Windows 8/8.1?

To disable the feature for Windows 8 and 8.1, you have to change your DNS server manually. Here’s how to do it:

• Right-click on the “Network” icon.
• Select “Properties.”
• Click on “Change adapter settings.”
• Right-click on your network and choose “Properties.”
• Scroll down to find “Internet Protocol Version 4.” Double-click on it.
• There you can type in the preferred DNS server you wish to use.

How to Disable SMHNR for Windows 10?

• Press “Windows” + R to open the run tab on Windows 10.
• Type in “gpedit.msc” to open the Local Group Policy Editor.
• Go to Administrative Templates -> Network -> DNS Client.
• Double-click on “Turn off smart multi-homed name resolution.”
• Select “Enabled,” click “Apply,” and then “OK.” 

When you finish this operation, perform a DNS leak test to make sure everything works.

#2 – Teredo

Once again, Microsoft aims to enhance its OS, making VPN users unhappy in the process. The billion-dollar company created Teredo to improve the compatibility between IPv4 and IPv6. The Internet Protocol version 4 (IPv4) is the most common standard for IP addresses. It represents four sets of up to three digits – like 221.221.221.221. There are “only” four billion IPv4 addresses, which will eventually run out. That’s why IPv6 was developed. IPv6 is IPv4’s successor. Since the number of IPv4 addresses is limited, the new IPv6 standard enlarges that number immensely. It consists of eight sets of up to four characters, including both letters and numbers – like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IPv6 expands the number of available addresses to 340 trillion trillion trillion (that’s 340 undecillion). In simple words, Teredo allows IPv4 connections to read IPv6 addresses. 

In essence, this feature aims to improve users’ online experience and provide extended access to websites. Unfortunately for VPN users, Teredo is a tunneling protocol, which can redirect requests away from the VPN tunnel, thus allowing DNS leaks to happen. 

How to Disable Teredo?

This one is relatively easy to remove. Here’s a step-by-step guide.

• Open your command prompt (Press “Windows” + R, type “cmd” in the Run box).
• Type in “netsh” -> “interface” -> “teredo” -> “set state disable”.
• If you want to be sure you’ve disabled it, type in “show state.” 

#3 – IPv6

Although IPv4 addresses are still the majority throughout the Web, IPv6 is slowly, but surely becoming the new standard for IP addresses. 

When you use a VPN which doesn’t support IPv6, every request you make to an IPv6 address bypasses the VPN tunnel. That way you may experience DNS leaks without even knowing it.

How to Make Sure Your VPN Doesn’t Leak Your DNS When Accessing IPv6 Addresses?

For the best DNS leak protection, look for a VPN service which explicitly supports IPv6 addresses. Once you’ve set your mind on one, do a DNS leak test first to make sure IPv6 won’t cause any DNS leaks. 

#4 – Manual DNS Configuration

This problem could have several explanations– users may improperly configure their VPN settings, those of their device, or both. This issue could occur most often with users who connect to the Web from different locations – home, office, café, etc. In that case, the network may automatically assign DNS servers to your requests. 

In that case, your requests may bypass the VPN tunnel and cause DNS leaks.

Configuring the proper settings is of utmost importance for protection against a DNS leak. 

How to Fix This?

If your VPN provider doesn’t own its DNS servers, that means it rents them from a third-party. In that case, the best option to ensure all your requests are going through the VPN tunnel is to use a public DNS resolver. 

Popular options include OpenDNS,  Google Public DNS, and Cloudflare’s 1.1.1.1. All three DNS resolvers are free and will redirect your traffic through the VPN tunnel. 

You could use any of those or other, even if you aren’t concerned with DNS leaks. They are a great option if you experience slow internet speed, for example.

Here’s a tip on VPN configuration that could save you a ton of trouble. And it applies to every technology! 

If you aren’t sure what you’re doing – leave the settings to default. Most VPN services are configured by default to keep your traffic in the encrypted tunnel. Still, it’s worth it to test your DNS for leaks from time to time. 

#5 – a Compromised Router

If cybercriminals control a router, chances are they will redirect your traffic outside the safety of the VPN tunnel. What’s worse is you’ll get redirected to malicious websites, which could cause you a severe headache. 

How to Fix This?

If your home router is infected, the best thing to do is to call your ISP and let them fix the problem. Otherwise, if you have the skills for it, you can reconfigure your router to communicate with a trusted DNS server.

If this happens at a café (the so-called eavesdropping, or Man-in-the-Middle attack), you probably won’t notice it outright. That’s why you should use a VPN service, combined with a secure DNS server to create adequate protection against such a threat.

#6 – Your VPN Service May Leak Your DNS

Although the primary purpose of VPN services is to ensure you browse the Web securely and anonymously, they aren’t flawless. Even if you take all the necessary precautions, your VPN may still give you away. Be it because its server went down, its kill switch didn’t work correctly, and so on. That’s why it pays to perform a DNS leak test when using a VPN. 

How to Fix a VPN DNS Leak?

First of all, make sure your VPN is DNS and IP leak secure. Most of the VPN services are, but it’s still worth checking. 

There are also VPN monitoring services you can use for this exact purpose. This adds another layer of security on top of the VPN you’re using. 

Unfortunately, all VPN monitoring services are either paid or a more expensive version of an already paid service. So it may not be the right solution for average users because of their price. 

With that in mind, find a VPN service that has a built-in kill switch and DNS leak protection.

Now. 

If you don’t want to face any of these problems (and I bet you don't,) take all the necessary precautions. It’s easy as pie.

How To Prevent a DNS Leak?

Since you already know what a DNS leak is and why it could be a privacy threat, let’s see how you can protect yourself.

If you’ve read everything so far, you’d already have a good enough idea how to prevent a DNS leak. Still, let’s summarize the most bulletproof methods for DNS leak prevention. 

Use a VPN Service

We talk about VPNs a lot here on Techjury. That’s because they are quite the practical pieces of software. 

So what do you need from a VPN service to feel safe and anonymous online?

Here’s a quick summary of the features you'll need from your VPN service if you don't want to worry about DNS leaks.

• Look for a VPN with built-in DNS and IP leak protection.

Most VPN providers offer this feature. These features rarely fail, and they provide another layer of protection that increases your overall online security. 

• Choose a VPN service with an automatic kill-switch.

You can’t predict if your VPN connection will last during the whole session. Sometimes the VPN server may shut down, due to an unexpected error, or your secure connection may drop. 

That’s when the kill-switch kicks in, automatically disconnecting your device from the network. That way, it protects any data that may slip out of the encrypted tunnel.

• Find a VPN provider that owns its DNS servers.

Some VPN providers out there only rent their servers. This means they have limited to no control over them. In terms of privacy, that’s not the best option, since you can’t possibly know what happens to your data.

Furthermore, a VPN leak test can’t reveal what happens with the information on the server, so keep that in mind when you choose your provider.

• Just to be super-safe, make sure your VPN provider has a strict no-logging policy.

Even if your VPN software is secure, it may still log your IP and what you do online. That’s why you should be extra careful with logging policies and government jurisdiction. 

You can find out everything you need to know about policies and jurisdictions in our VPN guide. 

So Which VPN Service Provider Should I Choose?

Now that you know you need a VPN service, you can read reviews on the best VPN service providers. To make it even easier for you to choose one – here are the top three services, which can guard you against a DNS leak:

• NordVPN
• ExpressVPN
• Perfect Privacy VPN

Although VPN services are a great tool to keep your connections safe and private, you can add an extra layer of security.

Use a Public DNS Resolver 

There are at least a dozen public DNS resolvers that you could use. 

The most famous ones are Google Public DNS, OpenDNS, and Cloudflare’s 1.1.1.1. They are all free and provide reasonable safety. Still, speed is also an essential factor, and Cloudflare wins the trophy. 

On top of that, Cloudflare’s 1.1.1.1 encrypts your data, which adds additional security against data breaches and Man-in-the-Middle attacks.

You’ve probably noticed DNSFilter didn’t enter the list mentioned above. That’s because it’s an industry solution and you can’t use it for free. 

Whichever one you choose, again, a DNS leak test is in order.

Configure Your Firewall

Think of your firewall as a defensive army in front of the gates of your castle (your device.) It doesn’t allow the enemy in, nor the eventual traitors out of the castle. In terms of DNS leaks, you should tell your army to stop anyone from leaving, except the trusted messenger – your VPN service. 

In other words – configure your firewall, so it allows traffic to go only through the VPN tunnel. That way it will block all other apps sending requests to the Web, thus preventing a DNS leak.

Use a Safe Browser

Yep, your browser could also leak your address. It’s because of a built-in API definition in Chrome, Firefox, and Opera to enable Real-Time Communications. RTC enables voice and video chat, as well as peer-to-peer file sharing. It’s called WebRTC.

The problem with WebRTC is it sends data packets containing your IP address to a server, which isn’t always your default DNS server.

You can check if your browser is leaking any information by performing a WebRTC leak test.

Furthermore, hundreds of browser extensions could leak your DNS even if you are using a VPN.

If you want to minimize the risk of a DNS leak (or any other data leak) you can switch to a safer browser.

TOR is the first option that comes to mind in terms of online privacy and security.

However, TOR has many drawbacks, which make it an unpopular option. Since the traffic goes through the so-called “onion layers” to provide better protection, it does so as a trade-off with speed. Not to mention that by default, using TOR is considered a shady business.

Anyway, if you aren’t using TOR for illegal activities, it’s still one of the best (and likely an overkill) option for browsing the Web privately.

There are also some Chromium-based browsers – like Brave and Iridium, which are tweaked for privacy.  

Although they are privacy-focused, all Chromium-based browser use WebRTC, so you should disable all browser fingerprinting.

In case you are a Firefox fan, you could use Waterfox or IceCat, which are forks of Mozilla’s browser. They are both free and provide better privacy than Firefox.

Whichever one you choose, or continue to stick with your own, guess what - do a DNS leak test. And here’s how you can do one.

Free DNS Leak Test Tools Online

Usually, even one test could tell you if your system is leaking your DNS, IP, or any other information.

Here’s where you can do that:

• IPleak

This tool will tell you if your system is leaking not only your IP address but DNS and WebRTC as well. It also provides some other useful information like geo-location and system information.

• DNSleaktest

This website’s “Extended” DNS leak test performs 36 queries to find out all DNS servers and any potential leaks.

• DNSLeak

Here you can do a DNS leak test, an email leak test (which is a rare option), and an IPv6 leak test. 

• Whoami IP

If you want more detailed information about your connection, this is the tool to use. It offers information about your IP, DNS, ISP, browser headers, etc.

These tools can determine if your system is leaking your DNS or any other sensitive information. Furthermore, almost every VPN provider’s website offers such a test, so feel free to check them out as well.

Wrap Up

Your online privacy and security aren’t a given. You have to take some precautions to keep your online identity safe and anonymous. 

If you value your privacy, you’ll need to combine several solutions – a VPN service, a firewall, and a browser.  You could also add another layer of security by using a public DNS resolver, which will guarantee your traffic doesn’t go through your ISP’s DNS server. 

Yeah, I know it sounds like a lot of work, but rest assured – it’s not. Once you’ve chosen the best VPN for you, configuring the firewall and the public DNS takes only a few minutes. On top of that, it’s fairly easy to do.

So don’t hesitate to take the steps toward better online privacy. 

Stay safe online, and I’ll see you next time.