
When you’re trying to stay anonymous online, a VPN is the simplest solution—with a click or two, your IP address, service provider, and location will be masked from any site that you go to and anyone trying to spy on your connection. But a DNS leak can totally undermine the purpose of a VPN. Here’s how to keep that from happening.

(A quick note before we go on: a DNS leak is only a privacy concern if you’re worried about your ISP monitoring your browsing. It has nothing to do with NSA surveillance or other forms of digital snooping.)

What’s a DNS Leak?

The domain name system (DNS) is a system for linking domain names (like www.makeuseof.com) to IP addresses (like 54.221.192.241). When you use your browser to go to a website, a request goes to a DNS server with the domain name from the URL that you typed in, and the server answers with the correct IP address. This is a crucial piece of how the Internet works.


Usually, DNS servers are assigned by your internet service provider (ISP), which means that they can monitor and record your online activities whenever you send a request to the server. When you use a virtual private network (VPN), the DNS request should be directed to an anonymous DNS server through your VPN, and not directly from your browser; this keeps your ISP from monitoring your connection.

Unfortunately, sometimes your browser will just ignore that you have a VPN set up and will send the DNS request straight to your ISP. That’s called a DNS leak. It can lead you to think that you’ve stayed anonymous and that you’re safe from online surveillance when, in fact, you aren’t protected.


Obviously this is not good. So let’s take a look at diagnosing and stopping it.

Diagnosing the Leak

If your computer is using its default settings and not routing DNS requests through the VPN’s DNS server, it’s not going to be obvious; you’ll need to use a leak test. Fortunately, there’s an easy one to remember: www.dnsleaktest.com.


Just go to the site and click the “Standard test” button (if you’re really concerned about surveillance, you can click “Extended test”—it’s slightly more comprehensive, but takes a bit longer). If you see your own country and ISP listed on the results page, you’ll know that your ISP can monitor your connection. That’s not good.
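
A local cross-check for the same question, added here as an example (it is not from the original article): the script parses `ipconfig /all` output and lists every DNS server configured on any adapter that is not one of the VPN's resolvers. It assumes English-locale output; the sample text, the adapter names and the VPN resolver address 10.8.0.1 are constructed for illustration.

```python
import ipaddress
import re

# Constructed, trimmed `ipconfig /all` output; not captured from a real host.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Ethernet Controller
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       fe80::1%12

Unknown adapter VPN Tunnel:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   DNS Servers . . . . . . . . . . . : 10.8.0.1
"""

def dns_servers_by_adapter(text):
    """Map each adapter name to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = []
            in_dns = False
            continue
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if first and current is not None:
            adapters[current].append(first.group(1))
            in_dns = True
        elif in_dns and len(line.split()) == 1:
            # Continuation line: a bare address under the first DNS entry.
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters

def leak_candidates(text, vpn_resolvers):
    """Return (adapter, resolver) pairs that are not one of the VPN's resolvers."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    found = []
    for adapter, servers in dns_servers_by_adapter(text).items():
        for server in servers:
            ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 zone id
            if ip not in allowed:
                found.append((adapter, str(ip)))
    return found

if __name__ == "__main__":
    print(leak_candidates(SAMPLE_IPCONFIG, ["10.8.0.1"]))
```

A resolver reported here is a path a query could take outside the tunnel, not proof that queries are going there, so confirm with the web test above while the VPN is connected.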

Stopping the Leak

Okay, so we’ve diagnosed the leak. Now what? There are a few steps you can take to stop your DNS leak and prevent future ones. We’ll start with the simplest one.

Change DNS Servers

If your default DNS server is one that was assigned by your ISP, one of the easiest ways to keep them from seeing what you’re doing online is to change your DNS server. Even if you aren’t worried about DNS leaks, changing your default DNS server might be a good idea, as it might result in faster Internet speeds.


The following DNS servers are well-maintained and will provide you with high performance and security:

  • OpenDNS (preferred: 208.67.222.222, alternate: 208.67.222.220)
  • Comodo Secure DNS (preferred: 8.26.56.26, alternate: 8.20.247.20)
  • Google Public DNS (preferred: 8.8.8.8, alternate: 8.8.4.4)

To learn how to change the DNS settings on your computer, check out Danny’s article, “How To Change Your DNS Servers & Improve Internet Security.”

Use a VPN with DNS Leak Protection

Some VPNs come with a feature that will monitor your DNS requests to make sure that they’re going through the VPN instead of directly to your ISP. To see if your VPN has this protection, open the settings; you should see an option that will check for and prevent DNS leaks.

So which VPNs include DNS leak protection? According to BestVPNz.com, Private Internet Access, TorGuard (both of which made it to our best VPNs list), VPNArea, PureVPN, ExpressVPN, VPN.AC, and LiquidVPN all provide protection. If you’re using one of these VPNs, make sure your settings are set correctly. If you’re not, and you’re concerned about ISP surveillance, you might want to consider switching.

Using VPN Monitoring Software

Some VPN monitoring software also includes support for fixing DNS leaks. The pro version of VPNCheck will do this for you, as will OpenVPN Watchdog (if you’re using OpenVPN).


Because fixing a leak this way is only possible with premium software, this likely won’t be the go-to strategy for many people, unless you’re already using VPN monitoring software to make sure your VPN connection is totally secure.

Disable Teredo

Teredo is a Windows-based technology that, in essence, allows communication across two IP protocols: IPv4 and IPv6. Both are present on the Internet, and in some cases, you’ll need to use something like Teredo to allow them to communicate (the specifics are pretty complicated, but you can learn more at the Teredo tunneling Wikipedia page). However, Teredo can sometimes cause DNS leaks, so you may want to disable it.

To disable Teredo, open the command line and type the following command:

netsh interface teredo set state disabled

If you need to re-enable Teredo at some point, you can use this command:

netsh interface teredo set state type=default

Plug Those Leaks

If you’re using a VPN, a DNS leak could be revealing more information than you’re aware of—so take the steps above to make sure that you’re not leaking information and, if you are, plug the leak.

Have you used any of the above strategies for diagnosing or stopping DNS leaks? Do you have any other recommendations? Share your best tips below!

Image credits: Leaky faucet (edited), United States network night map, Various connections implying a world map, Businesswoman with magnifier glass via Shutterstock.

  1. armtAdm
    December 3, 2016 at 11:53 pm

    Express VPN Leaks IPv6 and DNS information. I have been a customer for over two months. I found a way to plug it however it is not through their software. I informed them as well. They told me that they didn't support IPv6 thus I should have disabled it. This might or might not have been hidden in their troubleshooting section (at least I didn't see it) however, I have not seen this stated anywhere in their advertising. Nonetheless, with or without blocking the IPv6, DNS is still leaking and their advertisements about privacy are not entirely accurate.
    They do have however a great customer service, security, server speed/reliability/availability/bandwidth. But a compromised privacy.

  2. Richard
    January 14, 2016 at 11:26 pm

    Hmmm be careful. DNSleaktest.com is not very good. I had a leak and it wasn't detected. Went to DNSleak.com. There it was. Leaking all over the place. That's after a number of checking web sites said everything was ok.

    • Dann Albright
      January 17, 2016 at 9:26 pm

      Thanks for pointing this out! I'll keep that in mind when I'm writing another tutorial on DNS issues.

      • brother m
        August 8, 2016 at 11:11 pm

        WOT gives DNSleak.com bad scores. Apparently the test is inaccurate and only tries to sell you their own VPN.

        • Dann Albright
          August 16, 2016 at 2:09 pm

          Hm. Maybe there are fewer reputable sites than I realized.

  3. Lean
    December 6, 2015 at 10:52 am

    Yes, absolutely agree. DNS leaks are so often overlooked, but it's a very common issue. Another one that most people do not consider is browser fingerprints https://en.wikipedia.org/wiki/Device_fingerprint. Obviously, fingerprints are not as bad as DNS leaks, but when this info is tied together it can lead to a much faster identification of a particular user.

    I'm not sure the VPN companies mentioned here have the best protection, though. Neither expressvpn nor PIA have dns leak protection or any other anti-tracking features in their software. They are great providers, of course. But it seems that if we consider some more advanced features, Cyberghost http://www.review-vpn.com/cyberghost-vpn/ and maybe ZenMate have more tracking protection than most of the other VPN providers.

  4. Stéphane Moureau
    September 18, 2015 at 11:22 am

    Do not forget that if you connect to a free service like gmail, pinterest, facebook... with or without cookies, you are still leaving tracks...

    Privacy & Security Conscious Browsing:
    https://gist.github.com/atcuno/3425484ac5cce5298932

    See also browser fingerprint:

    https://panopticlick.eff.org
    http://noc.to

    To force usage of HTTPS, see
    https://www.sslenforcer.com
    https://www.eff.org/https-everywhere

    You can get also very good information and tools:

    https://www.browserleaks.com

    https://github.com/drduh/OS-X-Yosemite-Security-and-Privacy-Guide

    http://whoer.net - IP and DNS Resolver IP.

    Private search engines - do not track you
    https://ixquick.com
    https://duckduckgo.com
    https://www.searchlock.com
    https://searx.laquadrature.net
    https://www.qwant.com

    For lots of deals, redeems for software, web services and VPN subscription go to
    https://stacksocial.com/?rid=1465893

  5. Fouga4
    May 22, 2015 at 1:52 pm

    Ernesto:
    Doesn't work for me. Installed the addon to disable WebRTC. The media.peerconnection.enabled now shows "false" but IPLeak.net still sees all my DNS addresses.

  6. Ernesto Colina
    May 19, 2015 at 6:05 pm

    Have you forgotten the WebRTC leak?
    http://ipleak.net/

    Try it with Chrome or Opera and even with a VPN they can trace you.

    • Kannon Y
      May 21, 2015 at 3:37 am

      Thanks for bringing up WebRTC Ernesto. It appears that Firefox doesn't suffer from the bug. I think the best advice is to, well, use Firefox when using a VPN. Are there any other options?

    • Dann Albright
      May 21, 2015 at 7:17 am

      Using Firefox with a VPN, at least for now, is probably your best bet. Thanks for pointing this out, Ernesto!

      • Richard
        January 14, 2016 at 11:52 pm

        Firefox, seriously? The guys who use WebRTC. Try Iceweasel. Linux wouldn't hurt either.

    • Ernesto Colina
      May 21, 2015 at 3:47 pm

      Curiously, IE is not vulnerable to WebRTC, but only because it doesn't support it, for the moment. Some people recommend using "Pale Moon", but I cannot tell you if this is true. And about FireFox, to be sure, to disable WebRTC in Firefox, go to about:config and toggle media.peerconnection.enabled to false or use the addon "Disable WebRTC" https://addons.mozilla.org/en-US/firefox/addon/happy-bonobo-disable-webrtc/?src=api

      However, some sites like Amazon don't like this solution. So, I have no choice but to use FireFox for my regular browsing and Chrome exclusively for Amazon.

  7. Alex.
    May 19, 2015 at 7:51 am

    Hello Dan,

    Thank you very much for this article. It just goes to show, you can NEVER stop learning!

    • Dann Albright
      May 21, 2015 at 7:16 am

      There's always more to learn, especially when it comes to privacy and anonymity.

      Keep reading! :-)

  8. Godel
    May 18, 2015 at 10:16 pm

    Thanks, good to know.

    • Dann Albright
      May 19, 2015 at 6:49 am

      Always glad to be helpful!

  9. Mr P.
    May 18, 2015 at 1:46 am

    Just to be sure I understand: you want to preserve anonymity, but you suggest using Google DNS. I know that your anonymity will be somehow preserved, but telling the biggest activity monitoring company about all the use you make of the internet, is it wise? (sorry for my probably bad English :-)!)

    • Dann Albright
      May 19, 2015 at 6:49 am

      I had that thought too, but Google DNS has come pretty highly recommended. Worrying about a DNS leak really only makes sense if you're trying to hide your activity from your ISP anyway. If you're worried about other sorts of anonymity, there are a lot of other concerns that you'll have to take into account—like if you should use Google DNS.

  10. ReadandShare
    May 15, 2015 at 4:45 am

    Thanks for the article and the link to DNSleaktest.com. Good to know that I hail from "Romania" when I clicked over with my VPN.

    • Dann Albright
      May 16, 2015 at 7:49 am

      Glad you liked the article! DNSleaktest is a fantastic website, and it's a great tool for people who use VPNs. Hopefully this article helps get the word out that it's out there.

  11. dood
    May 14, 2015 at 8:37 pm

    If you are using OpenDNS you might want to check out dnscrypt-proxy on Github for an easy way to change your dns and have it run as a Service.

    https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown

    When used in combination with the dnsfix instructions at dnsleaktest.com
    you can ensure that even your non-VPN traffic does not use your isp dns servers.

    https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html
