When you’re trying to stay anonymous online, a VPN is the simplest solution—with a click or two, your IP address, service provider, and location will be masked from any site that you go to and anyone trying to spy on your connection. But a DNS leak can totally undermine the purpose of a VPN. Here’s how to keep that from happening.
(A quick note before we go on: a DNS leak is only a privacy concern if you’re worried about your ISP monitoring your browsing. It has nothing to do with NSA surveillance or other forms of digital snooping.)
What’s a DNS Leak?
The domain name system (DNS) links domain names (like www.makeuseof.com) to IP addresses (18.104.22.168). When you use your browser to go to a website, it sends a request to a DNS server with the domain name from the URL that you typed in, and the server answers with the correct IP address. This is a crucial piece of how the Internet works.
Usually, DNS servers are assigned by your internet service provider (ISP), which means that your ISP can monitor and record your online activities whenever you send a request to the server. When you use a virtual private network (VPN), the DNS request should be directed to an anonymous DNS server through your VPN, and not sent directly from your browser to your ISP's server; this keeps your ISP from monitoring your connection.
Unfortunately, sometimes your browser will just ignore that you have a VPN set up and will send the DNS request straight to your ISP. That’s called a DNS leak. This can lead you to think that you’ve stayed anonymous and that you’re safe from online surveillance, but you won’t be protected.
Obviously this is not good. So let’s take a look at diagnosing and stopping it.
Diagnosing the Leak
If your computer is using its default settings and not routing DNS requests through the VPN’s DNS server, it’s not going to be obvious; you’ll need to use a leak test. Fortunately, there’s an easy one to remember: www.dnsleaktest.com.
Just go to the site and click the “Standard test” button (if you’re really concerned about surveillance, you can click “Extended test”—it’s slightly more comprehensive, but takes a bit longer). If you see your own country and ISP listed on the results page, you’ll know that your ISP can monitor your connection. That’s not good.
Stopping the Leak
Okay, so we’ve diagnosed the leak. Now what? There are a few steps you can take to stop your DNS leak and prevent future ones. We’ll start with the simplest one.
Change DNS Servers
If your default DNS server is one that was assigned by your ISP, one of the easiest ways to keep them from seeing what you’re doing online is to change your DNS server. Even if you aren’t worried about DNS leaks, changing your default DNS server might be a good idea, as it might result in faster Internet speeds.
The following DNS servers are well-maintained and will provide you with high performance and security:
- Open DNS (preferred: 22.214.171.124, alternate: 126.96.36.199)
- Comodo Secure DNS (preferred: 188.8.131.52, alternate: 184.108.40.206)
- Google Public DNS (preferred: 220.127.116.11, alternate: 18.104.22.168)
To learn how to change the DNS settings on your computer, check out Danny’s article, “How To Change Your DNS Servers & Improve Internet Security.”
Use a VPN with DNS Leak Protection
Some VPNs come with a feature that will monitor your DNS requests to make sure that they’re going through the VPN instead of directly to your ISP. To see if your VPN has this protection, open the settings; you should see an option that will check for and prevent DNS leaks.
So which VPNs include DNS leak protection? According to BestVPNz.com, Private Internet Access, TorGuard (both of which made it to our best VPNs list), VPNArea, PureVPN, ExpressVPN, VPN.AC, and LiquidVPN all provide protection. If you’re using one of these VPNs, make sure your settings are set correctly. If you’re not, and you’re concerned about ISP surveillance, you might want to consider switching.
Using VPN Monitoring Software
Some VPN monitoring software also includes support for fixing DNS leaks. The pro version of VPNCheck will do this for you, as will OpenVPN Watchdog (if you’re using OpenVPN).
Because fixing a leak this way requires premium software, this likely won’t be the go-to strategy for many people, unless you’re already using VPN monitoring software to make sure your VPN connection is totally secure.
Teredo is a Windows-based technology that, in essence, allows communication across two IP protocols: IPv4 and IPv6. Both are present on the Internet, and in some cases, you’ll need to use something like Teredo to allow them to communicate (the specifics are pretty complicated, but you can learn more at the Teredo tunneling Wikipedia page). However, Teredo can sometimes cause DNS leaks, so you may want to disable it.
To disable Teredo, open the command line and type the following command:
netsh interface teredo set state disabled
If you need to re-enable Teredo at some point, you can use this command:
netsh interface teredo set state type=default
Plug Those Leaks
If you’re using a VPN, a DNS leak could be revealing more information than you’re aware of—so take the steps above to make sure that you’re not leaking information and, if you are, plug the leak.