DNS Leaks

Abstract

Virtual Private Networks (VPN) are used to provide security and privacy, but information can still be exposed through DNS leaks. This article describes how DNS leaks occur and what can be done about it.

Information leak

You use a Virtual Private Network (VPN) to provide security and privacy. For example, at home you might not want your Internet Service Provider (ISP) to see the information sent between your computer and your office or for them to know where you are going on the Internet. If you are using a hotel or coffee shop's wi-fi, you also don't want them (or their ISP) to see that information.

But a VPN might not provide the security you'd expect: your DNS queries might not be going over the VPN. The hotel, coffee shop or ISP can still track you, because it knows where you are going (the domain names in your DNS queries). Or worse, others might be able to access your data (by sending you to fake sites with false IP addresses in the DNS results you are provided).

This happens because VPNs protect all network traffic except traffic destined for a local area network. That exception is what causes the DNS leak.

When your laptop connects to the wi-fi network at a hotel, it is automatically configured using the Dynamic Host Configuration Protocol (DHCP). The hotel's DHCP server: assigns your laptop its IP address, usually a random unused IP address on the local network (e.g. 192.168.1.123); assigns the gateway to send network traffic for unknown networks to, the local router (e.g. 192.168.1.1), and assigns the DNS servers for it to use, typically also running on a local router (e.g. 192.168.1.1).

Without a VPN, all your network traffic goes through the local router (e.g. 192.168.1.1): both the DNS queries and the actual connection.

With a VPN, all traffic for unknown networks are redirected through the VPN. So your actual connection is secured. But your DNS requests are not destined for an unknown network: it is destined for the local network, which is known to your computer. It is sent directly to the local DNS server without going through VPN. (In fact, in this example it can't go through the VPN because the VPN would not be able to route it to the local area network. The local DNS server know what DNS queries you made and that it was you who made them.

Solutions

Automatically using your VPN provider's DNS server

One solution is to configure your computer to use your VPN provider's DNS server. The DNS queries will then go over the VPN directly to the that DNS server, and your queries will never be exposed to any third party (although the VPN's DNS server might make its own DNS queries to the Internet, they won't be assocaited with you directly.) Of course, this assumes you trust your VPN provider.

Protocols like OpenVPN can automatically configure the DNS server your computer uses as a part of establishing the VPN connection. But this requires the OpenVPN server to be configured to push DHCP options to the clients.

Unfortunately, not all VPN client programs support this. And some that do might cause other problems, because they disable DHCP (so the new DNS server settings are not subsequently changed) and sometimes don't reenable it when the VPN connection is gone.

Also, it requires your VPN provider to have set up their VPN server to support it. So this might not work for you.

Manually using your VPN provider's DNS server

Alternatively, you could manually configure your computer's DNS server to be the VPN provider's DNS server (if you know what it is).

To use different DNS servers when connected and not connected to the VPN, this could involve manually changing DNS servers every time you connect or disconnect from the VPN. That is a lot of work and there is a security risk that you'll accidently forget to do it. It depends on where the DNS servers are set on your computer and how that interacts with the DNS client.

Manually configuring another DNS server

This third method is to manually configure your computer's DNS server to be a DNS server you want to use all the time: both when using the VPN and not using the VPN.

When using the VPN, that DNS server will receive DNS queries that appear to originate from the VPN provider (i.e. not from you).

When not using the VPN, that DNS server will receive DNS queries that directly originate from you. So it will have to be a DNS server that you trust. Perhaps you trust OpenDNS or Google Public DNS servers.

This is the method I'm using, since my VPN client software does not automatically set up DNS servers (even though the software is provided by the VPN provider and they are providing the information when establishing the VPN connection). If I used another OpenVPN client it would change the DNS server automatically when connecting to the VPN. If I used the operating systems PPTP VPN client, I could manually assign a DNS server for the PPTP VPN that takes precedence over the DHCP provided DNS server, but I do not wish to use PPTP.

Further information