What is DNS?
Before we get into any explanation regarding what a DNS Leak is and how you can protect yourself from one, it is important to clarify what DNS is.
DNS essentially is one of the many protocols that the Internet is built upon, much like HTTP or FTP.
It represents a naming system used by any device or service connected to the Internet or a private network.
In layman’s terms, it is used to transform the domain name in the URL you type into the web browser into the IP address of the site you’re looking to connect to.
Given that the true name of a site is not, for example, google.com, but rather an address such as 184.108.40.206, which is obviously a lot harder to remember, a system had to be put in place to make the Internet easier to use.
The DNS resolver most people use is the one run by their ISP, since its use is included in the service they offer. And this is essentially where the problem occurs.
Because the ISP’s resolver answers the name lookups for all of our outbound traffic, the ISP has a clear insight into every single site we visit on the Internet.
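The name-to-address step described above is a short binary exchange over UDP port 53. The following added example (not code from the original article) builds an A-record query in the DNS wire format, parses the answer, and constructs a sample response so the round trip can be inspected offline; the name, address and transaction id used are placeholders.

```python
"""Minimal DNS A-record query builder and response parser (RFC 1035 wire format).

Added example, not the article's code. The sample response used in __main__ is
constructed, not captured from a real resolver.
"""
import secrets
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                   # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (11xxxxxx)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # name ends after the pointer itself
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes, expected_txid: int):
    """Return [(name, ttl, ipv4)] from the answer section; reject mismatched ids."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not the answer to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Construct a plausible response to `query` (offline demonstration only)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # 0xC00C is a pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def resolve(name: str, server: str, timeout: float = 2.0):
    """Send the query to `server`:53 over UDP (real network; not used by the test)."""
    txid = secrets.randbelow(65536)                    # unpredictable id, as resolvers use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    print(parse_response(build_response(q, "192.0.2.10"), 0x1234))
```

Every byte of that exchange is plaintext, which is exactly why whoever runs the resolver (by default, the ISP) sees the name in every query.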
In an age where privacy has become a great luxury, having our entire Internet usage monitored is quite a chilling concept.
Ways to protect privacy
After learning that ISPs can monitor their Internet usage, many users will decide that using a VPN or some other service could be a good idea to help protect their privacy.
To explain the concept of a DNS leak, it is first important to determine what methods you would use to protect your true IP address.
Virtual Private Networks, or VPNs, are the most common way an average Internet user will try to protect their Internet usage from curious eyes. A VPN creates an encrypted “tunnel” to a server with a different IP address, and the VPN user routes their connection through it in order to mask their IP.
After connecting to a VPN the user’s visible IP address will be different from their original one, effectively denying the ISP knowledge of their Internet browsing habits.
Since there are many different VPN providers, there are also many approaches to how they are organized, some of which are good and some of which can prove to be a catastrophic security risk.
The main point to look into when deciding on a VPN is whether the said provider logs the Internet usage of their customers.
If they do, the problem of protecting your privacy is not at all resolved, but instead is transferred from your ISP to your VPN provider.
Another thing to worry about is how much information the VPN provider asks from you before allowing you to use their services.
If you do not have to give any personal information and the payment can be made in Bitcoin, it becomes much harder to track you even if they do keep logs.
You can use this resource to find the best VPN for your needs; they do a pretty good job of testing and rating VPNs for use with Tor on the darknet.
Another service that is often used to protect one’s privacy is the TOR web browser. When used for browsing ordinary Internet content, the TOR browser uses a similar method of protection to that of a VPN.
The downside to using TOR is that your ISP will be aware of it at all times, but it will still be unable to determine which websites you are visiting.
So, what is a DNS leak and what causes it? As we have seen above, the main concern of many Internet users is hiding their real IP address from their ISP or any other potential eavesdropper.
To do this, several software or service solutions can be used, and most of them use some form of rerouting the Internet traffic over a network of computers.
A DNS leak occurs when, for one reason or another, our DNS traffic no longer goes through the protected network we arranged for it and instead takes a direct path through our ISP, effectively revealing our real IP address and the names we look up.
This can have several different causes; some result from user error, while others are software bugs or even malicious attempts to de-anonymize us. Common causes of a DNS leak are as follows:
The first and most common cause for a DNS leak is observed with VPN usage and is known as a VPN dropout.
What usually happens is that while you use the VPN to protect your identity from your ISP, you are still using a regular browser like Chrome or Firefox.
From time to time, there is a possibility of losing your connection to the VPN, and if you are unaware of this happening, you will continue using the Internet unprotected.
This is especially problematic if your VPN of choice is running in the background and gives an unnoticeable or even non-existent warning of disconnection.
Smart Multi-Homed Name Resolution
The next cause of a DNS leak is a Windows-only problem, and it has become much more relevant with the release of Windows 10.
As it stands, Windows 8 has a system known as Smart Multi-Homed Name Resolution. It can send DNS requests to all available DNS servers, but the servers the user has marked as “non-preferred” are only used in case the main server is unresponsive.
This has caused some DNS leaks in the past, but the situation had not become severe enough until Windows 10 was released.
The problem with Windows 10 is that it sends requests to all DNS servers in parallel and uses the one that responds the quickest, which obviously poses a catastrophic security risk, since it will often pick an unencrypted route outside the VPN, thus causing a DNS leak.
WebRTC, short for Web Real-Time Communication, is a standard used by web browsers like Chrome, Firefox, and Opera to allow voice calling or video chat directly from the browser.
What it also does is reveal the user’s true IP address no matter which VPN they use. As of now, there is no way of protecting yourself from WebRTC causing a leak aside from completely turning off WebRTC in your respective browser, which in turn reduces the browser’s functionality in that respect.
Ways to prevent a DNS leak
Given that there are many different ways a DNS leak can occur, it is only logical that there is more than one way to protect yourself from it.
The solutions themselves are actually surprisingly simple, given how big a problem you would otherwise be facing, and usually take no more than a few mouse clicks or keystrokes.
Firstly, let’s address the issue of a VPN dropout. A good VPN provider will make sure that their service is as close to 100% consistent and reliable as possible.
Despite that, even the best VPN providers will have some problems, and their service will stop working for short periods of time.
The best way to protect yourself from this is to have a “kill switch” ready, which shuts down your Internet connection in case of a VPN dropout.
Any good VPN provider will already have such a system implemented in the client interface of their service for the sole purpose of preventing a DNS leak, but in case you want extra protection, some good options include VPN Watcher or VPN Check.
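What a kill switch does under the hood, and how the silent dropout described earlier can be detected, is shown by the following added example (not code from the article, nor from any VPN vendor's client). It assumes a Linux host where the VPN presents a tunnel interface named tun0, that the VPN server address, port and the VPN's own DNS resolver are known, and that the nft and ip commands are available; the interface listings embedded below are constructed, and the addresses used are documentation-range placeholders.

```python
"""VPN kill switch: an always-on nftables ruleset plus a dropout notifier.

Added example, not the article's code. Assumes Linux, a tunnel interface "tun0",
and the `nft` / `ip` commands. Sample `ip -br link` listings are constructed.
"""
import subprocess
import time

# Constructed sample output of `ip -br link`, with the tunnel present and then gone.
SAMPLE_LINK_UP = """lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             02:00:00:aa:bb:cc <BROADCAST,MULTICAST,UP,LOWER_UP>
tun0             UNKNOWN        <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP>
"""
SAMPLE_LINK_DOWN = """lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             02:00:00:aa:bb:cc <BROADCAST,MULTICAST,UP,LOWER_UP>
"""


def tunnel_is_up(ip_br_link_output: str, tun_iface: str = "tun0") -> bool:
    """Report whether tun_iface is present and operational in `ip -br link` output.
    tun devices usually report operstate UNKNOWN rather than UP, so accept both."""
    for line in ip_br_link_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].split("@")[0] == tun_iface:
            return parts[1] in ("UP", "UNKNOWN")
    return False


def transition(was_down: bool, up: bool):
    """Pure state step for the notifier: returns (is_down, event).
    event is "dropout" when the tunnel just vanished, "restored" when it came back."""
    if up and was_down:
        return False, "restored"
    if not up and not was_down:
        return True, "dropout"
    return was_down, None


def killswitch_ruleset(phys_iface: str, tun_iface: str, vpn_server: str,
                       vpn_port: int, vpn_dns: str, proto: str = "udp") -> str:
    """Render an nftables ruleset that only lets out (a) the VPN handshake itself on
    the physical interface, (b) DHCP renewals, (c) DNS to the VPN's resolver inside
    the tunnel and (d) everything else inside the tunnel. DNS to any other server,
    on any interface, is dropped, so a dropout leaves the host silent instead of
    letting the stack fall back to the ISP resolver."""
    return f"""table inet killswitch {{
  chain output {{
    type filter hook output priority 0; policy drop;
    oif lo accept
    oifname "{tun_iface}" ip daddr {vpn_dns} udp dport 53 accept
    oifname "{tun_iface}" ip daddr {vpn_dns} tcp dport 53 accept
    udp dport 53 drop
    tcp dport 53 drop
    oifname "{phys_iface}" udp dport 67 accept
    oifname "{phys_iface}" ip daddr {vpn_server} {proto} dport {vpn_port} accept
    oifname "{tun_iface}" accept
  }}
}}
"""


def apply_ruleset(ruleset: str) -> None:
    """Load the ruleset, replacing any earlier copy of the table (needs root)."""
    subprocess.run(["nft", "delete", "table", "inet", "killswitch"],
                   stderr=subprocess.DEVNULL, check=False)
    subprocess.run(["nft", "-f", "-"], input=ruleset.encode(), check=True)


def watch(tun_iface: str = "tun0", interval: float = 2.0) -> None:
    """Poll the link table and print loudly on every transition. The ruleset stays in
    place regardless; the notifier only addresses the 'silent disconnect' problem."""
    down = False
    while True:
        out = subprocess.run(["ip", "-br", "link"], capture_output=True,
                             text=True, check=True).stdout
        down, event = transition(down, tunnel_is_up(out, tun_iface))
        if event:
            print(f"*** VPN tunnel {tun_iface}: {event} ***", flush=True)
        time.sleep(interval)


if __name__ == "__main__":
    # Placeholder VPN endpoint and resolver (documentation ranges), not a real service.
    rules = killswitch_ruleset("eth0", "tun0", "203.0.113.5", 1194, "10.8.0.1")
    print(rules)
    apply_ruleset(rules)
    watch("tun0")
```

The design point is that the rules are loaded before the VPN comes up and never depend on the watchdog noticing anything: the only reason to poll the interface at all is to tell the user, which is the weakness of background clients mentioned above.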
Smart Multi-Homed Name Resolution
There is not much to be said on the topic of protection from Smart Multi-Homed Name Resolution.
The good folks over at GitHub have a nifty little plugin, designed and developed by the people behind OpenVPN, that solves this issue.
All one has to do is download and run it, and it will deal with the Smart Multi-Homed Name Resolution problem we are facing.
The problem with WebRTC, and the fact that as of yet there is no real fix for it, has already been addressed earlier in this article.
The only way you can protect yourself from WebRTC exposing your IP address is to turn it off completely.
This creates a dilemma over whether it is worth risking our privacy for what little utility WebRTC provides.
In Firefox, turning off WebRTC is actually quite straightforward: enter “about:config” into the URL bar and set “media.peerconnection.enabled” to false.
The alternative is to use one of the many plugins designed to accomplish this task, such as NoScript or uBlock Origin.
In the current age of Internet surveillance and reduced privacy, it can be a really tough job to protect your identity.
While services like VPNs provide us with some level of security, they are not perfect, and knowing where they fail to deliver is something one must be aware of before using them.
These fixes cover the most common causes of a DNS leak, but there can always be an issue that the usual solutions do not address.
Given this, it is wise to check sites like ipleak.net and test-ipv6.com to confirm that our layer of protection is as sound as we believe it to be.
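Those sites show what the outside world sees; the complementary check is a local one, answering which interface each configured resolver would actually be reached through. The following added example (not from the article) does that on a Linux host with a tunnel interface named tun0, using longest-prefix matching over the routing table with the lower metric breaking ties, the same rule the kernel applies. The resolver list and routing table embedded below are constructed; run it with --live to read the real system instead.

```python
"""Local DNS leak check: which interface carries the traffic to each resolver?

Added example, not the article's code. Assumes Linux, resolv.conf syntax for the
resolvers and `ip route` output for the routing table. The sample data below is
constructed: an OpenVPN-style redirect-gateway (0/1 and 128/1 via the tunnel)
while /etc/resolv.conf still lists the home router as a resolver.
"""
import ipaddress
import subprocess
import sys

SAMPLE_RESOLV = """nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 8.8.8.8
"""
SAMPLE_ROUTES = """0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""


def parse_resolvers(resolv_conf: str):
    """Collect the nameserver entries; ignore options, search lines and comments."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
            except ValueError:
                pass   # malformed entry; the libc resolver skips it too
    return servers


def parse_routes(ip_route_output: str, family: int = 4):
    """Return (network, dev, metric) triples; 'default' is the all-zero prefix."""
    default = "0.0.0.0/0" if family == 4 else "::/0"
    routes = []
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue          # blackhole / unreachable lines carry no device
        dest = default if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        try:
            routes.append((ipaddress.ip_network(dest, strict=False), dev, metric))
        except ValueError:
            continue
    return routes


def egress_interface(addr, routes):
    """Longest-prefix match; equal lengths are decided by the lower metric."""
    candidates = [(net.prefixlen, -metric, dev)
                  for net, dev, metric in routes
                  if net.version == addr.version and addr in net]
    return max(candidates)[2] if candidates else None


def check_leaks(resolv_conf: str, ip_route_output: str,
                tun_iface: str = "tun0", family: int = 4):
    """Return [(resolver, egress_dev, inside_tunnel)] for every configured resolver."""
    routes = parse_routes(ip_route_output, family)
    report = []
    for server in parse_resolvers(resolv_conf):
        if server.version != family:
            continue
        dev = egress_interface(server, routes)
        report.append((str(server), dev, dev == tun_iface))
    return report


def main():
    if "--live" in sys.argv:
        with open("/etc/resolv.conf") as fh:
            resolv = fh.read()
        routes = subprocess.run(["ip", "-4", "route"], capture_output=True,
                                text=True, check=True).stdout
    else:
        resolv, routes = SAMPLE_RESOLV, SAMPLE_ROUTES
    for server, dev, ok in check_leaks(resolv, routes):
        status = "ok" if ok else "LEAK: bypasses the tunnel"
        print(f"{server:<16} via {dev or 'unroutable':<10} {status}")


if __name__ == "__main__":
    main()
```

On the constructed sample, 10.8.0.1 and 8.8.8.8 are reached through tun0, but 192.168.1.1 matches the LAN's /24 on eth0 and is flagged: any query the stack sends to the router resolver goes out in the clear even while the VPN is up. Running the same check over `ip -6 route` with family=6 covers the IPv6 half that test-ipv6.com looks at from the outside.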