In this article, we'll dig a bit deeper into our subject and focus on DNS leaks. But don't worry, it won't be one of those articles that only geeks can understand. As usual, I'll try to explain things clearly and make it accessible for you, dear reader. By the end, you'll know what a DNS leak is and how to fix a DNS leak. Protecting your privacy is one of my priorities! Fixing your IP leaks is a step toward a safer Internet. And my mother hoped I'd be a plumber.
Why you should worry about DNS leak protection
First, I must say that it's not a strategy to convince you to purchase a VPN – even if you should. Indeed, it's a problem VPN users are facing… There is no leak when you're not using a VPN: All your data are flowing in the clear anyway! But for people who are protecting their privacy, it's a real threat. A threat that millions of Internet users are facing. Sometimes without being aware of it. Let me put on a bib overall and brush my mustache. Here we go!
DNS 101: Domain Name System
If you're on my website, it's a good bet that you've used the DNS even without realizing it. So what is it? Wikipedia says: The Domain Name System is a hierarchical decentralized naming system for computers, services, or any resource connected to the Internet or a private network. In other words, it's a system which resolves domain names on the Internet.
You'll ask me: Why do we need to resolve domain names? Well, every internet connected device, and every internet connection, has a unique IP address that is used to identify it. And websites are hosted on servers, with public IP addresses. But does 18.104.22.168 ring a bell? No, it doesn't, even if you've been visiting the website every day. Because we're using user-friendly addresses, thanks to the DNS. Therefore, if you want to reach 22.214.171.124, you'll type the domain name www.bbc.co.uk. Pretty cool huh?
To make it simple, when you type the name of a website, you send a request for information to DNS servers. These servers hold the correspondence tables between domain names and public IP addresses, and they answer with the corresponding IP address so your device can connect to it. It's like the yellow pages, but without the hassle. This process is the DNS name resolution.
It often happens that several sites have the same public IP address. Because they are hosted on the same server. In this case, the server decides which website to connect you to, depending on your request.
So what's the problem doc?
This DNS process is usually performed by your Internet Service Provider. But using your ISP's DNS is the best way to make sure that your provider always knows your online activity. And even if you have nothing to hide, your information is stored for years. Sometimes used for advertising purposes.
When you're using a VPN, your requests should be handled by your VPN provider. That's the reason why most VPNs offer their own proprietary DNS servers, like VyprVPN or NordVPN. As a consequence, all your requests should be transferred through the VPN encrypted tunnel.
Unfortunately, it's quite common for Operating Systems to use the default settings, instead of the VPN's. And send your requests to the wrong server. This is where you find a DNS leak. If it happens, then anybody (ISP, government, hacker…) monitoring your traffic will be able to log your activity. DNS leaks are a major privacy threat since your VPN may be providing a false sense of security while your private data is leaking.
IPv4 DNS leaks
First, you need to know about Internet Protocols (IP). IPv4 is the fourth version of the Internet Protocol. It uses 32-bit addresses. So what? Well, it means there are about 4.3 billion addresses available. Only. With the rapid development of Internet, IPv4 addresses are running out. But it still routes most Internet traffic today, despite the ongoing deployment of IPv6 – its replacement.
As I explained previously, your Operating System is not so good at handling DNS requests between your VPN and your ISP (especially Windows). And your traffic is at risk.
IPv6 DNS leaks
IPv6 is the most recent version of the Internet Protocol. It uses 128-bit addresses. The main advantage of IPv6 over IPv4 is its larger address space. With IPv6, every new device can get its own unique IP address. The deployment of IPv6 started in 2008, but its adoption has been slow. Nowadays, we use both protocols. However, it might introduce more security threats as hosts could be subject to attacks from both IPv4 and IPv6…
The DNS leak is different with IPv6. Basically, VPN software can't handle IPv6 requests yet. So, every time you send an IPv6 DNS request, your ISP DNS server answers it. Bummer.
How to fix a DNS leak?
Before fixing anything, you should check if you're suffering from a DNS leak. Some websites offer to test your connection, for free. Visit IPLeak for example. If you can see your real IP address and/or the address of your ISP, you have a DNS leak.
DNS leak fix 1: Use a VPN with built-in DNS leak protection
This is the safest solution. If you choose a VPN with DNS leak protection, there won't be any leak with IPv4. And it will automatically deactivate IPv6. You get the best protection: 100% sure.
I already explained what a VPN is and what the VPN protocols are. You can also check my VPN reviews. In case you're wondering which VPN to choose, I made a list of the best VPNs with DNS leak protection:
Let's make a test. If I go to IPLeak, I get these results for the IP address:
And these for the DNS servers (VyprDNS):
I'm all good, no DNS leak at all. My IP is hidden and my traffic is encrypted. Oh yeah!
DNS leak fix 2: Change your DNS server and disable IPv6
The second option is to change your DNS server, either if you don't use a VPN or if your VPN doesn't provide a proprietary DNS. DNS servers always work in pairs: a preferred DNS server and an alternate DNS server. Consequently, when changing the DNS of your device, always change 2 IP addresses. You can also delete the DNS servers you're not using.
With a new DNS server, you get a more secure service. And you can also get a faster service. The public DNS servers below are reliable options. Sometimes, I use OpenDNS myself.
|Public DNS Provider|Preferred DNS server|Alternate DNS server|Website|
|---|---|---|---|
|Comodo DNS|126.96.36.199|188.8.131.52|Visit Now|
|Google DNS|184.108.40.206|220.127.116.11|Visit Now|
|Neustar DNS|18.104.22.168|22.214.171.124|Visit Now|
Change DNS tutorial on Windows 10
1. Open Network and Sharing Centre (in the Control Panel or from the Start Menu)
2. Click on the active Internet connection. It's a blue link in the top right of the window.
3. In the new window, click on Properties.
4. In the new window, double click on Internet Protocol Version 4 (TCP/IPv4) or select Internet Protocol Version 4 (TCP/IPv4) and click on Properties.
5. In the new window, select Use the following DNS server addresses and input the preferred and alternate server addresses. In my case, OpenVPN server. Then click OK. You're all set!
Disable IPv6 tutorial on Windows 10
Once you're done, you can disable IPv6 from the WiFi Properties window. You just need to clear the Internet Protocol Version 6 (TCP/IPv6) check box.
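The same two tutorials can be scripted. The following PowerShell is an added example, not part of the original tutorial: it sets the DNS pair on every connected physical adapter, clears the IPv6 binding, and then reports what each adapter ends up with. The two resolver addresses are placeholders from the documentation ranges, to be replaced with the pair from your chosen provider.

```powershell
# Added example: scripted version of the GUI steps above.
# Run from an elevated PowerShell window (Run as administrator).

# Placeholder resolver pair (documentation address ranges, not real servers).
$Preferred = '192.0.2.53'
$Alternate = '198.51.100.53'

# Every connected physical adapter gets the same pair, so the OS has no
# ISP-assigned resolver left to fall back on.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex `
        -ServerAddresses $Preferred, $Alternate

    # Same effect as clearing the "Internet Protocol Version 6 (TCP/IPv6)"
    # check box in the adapter's Properties window.
    Disable-NetAdapterBinding -Name $a.Name -ComponentID ms_tcpip6
}

# Drop answers that were cached from the previous resolver.
Clear-DnsClientCache

# Verification: list what each adapter now uses and flag anything unexpected.
foreach ($a in $adapters) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex `
                -AddressFamily IPv4).ServerAddresses
    $unexpected = @($dns | Where-Object { $_ -notin $Preferred, $Alternate })
    $ipv6 = (Get-NetAdapterBinding -Name $a.Name -ComponentID ms_tcpip6).Enabled

    [pscustomobject]@{
        Adapter       = $a.Name
        DnsServers    = $dns -join ', '
        UnexpectedDns = $unexpected.Count -gt 0   # should be False
        IPv6Enabled   = $ipv6                     # should be False
    }
}
```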
DNS leak fix 3: Set up your firewall
This solution is a bit more of a hassle. It's not just enabling or disabling features. But it's very efficient. You need to set up your firewall to:
- Block all outgoing connections from your device
- Allow outgoing connections for
  - Your DNS server's IPs
  - Your VPN software IP
These are the general steps. Each firewall software is different. A little search on Google will help you set yours up.
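As an added example (not from the original article), here is how those general steps look with the firewall built into Windows 10, driven from PowerShell. All addresses are placeholders from the documentation ranges and the adapter name is hypothetical. The rule for the VPN's virtual adapter is an assumption added here, because Windows Firewall also filters the traffic that travels inside the tunnel.

```powershell
# Added example. Run from an elevated PowerShell window.
# All values below are placeholders; replace them with your own.
$DnsServers = '192.0.2.53', '198.51.100.53'  # your DNS server's IPs
$VpnServer  = '203.0.113.10'                 # your VPN server's IP
$VpnAdapter = 'Example VPN Adapter'          # hypothetical name; see Get-NetAdapter

# 1. Create the allow rules first, so the machine is not cut off
#    the moment the default action changes.
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "LeakFix: DNS $proto" -Direction Outbound `
        -Action Allow -Protocol $proto -RemotePort 53 -RemoteAddress $DnsServers
}
New-NetFirewallRule -DisplayName 'LeakFix: VPN server' -Direction Outbound `
    -Action Allow -RemoteAddress $VpnServer

# Assumption beyond the list above: traffic inside the tunnel leaves through
# the VPN's virtual adapter and must be allowed there, or nothing gets out.
New-NetFirewallRule -DisplayName 'LeakFix: inside tunnel' -Direction Outbound `
    -Action Allow -InterfaceAlias $VpnAdapter

# 2. Block every other outgoing connection on all profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Review the result. Built-in outbound allow rules that ship enabled still
#    apply, so list them and disable the ones you do not want.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'LeakFix:*' |
    Select-Object DisplayName, Enabled, Action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName

# To undo:
#   Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
#   Remove-NetFirewallRule -DisplayName 'LeakFix:*'
```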
Protect Your Passwords
A VPN is not enough: you also need to protect your passwords. Read my article on how to protect your passwords, in which I give you my TOP 10 do's and don'ts!
Other potential leaks
Teredo: Leaks while torrenting
Wait, what? What is Teredo? Ok, a little explanation: Microsoft uses a protocol called Teredo to allow communication between IPv4 and IPv6.
And some torrent software can access it. But the problem is that when they do, they may send requests outside the VPN tunnel. Therefore, there's another risk of not being protected while using torrents, even with a VPN.
Fortunately, we can solve it easily by disabling Teredo with Command Prompt:
1. Open Command Prompt with a right click and select Run as administrator.
2. Copy the following command and paste it in the window.
netsh interface teredo set state disabled
If you want to re-enable Teredo, copy and paste the following command in the Command Prompt:
netsh interface teredo set state enabled
WebRTC: Leaks from your browser
Sorry Windows users. But there's another threat due to the features of your browser. WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities. Thanks to WebRTC, you can use voice calling, video chat, and P2P file sharing from your browser. There are 3 supported browsers so far: Chrome, Firefox, and Opera.
But the drawback is that your browser communicates outside of your VPN encrypted tunnel… Therefore sharing your real IP address on the websites you visit.
To solve the problem, you must disable this feature on your browser. There is no other way…
As of today, there are no reliable ways to disable it on Chrome and Opera. You can install an extension. But in some cases, the browser can leak your IP address.
Here is the tutorial for Firefox:
- Type about:config into the URL bar.
- Click the button I accept the risk! to access the settings
- Look for media.peerconnection.enabled
- Double-click the line to set Value to false. Done
VPN connection fails: Leaks when your VPN is down
Ok, s*** can happen. You're connected to your favorite VPN and the connection drops. For whatever reason. So your Operating System takes over and connects your device to the Internet, with the default settings. What gives? You're back in the clear…
Fortunately, VPN providers thought about that. That's why most of them offer a kill switch feature. With an Internet kill switch, your VPN software monitors your connection. If the connection drops, then the VPN software stops all your Internet traffic. Until it can get the connection back. I enabled Kill Switch on VyprVPN. Here's what happens if I manually disconnect: I'm not connected to the Internet anymore. Conclusion: No leak at all.
This was my guide: What is a DNS leak? How to prevent your IP from leaking on the Internet? Stay tuned for more articles coming soon.