It is by now a well-worn cliche that the Internet is a double-edged sword. It places an extraordinary range of information at our fingertips and allows us to communicate virtually instantaneously will people all over the world. But the sheer number and sophistication of the cyberattacks to which Internet users are vulnerable is just as incredible. Cybersecurity professionals have had to work overtime to patch up security flaws and try to stay one step ahead of malicious hackers in an ongoing arms race.
At a time when increasing numbers of people are concerned about online privacy and maintaining control over their personal data, DNS leaks are an especially frightening prospect. Below, we’ll explain what DNS leaks are, why they can be such a security threat to you when you’re online, how to detect them and prevent them, and what role VPNs play in all of this.
But first, to round out your understanding and set things in context, we must explain what DNS is.
What is DNS?
DNS, or the Domain Name System, is, if you like, the beating heart of the Internet. It’s the key feature of the Internet that allows you to navigate to your favorite websites using human-readable names.
Fundamentally, the Internet consists of a network of computers, called servers, each of which contains all of the information associated with some given website. When you try to access a website, your computer sends a message to that website’s server requesting access to a webpage. The server then responds and you are granted access.
But how does your computer know which other computer to send the request to? Computers are organized on the Internet by their IP addresses. An IP is a string of numbers, like 192.168.1.1, which identifies a computer. Web browsers are tools that your computer uses to send messages to other computers via their IP addresses. In a nutshell, that’s how the Internet works.
But IPs are often complex and difficult for humans to remember. It is much easier to remember google.com than it is to remember 18.104.22.168, even though entering either one into the search bar of your web browser will allow you to access Google. This is where DNS comes in.
DNS is the service that maps a human-readable domain name like google.com to an IP address like 22.214.171.124. Your ISP does this by way of its DNS resolvers. Your ISP contacts a DNS server and requests the IP address that matches the domain name you entered into your browser. That way, you can enter “google.com” into your browser and your browser will know to send requests to the IP address 126.96.36.199.
How Does a DNS Leak Happen?
Because your ISP ordinarily contacts public DNS servers when you browse the Internet, it has a complete record of all of your online browsing history. Furthermore, these public DNS servers, because they must respond to your requests, have records of your personal IP address. Anyone who properly inspects these public DNS servers will be able to discover your IP address and use it to hack your computer.
A DNS leak is a security flaw wherein the IP addresses and other personal data of Internet users “leak out” because the connections between user ISPs and DNS servers were unencrypted or not secure.
How to Prevent DNS Leaks
For hackers, the IP addresses of their targets are essentially their Holy Grail. IPs are the one crucial bit of information that, more than any other, will allow hackers to exploit the systems they target. As such, it’s paramount that your IP address does not fall into the wrong hands, meaning that anticipating and safeguarding against DNS leaks is deeply important. How should you go about doing this?
First, it is important to detect DNS leaks when they happen or detect when they are likely to happen. This way, you can minimize the risk and damage. Second, perhaps the most important device for preventing DNS leaks is a VPN, or Virtual Private Network. We will discuss each in turn.
Are You At Risk of a DNS Leak?
If you aren’t using a VPN, then, as discussed above, your ISP’s DNS resolvers are already a major source of risk. Since your ISP communicates with public DNS servers over which you have no control, there’s really nothing you can do to detect or prevent a leak. The prudent thing to do in such a situation is to assume that you’re at risk and get a VPN.
VPNs and DNS Leaks
VPNs put a layer of encryption between your personal devices and the broader Internet. Basically, they create a special encrypted tunnel through which all of your devices’ traffic is routed as it goes out to other devices connected to the Internet. Thus, personal information about you, particularly your IP address, is obscured whenever you use a VPN.
In particular, VPNs route your traffic through multiple proxy servers, making it difficult for potential hackers to determine the original source of your traffic, and thus, your real IP address.
Especially important from the point of view of protecting yourself against DNS leaks is that many VPN providers have their own special DNS servers to which they route all DNS requests. Thus, when you browse the Internet with such a VPN and enter a domain name into your web browser, your request doesn’t go to your ISP's public DNS servers, but to private DNS servers owned by your VPN provider. Since everything is encrypted and private, this gives you an added layer of security.
However, it is very important to understand that even with a VPN, you’re not necessarily always safe from DNS leaks. Some VPN providers don’t own their own DNS servers. In other cases, your browser may simply ignore the VPN’s requests to send traffic to the VPN’s DNS servers and may send it to your ISP’s servers instead.
To protect yourself against this possibility, we strongly recommend using a VPN with built-in DNS leak protection features. That feature constantly monitors all DNS requests to ensure that they only go to the VPN provider’s servers.
Testing and Stopping DNS Leaks
To make absolutely sure that you aren’t vulnerable, it also important to periodically carry out DNS leak tests. There are many websites that allow you to test your VPN for DNS leaks, like dnsleaktest.com. If test results show that there has been a leak, you may have to change your DNS server. Here is a comprehensive guide to doing so for all kinds of devices and operating systems.
If you’re using a Windows computer, you may have to disable Teredo, a software that allows your computer to work with both the IPv4 and IPv6 protocols and sometimes causes DNS leaks. To do this, open up the command line and enter the following command exactly as it is written: netsh interface Teredo set state type=default.
Because they can expose your IP address to hacker, DNS leaks are dangerous business. Luckily, there is much you can do to protect yourself against them. In particular, there are many VPNs with special features designed to tackle this very problem. While even such VPNs are not perfect, there are steps you can take to detect and plug up DNS leaks when even your VPN software fails you.