can I fix a DNS leak
The solution is to ensure that, once connected to the VPN, you are using ONLY the DNS server(s) provided by the VPN service.
OpenVPN v2.3.9+
As of OpenVPN version 2.3.9 you can prevent DNS leaks by specifying a new OpenVPN option. Simply open the configuration file for the server that you are connecting to and add the following on a new line. For more information see the OpenVPN manual.
block-outside-dns
If for any reason you are unable to use the solution above, continue reading.
If you are using a version of OpenVPN older than v2.3.9
Please note that, as this problem normally only affects Windows clients, only solutions for Windows appear
Three basic steps to fix the problem:
Before connecting to the VPN, set static IP address properties if you are using DHCP.
After connecting, remove the DNS settings from the primary interface.
After disconnecting, switch back to DHCP if necessary, or reapply the original static DNS servers.
Solution A – Automatic
If you are using OpenVPN on Windows XP/Vista/7 then a fully automated solution is available.
Download – (md5 checksum:
After installation, when you connect to a VPN server, a batch file is run that executes the three steps above.
Three scripts are generated for each OpenVPN configuration file:
– executed when you initiate the connection, before the connection is established; calls a script that switches any active DHCP adapters to static.
– executed when the connection is established; calls a script that clears the DNS servers for all active adapters except the TAP32 adapter.
– executed after the connection is disconnected; calls a script that reconfigures the adapters back to their original configuration.
Solution B – Manually clearing the DNS
The solution below does not switch the adapter to static if you are using DHCP. If you do not switch to a static IP configuration and your computer renews its IP address whilst connected to the VPN, the DNS settings may be overwritten. It is highly recommended to switch to a static
Open the command prompt as an administrator.
Before connecting, identify the name of the connected network interface. In the case below it is "Local Area Connection":
netsh interface show interface
Connect to the VPN. Once connected, proceed to the next step.
Flush the DNS resolver cache.
Disable the DNS configuration for the interface identified in step 1:
netsh interface IPv4 set dnsserver "Local Area Connection" static 0.0.0.0 both
Test for DNS leaks.
After disconnecting, reconfigure the adapter to restore the previous DNS settings:
netsh interface IPv4 set dnsserver "Local Area Connection" dhcp
Once again, flush the DNS resolver cache.
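The back-up, clear and restore procedure of Solution B (and the audit that Solution A's scripts perform before clearing) as an added PowerShell example. This is not code from the original page or from the OpenVPN project. It assumes Windows 8 / Server 2012 or later (for the NetAdapter and DnsClient cmdlets), an elevated session, and a VPN virtual adapter named 'TAP-Windows Adapter V9'; that adapter name, the backup file path and the function names are the example's own assumptions.

```powershell
# Added example (not from the original page). Requires Windows 8 / Server 2012+ and an
# elevated PowerShell session. The VPN adapter name is an assumption: list adapters with
# Get-NetAdapter and pass the right one via -VpnAdapterAlias.
$BackupFile = Join-Path $env:ProgramData 'dns-leak-fix-backup.json'   # assumed location

function Get-PhysicalAdapter {
    # Every connected adapter except the VPN's virtual adapter.
    param([string]$VpnAdapterAlias)
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $VpnAdapterAlias }
}

function Get-DnsLeakExposure {
    # Audit: each row is a non-VPN adapter that still has DNS servers configured, i.e. a
    # path by which resolver queries can leave the machine outside the tunnel.
    param([string]$VpnAdapterAlias = 'TAP-Windows Adapter V9')
    foreach ($a in Get-PhysicalAdapter -VpnAdapterAlias $VpnAdapterAlias) {
        foreach ($d in Get-DnsClientServerAddress -InterfaceAlias $a.Name) {
            if (@($d.ServerAddresses | Where-Object { $_ }).Count -gt 0) {
                [pscustomobject]@{
                    Adapter    = $a.Name
                    Family     = "$($d.AddressFamily)"
                    DnsServers = ($d.ServerAddresses -join ', ')
                }
            }
        }
    }
}

function Clear-AdapterDns {
    # Step 2 of the article: record the current DNS configuration of the physical
    # adapters, then remove every DNS server from them (both address families).
    param([string]$VpnAdapterAlias = 'TAP-Windows Adapter V9')
    $backup = foreach ($a in Get-PhysicalAdapter -VpnAdapterAlias $VpnAdapterAlias) {
        foreach ($family in 'ipv4', 'ipv6') {
            $dns = Get-DnsClientServerAddress -InterfaceAlias $a.Name -AddressFamily $family -ErrorAction SilentlyContinue
            $ip  = Get-NetIPInterface -InterfaceAlias $a.Name -AddressFamily $family -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Adapter = $a.Name
                Family  = $family
                Servers = @($dns.ServerAddresses | Where-Object { $_ })
                # Assumption: the DNS servers came from DHCP whenever the address did.
                Dhcp    = [bool]($ip -and $ip.Dhcp -eq 'Enabled')
            }
            # 'source=static address=none' empties the server list; it is the documented
            # form of the article's 'static 0.0.0.0' command.
            netsh interface $family set dnsservers name="$($a.Name)" source=static address=none | Out-Null
        }
    }
    if (-not $backup) { throw 'No connected non-VPN adapters found' }
    $backup | ConvertTo-Json -Depth 3 | Set-Content -Path $BackupFile -Encoding UTF8
    Clear-DnsClientCache    # same as the article's "flush the DNS resolver cache"
    $backup
}

function Restore-AdapterDns {
    # Step 3, after the VPN is disconnected: put the adapters back as they were.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $entries = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    # DHCP entries first: -ResetServerAddresses clears both families, so the static
    # entries must be re-applied after it.
    foreach ($e in (@($entries) | Sort-Object -Property Dhcp -Descending)) {
        if ($e.Dhcp -or @($e.Servers).Count -eq 0) {
            Set-DnsClientServerAddress -InterfaceAlias $e.Adapter -ResetServerAddresses
        } else {
            Set-DnsClientServerAddress -InterfaceAlias $e.Adapter -ServerAddresses $e.Servers
        }
    }
    Clear-DnsClientCache
}

# Typical session, following the article's order:
#   Get-DnsLeakExposure      # before connecting: note what is configured
#   Clear-AdapterDns         # once the VPN is up
#   Get-DnsLeakExposure      # should now return nothing
#   Restore-AdapterDns       # after disconnecting
```

Run Get-DnsLeakExposure again after connecting and clearing; any adapter it still lists is one the article's netsh step has not covered. The backup records whether each adapter's address came from DHCP, and the restore treats its DNS servers as DHCP-supplied in that case, which is the same simplification the article's Solution A scripts make.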
What Is A DNS Leak And How To Prevent It? | Techjury
You know they are spying on you online, don’t you?
This isn’t another conspiracy theory. It’s merely a fact you need to know before you understand what a DNS leak is and why it matters.
So, who’s they?
Well, we can start with your ISP, continue with corporations, and reach national agencies and governments.
Businesses do it for better ad-targeting, thus making more sales and increasing their revenue. Security agencies mostly want to make sure you aren’t building a bomb in your basement.
The other reason is someone could be using the Web for criminal activities. In that case, logging your behavior might be acceptable.
We can all agree that terrorism and crime prevention are admirable.
Still, what about our online privacy?
There are over one billion people worldwide who use VPN services to stay safe and anonymous online.
Unfortunately, if your DNS leaks, the primary purpose of a VPN service becomes moot.
So, if you believe that what you do online should be strictly your business, keep reading.
Alright then, let’s start with the basics.
What Is a DNS?
Let’s find out the meaning of DNS, for starters. The acronym stands for “Domain Name System.” You can think of it as an online version of the Yellow Pages.
For instance, when you type in a website address in your browser, your device asks a DNS server where to find it.
See, computing is based on math, and it doesn’t get along with words that well. The Web prefers numbers. The domain names are just a human-friendly mask of the real address of a website.
For instance, the real address of a website looks like 93.184.216.34, but no one in their right mind can remember all the websites’ addresses. That’s why the Domain Name System translates a domain name to an IP address, so your device can reach the desired content.
Here’s how it works:
So you see, there are several DNS servers, which communicate with each other to carry out your requests. Let’s break it down step-by-step.
What Is a DNS Server?
The DNS server is essentially a server with databases of IP addresses. When you type in a URL in your browser, a DNS resolver will communicate with other DNS servers to find the IP address of the particular website. A DNS resolver, a.k.a. a DNS lookup tool, transforms the domain name into the IP of the website. Since the domain name itself doesn’t provide enough information, a DNS resolver finds its IP, thus gaining knowledge of where exactly the site is and how to reach it. You can think of the online space as a treasure map. X marks the spot of the site you want to visit. Still, without a DNS lookup, your device wouldn’t have a clear idea of where to start the search.
These DNS servers are also known as nameservers (NS). You can check a nameserver to find out information about a website – like where it’s hosted, what its IP is, etc.
This is especially helpful if you want to check out a brand, or a website (especially ecommerce sites) to avoid any online frauds. There are many tools you can use to find information about a specific website – here’s an example of an NSlookup online tool.
Usually, you don’t have to worry about DNS servers. Your ISP runs its own, and your router acts as a gateway between your device and the DNS server. So once you search for a website, the ISP’s DNS server finds out where its resources are located – like pictures, videos, text, etc. That’s how sites appear on your screen.
If you are wondering what DNS server your device uses, and who owns it – you can check its DNS via the What is my DNS server website.
Unfortunately, a DNS server (like any other technology) could fall victim to a cyber attack.
What Is DNS Hijacking?
There are two types of DNS hijacking.
One is the so-called transparent DNS proxy which ISPs usually use. It intercepts your requests and forces them to go through the ISP’s server. Thankfully, a DNS leak test could easily find out if your ISP is using a transparent DNS proxy.
The other type of DNS hijacking is when a cybercriminal takes control over a DNS server. It’s also known as DNSChanger malware. That way, the corrupted DNS server could redirect you to a fake version of the site you’re trying to reach. The FBI even published a report on the threat.
So, if you have any doubts about a website, make sure you do a quick background check before you interact with it in any way.
If you notice anything strange about a website (there are always some tell-tale signs if the site is fake), perform a quick check first. Here’s what to do in two simple steps:
Do an nslookup online to find the site’s IP.
Once you obtain it, perform a DNS check via this website. If you see something like the next picture, contact your ISP, or change your DNS server (more on that later).
For this example, I used the IP of a malicious website.
Here’s how it should look if everything’s fine, like with Techjury’s site:
Alright, now that you know what a DNS is and how it works, let’s take it further.
What Is a DNS Leak and Why Does It Matter?
There’s one relevant question you can ask yourself – “What is my DNS, and is it secure?”
You can find the answer by asking Mr. Whoer. It’s a useful tool, which provides tips on how to improve your privacy.
Anyway, back to what a DNS leak is.
As mentioned before, your requests travel through your ISP’s DNS server. So, in theory, your ISP knows everything you do online. That’s why a DNS leak is a serious privacy issue. Your ISP logs your IP, the sites you visit, and their IP addresses.
In a perfect world, you shouldn’t care that your ISP monitors all your internet traffic. Unfortunately, that’s not the world we live in.
But it gets worse.
Your Internet service provider can sell your data to third parties – like corporations or malicious actors. This data includes your browsing history, the physical location of your device, your name, and other sensitive information. There’s even an experiment by that proves it.
You see, your ISP’s monitoring isn’t wrong by itself. The problem is that it can sell or hand out (if an agency demands it) your data. Usually, whoever buys this data has a financial benefit in mind. Be it to show you better-targeted ads, or to use your information for criminal activities.
So, if you aren’t taking any precautions to ensure the safety of the “online you,” you can forget about online privacy. Thankfully, we’ll fix that by the end of this article.
Your personal data isn’t a product for sale. That’s why you should protect it. Find out how.
That’s one of the reasons why more and more people get a VPN – to ensure their online safety and anonymity. Unfortunately, your DNS may leak even if you use a VPN.
Usually, a VPN service guides your data streams through an encrypted tunnel. Although it’s considered secure, sometimes not all of your data goes through that tunnel. Instead, it can leak to your ISP or a third-party’s DNS server.
So before you start trusting your VPN service, make sure you perform a DNS leak test first. Generally, it’s a good rule of thumb to test a VPN before you pay money for it. If you need any help with this task – we tested this and many other important factors, when choosing a VPN service in our evaluations.
Now you know how a DNS leak can jeopardize your online privacy. So let’s see what may cause this issue.
What Causes a DNS Leak and How to Fix It?
Many problems can lead to DNS leaks, no matter if you are using a VPN or not. Coming up next are the most common ones.
#1 – Smart Multi-Homed Name Resolution
Since Windows 8, Microsoft has included Smart Multi-Homed Name Resolution (SMHNR). This feature enables DNS requests to be sent to other servers outside of the VPN tunnel in case the central DNS server fails to respond.
In theory, Windows searches for “the fastest server.” In practice, however, it makes Windows devices liable to DNS leaks.
The SMHNR could eventually open the door for cybercriminals, even if you are using a VPN.
How to Disable Smart Multi-Homed Name Resolution
You can find the SMHNR feature in Windows 8, 8.1, and Windows 10.
How to Disable SMHNR for Windows 8/8.1?
To disable the feature for Windows 8 and 8.1, you have to change your DNS server manually. Here’s how to do it:
Right-click on the “Network” icon.
Select “Properties.”
Click on “Change adapter settings.”
Right-click on your network and choose “Properties.”
Scroll down to find “Internet Protocol Version 4.” Double-click on it.
There you can type in the preferred DNS server you wish to use.
How to Disable SMHNR for Windows 10?
Press “Windows” + R to open the run tab on Windows 10.
Type in “” to open the Local Group Policy Editor.
Go to Administrative Templates -> Network -> DNS Client.
Double-click on “Turn off smart multi-homed name resolution.”
Select “Enabled,” click “Apply,” and then “OK.”
When you finish this operation, perform a DNS leak test to make sure everything works.
#2 – Teredo
Once again, Microsoft aims to enhance its OS, making VPN users unhappy in the process. The billion-dollar company created Teredo to improve the compatibility between IPv4 and IPv6. The Internet Protocol version 4 (IPv4) is the most common standard for IP addresses. It represents four sets of up to three digits. There are “only” four billion IPv4 addresses, which will eventually run out. That’s why IPv6 was developed. IPv6 is IPv4’s successor. Since the number of IPv4 addresses is limited, the new IPv6 standard enlarges that number immensely. It consists of eight sets of up to four characters, including both letters and numbers – like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. IPv6 expands the number of available addresses to 340 trillion trillion trillion (that’s 340 undecillion). In simple words, Teredo allows IPv4 connections to read IPv6 addresses.
In essence, this feature aims to improve users’ online experience and provide extended access to websites. Unfortunately for VPN users, Teredo is a tunneling protocol, which can redirect requests away from the VPN tunnel, thus allowing DNS leaks to happen.
How to Disable Teredo?
This one is relatively easy to remove. Here’s a step-by-step guide.
Open your command prompt (press “Windows” + R, type “cmd” in the Run box).
Type in “netsh” -> “interface” -> “teredo” -> “set state disable”.
If you want to be sure you’ve disabled it, type in “show state.”
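The SMHNR and Teredo sections above each describe a manual, click-through change. The following added PowerShell example (not from the original article) audits both settings and, with -Apply, makes the same two changes from an elevated session. The registry value DisableSmartNameResolution under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient is what the Group Policy item "Turn off smart multi-homed name resolution" writes; the function names are this example's own.

```powershell
# Added example (not from the original page). Audits the two Windows features discussed
# above and, with -Apply, disables them. Elevated session required; Windows 8/8.1/10.
$SmhnrPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-SmhnrState {
    # 'Disabled' when the policy value is 1, otherwise 'Enabled' (the Windows default).
    $p = Get-ItemProperty -Path $SmhnrPolicyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
    if ($p -and $p.DisableSmartNameResolution -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-Smhnr {
    # Same effect as setting the Group Policy item to Enabled. Reboot before re-running
    # a leak test so the DNS Client service picks the policy up.
    if (-not (Test-Path $SmhnrPolicyKey)) { New-Item -Path $SmhnrPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $SmhnrPolicyKey -Name DisableSmartNameResolution -Value 1 -Type DWord
}

function Get-TeredoType {
    # 'netsh interface teredo show state' prints a 'Type : ...' line, which reads
    # 'disabled' once the article's 'set state disable' step has been applied.
    $m = netsh interface teredo show state |
         Select-String -Pattern '^\s*Type\s*:\s*(\S+)' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.ToLower() } else { 'unknown' }
}

function Disable-Teredo {
    netsh interface teredo set state disabled | Out-Null
}

function Invoke-DnsLeakHardening {
    # Report both settings; with -Apply, remediate first and then report the result.
    param([switch]$Apply)
    if ($Apply) { Disable-Smhnr; Disable-Teredo }
    [pscustomobject]@{
        SmartMultiHomedNameResolution = Get-SmhnrState   # want 'Disabled'
        TeredoType                    = Get-TeredoType   # want 'disabled'
    }
}

# Invoke-DnsLeakHardening          # audit only
# Invoke-DnsLeakHardening -Apply   # disable both, then re-check
```

The audit form is safe to run on any machine; keeping it separate from the -Apply form lets you confirm the two settings are still in the desired state after Windows updates, which is when policy and netsh state tend to drift.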
#3 – IPv6
Although IPv4 addresses are still the majority throughout the Web, IPv6 is slowly, but surely becoming the new standard for IP addresses.
When you use a VPN which doesn’t support IPv6, every request you make to an IPv6 address bypasses the VPN tunnel. That way you may experience DNS leaks without even knowing it.
How to Make Sure Your VPN Doesn’t Leak Your DNS When Accessing IPv6 Addresses?
For the best DNS leak protection, look for a VPN service which explicitly supports IPv6 addresses. Once you’ve set your mind on one, do a DNS leak test first to make sure IPv6 won’t cause any DNS leaks.
#4 – Manual DNS Configuration
This problem could have several explanations – users may improperly configure their VPN settings, those of their device, or both. This issue could occur most often with users who connect to the Web from different locations – home, office, café, etc. In that case, the network may automatically assign DNS servers to your requests.
In that case, your requests may bypass the VPN tunnel and cause DNS leaks.
Configuring the proper settings is of utmost importance for protection against a DNS leak.
How to Fix This?
If your VPN provider doesn’t own its DNS servers, that means it rents them from a third-party. In that case, the best option to ensure all your requests are going through the VPN tunnel is to use a public DNS resolver.
Popular options include OpenDNS, Google Public DNS, and Cloudflare’s 1.1.1.1. All three DNS resolvers are free and will redirect your traffic through the VPN tunnel.
You could use any of those or other, even if you aren’t concerned with DNS leaks. They are a great option if you experience slow internet speed, for example.
Here’s a tip on VPN configuration that could save you a ton of trouble. And it applies to every technology!
If you aren’t sure what you’re doing – leave the settings to default. Most VPN services are configured by default to keep your traffic in the encrypted tunnel. Still, it’s worth it to test your DNS for leaks from time to time.
If you are wondering which of the three DNS resolvers you should use, we would recommend Cloudflare’s 1.1.1.1. It’s the newest and fastest DNS resolver out there and is available for all devices. It encrypts the traffic leaving your device, thus preventing DNS spoofing. Here’s how you can set it up.
#5 – a Compromised Router
If cybercriminals control a router, chances are they will redirect your traffic outside the safety of the VPN tunnel. What’s worse is you’ll get redirected to malicious websites, which could cause you a severe headache.
If your home router is infected, the best thing to do is to call your ISP and let them fix the problem. Otherwise, if you have the skills for it, you can reconfigure your router to communicate with a trusted DNS server.
If this happens at a café (the so-called eavesdropping, or Man-in-the-Middle attack), you probably won’t notice it outright. That’s why you should use a VPN service, combined with a secure DNS server to create adequate protection against such a threat.
#6 – Your VPN Service May Leak Your DNS
Although the primary purpose of VPN services is to ensure you browse the Web securely and anonymously, they aren’t flawless. Even if you take all the necessary precautions, your VPN may still give you away. Be it because its server went down, its kill switch didn’t work correctly, and so on. That’s why it pays to perform a DNS leak test when using a VPN.
How to Fix a VPN DNS Leak?
First of all, make sure your VPN is DNS and IP leak secure. Most of the VPN services are, but it’s still worth checking.
There are also VPN monitoring services you can use for this exact purpose. This adds another layer of security on top of the VPN you’re using.
Unfortunately, all VPN monitoring services are either paid or a more expensive version of an already paid service. So it may not be the right solution for average users because of their price.
With that in mind, find a VPN service that has a built-in kill switch and DNS leak protection.
If you don’t want to face any of these problems (and I bet you don’t), take all the necessary precautions. It’s easy as pie.
How to Prevent a DNS Leak?
Since you already know what a DNS leak is and why it could be a privacy threat, let’s see how you can protect yourself.
If you’ve read everything so far, you’d already have a good enough idea how to prevent a DNS leak. Still, let’s summarize the most bulletproof methods for DNS leak prevention.
Use a VPN Service
We talk about VPNs a lot here on Techjury. That’s because they are quite the practical pieces of software.
So what do you need from a VPN service to feel safe and anonymous online?
Here’s a quick summary of the features you’ll need from your VPN service if you don’t want to worry about DNS leaks.
Look for a VPN with built-in DNS and IP leak protection.
Most VPN providers offer this feature. These features rarely fail, and they provide another layer of protection that increases your overall online security.
Choose a VPN service with an automatic kill-switch.
You can’t predict if your VPN connection will last during the whole session. Sometimes the VPN server may shut down, due to an unexpected error, or your secure connection may drop.
That’s when the kill-switch kicks in, automatically disconnecting your device from the network. That way, it protects any data that may slip out of the encrypted tunnel.
Find a VPN provider that owns its DNS servers.
Some VPN providers out there only rent their servers. This means they have limited to no control over them. In terms of privacy, that’s not the best option, since you can’t possibly know what happens to your data.
Furthermore, a VPN leak test can’t reveal what happens with the information on the server, so keep that in mind when you choose your provider.
Just to be super-safe, make sure your VPN provider has a strict no-logging policy.
Even if your VPN software is secure, it may still log your IP and what you do online. That’s why you should be extra careful with logging policies and government jurisdiction.
You can find out everything you need to know about policies and jurisdictions in our VPN guide.
So Which VPN Service Provider Should I Choose?
Now that you know you need a VPN service, you can read reviews on the best VPN service providers. To make it even easier for you to choose one – here are the top three services, which can guard you against a DNS leak:
Perfect Privacy VPN
Although VPN services are a great tool to keep your connections safe and private, you can add an extra layer of security.
Use a Public DNS Resolver
There are at least a dozen public DNS resolvers that you could use.
The most famous ones are Google Public DNS, OpenDNS, and Cloudflare’s 1.1.1.1. They are all free and provide reasonable safety. Still, speed is also an essential factor, and Cloudflare wins the trophy.
On top of that, Cloudflare’s 1.1.1.1 encrypts your data, which adds additional security against data breaches and Man-in-the-Middle attacks.
You’ve probably noticed DNSFilter didn’t enter the list mentioned above. That’s because it’s an industry solution and you can’t use it for free.
Whichever one you choose, again, a DNS leak test is in order.
Configure Your Firewall
Think of your firewall as a defensive army in front of the gates of your castle (your device). It doesn’t allow the enemy in, nor the eventual traitors out of the castle. In terms of DNS leaks, you should tell your army to stop anyone from leaving, except the trusted messenger – your VPN service.
In other words – configure your firewall, so it allows traffic to go only through the VPN tunnel. That way it will block all other apps sending requests to the Web, thus preventing a DNS leak.
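One way to express "DNS only through the VPN tunnel" in Windows Firewall, as an added PowerShell example that is not from the original article. Windows Firewall evaluates block rules before allow rules, so the rule here blocks outbound DNS (UDP and TCP port 53) on every adapter other than the VPN's virtual adapter and needs no matching allow rule. The adapter name 'TAP-Windows Adapter V9', the rule prefix and the function names are assumptions of this example.

```powershell
# Added example (not from the original page). Elevated session required.
# Adapter names are assumptions: check yours with Get-NetAdapter.
function Set-DnsEgressToVpnOnly {
    param(
        [string]$VpnAdapterAlias = 'TAP-Windows Adapter V9',
        [string]$RulePrefix      = 'DNS leak guard'
    )
    # Every adapter except the VPN's. Disconnected adapters are included on purpose:
    # the block should already be in place when, say, Wi-Fi comes up later.
    $others = Get-NetAdapter | Where-Object { $_.Name -ne $VpnAdapterAlias } |
              Select-Object -ExpandProperty Name
    if (-not $others) { throw 'No non-VPN adapters found' }

    # Idempotent: drop any earlier rules carrying our prefix before re-creating them.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$RulePrefix ($proto 53 off-tunnel)" `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 `
            -InterfaceAlias $others -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName "$RulePrefix*"
}

function Remove-DnsEgressGuard {
    # Undo: remove the rules so DNS works normally again without the VPN.
    param([string]$RulePrefix = 'DNS leak guard')
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Set-DnsEgressToVpnOnly      # apply while the VPN adapter exists
# Remove-DnsEgressGuard       # lift the block when you stop using the VPN
```

Two caveats a practitioner would check: the rules cover classic DNS on port 53 only, so a client configured for DNS over HTTPS or DNS over TLS (ports 443 and 853) is outside their scope; and if the VPN software renames or re-creates its adapter, re-run the function so the new name is excluded rather than blocked.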
Use a Safe Browser
Yep, your browser could also leak your address. It’s because of a built-in API definition in Chrome, Firefox, and Opera to enable Real-Time Communications. RTC enables voice and video chat, as well as peer-to-peer file sharing. It’s called WebRTC.
The problem with WebRTC is it sends data packets containing your IP address to a server, which isn’t always your default DNS server.
You can check if your browser is leaking any information by performing a WebRTC leak test.
Furthermore, hundreds of browser extensions could leak your DNS even if you are using a VPN.
If you want to minimize the risk of a DNS leak (or any other data leak) you can switch to a safer browser.
TOR is the first option that comes to mind in terms of online privacy and security.
However, TOR has many drawbacks, which make it an unpopular option. Since the traffic goes through the so-called “onion layers” to provide better protection, it does so as a trade-off with speed. Not to mention that by default, using TOR is considered a shady business.
Anyway, if you aren’t using TOR for illegal activities, it’s still one of the best (and likely an overkill) option for browsing the Web privately.
There are also some Chromium-based browsers – like Brave and Iridium, which are tweaked for privacy.
Although they are privacy-focused, all Chromium-based browsers use WebRTC, so you should disable all browser fingerprinting.
In case you are a Firefox fan, you could use Waterfox or IceCat, which are forks of Mozilla’s browser. They are both free and provide better privacy than Firefox.
Whichever one you choose, or continue to stick with your own, guess what – do a DNS leak test. And here’s how you can do one.
Free DNS Leak Test Tools Online
Usually, even one test could tell you if your system is leaking your DNS, IP, or any other information.
Here’s where you can do that:
This tool will tell you if your system is leaking not only your IP address but DNS and WebRTC as well. It also provides some other useful information like geo-location and system information.
This website’s “Extended” DNS leak test performs 36 queries to find out all DNS servers and any potential leaks.
Here you can do a DNS leak test, an email leak test (which is a rare option), and an IPv6 leak test.
If you want more detailed information about your connection, this is the tool to use. It offers information about your IP, DNS, ISP, browser headers, etc.
These tools can determine if your system is leaking your DNS or any other sensitive information. Furthermore, almost every VPN provider’s website offers such a test, so feel free to check them out as well.
Your online privacy and security aren’t a given. You have to take some precautions to keep your online identity safe and anonymous.
If you value your privacy, you’ll need to combine several solutions – a VPN service, a firewall, and a browser. You could also add another layer of security by using a public DNS resolver, which will guarantee your traffic doesn’t go through your ISP’s DNS server.
Yeah, I know it sounds like a lot of work, but rest assured – it’s not. Once you’ve chosen the best VPN for you, configuring the firewall and the public DNS takes only a few minutes. On top of that, it’s fairly easy to do.
So don’t hesitate to take the steps toward better online privacy.
Stay safe online, and I’ll see you next time.
DNS Leaks: 5 Common Causes and Fixes – TheBestVPN.com
Browsers use the Domain Name System (DNS) to bridge the gap between internet IP addresses (numbers) and website domain names (words).
When a web name is entered, it is sent first to a DNS server where the domain name is matched to the associated IP address so that the request can be forwarded to the correct computer.
This is a huge problem for privacy since all standard internet traffic must pass through a DNS server where both the sender and destination are logged.
That DNS server usually belongs to the user’s ISP, and is under the jurisdiction of national laws. For example, in the UK, information held by ISPs must be handed to law enforcement on demand. Similar happens in the USA, but with the added option for the ISP to sell the data to marketing companies.
While the content of communications between the user’s local computer and the remote website can be encrypted with SSL/TLS (it shows up as ‘’ in the URL), the sender and recipient addresses cannot be encrypted. As a result, every destination visited will be known to whoever has legal (or criminal) access to the DNS logs – that is, under normal circumstances, a user has no privacy over where he goes on the internet.
VPNs are designed to solve this problem by creating a gap between the user’s computer and the destination website. But they don’t always work perfectly. A series of issues means that in certain circumstances the DNS data can leak back to the ISP and therefore into the purview of government and marketing companies.
The problems are known as DNS leaks. For the purpose of this discussion on DNS leaks, we will largely assume that your VPN uses the most common VPN protocol, OpenVPN.
What is a DNS leak?
A VPN establishes an encrypted connection (usually called a ‘tunnel’) between your computer and the VPN server; and the VPN server sends your request on to the required website. Provided the VPN is working correctly, all your ISP will see is that you are connecting to a VPN – it cannot see where the VPN connects you. Internet snoopers (government or criminal) cannot see any content because it is encrypted.
A DNS leak occurs when something unintended happens, and the VPN server is bypassed or ignored. In this case, the DNS server operator (often your ISP) will see where you are going on the internet while you believe he cannot.
This is bad news, since it defeats the purpose of using a VPN. The content of your web traffic is still hidden (by the VPN’s encryption), but the most important parts for anonymity – your location and browsing data – are left unprotected and most likely logged by your ISP.
How to tell if my VPN has a DNS leak?
There’s good news and bad news for detecting a DNS leak. The good news is that checking whether your VPN is leaking your DNS requests is quick, easy and simple; the bad news is that without checking, you’re unlikely to ever know about the leak until it’s too late.
There are many in-browser tools to test whether your VPN has a DNS or other form of data leak, including some made by VPN providers such as AirVPN (review) or If you’re not sure what to do, you could simply go to while you believe your VPN to be operational. This site will automatically check for a DNS leak (and, incidentally, provides a lot more information as well).
Enter into your browser’s address bar.
Once the web page loads, the test begins automatically and you will be shown an IP address.
If the address you see is your IP address and shows your location, and you are using a VPN, this means you have a DNS leak. If your VPN’s IP address is shown, then it’s working normally.
If possible, it’s a good idea to test with multiple online checkers.
Figure 1 shows used with a badly configured VPN. It returns the correct IP address. This is a DNS leak.
Figure 2 shows ipleak used with ExpressVPN configured to use a Belgian server (ExpressVPN lets you select from a range of different countries). There is no DNS leak apparent.
For most users, performing this check before continuing to browse other sites will be sufficient. For some users, this won’t be a perfect solution, as it requires you to connect to the internet and send DNS requests to access the checker tools.
It is possible to test for DNS and other leaks without using one of these websites, although it requires you to know your own IP address and how to use the Windows command prompt. It also requires a trusted test server for you to ‘ping’ directly; this could be a private server you know and trust, or one of the following public test servers:
To do this, open the command prompt (go to the start menu, type “cmd” and press Enter), and then enter the following text:
ping [server name] -n 1
Replace [server name] with the address of your chosen test server (for example “ping -n 1”), and press Enter. If any of the IP addresses found in the resulting text match your personal or local IP, it’s an indicator that a DNS leak is present; only your VPN’s IP address should be shown.
Figure 3 shows the result with ExpressVPN running. Notice that the only IP address returned is the Belgian IP as shown in Figure 2. There is no DNS leak apparent.
If you find that that your VPN has a DNS leak, it’s time to stop browsing until you can find the cause and fix the problem. Some of the most likely causes of a DNS leak and their solutions are listed below.
DNS Leaks Problems and Solutions
The Problem #1: Improperly configured network
This is one of the most common causes of DNS leakage for users who connect to the internet through different networks; for example, someone who often switches between their home router, a coffee shop’s WiFi and public hotspots. Before you connect to your VPN’s encrypted tunnel, your device must first connect to the local network.
Without the proper settings in place you can be leaving yourself open to data leaks. When connecting to any new network, the DHCP settings (the protocol that determines your machine’s IP address within the network) can automatically assign a DNS server to handle your lookup requests – one which may belong to the ISP, or one that may not be properly secured. Even if you connect to your VPN on this network, your DNS requests will bypass the encrypted tunnel, causing a DNS leak.
In most cases, configuring your VPN on your computer to use the DNS server provided or preferred by your VPN will force DNS requests to go through the VPN rather than directly from the local network. Not all VPN providers have their own DNS servers though, in which case using an independent DNS server such as OpenDNS or Google Public DNS should allow DNS requests to go through the VPN rather than directly from your client machine. Unfortunately, changing the configuration in this way depends a great deal on your specific VPN provider and which protocol you’re using – you may be able to set them to automatically connect to the correct DNS server no matter which local network you connect to; or you may have to manually connect to your preferred server each time. Check the support for your VPN client for specific instructions.
If you have to manually configure your computer to use a chosen independent DNS server, you can find step-by-step instructions in the section ‘Change your settings to a trusted, independent DNS server’ below.
The Problem #2: IPv6
Usually, when you think of an IP address, you think of a 32-bit code consisting of 4 sets of up to 3 digits, such as 123.123.123.123 (as described above). This is IP version 4 (IPv4), currently the most common form of IP address. However, the pool of available unused IPv4 addresses is getting very small, and IPv4 is being replaced (very slowly) by IPv6.
IPv6 addresses consist of 8 sets of 4 characters, which can be letters or numbers, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
The internet is still in the transition phase between IPv4 and IPv6. This is creating a lot of problems, especially for VPNs. Unless a VPN explicitly has IPv6 support, any request to or from your machine sent over IPv6 – or sent using a dual-stack tunnel to convert IPv4 to IPv6 (see Teredo below) – will completely bypass the VPN tunnel, leaving your personal data unprotected. In short, IPv6 can disrupt your VPN without you being aware of it.
Most websites have both IPv6 addresses and IPv4 addresses, though a significant number are still IPv4-only. There are also a few websites which are IPv6 only. Whether your DNS requests are for IPv4 or IPv6 addresses will usually depend on your ISP, your network equipment (such as wireless router) and the specific website you’re trying to access (with implementation of IPv6 still incomplete, not all users will be able to access IPv6-only websites). The majority of DNS lookups will still be IPv4, but most users will be unaware of whether they are making IPv4 or IPv6 requests if they are able to do both.
A 2015 study by researchers from Sapienza University of Rome and Queen Mary University of London ("A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients") examined 14 commercial VPN providers and found that 10 of them, a disturbingly high proportion, leaked IPv6 traffic.
While IPv6 leakage is not strictly the same as a standard DNS leak, it has much the same effect on privacy. It is an issue that any VPN user should be aware of.
If your VPN provider fully supports IPv6 traffic, this kind of leak should not be a problem for you. Some VPNs without IPv6 support instead offer an option to block IPv6 traffic. An IPv6-capable VPN is still the better choice, because transition tunnels such as Teredo carry IPv6 inside ordinary IPv4 UDP packets, and a filter that only blocks native IPv6 on the adapter will not catch them (see Teredo below). Many VPNs, unfortunately, make no provision for IPv6 at all and will always leak IPv6 traffic. Before using a commercial VPN, find out what provision it has made for IPv6, and choose one with full support for the protocol.
The Problem #3: Transparent DNS Proxies
Some ISPs have adopted a policy of forcing their own DNS servers into the picture even when a user has configured a third-party resolver. The ISP runs a transparent proxy, a device in its network that intercepts traffic to UDP and TCP port 53 regardless of the destination address and redirects it to the ISP's own DNS server. This is effectively the ISP forcing a DNS leak and disguising it from the user: your settings show the third-party server, but the ISP's server is the one answering. Most DNS-leak detection tools detect a transparent DNS proxy in the same way as a standard leak.
Fortunately, OpenVPN 2.3.9 and later on Windows have an easy way to defeat transparent DNS proxies. Locate the OpenVPN configuration file for the server you wish to connect to (these are stored locally, usually in C:\Program Files\OpenVPN\config; see the OpenVPN manual for details), open it in a text editor such as Notepad and add the line:
block-outside-dns
This option uses the Windows Filtering Platform to block DNS traffic on every interface except the tunnel, so a query never reaches the ISP's network where it could be intercepted. It is a client-side option: it needs a current OpenVPN client, not any support from your provider. Users of older OpenVPN versions should update to the newest release; if your provider's own client is built on an old OpenVPN and offers no equivalent, it may be time to look for a newer VPN. Beyond the OpenVPN fix, many better-made VPN clients have their own built-in provisions against transparent DNS proxies; refer to your VPN's support documentation for details.
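A quick way to check for a transparent DNS proxy from the Windows side, as an added example that is not part of the original article: send a query to an address that can never legitimately answer. 192.0.2.1 lies in the TEST-NET-1 range that RFC 5737 reserves for documentation; it is not routed on the public Internet, so a genuine query to it must time out. If an answer comes back, something between you and the resolver intercepted port 53. The function uses only the built-in Resolve-DnsName cmdlet; the control query to 8.8.8.8 is an assumption (any reachable public resolver will do) and exists only to distinguish "no proxy" from "no network". Run it once with the VPN disconnected, to test the ISP path, and once connected, to test the tunnel path.

```powershell
# Added example (not from the original article): detect a transparent DNS
# proxy by querying a sinkhole address that cannot legitimately reply.
function Test-TransparentDnsProxy {
    param(
        [string]$Name    = 'example.com',
        # TEST-NET-1 (RFC 5737): reserved for documentation, never routed,
        # so no real answer can come from it.
        [string]$Sink    = '192.0.2.1',
        # Assumption: a real, reachable public resolver used only as a control.
        [string]$Control = '8.8.8.8'
    )
    $opts = @{
        Name = $Name; Type = 'A'; DnsOnly = $true; NoHostsFile = $true
        QuickTimeout = $true; ErrorAction = 'SilentlyContinue'
    }

    # If even the control resolver does not answer, the sink test proves nothing.
    if (-not (Resolve-DnsName @opts -Server $Control)) {
        return [PSCustomObject]@{
            Result = 'Inconclusive'
            Detail = "No answer from $Control either; check connectivity first"
        }
    }

    $answer = Resolve-DnsName @opts -Server $Sink
    if ($answer) {
        $ips = ($answer | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', '
        [PSCustomObject]@{
            Result = 'Intercepted'
            Detail = "$Sink 'answered' $Name with $ips; something on the path is rewriting port 53"
        }
    } else {
        [PSCustomObject]@{
            Result = 'Clean'
            Detail = "$Sink timed out as it should; no transparent DNS proxy on this path"
        }
    }
}

Test-TransparentDnsProxy
```

With block-outside-dns active and the VPN up, the sink query leaves through the tunnel and is dropped on the far side, so the expected result there is Clean; an Intercepted result with the VPN down but Clean with it up is exactly the ISP-side proxy the section describes.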
The Problem #4: Windows 8, 8.1 or 10's insecure "features"
Windows 8 and later include a feature called "Smart Multi-Homed Name Resolution", intended to speed up name lookups on machines with more than one network interface. Instead of querying only the DNS servers of the preferred interface, it sends DNS queries out over all available interfaces to all configured DNS servers. Originally, Windows only accepted an answer from a non-preferred server if the preferred servers (usually the ISP's own, or those set by the user) failed to respond. That alone greatly increases the incidence of DNS leaks for VPN users, but as of Windows 10 the feature by default accepts the response from whichever server answers first. This not only leaks queries off the tunnel but also lets an attacker on the local network win the race and spoof DNS responses.
This is perhaps the most difficult kind of DNS leak to fix, especially in Windows 10, because the behaviour is built into the Windows DNS client. For VPN users on the OpenVPN protocol, a freely available open-source plugin (available here) is possibly the best and most reliable solution.
Smart Multi-Homed Name Resolution can be switched off through the policy "Turn off smart multi-homed name resolution" (under Computer Configuration, Administrative Templates, Network, DNS Client) in the Local Group Policy Editor. Home editions of Windows do not include the Group Policy Editor, so there the same setting has to be written directly to the registry value that the policy controls. Even with the feature switched off, Windows still falls back to sending the query to the other interfaces' servers if the first server fails to respond, so it's highly recommended to use the OpenVPN plugin to fully address this issue.
It may also be helpful to check US-CERT's guidelines here. Smart Multi-Homed Name Resolution has significant enough security implications that the agency issued its own alert on the subject.
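The registry route described above, as an added example that is not part of the original article: the script writes the value behind the "Turn off smart multi-homed name resolution" policy, which the DNS client reads directly, so it works on Home editions that lack gpedit.msc. It also sets the documented Dnscache parameter that stops the resolver racing A and AAAA queries against every configured server, which is what the Windows 10 "fastest answer wins" behaviour relies on. It assumes an elevated PowerShell prompt; the DNS Client service reads these values at start-up, so reboot afterwards.

```powershell
# Added example (not from the original article): switch off Smart Multi-Homed
# Name Resolution from the registry and verify the result. Run elevated.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$CacheKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Disable-SmartNameResolution {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # 1 = policy "Enabled" = feature switched off (same value gpedit.msc writes).
    Set-ItemProperty -Path $PolicyKey -Name 'DisableSmartNameResolution' -Value 1 -Type DWord
    # Stop the resolver from sending A and AAAA queries in parallel to every
    # configured server; the Windows 10 "first answer wins" race depends on it.
    Set-ItemProperty -Path $CacheKey -Name 'DisableParallelAandAAAA' -Value 1 -Type DWord
    # Drop cached answers obtained before the change.
    Clear-DnsClientCache
}

function Test-SmartNameResolutionDisabled {
    $p = Get-ItemProperty -Path $PolicyKey -Name 'DisableSmartNameResolution' -ErrorAction SilentlyContinue
    $c = Get-ItemProperty -Path $CacheKey  -Name 'DisableParallelAandAAAA'   -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        SmartNameResolutionOff = ($p.DisableSmartNameResolution -eq 1)
        ParallelAandAAAAOff    = ($c.DisableParallelAandAAAA -eq 1)
        RebootRequired         = $true   # values are read when the DNS Client service starts
    }
}

Disable-SmartNameResolution
Test-SmartNameResolutionDisabled
```

As the section says, this only stops the parallel race; Windows still falls back to the other interfaces' servers when the first one times out, so the registry change complements, rather than replaces, blocking off-tunnel DNS at the firewall or with block-outside-dns.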
The Problem #5: Teredo
Teredo is Microsoft's IPv6 transition technology and a built-in feature of Windows. It tunnels IPv6 packets inside IPv4 UDP so that a host on an IPv4-only network can still reach IPv6 services, which for some is an essential bridge while IPv4 and IPv6 coexist. For VPN users it is more importantly a glaring security hole: because Teredo is itself a tunnelling protocol with its own route for IPv6 destinations, traffic to those destinations can take the Teredo path instead of your VPN's encrypted tunnel, bypassing it and leaking both the traffic and the DNS lookups that go with it.
Fortunately, Teredo is easily disabled from within Windows. Open the command prompt as an administrator and type:
netsh interface teredo set state disabled
While you may experience some issues when connecting to certain websites or servers or using torrent applications, disabling Teredo is a much more secure choice for VPN users. It’s also recommended to switch off Teredo and other IPv6 options in your router or network adapter’s settings, to ensure that no traffic can bypass your VPN’s tunnel.
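The adapter-side part of that advice, as an added example that is not part of the original article: audit where an IPv6 default route currently lives, then disable Teredo together with the other IPv6-over-IPv4 transition tunnels (6to4 and ISATAP, which would slip past a filter that only blocks native IPv6) and unbind IPv6 from every adapter except the VPN's. It assumes an elevated PowerShell prompt and that the VPN's virtual adapter is an OpenVPN TAP-Windows adapter, matched by its interface description; change the pattern for a Wintun, DCO or other client's adapter.

```powershell
# Added example (not from the original article): find and close the IPv6
# paths that bypass the VPN tunnel. Run elevated.
#Requires -RunAsAdministrator

$VpnAdapterPattern = 'TAP-Windows*'   # assumption: OpenVPN's default virtual NIC

$vpn = Get-NetAdapter | Where-Object InterfaceDescription -like $VpnAdapterPattern | Select-Object -First 1
$vpnIndex = if ($vpn) { $vpn.ifIndex } else { -1 }

function Get-IPv6BypassPaths {
    # An IPv6 default route on any adapter other than the VPN's means IPv6
    # traffic will leave outside the tunnel.
    $routes = Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceIndex -ne $vpnIndex } |
        Select-Object InterfaceAlias, NextHop, RouteMetric
    [PSCustomObject]@{
        OffTunnelIPv6DefaultRoutes = @($routes)
        TeredoState                = (Get-NetTeredoConfiguration).Type
        SixToFourState             = (Get-Net6to4Configuration).State
        IsatapState                = (Get-NetIsatapConfiguration).State
    }
}

function Disable-IPv6Bypass {
    # The transition tunnels wrap IPv6 inside IPv4 UDP/protocol 41, so they
    # must be switched off individually; blocking native IPv6 is not enough.
    Set-NetTeredoConfiguration -Type Disabled
    Set-Net6to4Configuration   -State Disabled
    Set-NetIsatapConfiguration -State Disabled
    # Unbind IPv6 from every adapter except the tunnel's, so no native IPv6
    # default route can exist off-tunnel.
    Get-NetAdapter | Where-Object ifIndex -ne $vpnIndex |
        Disable-NetAdapterBinding -ComponentID ms_tcpip6
}

Get-IPv6BypassPaths     # before
Disable-IPv6Bypass
Get-IPv6BypassPaths     # after: no off-tunnel ::/0 routes, all tunnels Disabled
```

Re-enabling is symmetrical (Set-NetTeredoConfiguration -Type Default, Enable-NetAdapterBinding -ComponentID ms_tcpip6), so the change is easy to undo if an application turns out to need IPv6.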
Preventing future leaks
Now that you’ve tested for a DNS leak and either come out clean, or discovered and remedied a leak, it’s time to look into minimizing the chances of your VPN springing a leak in future.
First of all, make sure that all the above fixes have been performed in advance; disable Teredo and Smart Multi-Homed Name Resolution, make sure your VPN either supports or blocks IPv6 traffic, etc.
1. Change settings to a trusted, independent DNS server
Your router or network adapter should have a way to change TCP/IP settings, where you can specify particular trusted DNS servers by their IP addresses. Many VPN providers will have their own DNS servers, and using the VPN will often automatically connect you to these; check your VPN’s support for more information.
If your VPN doesn't run its own DNS servers, a popular alternative is an open, third-party resolver such as Google Public DNS. To change your DNS settings in Windows 10:
Go to your control panel
Click “Network and Internet”
Click “Network and Sharing Center”
Click “Change Adapter Settings” on the left-hand panel.
Right-click on the icon for your network and select “Properties”
Locate “Internet Protocol Version 4” in the window that opens; click it and then click on “Properties”
Click “Use the following DNS server addresses”
You can now enter a preferred and an alternative DNS server address. This can be any server you wish, but for Google Public DNS the preferred DNS server should be 8.8.8.8 and the alternative DNS server 8.8.4.4. See Figure 4.
You may also wish to change the DNS settings on your router – refer to your manual or support for your specific device for further information.
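The same change from an elevated PowerShell prompt, as an added example that is not part of the original article, with two refinements a practitioner would want: the resolvers are pinned on the VPN's tunnel adapter, where the route to them runs inside the VPN, and every other active adapter is left with an empty static DNS list so a DHCP lease renewal cannot hand the ISP's servers back. It assumes an OpenVPN TAP-Windows tunnel adapter (matched by description) and Google Public DNS as the resolvers; substitute your provider's resolvers if it runs its own.

```powershell
# Added example (not from the original article): put trusted resolvers on
# the tunnel adapter only, then list every adapter that could still answer
# a query off-tunnel. Run elevated, with the VPN connected.
#Requires -RunAsAdministrator

$Resolvers         = '8.8.8.8', '8.8.4.4'   # assumption: Google Public DNS
$VpnAdapterPattern = 'TAP-Windows*'         # assumption: OpenVPN's virtual NIC

function Set-TunnelOnlyDns {
    $vpn = Get-NetAdapter | Where-Object InterfaceDescription -like $VpnAdapterPattern | Select-Object -First 1
    if (-not $vpn) { throw 'VPN adapter not found; connect the VPN first' }

    # Trusted resolvers on the tunnel adapter: queries to them ride the VPN.
    Set-DnsClientServerAddress -InterfaceIndex $vpn.ifIndex -ServerAddresses $Resolvers

    # Every other active physical adapter gets a static, empty DNS list.
    # "static none" (rather than resetting to DHCP) is what prevents a lease
    # renewal from restoring the ISP's servers while the VPN is up.
    Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.ifIndex -ne $vpn.ifIndex } |
        ForEach-Object {
            netsh interface ipv4 set dnsservers "$($_.Name)" static none validate=no | Out-Null
        }
    Clear-DnsClientCache
}

function Get-DnsLeakCandidates {
    # Adapters whose IPv4 resolver list contains anything other than the
    # intended resolvers; after Set-TunnelOnlyDns this should be empty.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $off = @($_.ServerAddresses | Where-Object { $_ -notin $Resolvers })
            [PSCustomObject]@{
                Interface = $_.InterfaceAlias
                Servers   = $_.ServerAddresses -join ','
                OffTunnel = ($off.Count -gt 0)
            }
        } | Where-Object OffTunnel
}

Set-TunnelOnlyDns
Get-DnsLeakCandidates   # expect no output once the change has applied
```

When you disconnect, restore the physical adapter with netsh interface ipv4 set dnsservers "<name>" dhcp (or your original static servers); this is the "after disconnecting" step of the three-step fix.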
2. Use a firewall or your VPN to block non-VPN traffic
Some VPN clients include a feature that automatically blocks any traffic not going through the VPN, commonly called a kill switch; look for an 'IP Binding' or 'kill switch' option.
Alternatively, you can configure your firewall to allow traffic in and out only via your VPN. With the built-in Windows Firewall:
1. Make sure you are already connected to your VPN.
2. Open the Network and Sharing Center and check that you can see both your ISP connection (which should show up as "Network") and your VPN (which should show up under the VPN's name). "Network" should be a Private network (called a Home network in Windows 7), and your VPN should be a Public network. If either is set differently, click on it and set the appropriate network type in the window that opens. The rules below are applied per profile, so this classification is what keeps them off the tunnel.
3. Make sure you are logged in as an Administrator and open the Windows Firewall settings (the exact steps vary with your version of Windows).
4. Click "Advanced Settings" (see Figure 5).
5. Locate "Inbound Rules" in the left panel and click it.
6. In the right-hand panel, under Actions, click "New Rule…".
7. In the new window, choose "Program" and click Next.
8. Choose "All Programs" (or select an individual program whose non-VPN traffic you want to block) and click Next.
9. Choose "Block the connection" and click Next.
10. Tick "Domain" and "Private" but make sure "Public" is not ticked. Click Next, give the rule a name and click Finish.
11. Back in the Advanced Settings window, locate "Outbound Rules" and repeat steps 6 through 10.
One caveat before relying on this: Windows Firewall evaluates block rules ahead of allow rules, so an outbound "All Programs" block on the Private profile also blocks the VPN client's own connection to its server, which leaves over the physical adapter. Either restrict step 8 to the individual programs you want confined to the tunnel, or build the rule set the other way round: set the profile's default outbound action to Block and add allow rules only for the VPN client and for the tunnel interface.
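The default-deny form of that rule set, as an added example that is not part of the original article. It sets the default outbound action to Block on every profile, allows only the VPN client reaching its server and anything sent over the tunnel interface, and additionally blocks port 53 on the physical adapters, because the firewall's built-in outbound DNS allow rule would otherwise still let queries leave off-tunnel. It assumes an elevated PowerShell prompt, OpenVPN at its default install path, an OpenVPN TAP-Windows tunnel adapter, and a VPN endpoint at 203.0.113.10 (an RFC 5737 documentation address; replace it with your server's IP).

```powershell
# Added example (not from the original article): a firewall-based VPN kill
# switch built as default-deny plus allow rules, since block rules would
# otherwise override any allow for the VPN client itself. Run elevated.
#Requires -RunAsAdministrator

$OpenVpnExe = 'C:\Program Files\OpenVPN\bin\openvpn.exe'   # assumption: default install path
$VpnServer  = '203.0.113.10'                               # assumption: your VPN endpoint's IP
$Prefix     = 'VPN kill switch:'

function Enable-VpnKillSwitch {
    $tunnel = Get-NetAdapter | Where-Object InterfaceDescription -like 'TAP-Windows*' | Select-Object -First 1
    if (-not $tunnel) { throw 'OpenVPN TAP adapter not found' }
    $physical = (Get-NetAdapter -Physical).Name

    # Allow rules first, so the default-deny that follows never cuts the live session.
    New-NetFirewallRule -DisplayName "$Prefix client to server" -Direction Outbound -Action Allow `
        -Program $OpenVpnExe -RemoteAddress $VpnServer | Out-Null
    New-NetFirewallRule -DisplayName "$Prefix tunnel traffic" -Direction Outbound -Action Allow `
        -InterfaceAlias $tunnel.Name | Out-Null

    # Explicit block beats the built-in "Core Networking - DNS (UDP-Out)" allow
    # rule, so no resolver can be reached over a physical adapter.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$Prefix no off-tunnel DNS ($proto)" -Direction Outbound -Action Block `
            -Protocol $proto -RemotePort 53 -InterfaceAlias $physical | Out-Null
    }

    # Everything else outbound is dropped, on every profile, until the tunnel is up.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
}

function Disable-VpnKillSwitch {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
    Get-NetFirewallRule -DisplayName "$Prefix*" | Remove-NetFirewallRule
}

Enable-VpnKillSwitch
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
```

Two consequences to plan for: DHCP renewals on the physical adapter keep working because the built-in DHCP allow rule still applies under default-deny, but the VPN server's hostname can no longer be resolved while the tunnel is down, so give it by IP in the OpenVPN config (the remote line) or add an allow rule for port 53 to the one resolver the client needs. Disable-VpnKillSwitch restores the previous behaviour.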
3. Regularly perform a DNS leak test
Refer to the section “How do I Tell if my VPN has a DNS Leak? ” above for instructions. Prevention is not ironclad, and it’s important to check frequently that all your precautions are still holding fast.
4. Consider VPN “monitoring” software
This can add an extra expense on top of your existing VPN subscription, but the ability to monitor your VPN’s traffic in real time will allow you to see at a glance if a DNS check goes to the wrong server. Some VPN monitoring products also offer additional, automated tools for fixing DNS leaks.
5. Change your VPN if necessary
You need the maximum possible privacy. The ideal VPN has built-in DNS leak protection, full IPv6 support, support for current versions of OpenVPN (or the protocol of your choice) and measures in place to counteract transparent DNS proxies. Use in-depth comparisons and reviews to find the VPN that offers everything you need to keep your browsing data private.
Frequently Asked Questions about dns leak fix
Is DNS leak bad?
As mentioned before, your requests travel through your ISP's DNS server, so in theory your ISP knows everything you do online. That's why a DNS leak is a serious privacy issue: your ISP logs your IP, the sites you visit, and their IP addresses.
Why is my DNS leaking?
A DNS leak occurs when something unintended happens and the VPN server is bypassed or ignored. In this case the DNS server operator (often your ISP) can see where you are going on the internet while you believe they cannot. This is bad news, since it defeats the purpose of using a VPN.
How do I stop DNS leaks on my router?
Make sure you are connected to the VPN on your FlashRouter. We recommend using the FlashRouters Privacy App to connect to the VPN, as it was thoroughly tested against DNS leaks and automatically uses your VPN provider's DNS servers.