How to Test for and Fix a DNS Leak

Protect yourself with these tips

Check For and Fix DNS Leaks

Your DNS queries can leak out of your VPN connection from time to time, and that seriously undermines the privacy and security the VPN is supposed to give you.

What Are DNS Leaks?

You can think of your Internet connection in two parts. There's the part you expect, where you connect to a website and receive the data that makes up that website. However, there's another part: to find the location of a website, your computer first has to ask a Domain Name System (DNS) server to map the domain name you entered in the URL to the IP address of the server where the website is hosted.

Now, when you connect through a VPN, the DNS part of your connection occasionally doesn't travel through the tunnel with everything else. Instead, it goes straight to your ISP's resolver, handing over a record of every website you're connecting to. In addition to revealing your browsing activity to your ISP, a DNS leak also reveals your ISP and your location to the websites you visit. Essentially, DNS leaks make your VPN mostly irrelevant.

Why Do DNS Leaks Happen?

DNS leaks primarily arise from an improperly configured VPN connection, although they can also happen due to interruptions in your service. DNS leaks aren't specific to one operating system, but they might be more common with certain configurations, depending on your VPN provider; you can run into leaks on Windows, Mac, Linux, Android, iOS, and any other device or operating system you'd connect to a VPN with.

In a properly configured setup, your computer first establishes a connection to your VPN. To do that, it uses your ISP and their DNS servers. That's perfectly fine, as your ISP always sees that you're connecting to a VPN. Then, the connection should switch to the VPN's DNS, and that server should be reached over the same network as the VPN server. This guarantees DNS traffic is encrypted, because it uses the same tunnel as the rest of your VPN traffic.

Most of the time, your connection is established this way without your knowledge or explicit instruction because VPN clients you download from your provider set things up for you. However, if you're using a default OpenVPN configuration, it's going to be up to you to ensure your connection follows this pattern.

If, for some reason, something goes wrong and this pattern isn't followed, your DNS traffic can escape the VPN tunnel and be observed from the outside. By default, DNS requests aren't encrypted. Some resolvers now support encrypted DNS, but most ISP resolvers don't; even if they did, it wouldn't help much, because the ISP running the resolver would still see every query you make.

While it might sound unlikely for something to go wrong, it's all too possible. For example, imagine your client is configured to use a specific DNS server on the VPN network. If that server is unreachable, or it's overloaded and times out, your client falls back to the default DNS servers configured in your operating system, and you officially have a leak.

How to Test for DNS Leaks From Your Browser

There are a couple of ways to test for DNS leaks. While plenty of VPN services provide their own, one of the best ways is to use dnsleaktest.com. It's straightforward, and it performs a series of tests which can help reveal leaks that don't pop up every time.

  1. When you first arrive on dnsleaktest.com, it'll greet you and display both your IP address and location. You'll also see two options; select Extended test.

    DNS Leak Test.com Displaying IP

    The IP address and location should match your VPN server, not your actual location. If you're seeing your real location there, re-check your VPN connection.

  2. The website will try multiple requests to gain information about your connection. After each one, it'll list the number of DNS servers it was able to trace.

  3. When the test concludes, it should list all the servers it found with their IP address and the owner. You should only see servers from your VPN host listed. If you see multiple different IPs, that's usually an indication your DNS connection is leaking.

    DNS Leak Test Extended Results

    VPN providers often rent server space from other hosts, so the name might not match up. Instead, pay attention to the IP addresses. They should match, or at least be similar to, your external IP.

  4. If you did uncover a leak, you can always try a new configuration, then return to dnsleaktest.com for as many tests as it takes to fix.

Test for a DNS Leak Using a Torrent

Another instance when your IP can leak is also one of the cases where you want it leaking least: torrents. Because torrents work differently than regular web traffic, you can't exactly test your connection with them by the same means. Instead, you're going to need a different tool to test your torrent IP.

ipMagnet lets you use a magnet link to determine which IP address your torrent client is showing to the world.

  1. Open your browser and visit ipMagnet. It's fairly plain, but it has everything you need to test your connection.

    ipMagnet Displaying VPN IP
  2. First, you'll notice your public IP address. That should be your VPN's IP. Select the "Magnet link" link on the page to get a unique magnet link to test with.

    It's probably best you right-click it and copy the location without actually visiting it.

  3. Open your torrent client of choice, and add the magnet link as a new torrent. Your client will start to download from the link.

  4. Meanwhile, turn your attention back to your browser. The ipMagnet page should start listing out data from your connection. If it doesn't, select Update to force it.

    ipMagnet Torrent Results
  5. The IP address you see listed by ipMagnet's table should be your VPN's. Otherwise, you're dealing with a leak.

What Can You Do?

There are two main steps you can take to prevent DNS leaks. The first, and most obvious, is to ensure your configuration is correct. This isn't always in your hands, depending on how you connect, but do what you can.

Whichever method you choose, you should always take precautions to ensure your VPN connection doesn't leak DNS information. It's imperative you test for and avoid DNS leaks because they can subvert everything you're trying to achieve using a VPN.

Using a VPN Client

If you're using a client from your VPN service, ensure you always have the latest version. Keep an eye on any options you have, and ensure they match your server and there aren't any obvious mistakes. Some clients may even have explicit DNS options.

OpenVPN Configuration On Ubuntu Linux

Using a Custom Configuration

If you're configuring your own client, comb through your settings and make sure they match the server. Also download fresh configuration files from your VPN provider regularly, so options don't become outdated and incorrect. Mac and Linux users may also be able to script OpenVPN to switch the system DNS to the VPN's resolvers only, and revert when you disconnect. Some Linux distributions provide these scripts.
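As an added example of the scripting just described (this is not the page's or OpenVPN's own script), the hook below runs as an OpenVPN `up`/`down` script: on connect it writes the resolvers the VPN server pushed into the resolver file and backs up the old one, on disconnect it restores the backup. It assumes a classic static /etc/resolv.conf that nothing else manages, and that the client config contains `script-security 2` plus `up` and `down` lines pointing at this file (the path /etc/openvpn/vpn-dns.sh is an assumed name).

```shell
#!/bin/sh
# OpenVPN up/down hook (added example, not part of the original page).
# Client config assumed to contain:
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh
# OpenVPN exports pushed options as foreign_option_1, foreign_option_2, ...
# (e.g. "dhcp-option DNS 10.8.0.1") and sets script_type to "up" or "down".

RESOLV="${RESOLV:-/etc/resolv.conf}"   # overridable for testing
BACKUP="${RESOLV}.pre-vpn"

# Turn the pushed dhcp-option lines into resolv.conf content.
build_resolv_conf() {
    i=1
    while :; do
        opt=$(eval "printf '%s' \"\${foreign_option_$i:-}\"")
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

vpn_dns_up() {
    content=$(build_resolv_conf)
    # If the server pushed no resolver, keeping the ISP resolver would be
    # exactly the leak we want to avoid, so fail loudly instead of silently.
    [ -n "$content" ] || { echo "VPN pushed no DNS server; refusing" >&2; return 1; }
    [ -f "$BACKUP" ] || cp -p "$RESOLV" "$BACKUP"
    printf '%s\n' "$content" > "$RESOLV"
}

vpn_dns_down() {
    # Restore the pre-VPN resolver file if we saved one.
    if [ -f "$BACKUP" ]; then
        mv -f "$BACKUP" "$RESOLV"
    fi
}

case "${script_type:-}" in
    up)   vpn_dns_up ;;
    down) vpn_dns_down ;;
esac
```

Because the hook refuses to run when no resolver was pushed, a misconfigured server shows up as a failed connection rather than a silent leak.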

VPN Kill Switch

There's another option when you're serious about stopping VPN leaks. You can use a VPN kill switch to shut down your Internet access entirely whenever you're not connected to the VPN. Some client software includes a kill switch; check your client's settings to see if you have one available. It's usually as easy as checking a box.

Firewall

A firewall can also serve as a VPN kill switch. It can be set up to block every connection that doesn't go through the VPN or to your local network. The firewall option isn't for everyone, and it's not always the easiest, but it can be the most reliable.
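As an added illustration of the firewall kill switch (not a ruleset from the page or any VPN provider), the function below generates an nftables ruleset for Linux: everything may leave through the tunnel interface, the LAN stays reachable, the only hole in the physical interface is the VPN endpoint itself, and any DNS query that would otherwise leave the tunnel is logged and dropped. The endpoint 203.0.113.10 on UDP 1194, the interface name tun0 and the LAN 192.168.1.0/24 are assumed values you would replace with your own.

```shell
#!/bin/sh
# Generate a VPN kill-switch ruleset for nftables (added example, not from the page).
# Usage: gen_killswitch_rules VPN_IP VPN_PORT udp|tcp TUN_IF LAN_CIDR | sudo nft -f -
gen_killswitch_rules() {
    vpn_ip="$1"; vpn_port="$2"; vpn_proto="$3"; tun_if="$4"; lan="$5"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Anything going through the tunnel is fine.
        oifname "$tun_if" accept
        # DNS that is not on the tunnel is a leak: log it, then drop it.
        # This sits above the LAN rule so a router that forwards DNS to the
        # ISP cannot become a leak path.
        udp dport 53 log prefix "dns-leak-blocked: " drop
        tcp dport 53 log prefix "dns-leak-blocked: " drop
        ct state established,related accept
        # Local network (printer, NAS) stays reachable.
        ip daddr $lan accept
        # The single hole in the physical interface: the VPN endpoint itself.
        ip daddr $vpn_ip $vpn_proto dport $vpn_port accept
        # Everything else, including IPv6 out the physical interface, hits the drop policy.
    }
}
EOF
}

# When run directly with five arguments, print the ruleset.
if [ "$#" -eq 5 ]; then
    gen_killswitch_rules "$@"
fi
```

The logged "dns-leak-blocked:" entries in the kernel log double as a detector: any hit while you believe the VPN is up means a program tried to resolve names outside the tunnel.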