What Are DNS Leaks and How to Avoid Them

By Joel Tope
Last Updated: 2019-06-17T07:33:03+00:00

Do you like your local ISP and government knowing every website you visit? Of course not; you're a human being and have a right to privacy. In the age of the Internet, however, it's fairly easy for these parties to see what you're doing online.

While I don’t recommend visiting illicit and nefarious websites, it’s no one’s business what you do online. After all, why should anyone else know if you visit Facebook, Reddit or a website that provides medical advice?

Thanks to the Domain Name System (DNS), however, you leave a trail of the sites you visit whether you want to or not.

To protect their privacy, many people go online through one of our top picks for VPN, because these services hide most of your online activity from third parties such as your ISP.

A VPN tunnel hides your real public IP address from the sites you visit (they see the VPN server's address instead), encrypts your traffic between your device and the VPN server so your ISP can't read it, and makes your traffic appear to come from the server's location rather than yours. If you have a DNS leak, however, all bets are off. So what exactly is DNS, and how do you avoid a leak?

DNS and IP Addresses Explained

DNS is a fundamental mechanism of the Internet. Without it, the modern Internet would be unusable: at its base, it is a system that maps memorable names to the lengthy, hard-to-remember numeric addresses of servers.

For instance, most people don't know the IP address of their own computer or phone. IP addresses are how computers identify each other on a network, much like a home address in the postal system.

If you wanted to mail a letter to a friend, you would first need to write a complete address on the envelope: country, city, street and house number. Otherwise, the mail carrier wouldn't know where to deliver it.

Likewise, without an address, the Internet wouldn't know which computer (the house) to deliver the data (the letter) to. But there's one big problem: human beings aren't good at remembering strings of numbers. We remember names far more easily.

One example of an IP address is 192.0.2.10. Even if you're good with numbers, that's tough to remember, and a server's address can change over time. So network engineers invented DNS, which lets a name stand in for an address. It is far easier to remember www.google.com than a string of numbers like that.

That's basically how DNS works: whenever you type google.com into your browser, your computer asks a DNS server (a resolver) to translate the name into the server's real IP address. But DNS has a privacy problem. Your computer can't resolve names without a resolver, and every name you look up is sent to whoever runs that resolver. So who runs it?

Many DNS services exist, but more likely than not, your device simply uses the resolver assigned by your ISP when it joins the network.

There are other options. Some are public, such as Google's resolvers at 8.8.8.8 and 8.8.4.4, and your VPN provider may host its own. Note, though, that conventional DNS queries travel unencrypted, so even if you point your device at a public resolver, your ISP can still read the queries as they pass through its network.

Resolvers can also keep highly detailed logs, recording which IP address (such as your computer's) asked to resolve which domain name, and when.

For example, if you look up www.facebook.com, your ISP's resolver can log that your computer asked for Facebook's IP address.

That may not sound bad, because most people use Facebook and there's nothing wrong with that. But most people also look up websites they'd rather not have strangers at an ISP see.

Health websites, online banking, research, and other information really shouldn’t be seen by others. It’s just a bad feeling to know that strangers can see what you do online. After all, no one wants the feeling that big brother is looking over their shoulder as they browse the web.

To avoid this, many people turn to a VPN whose tunnel also carries their DNS queries to the provider's own resolvers. That way, the ISP never sees the lookups and has no record of them to snoop through.

Using a VPN Tunnel and Circumventing DNS Leaks

Just about every VPN service worth using hosts its own DNS servers. Reputable providers publish privacy policies that state explicitly what they log and what they don't, and DNS query data should be in the latter category.

When you connect to your VPN, your device's default DNS server is switched to one hosted by the provider and reached through the encrypted tunnel. Your ISP then sees only encrypted traffic to the VPN server, not the names you look up, because its resolver is no longer being asked.

This is very useful for keeping others from seeing what you do online, especially if you download torrents. It also gets around websites that have been blocked or censored at the DNS level, since the ISP's resolver is no longer consulted.

Be aware, however, that configuration problems and software flaws can send your DNS queries back to your ISP's resolver. Common causes are a dropped VPN connection (which happens fairly regularly), an operating system that sends queries to every configured resolver at once rather than only the tunnel's (Windows does this by default), and IPv6 DNS traffic left outside an IPv4-only tunnel.

When your DNS queries go to a server other than your VPN provider's while you are connected to the VPN, that is a DNS leak. All of your traffic except the DNS queries is routed through the tunnel; the DNS queries "leak" out around it.

This is a big problem because it defeats the ultimate purpose of the tunnel: privacy and security. When a DNS leak occurs, your ISP can see the name of every website you visit, though as long as the site uses HTTPS it still can't see what you did there.

For example, your ISP will be able to see that you visited Netflix, but not what data you sent to the server, what you typed, or your username and password (read our best VPN for Netflix guide if you have trouble accessing that service).

Still, it’s a frightening and invasive prospect to think that strangers can see what you do online. The good news is that there are a couple simple and effective ways to avoid DNS leaks.

How to Avoid DNS Leaks

There are a few ways to prevent DNS leaks from happening in the first place.

First, some VPN providers have built DNS leak protection directly into their applications.

For instance, Private Internet Access has a DNS leak protection feature that keeps your DNS server set to one of PIA's private resolvers and raises an error if things go awry.

If your provider has no such feature (they're not exactly standard), you can build your own with a simple firewall. Just about every firewall worth its salt lets you match on protocol, destination port and destination IP address.

First, look at your network settings after connecting to the VPN to find the address of the provider's resolver. On Windows, run ipconfig /all and note the "DNS Servers" entry on the VPN adapter. On Linux, ip addr (or the older ifconfig) shows the interfaces, and the configured resolvers are listed in /etc/resolv.conf; on systems using systemd-resolved, resolv.conf points at the local stub 127.0.0.53, so use resolvectl status to see the real upstream. On macOS, scutil --dns lists the resolvers.

Then set up a firewall rule that blocks all outbound DNS traffic (UDP and TCP port 53) unless it is destined for that single address, ideally only over the VPN's tunnel interface.

This configuration admittedly has a drawback: you won't be able to resolve domain names unless you're connected to the VPN. The simple solution is to toggle the rule on or off depending on whether you're using the tunnel. It's not a big hassle, but it is a bit of a nuisance.
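To make the procedure above repeatable, here is a small POSIX shell script added as an example; it is not from the article or from any VPN provider. It assumes the VPN pushes resolver 10.8.0.1 on tunnel interface tun0 (both made up), uses 203.0.113.53 as a stand-in ISP resolver, and uses iptables/ip6tables. check_resolvers reads a resolv.conf and flags any nameserver other than the VPN's, and dns_lock on/off adds or removes the blocking rules, which covers the toggle just described. It goes further than the text in two ways: allowed DNS is restricted to the tunnel interface, so a dropped tunnel can't let queries out to the ISP, and IPv6 DNS is blocked as well.

```shell
#!/bin/sh
# Added example (not from the article). Assumed values: the VPN pushes resolver
# 10.8.0.1 and the tunnel interface is tun0; 203.0.113.53 is a documentation
# address standing in for an ISP resolver. Applying rules needs root; set
# DRY_RUN=1 to print the iptables commands instead of executing them.

# run CMD...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# check_resolvers VPN_DNS_IP: read /etc/resolv.conf-style text on stdin and
# report every nameserver that is not the VPN resolver. Returns 1 on a leak,
# or when the VPN resolver is not configured at all.
check_resolvers() {
    ok=$1
    bad=0
    seen=0
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r key value _ || [ -n "$key" ]; do
        [ "$key" = nameserver ] || continue
        if [ "$value" = "$ok" ]; then
            seen=1
        else
            echo "LEAK: resolver $value is not the VPN resolver $ok"
            bad=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "LEAK: VPN resolver $ok is not configured"
        bad=1
    fi
    return "$bad"
}

# dns_lock on|off VPN_DNS_IP TUN_IF: allow DNS only to the VPN resolver and
# only through the tunnel interface; drop all other port-53 traffic on IPv4
# and IPv6. "off" deletes the same rules so names resolve outside the VPN.
dns_lock() {
    case "$1" in
        on)  op=-A ;;
        off) op=-D ;;
        *)   echo "usage: dns_lock on|off VPN_DNS_IP TUN_IF" >&2; return 2 ;;
    esac
    dns_ip=$2
    tun_if=$3
    for proto in udp tcp; do
        # The ACCEPT for this protocol is appended before its DROP, so it wins.
        run iptables "$op" OUTPUT -o "$tun_if" -d "$dns_ip" -p "$proto" --dport 53 -j ACCEPT
        run iptables "$op" OUTPUT -p "$proto" --dport 53 -j DROP
        # An IPv4-only tunnel leaves IPv6 DNS outside it, so block that too.
        run ip6tables "$op" OUTPUT -p "$proto" --dport 53 -j DROP
    done
}

# Constructed sample: the VPN pushed 10.8.0.1, but the ISP resolver is still listed.
SAMPLE_LEAKY='nameserver 10.8.0.1
nameserver 203.0.113.53'

# Demo as a dry run: check the sample, then print the lock and unlock rules.
DRY_RUN=1
printf '%s\n' "$SAMPLE_LEAKY" | check_resolvers 10.8.0.1 || echo "fix the resolver before relying on the tunnel"
dns_lock on 10.8.0.1 tun0
dns_lock off 10.8.0.1 tun0
```

To enforce the rules for real, run the same dns_lock on call as root with DRY_RUN unset, and dns_lock off before disconnecting from the VPN. On Windows the equivalent is an outbound firewall rule that blocks remote port 53 with the VPN resolver as the only exception.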

I also recommend running a DNS leak test every time you connect to a VPN server. It never hurts to verify that things are working as they should.

DNS Leaks 2020 – Final Thoughts

DNS leaks undo a lot of the privacy a VPN tunnel provides. Even when you think your browsing is invisible and untraceable, your ISP could be seeing the name of every website you visit.

Most people aren’t aware of DNS leaks, and it’s probably a good idea to factor DNS leak protection features into your choice of a VPN service.

Remember that not all VPN providers include this feature, so it's better to choose one that does up front. If your current provider doesn't, configuring DNS leak protection with a firewall rule is a simple matter.


Also, remember to check your DNS settings regularly with a DNS leak test website, especially if you download torrents via VPN. Torrents aren't illegal everywhere, but even where downloading via BitTorrent is permitted, there's no reason your ISP needs to know what you're doing.

If you have any questions or concerns, feel free to post comments below. Thank you for reading.