
DNS leak: what it is and how to fix it with DNSCrypt utility. How to hide your DNS

VPNs may not always be able to protect your device's DNS requests, even if all other traffic is securely protected by the VPN tunnel. This is called a "DNS leak". If DNS queries are leaked, third parties, such as your ISP or DNS server operator, can see which websites you visit and which applications you use.

Since DNS is the address book of the Internet, almost everything you do online depends on it. Your browser and other applications use DNS to find the servers that run the sites and services you use. Your device sends a request to a DNS server, which sends back directions to what you are looking for. This is why DNS queries put your privacy at risk.


How can I check if the VPN is protecting me or not?

When configured correctly, ExpressVPN protects you from DNS leaks. The DNS leak test on this page checks that ExpressVPN is doing its job.

How does ExpressVPN prevent DNS leaks?

Without a VPN, your device usually uses the DNS service provided by your Internet service provider. But when you connect to ExpressVPN, your device uses only ExpressVPN's DNS servers. This has several benefits:

  • ExpressVPN DNS servers are fast
  • ExpressVPN does not keep any logs of online activity or connections
  • All traffic between your device and DNS servers is fully encrypted

This is how it works. To open a web page, you enter a URL or click a link in your browser. This URL is sent through ExpressVPN's encrypted tunnel to ExpressVPN's own DNS server. The DNS server looks up the IP address and passes it to the ExpressVPN server, which fetches the desired page and returns it to you in an instant. All traffic stays under the protection of the VPN tunnel.

If I am already using a VPN, why would I need to check for a DNS leak?

One of two things can happen:


In both cases, third parties can see a list of websites and applications that you use.

What causes DNS lookups to leak when using a VPN?

DNS leaks can occur for many reasons. Here are some of them:

  1. Your VPN was configured manually. If you configure a VPN connection by hand, the risk of DNS query leaks increases and depends on your operating system's configuration. Using the ExpressVPN apps removes many of these dangers.
  2. Your router is controlled by an attacker, for example the operator of the Wi-Fi network in a café. An attacker could make your device send DNS requests outside the VPN tunnel. The ExpressVPN apps protect against DNS leaks, but other apps and manual settings may be vulnerable.
  3. Manual DNS configuration. You (or software on your device) instructed the operating system not to use ExpressVPN's DNS servers. Power users may want to query a specific DNS service, but most people are better off not doing this, for security reasons.

The main problem with most programs used in conjunction with Tor (The Onion Router) is DNS query leakage: even though Tor is in use, the program first sends a DNS request in the clear, outside Tor, to obtain the IP address of the final destination, and only then connects to that destination through Tor. This means that finding DNS leaks is critical from the point of view of anonymity.

Let's look at an example. When you refer to a site by its domain name (google.com) instead of its IP address (173.194.70.101), the IP address is resolved from that name. This is done by the Domain Name System (DNS) service. Here the leak occurs: an open, unencrypted request containing the domain name (google.com) is sent over the network to the DNS servers, which lets a curious observer (e.g. SORM-2) learn where you are going. But even if you navigated by typing the IP address (173.194.70.101) into the address bar, a leak is still possible because of requests made by active elements of the pages loaded from the site (for example, JavaScript that gets executed).

DNS queries are short, so they are sent over the UDP transport protocol. If a request does not fit, ordinary TCP transport is used instead, on the same port 53. So we will listen specifically on port 53.

To check the network, use special programs that intercept and analyze network traffic (the information passing through the network). They are also called sniffers.

Option 1: “TCPDump” (Console)

The most famous analyzer is the “tcpdump” program (http://ru.wikipedia.org/wiki/Tcpdump), which is included in most Linux distributions.

Install tcpdump:

sudo apt-get install tcpdump

Then start capturing on port 53:

sudo tcpdump port 53

It is advisable to close everything except the application under investigation. If, after running this command, lines appear in the tcpdump output as a result of the application's activity, then a DNS leak is taking place, and you can then analyze which queries leaked.

If you have several network devices, you may additionally need to specify the required network interface. Their list can be obtained with the console program ifconfig.

sudo ifconfig

After finding the name of the network interface, add the following option to the command:

-i <interface_name_or_number>

sudo tcpdump -i eth0 port 53

Stop the capture with the Ctrl+C combination.
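As an added example (not code from the original article or from any tool it names), the Python script below shows what a port-53 capture gives away: it decodes the plaintext question section of each DNS query and flags queries that left through an interface other than the VPN tunnel or went to a resolver other than the VPN's own. The interface name tun0, the resolver 10.8.0.1 and the sample packets are constructed assumptions.

```python
import struct

# Constructed assumptions: the tunnel interface and the VPN's own resolver.
VPN_IFACE = "tun0"
VPN_RESOLVER = "10.8.0.1"


def encode_name(name):
    """Encode a dotted host name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (header + one question) like a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_name(payload, offset):
    """Decode a name at offset, following compression pointers; return (name, end offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = payload[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:  # pointer to an earlier occurrence of the name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_query(payload):
    """Return (txid, qname, qtype) for a DNS query, or None for responses/garbage."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount == 0:  # QR bit set means this is a response
        return None
    qname, off = decode_name(payload, 12)
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return txid, qname, qtype


def find_leaks(packets, iface=VPN_IFACE, resolver=VPN_RESOLVER):
    """Flag queries that left through a non-VPN interface or went to a resolver
    other than the VPN's. Either way the queried name travelled in clear text."""
    leaks = []
    for pkt in packets:
        if pkt["dport"] != 53:
            continue
        parsed = parse_query(pkt["payload"])
        if parsed is None:
            continue
        _, qname, qtype = parsed
        if pkt["iface"] != iface or pkt["dst"] != resolver:
            leaks.append({"iface": pkt["iface"], "dst": pkt["dst"],
                          "qname": qname, "qtype": qtype})
    return leaks


# Constructed capture: what `tcpdump port 53` might show on a leaking host.
SAMPLE_CAPTURE = [
    {"iface": "tun0", "dst": "10.8.0.1", "dport": 53, "payload": build_query("google.com")},
    {"iface": "eth0", "dst": "192.0.2.53", "dport": 53, "payload": build_query("vk.com")},
    {"iface": "tun0", "dst": "8.8.8.8", "dport": 53, "payload": build_query("example.org", 28)},
    {"iface": "tun0", "dst": "10.8.0.1", "dport": 53,
     "payload": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)},  # QR set: a response, skipped
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print("LEAK via {iface} -> {dst}: {qname} (qtype {qtype})".format(**leak))
```

In a real check, feed it the packets from the tcpdump or tshark capture started above; any line it prints is a name that an observer on that path could read.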

Option 2: “WireShark” (Console & GUI)

Wireshark (formerly Ethereal) is a traffic analyzer for Ethernet and some other computer networks. It is written with the GTK+ libraries and has a graphical user interface (GUI). Besides the GUI, there is a console implementation of the program called TShark, which has the same functionality as the graphical version. The functionality is very similar to that of tcpdump, but Wireshark has a graphical interface and many more options for sorting and filtering information. The program lets the user view all traffic passing through the network in real time by putting the network card into promiscuous mode. Since the program is very popular as an administrative tool for network analysis, it is available in the repositories of almost any Linux distribution.

  • TShark

Install:

sudo apt-get install tshark

Let's start listening to check for DNS leaks:

sudo tshark -i eth0 port 53

Instead of eth0, enter the name of your interface.

  • Wireshark

Install:

sudo apt-get install wireshark

All the instructions on the net usually suggest running Wireshark as root, because otherwise Wireshark will not see the network interfaces: root rights are required to access them. But giving root rights to GUI programs is a bad idea! So we will not use sudo, but instead perform the steps described in the official instructions.

Create a wireshark group:

sudo groupadd wireshark

Add a user (that is, ourselves) to the wireshark group, replacing user with our username:

sudo usermod -G wireshark -a user

Note: put your own username in place of user.

Now give the wireshark group the right to run dumpcap and grant it the capabilities it needs for packet capture:

sudo chgrp wireshark /usr/bin/dumpcap
sudo chmod 754 /usr/bin/dumpcap
sudo setcap "CAP_NET_RAW+eip CAP_NET_ADMIN+eip" /usr/bin/dumpcap

Log out and log back in so that the changes to the rights take effect.

Now WireShark can see network interfaces not only from root but also from a user in the wireshark group.

Launch Wireshark.

Open the Capture ⇒ Capture Filters menu:

Let's create a DNS interception filter.

In the "Properties" block, enter the following in the "Filter name" line:

TCP or UDP port 53 (DNS)

And in the "Filter string" line:

port 53

Click the "New" button.

The filter we created should appear at the end of the list.

Click "OK".

Press Ctrl+I or open the Capture ⇒ Interfaces menu:

Tick the network interface we are going to listen on and click "Options":

Click the "Capture Filter" button and, in the window that opens, select the "TCP or UDP port 53 (DNS)" filter we created.

Click "Start".

Finally, we can see all the packets sent through port 53.

Some Internet users prefer to use VPN services to hide their real IP address and encrypt their data. As a rule, they are driven to this by the desire to maintain their online privacy, as well as a number of other reasons. However, all this will be in vain if your personal data "leaks" onto the network because of security vulnerabilities. There are two main types of such leaks: DNS leaks and WebRTC (IP) leaks.

What is a DNS Leak?

If you have ever used the Internet, you have come across the Domain Name System (DNS), even if you were not aware of it. DNS maintains a database of domain names (for example, vpnmentor.com) and translates them into the corresponding numeric addresses (Internet Protocol, IP). It is at these addresses that browsers find sites on the network. Essentially, domain names and IP addresses are like a phone book, where each person has a name and a phone number.

In fact, only people need domain names, while computers work only with numbers in IP address format. It can be hard for a person to remember an address like 168.212.226.204, but remembering the site's domain name is much easier. This is what happens when your browser opens a page on a website: your computer sends a request to your Internet service provider's DNS servers and receives in response the IP address of the desired website. But when you use a VPN service, the request goes not to the provider's DNS servers but to those of the VPN service itself.

How does the leak occur?

Because of a security vulnerability, a DNS request can sometimes reach your ISP rather than the VPN service's servers, which would hide it from prying eyes. This is exactly the case called a DNS leak. It is caused by an unencrypted DNS request that your computer sends outside the secure VPN tunnel. The vulnerability is tied to the computer's operating system itself: each network interface can have its own DNS settings, and sometimes the computer sends DNS queries directly to the provider or even to third-party servers (see the picture below), ignoring the default gateway and the DNS settings of your VPN service, which results in a data leak.

All this lets the provider find out which sites the user visits. And if you are using a VPN service and suddenly see that your real IP address is showing, it means only one thing: all your DNS requests are also going not to the VPN service's servers but directly to the provider. Incidentally, some providers use transparent DNS proxy technology, which forces user devices to send DNS requests to the provider's servers even when you have configured different DNS settings.

What is a WebRTC (IP) leak?

In 2015, Internet security specialist Daniel Roesler reported a vulnerability that allows attackers to obtain a user's real IP address using an API (application programming interface) built into most modern browsers: Web Real-Time Communication (WebRTC). It was even possible to obtain the addresses of users who were connected to a VPN service. Note that WebRTC is used in various networks to exchange data between browsers, share files using the P2P model, make video calls and more.

How does the leak occur?

It only takes a few lines of code to get WebRTC to return your real IP address. It all comes down to the so-called STUN server (Session Traversal Utilities for NAT). A STUN server lets computers and devices on your internal network discover their public IP addresses (essentially their Internet addresses). VPN services also use a STUN server to translate your internal network address to a public Internet address and vice versa. To do this, the STUN server keeps a database containing records of your local and public IP addresses.

This leak has nothing to do with VPN services at all; the VPN's level of security makes no difference here. The problem lies in a vulnerability of your browser, more precisely in WebRTC. When the browser's WebRTC module accepts requests from the STUN server, it sends back a message containing both of your IP addresses (internal and public), as well as other data.

The content of that message, that is, the user's real IP address, can be obtained by writing a tiny JavaScript program. Only one thing is needed for it: the browser must support WebRTC (well, the program itself still has to be written, of course). And if WebRTC is enabled in your browser, it will accept requests from the STUN server and send responses back.

To summarize: there are no ideal systems; each has its own bugs and vulnerabilities, which remain hidden for the time being. So it is important to use one whose vendor promptly fixes all the vulnerabilities that are found. Be sure to check for data leaks and, if it turns out that you are also at risk.

In browsers, and in this article it will be about DNS traffic leaks, which affect everyone, even those who use VPN services and believe they are safe behind a stone wall.

Hello, friends! Today I will tell you what a DNS leak is, why you should know about it, and how to protect yourself from it using the free DNSCrypt utility.

  • Foreword
  • What does a DNS leak mean?
  • How to check for a DNS leak
  • How to fix a DNS leak using DNSCrypt
    • Download DNSCrypt
    • Installing DNSCrypt
    • Using DNSCrypt
  • DNSCrypt in Yandex browser
  • DNSCrypt in router
  • Conclusion
  • Rating and reviews

What does a DNS leak mean?

When you use HTTPS or SSL, your HTTP traffic is encrypted, that is, secure (not perfectly, but secure). When you use a VPN, all your traffic is completely encrypted (of course, the level and quality of protection depends on the VPN being set up correctly, but usually everything is set up and working correctly).

But there are situations in which, even with a VPN, your DNS queries are transmitted in clear, unencrypted form. This gives an attacker great room for creativity: they can redirect traffic, carry out a man-in-the-middle (MITM) attack and do many other things that can jeopardize your online safety and anonymity.

Let's try to understand this issue in more depth. If you are not interested in the theory but are worried about safety, you can skip to the next chapter. If you want to know more, make yourself comfortable: I am about to blow your mind.

In our example in the figure below, you see a user (computer) trying to access the site www .. To get to the site, it must first resolve the symbolic host name to an IP address.

If the network is configured so that the provider's DNS server is used (an unencrypted connection, marked with a red line), then the resolution of the symbolic name to an IP address takes place over an unencrypted connection.

What's so terrible about that?

First, in such a situation the provider can look at the DNS history and find out which sites you have visited. Of course, they will not learn what data was transmitted, but they can easily see the addresses of the sites.

Secondly, there is a high chance of becoming the victim of an attack such as DNS cache snooping or DNS spoofing.

What is DNS snooping and spoofing?

Briefly, for those who do not know:

DNS snooping: with this attack, an attacker can remotely find out which domains were recently resolved on a DNS server, that is, which domains the victim has recently visited.

DNS spoofing: the attack is based on poisoning the cache of the victim's DNS server with a fake entry for the name-to-address mapping of a host that the victim trusts.

Since the requests are not encrypted, someone between you and the provider can intercept and read the DNS request and then send you a fake response. Instead of the real ... com or vk.com, you end up on a fake, phishing page (not only the page with the form, but also the URL in the address bar), after which you enter your username and password, and you can guess what happens next: the login data ends up in the attacker's hands.

The situation described is called a DNS leak (DNS leaking). It occurs when your system, even after connecting to the VPN server or the Tor network, keeps asking your provider's DNS server to resolve domain names. Every time you try to visit a site, connect to a new server or run some network application, your system turns to your ISP's DNS servers to resolve the name to an IP address. As a result, a hacker or your ISP can learn all the names of the hosts you are accessing.

If you have something to hide, I suggest a simple solution: DNSCrypt. You can, of course, configure some other DNS servers and send traffic through them, for example Google's server 8.8.8.8 or OpenDNS's 208.67.222.222 and 208.67.220.220. In that case you will hide your browsing history from the provider, but you will tell Google about your online travels. Besides, there will be no encryption of DNS traffic at all, and that is a big disadvantage. I don't know about you, but that does not appeal to me; I'd rather install DNSCrypt.

How to check for a DNS leak

Before we move on to the utility itself, I would like to introduce you to special online services. They allow you to check for a DNS leak.

The program requires Microsoft .NET Framework 2.0 or later.

You can download DNSCrypt for Mac OS X using the link from GitHub or from the file-sharing link above.

Developer: OpenDNS.

Installing DNSCrypt

In this article we will look at how to work with the console version of the utility. We will configure DNSCrypt on Windows 10; installation on other versions of Windows is no different.

So, unpack the downloaded archive and place the contents of the dnscrypt-proxy-win32 folder anywhere on the computer. In my example, I put it in the "C:\Program Files\DNSCrypt\" folder.

Then open the command line as administrator.


Run Command Prompt as Administrator in Windows 10

Now, at the command line, go to the DNSCrypt folder. This can be done with the command:

cd "C:\Program Files\DNSCrypt"


After that, let's prepare to install the proxy service. First you need to choose a DNS provider. I put the dnscrypt-resolvers.csv file in the archive. This file contains a list of most DNS providers that DNSCrypt supports. Each provider has a name, description, location, and support for DNSSEC and Namecoin. In addition, the file contains the required IP addresses and public keys.

Select any provider and copy the value from the first column. In my case I will use CloudNS, so I copied "cloudns-can". Now you need to make sure that the proxy can connect. This can be done with the command:

dnscrypt-proxy.exe -R "cloudns-can" --test=0

If the test fails, choose a different provider and try again.

If everything went well, continue with the installation and enter the following command:

dnscrypt-proxy.exe -R cloudns-can --install

If everything is working correctly, you will see the following output:

Screenshot of how it should look in the command line:

Then go to the Windows TCP/IP settings and change the DNS server to 127.0.0.1.

To remove the DNSCrypt service, you must return the DNS network settings to their initial state. This is done with the command:

dnscrypt-proxy --uninstall

The same command can be used to change the DNS provider: after running it, repeat the installation with the parameters of the other provider.

If, after this whole procedure, the check for some reason still shows your Internet provider's DNS IP address, click the "Advanced" button located under the entered IP 127.0.0.1. In the "Advanced TCP/IP Settings" window that appears, go to the "DNS" tab and delete all DNS server addresses except "127.0.0.1".

That's it, now the DNS leak has been fixed.

You may also be interested in the article "", which talked about removing DNS records on the computer.

DNSCrypt in Yandex Browser

The Yandex browser recently added support for DNSCrypt. Well, what can I say, the guys at Yandex are working and trying to protect the user, which is great, but unlike the DNSCrypt utility, Yandex's protection is implemented only at the browser level, not at the level of the whole system.

DNSCrypt in router

DNSCrypt support is also implemented in the popular OpenWrt firmware. More about installation and other additional information can be found on its page.

Conclusion

Of course, the DNSCrypt utility and DNS encryption in general are not a panacea, and indeed in information security there is no such thing as a panacea. We can only maximize our security and anonymity, but unfortunately it is impossible to make our presence on the network 100% invulnerable. Technology does not stand still and there are always loopholes. So I suggest you subscribe to our news on social networks to always stay informed. It's free.

That's all friends. Hope this article helped you fix your DNS leak problem. Good luck in the new 2017, be happy!

Evaluating the DNSCrypt Utility

Our rating

DNSCrypt is a free utility for protecting DNS traffic by encrypting it on the way to the DNS servers it uses. Our rating: very good!


When connecting to a VPN server on some operating systems (for example, Windows), DNS requests do not always go through the VPN connection's DNS server. In this case, some sites may detect that your IP address and your DNS servers are located in different countries, and your anonymity may be at risk.

What is a DNS server

The main purpose of DNS servers is to translate the domain names of sites into the IP addresses assigned to those domains. In simple terms, when you enter the domain Google.com in the browser, the DNS server looks up which IP address is assigned to this domain, and the site's page is then loaded via that IP address.

Below is an example of DNS server detection on the Whoer.net website.

From the example you can see that we connected to the VPN and hid our IP address (the IP belongs to the UK), but at the same time the DNS server gives away our real location (USA).

In this case, the problem lies in how the Windows DNS service works. When connected to a VPN, the request is by default sent to the VPN's DNS server. The Windows DNS service then waits for 2 seconds and, if there is no response, sends the request to the next DNS server in the Windows list. And the next DNS servers belong to your ISP, but have lower priority than the VPN's DNS servers.

The VPN's DNS server may not manage to answer the request in time because of the geographic distance between you and the VPN server, while your provider's DNS server is located in your city. The quality of the connection from your Internet provider to the VPN server can also play a role.

Solution: force the use of the DNS servers we need. We will tell the operating system unambiguously to use only the specified DNS servers, so that your real ISP's DNS servers no longer appear in the Windows DNS server list.

Our VPN client Secure Kit is able to protect against DNS leak automatically. Learn more about Secure Kit.

How to hide your real DNS on Windows

Follow these steps on any version of Windows.

Right-click the Windows network connection and select Properties.

Enter the public DNS servers of Google or OpenDNS.

Google DNS:
- 8.8.8.8
- 8.8.4.4

OpenDNS:
- 208.67.222.222
- 208.67.220.220

For complete anonymity we recommend using our DNS servers. The section "My Account" contains DNS servers for each VPN direction. And already in this case, your DNS server will always correspond to your IP address (by country).


After completing these steps, your real DNS server in Windows will be hidden.

How to hide your real DNS on Mac OS X

To force the DNS settings on any version of Mac OS X, follow these steps:

In the next window, click the lock icon at the bottom to allow editing the settings. You will need to enter your Mac OS X account password.

Select the connection you use to access the Internet. Usually this is either the Wi-Fi connection or Ethernet. Then click the "Advanced" button.


Enter the public DNS servers of Google or OpenDNS.

Google DNS:
- 8.8.8.8
- 8.8.4.4

OpenDNS:
- 208.67.222.222
- 208.67.220.220

These DNS servers are usually identified as being in the US. In this case, no site will give away your real DNS.

For complete anonymity, we recommend using our DNS servers. They appear in your account under the "Subscriptions" section, on the "DNS" tab of the VPN servers. Each VPN direction has its own DNS server, and in that case your DNS server will always correspond to your IP address (by country).


After completing the above steps, your real DNS server on Mac OS X will be hidden.

How to hide your real DNS on Ubuntu

To eliminate a DNS leak on the Linux-based Ubuntu operating system, open the Network Connections section.

Select your Internet connection and click Edit.


Select:

  1. IPv4 Settings Tab
  2. Automatic (DHCP, address only)
  3. Enter the DNS server. For example, you can use public DNS servers from Google or OpenDNS

Google DNS:
- 8.8.8.8
- 8.8.4.4

OpenDNS:
- 208.67.222.222
- 208.67.220.220


On Linux, you need to restart the network connection for the changes to take effect.

Click on Network Management.

A message saying the connection has been disconnected is displayed.

Then click on Network Management again to enable the connection.


After these steps, your real DNS server will be hidden.


How to hide your real DNS on Linux server

Perform the following steps only if you consider yourself an experienced Linux user. We warn you that making changes by hand is dangerous if you have little knowledge of Linux administration. Attention: we disclaim responsibility for the consequences.

Log in to the server as root (or as a regular user, but you must have sudo privileges to execute the commands).

Enter the following command. You may need to enter the password for the OS account. For editing, we use the nano text editor; if it is not installed, make the changes with another editor or install nano.

sudo nano /etc/resolv.conf

  1. If you have resolvconf installed, then this file will contain a message that after rebooting the OS, all changes in this file will be lost and the settings will return to default to 127.0.1.1. Since we are changing the DNS server temporarily, this is fine for us.
  2. Make a note of the default DNS server listed in this file. Then change the DNS server. For example, you can take a DNS server from Google or OpenDNS.

Google DNS:
- 8.8.8.8
- 8.8.4.4

OpenDNS:
- 208.67.222.222
- 208.67.220.220


To save in nano editor press:

  1. Ctrl + X to exit the editor
  2. Y key to save changes to the file
  3. Enter key to confirm saving to the same file

The network interface must be restarted for the changes to take effect.

  • for Debian and Ubuntu, enter the command:

sudo /etc/init.d/networking restart

  • for CentOS and Red Hat Linux, enter the command:

sudo /etc/init.d/network restart

The network interface will restart and the DNS leak will be fixed.

Restart your computer to return to the original DNS server.
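An added check, not from the article or from any of the VPN vendors quoted in it: the Python script below audits a resolv.conf-style configuration like the one edited above and reports any nameserver other than the ones deliberately set (here 127.0.0.1, as for the DNSCrypt proxy). The expected set, the stub addresses and the sample file contents are constructed assumptions; the same check applies to the Windows DNS list, where everything except 127.0.0.1 should be removed.

```python
import ipaddress

# Constructed assumptions: the resolvers we configured on purpose (DNSCrypt's
# local proxy, or the VPN's own DNS) and the local stub listeners some
# distributions install, whose real upstream is configured elsewhere.
EXPECTED_RESOLVERS = {"127.0.0.1"}
LOCAL_STUBS = {"127.0.1.1", "127.0.0.53"}


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf text, in lookup order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed address; the resolver ignores it too
    return servers


def audit_resolvers(servers, expected=EXPECTED_RESOLVERS, stubs=LOCAL_STUBS):
    """Classify every configured nameserver as 'ok', 'stub' or 'leak'.

    'ok'   - one of the resolvers we chose on purpose
    'stub' - a local stub; the upstream it forwards to must be audited separately
    'leak' - anything else, typically the ISP resolver pushed in by DHCP

    A 'leak' entry matters even when an 'ok' entry precedes it: the resolver
    falls back to the next server when the first one is slow, so the queried
    name can still escape in clear text.
    """
    report = []
    for server in servers:
        if server in expected:
            kind = "ok"
        elif server in stubs:
            kind = "stub"
        else:
            kind = "leak"
        report.append((server, kind))
    return report


def leaking_servers(text):
    """Addresses in resolv.conf text that would leak queries."""
    return [s for s, kind in audit_resolvers(parse_resolv_conf(text)) if kind == "leak"]


# Constructed sample: DNSCrypt proxy configured, but DHCP left the ISP resolver in place.
SAMPLE_RESOLV_CONF = """\
# Generated by resolvconf (constructed sample)
nameserver 127.0.0.1
nameserver 192.0.2.53      # handed out by the ISP's DHCP
nameserver not-an-address
search lan
"""

if __name__ == "__main__":
    for server, kind in audit_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(f"{server:15} {kind}")
```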
