What Is a DNS Leak and How Can It Be Prevented?

What is a DNS leak?

When you use a proxy or VPN, your connections are routed through a proxy server or a VPN server. Consequently, to the target host (web site or service), they look as though they came from the proxy's or VPN server's IP address. This prevents the target host from knowing your true IP address.

To make connections, your computer needs to know the IP addresses of the target hosts. This is where DNS comes into play. From a security standpoint, DNS requests (usually UDP packets on port 53) should go only through the same VPN or proxy connection. If DNS requests go through other routes, a DNS leak happens. This effectively means that your true location is revealed.

A DNS leak is also a security threat because the leaked DNS data are not secured by the VPN or the proxy. In public networks, it can be intercepted and analyzed.

Why does it happen?

Operating systems are optimized for performance, not for DNS leak prevention. In Windows, a DNS leak may be caused by the feature called Windows Multi-Homed DNS. The logic is simple - the system resolver sends the same DNS request over all available network connections on the system in an attempt to receive an answer as quickly as possible. This is good for performance but effectively creates a DNS leak. Even if this option is disabled, there is a logic that tells the resolver to fall back to the DNS server of the other connection if the primary one (VPN) times out. This condition may happen randomly due to an intermittent connectivity problem. To make matter worse, there are IPv4 and IPv6 addresses (A and AAAA DNS queries) whose handling depends on the current network conditions and capacities.

Real-world test

To illustrate the problem, we tested a built-in Windows 10 VPN (IKEv2/IPsec). The VPN server is located in France. The client's local DNS is in Finland.
There are a number of sites that can test for a DNS leak, for example, https://browserleaks.com/dns

DNS leak detectedDNS leak detected

The testing page displays the client's IP address, which is in France because of the VPN server's location, but DNS requests come from the client's DNS server (Finland) as well. This is a DNS leak.

If we run YogaDNS in bypass mode and check the log (verbose mode) generated through the test, we can see multiple records such as the following:

[03.05 15:40:06] krg5ju3lmloa3kgp2xzyeg3m591kpoge.dnsleak6.browserleaks.org - request : type=A, id=2872, server=103.86.96.100:53, program=svchost.exe, pid=1204
[03.05 15:40:06] krg5ju3lmloa3kgp2xzyeg3m591kpoge.dnsleak6.browserleaks.org - bypass : rule=Default
[03.05 15:40:06] krg5ju3lmloa3kgp2xzyeg3m591kpoge.dnsleak6.browserleaks.org - request : type=A, id=49765, server=10.0.0.1:53, program=svchost.exe, pid=1204
[03.05 15:40:06] krg5ju3lmloa3kgp2xzyeg3m591kpoge.dnsleak6.browserleaks.org - bypass : rule=Default

It is clear that the Windows system resolver (svchost.exe) tries to resolve each hostname through two DNS servers (VPN 103.86.96.100 and local 10.0.0.1) at the same time. This causes a DNS leak, and the true location of the client is revealed.

Prevent DNS leak with YogaDNS

YogaDNS provides an easy, quick, and reliable way to prevent DNS leaks. It can intercept all DNS requests on the system and forward them strictly through the specific DNS server. This eliminates DNS leaks because no other DNS servers will be used.
The setup is quite easy.

  1. Download, install, and run YogaDNS.
  2. Go to Configuration->Rules via the menu or the toolbar icon. Click the Add... button.
  3. Create a rule for all hostnames (*).
    Set Action to match your VPN connection.
    Set DNS Server to Default.
    Click OK.
    Rule to prevent a DNS leakRule to prevent a DNS leak
  4. The rule list should look like this:

That's it. Now, if we repeat the DNS leak test, it will indicate no leak. The client's IP and the DNS server are in the same location. There are no other DNS servers detected.

No DNS leak detectedNo DNS leak detected

In the YogaDNS log (verbose mode), the records will look like this:

[03.05 15:36:54] fkqbiv6hvqnrftyfo2bhf2fnbgbpomkr.dnsleak6.browserleaks.org - request : type=A, id=32085, server=103.86.96.100:53, program=svchost.exe, pid=1204
[03.05 15:36:54] fkqbiv6hvqnrftyfo2bhf2fnbgbpomkr.dnsleak6.browserleaks.org - process : server=103.86.96.100 (Plain, 103.86.96.100), interface=TestVPN (10.6.3.66), rule=Prevent Leak
[03.05 15:36:54] fkqbiv6hvqnrftyfo2bhf2fnbgbpomkr.dnsleak6.browserleaks.org - request : type=A, id=4686, server=10.0.0.1:53, program=svchost.exe, pid=1204
[03.05 15:36:54] fkqbiv6hvqnrftyfo2bhf2fnbgbpomkr.dnsleak6.browserleaks.org - process : server=103.86.96.100 (Plain, 103.86.96.100), interface=TestVPN (10.6.3.66), rule=Prevent Leak

The system resolver (svchost.exe) still sends requests to two DNS servers (VPN 103.86.96.100 and local 10.0.0.1), but YogaDNS intercepts both requests and forces them through the DNS server of the VPN (103.86.96.100). Thus, there is no DNS leak.

Additional security

YogaDNS allows you to add even more security and anonymity to DNS. Instead of a plain, unencrypted DNS protocol, you can use encrypted protocols: DNSCrypt and DNS over HTTPS. DNS data can be authenticated with DNSSEC.
The following is an example of a Swiss DNS over HTTPS server.

DNS over HTTPS server exampleDNS over HTTPS server example

  1. You can add a secure DNS server in YogaDNS using the Configuration->DNS Servers->Add... menu or the toolbar icon.
    The Import from the web... button allows you to import publicly available, secure DNS servers from the web automatically.
  2. Once server(s) are added, go to Configuration->Rules via the menu or the toolbar icon.
    Click the Add... button.
  3. Create a rule for all (*) or specific hostnames. Set Action to match your VPN connection. Set DNS Server to the one that you have added in step #1.Click OK.

Your rule list will look like this:

DNS rulesDNS rules

Henceforth, YogaDNS will forward all DNS requests through the specified DNS server.

A DNS leak test will show that all queries are now processed by the DNS server located in Switzerland. Your local and VPN DNS servers will no longer be detected.

A DNS leak test shows the server in SwitzerlandA DNS leak test shows the server in Switzerland

Yoga DNS log (verbose mode):

[03.06 13:42:28] q3rxd4q8lxim99xi88d3cyd8n9ynds6f.dnsleak4.browserleaks.org - request : type=A, id=15447, server=103.86.96.100:53, program=svchost.exe, pid=1204
[03.06 13:42:28] q3rxd4q8lxim99xi88d3cyd8n9ynds6f.dnsleak4.browserleaks.org - process : server=dns.digitale-gesellschaft.ch (DNS over HTTPS, https://dns.digitale-gesellschaft.ch/dns-query), interface=TestVPN (10.6.3.66), rule=Prevent Leak
[03.06 13:42:28] q3rxd4q8lxim99xi88d3cyd8n9ynds6f.dnsleak4.browserleaks.org - request : type=A, id=23413, server=10.0.0.1:53, program=svchost.exe, pid=1204
[03.06 13:42:28] q3rxd4q8lxim99xi88d3cyd8n9ynds6f.dnsleak4.browserleaks.org - process : server=dns.digitale-gesellschaft.ch (DNS over HTTPS, https://dns.digitale-gesellschaft.ch/dns-query), interface=TestVPN (10.6.3.66), rule=Prevent Leak

At this point, you can anonymize DNS even further by using Anonymized DNS. In this scenario, YogaDNS will access the DNS server through a special relay server. This prevents DNS servers from learning anything about the client's IP address.