DNS leak

The Domain Name System, known in short as DNS, is a globally distributed system for translating Internet domains into IP addresses. The DNS translates an IP address corresponding to a domain name and therefore acts as a kind of “address book” for the Internet. Using this analogy, an IP address is equivalent to a postal address, and this is where “packages” of information are sent to. Here are a few examples of DNS queries:

For this to work, the IP address of a DNS server must be entered on each end device. The end device sends its DNS queries to this server. The resulting data reveals a lot about the surfing behavior of Internet users. If you want to protect your privacy, you should send outgoing DNS queries only to trusted servers. But what happens if something goes wrong?

Unlike DNS hijacking and DNS spoofing DNS leaks solely effect users who aim to keep their online behavior private. Specifically, users are affected who connect to the Internet via a virtual private network (VPN) or who route a proxy. Both technologies are used to disguise personal identity when using the Internet.

The desire to keep surfing behavior secret does not indicate illegal activities. After all, the right to privacy and informational self-determination are fundamental human rights. Providers of commercial VPN services support this legitimate desire of users against the payment of a fee. The use of proxies, which used to be common, is less common nowadays. We’ll therefore limit our article to the occurrence of DNS leaks when using a VPN.

VPN services aim to route all outgoing network traffic through the VPN. Under certain circumstances, however, individual connections may be routed directly from the user’s device to communication partners on the Internet. A DNS leak occurs when a DNS request that should be sent through the VPN reaches a DNS server unprotected. This is often the DNS server of the Internet service provider (ISP). ISPs are known for collecting, evaluating, and selling the resulting data.

So, what happens when a DNS leak occurs, and what information is leaked out? First, we have to distinguish between three cases:

1. Information that goes to the user’s ISP
2. Information that is tapped on the way to the DNS server
3. Information that is disclosed on the part of a service operator

A DNS query received by the ISP’s DNS server contains the domain name to be resolved in addition to the end user’s undisguised IP address. Time-stamped in the ISP’s server logs, this provides information about when which user wanted to access which domains. This is a serious privacy issue. On the one hand, the DNS data is often packaged into profiles and sold; on the other hand, government agencies can gain access to the data. In the worst case, this can be fatal for dissidents and activists.

DNS requests use the User Datagram Protocol (UDP) as the connection protocol. UDP packets can be seen on their way to the DNS server by any actor who is able to monitor the line. To keep the end user’s surfing behavior private, DNS requests should be routed through the VPN. Since the Snowden revelations, it has been known that intelligence agencies monitor, leak, evaluate, and store Internet traffic on a massive scale. The personally identifiable DNS packets resulting from a DNS leak thus pose a serious threat to the security and privacy of Internet users.

In addition to the dangers already mentioned in connection with DNS leaks, there is another risk. This is because a DNS leak can be exploited by third parties. This can be a service provider, e.g., the operator of a website. The provider can use a technique to determine that a user is accessing the service via a VPN. The ISP of the user may be revealed to the service provider. This, in turn, reveals the user’s approximate geographical location. The same technique is used – for the benefit of the user – by the DNS leak testers.

There are a variety of services that attempt to detect DNS leaks. One such service, known as a “DNS leak tester”, is usually implemented as a normal website that the user accesses via the browser. To test for the presence of a DNS leak, the DNS leak tester triggers a series of special connection attempts. The goal is to trace where the resulting DNS queries originate from. But how exactly does it work?

To understand how a DNS leak tester works, you need to understand how the DNS is structured. The DNS is a hierarchical system of name servers. A distinction is made between authoritative and non-authoritative name servers. An authoritative name server serves as the source of the DNS data of a DNS zone. You can think of a DNS zone as a domain, with additional subdomains.

In addition to authoritative name servers, there are name servers that store parts of the DNS data in a cache. This means that queries that have already been made can be answered quickly without having to check with the authoritative name server each time. The ISP’s DNS server is a non-authoritative name server for most domains. Let’s look at what happens when the ISP’s DNS server receives a request for a domain name:

1. A client wants to retrieve a resource hosted under a domain name.
2. The client makes a domain name request to the DNS server of its ISP.
3. If the DNS server knows the IP address associated with the domain name, it returns it.
4. Otherwise, the ISP’s DNS server queries the authoritative DNS server of the DNS zone that is parent to the domain name.
5. The authoritative DNS server returns the IP address for the domain name.
6. The ISP’s DNS server passes the IP address to the client and caches the request.
7. The client can now make the request for the resource to the server accessible under the domain name.

A DNS leak tester is based on this fundamental principle. Below is an example using the website DNS Leak Test:

1. Open dnsleaktest.com in a browser. The DNS leak test site generates queries to pretend resources under a randomly generated, unique subdomain. Here is an example of the name of this kind of domain:
   c6fe4e11-d84d-4a32-86ef-ee60d9c543fa.test.dnsleaktest.com
2. To retrieve one of the resources, the browser needs the IP address associated with the domain name. Since it is a randomly generated domain name, no DNS server except the authoritative one can know the IP address.
3. Therefore, the DNS server that receives the request asks the authoritative DNS server for the DNS zone test.dnsleaktest.com. The authoritative DNS server for this domain name is under the control of the site operator of dnsleaktest.com.
4. The authoritative DNS server matches the randomly generated unique part of the domain name with entries in an internal database. This allows dnsleaktest.com to track which incoming DNS query belongs to which website visitor.
5. With the IP address, the authoritative DNS server can find out from which external DNS server the request for the IP address of the randomly generated domain name came. If the source of the query is the DNS server of an ISP, there is a DNS leak.

It is possible to implement a DNS leak tester as a web service quite easily. For more information, check out this article for a detailed description. If you want to check whether you have been a victim of a DNS leak, you can use one of the existing DNS leak testers. We have compiled a list of these for you here, although this list is by no means exhaustive:

• dnsleaktest.com
• ipleak.net
• surfshark.com
• browserleaks.com
• perfect-privacy.com

The best strategy to prevent DNS leaks is based on the IT security concept “defense in depth”, in which you build multiple layers to protect against a threat. If a single layer is eliminated, the protection remains in place. We recommend the following steps – in this order – to prevent DNS leaks:

1. Set DNS servers on your local device and the home router that are not under the control of the ISP. This is a basic protective measure that also prevents other risks such as DNS hijacking.
   Here, the use of Quad9 or Cloudflares 1.1.1.1 is a good idea. Do not forget to clear the DNS cache after changing the DNS server.
2. Use software that encrypts DNS connections, e.g. via DNS over HTTPS (DoH) or DNS over TLS(DoT). This protects against tapping and manipulation of the DNS packets on the way to the DNS server and so also prevents DNS spoofing attacks.
   The use of DNS encryption depends on the software used. Among the most popular browsers, Firefox is the leader in switching to encrypted DNS connections. However, the browser settings must be adjusted for this, as described in our article about DoH.
3. Use a VPN client that routes DNS requests through the VPN and provides its own DNS servers. This protects against all the dangers associated with DNS leaks. There is an almost unmanageable range of different VPN providers. Some provide their services free of charge, others as a commercial service. In general, be careful with free VPN services; usually you cannot expect the same level of protection from them.

The above points provide a basic level of protection against DNS leaks and should be sufficient for most Internet users. Members of particularly vulnerable groups, such as human rights activists, should take additional precautions:

• Use browsers such as Tor which are known to effectively prevent DNS leaks when accessing websites.
• To ensure that all outgoing network connections are routed through the Tor network and depersonalized, boot Linux from a USB stick. This approach is considered the best standard when it comes to concealing your identity on the Internet.