
I have recently started using a VPN. I visited dnsleak.com and dnsleaktest.com and was informed by both of these sites that my DNS was leaking. Indeed, I could see in the list of servers that a couple were associated with my ISP.

dnsleaktest.com claims:

  1. The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
  2. If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.

I contacted the VPN provider about this issue. I was told they do not currently provide their own standalone DNS addresses. I was provided with addresses to use instead. These are OpenDNS addresses. I then asked them to confirm whether using these OpenDNS addresses would ensure a secure and encrypted connection and use of DNS.

The VPN provider replied:

  • Using these third party DNS addresses over the VPN connection, still encrypts your requests, by sending them to the VPN server, where they are then passed to the DNS resolving service, thus making your connection secure.

Using the provided DNS addresses, only OpenDNS-related addresses come up when testing on the two aforementioned sites.

My question is: Are they correct in telling me that my DNS queries are being encrypted by the VPN service (assuming the VPN does indeed work!), and are therefore secure and private?

Something about this claim didn't feel quite right. Another couple of questions occur to me regarding this:

  • Can a DNS service, unrelated to the VPN provider really deal with an encrypted DNS request?
  • Does the DNS request really go through the VPN BEFORE the DNS service?
Totem
  • If you are using Windows, it often leaks your IP address because it uses the Smart Multi-Homed Name Resolution service, which sends out DNS requests to all available interfaces but only uses non-preferred servers if the main DNS server failed to respond. **ipconfig /flushdns** to avoid DNS leak. – defalt Oct 24 '17 at 16:04
  • Your VPN service says they keep details about you. You have tagged `openvpn` in your question; how about if you use OpenVPN or SoftEther instead? OpenVPN also has an option to `block-outside-dns`. – defalt Oct 24 '17 at 16:09
  • @defalt Thanks for the comments. I was wondering what you were referring to when you say "Your VPN service says they keep details about you." I don't believe they do; at least they claim not to keep any logs. The VPN is implemented on my Linux system via OpenVPN. I was not aware of any `block-outside-dns` option. – Totem Oct 24 '17 at 16:18
  • Just add `block-outside-dns` in the `ovpn` configuration file just below the line with the IP address or hostname of the VPN server. After initializing, it won't allow any DNS query which is not passing through your VPN tunnel. – defalt Oct 24 '17 at 16:26
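A note on the `block-outside-dns` suggestion in the comments: that OpenVPN directive is implemented with the Windows Filtering Platform and is rejected as an unknown option on non-Windows clients, so on the Linux setup described in the question it does nothing. What a Linux user can check locally, before trusting a web-based leak test, is whether each resolver the system is configured to use would actually be routed into the tunnel. The script below is an added example, not code from the question or the answer: it parses `/etc/resolv.conf` and the output of `ip -4 route show`, does the same longest-prefix match the kernel does, and flags any resolver whose egress interface is not the tunnel. The resolv.conf contents, route table, addresses and interface names are constructed sample data; on a real host you would feed it the two files/commands directly.

```python
"""
Local DNS-leak pre-check (added example): decide, from the kernel routing
table, whether each configured resolver would be reached through the VPN
tunnel or through the physical uplink.
"""
import ipaddress
import re

# Constructed sample resolv.conf: the VPN is up, but NetworkManager has left
# the ISP/router resolver (192.168.1.1) in place next to OpenDNS and the
# tunnel-side resolver pushed by the VPN server.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 10.8.0.1
"""

# Constructed output in the style of `ip -4 route show` for an OpenVPN client
# using `redirect-gateway def1`: two /1 routes override the default route
# without deleting it, and a host route keeps the VPN server itself reachable
# over the physical interface.
SAMPLE_IP_ROUTE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Interface-name prefixes treated as "inside the VPN" (assumption: tun/tap
# for OpenVPN, wg for WireGuard).
TUNNEL_IFACES = ("tun", "tap", "wg")


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(ipaddress.ip_address(parts[1]))
    return servers


def parse_ip_route(text):
    """Parse `ip route show` lines into (network, egress device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        m = re.search(r"\bdev (\S+)", line)
        if m:
            routes.append((net, m.group(1)))
    return routes


def egress_device(addr, routes):
    """Longest-prefix match: the device a packet to `addr` would leave on."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify_resolvers(resolv_text, route_text):
    """Map each resolver to ('tunnel' | 'leak', egress device)."""
    routes = parse_ip_route(route_text)
    verdicts = {}
    for server in parse_resolv_conf(resolv_text):
        dev = egress_device(server, routes)
        inside = dev is not None and dev.startswith(TUNNEL_IFACES)
        verdicts[str(server)] = ("tunnel" if inside else "leak", dev)
    return verdicts


if __name__ == "__main__":
    for server, (verdict, dev) in classify_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_IP_ROUTE).items():
        print(f"{server:16} -> {dev or '-':6} {verdict}")
```

With the sample data the router's resolver 192.168.1.1 is matched by the directly connected 192.168.1.0/24 route on eth0 and is reported as a leak, while OpenDNS and the tunnel-side resolver fall under the /1 routes on tun0. This is the same situation the leak-test sites reported: the VPN is up, but one configured resolver never enters the tunnel. The check is only as good as the routing table at the moment it runs; a resolver that is reached through the tunnel now can leak again if the tunnel drops and the routes are withdrawn.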

1 Answer

Your DNS queries will not be visible to your ISP or anyone watching your ISP connection (assuming you are routing all your traffic through your VPN), but will be visible (but not traceable to you, unless you are the only user of that VPN) from the VPN exit point to the OpenDNS provider.

Note that if the VPN provider logs traffic, those logs would be visible to anyone who can compel the VPN provider to turn them over and the DNS requests would be visible then.

And, of course, everything you do will be visible to your VPN, unless you use further encryption. For example, even if you are using a VPN, always use HTTPS where available.

crovers
  • Thanks for this. Just so I'm clear then, my DNS requests go first through the VPN (encrypted), and come out the other end (now unencrypted again) at the VPN exit point, to the OpenDNS provider... essentially anonymised, but they are still 'readable' by the VPN unless I use HTTPS, in which case the VPN won't know what's in them? – Totem Oct 24 '17 at 16:57
  • One more thing, from what you say it sounds like OpenDNS would not know anything about which requests were mine so long as I use the VPN for my requests... is this right? If so, would that mean that I could actually use the DNS servers provided by my ISP through the VPN, and the ISP would be none the wiser as to my DNS requests? Sorry for all the extra questions. Perhaps I should ask all this in a separate question(s). – Totem Oct 24 '17 at 17:01
  • 1
    Mostly correct. HTTPS won't help with your DNS traffic, but will help with your email, etc, if you're using web providers. But yes, everything going through the VPN is likely readable by the VPN providers unless otherwise encrypted (which is why I gave the advice for HTTPS) – crovers Oct 24 '17 at 17:15
  • 1
    Also, I wouldn't use the ISP DNS servers, since those servers are identifiable as the ISP DNS servers (and may be geographically identifiable, too). Someone who is watching your ISP could see that you are connecting to a VPN and that someone on that VPN is using the same DNS servers that you would normally be using. They could then deduce that you are the one doing that - use OpenDNS servers or Google's servers - something that lots of people are using and that has no connection to you. – crovers Oct 24 '17 at 17:18
  • "HTTPS won't help with your DNS traffic"... because DNS uses UDP, I assume? – Totem Oct 24 '17 at 17:50
  • Yes. There are some DNS over SSL mechanisms, but they aren't the standard ones. Unless you are working at it, you are almost certainly doing DNS over UDP, in the clear. – crovers Oct 24 '17 at 19:37
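The answer and the comment thread make one concrete point: the only "encryption" in the provider's reply is the VPN tunnel between the client and the VPN server, and the datagram that leaves the VPN exit toward OpenDNS is an ordinary RFC 1035 query on UDP port 53, with the queried name in the clear. HTTPS does not cover it because it is not HTTP traffic. The following Python is an added example, not code from the answer: it builds the query a stub resolver would send, then parses the same bytes the way a passive observer on the exit-to-resolver path would, and reads the name back out. The transaction ID, hostnames and byte strings are constructed for illustration.

```python
"""
What an observer between the VPN exit and the resolver sees (added example):
a classic DNS query is a plain RFC 1035 message on UDP/53, and the queried
name can be read straight out of the bytes.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a hostname in DNS label format: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Build the UDP payload a stub resolver sends: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name at `offset`; return (name, offset after it)."""
    labels = []
    end = None          # where the caller continues parsing
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                       # pointer is the last 2 bytes of this name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def sniff_questions(msg):
    """Parse a DNS message as a passive observer would; list (name, qtype, qclass) asked."""
    qdcount = struct.unpack(">H", msg[4:6])[0]
    offset = 12                                        # fixed 12-byte header
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


if __name__ == "__main__":
    query = build_query("example.com")
    print("on the wire:", query.hex())
    print("observer reads:", sniff_questions(query))
```

Running it shows the wire bytes contain the literal labels `example` and `com`; no key is needed to recover them, which is exactly why the answer says the query is private only up to the VPN exit. The parser also follows label compression pointers, which responses and multi-question messages use, so the same code can be run over a captured resolver reply to list what was asked. It does not attempt to parse DNS over TLS or DNS over HTTPS payloads, because those are encrypted and the name is not recoverable from them, which is the distinction the last comment draws.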