Psst! Don’t let your DNS leak all over the internet

When it comes to encryption, it’s that last mile in front of the house that matters. Encryption offered by some security products can leave a lot to be desired – particularly the last mile up to your front door. While they might be encrypting the contents of your online activities, they often fail to do this for your DNS – the Domain Name System – the process for converting domain names into numerical IP addresses.

Hey you down there!

That’s like living in a second-floor apartment with a secured main door and a broken intercom. When a friend comes to visit, you stick your head out the window and shout down below, “Hey Robert! The PIN code for the front door is 12345 and I’m on the second floor.”
What a security failure. Everyone within earshot knows exactly where you live, that you have a visitor, what his name is – and let’s not talk about that private security code.

This little shout out the window is what security people call a DNS leak. It is very clear that the two individuals were talking, even if we don’t know what Robert and John were saying to each other (that part might have been encrypted). From a common-sense perspective, “John was talking to Robert” is a much less secure and private conversation than “John was talking to someone.”

The who, what, and where

For a “normal” unencrypted online interaction, this means that the Internet Service Provider (ISP) – or anyone else rubbernecking their way into the conversation between John and Robert – knows three basic details about the conversation:

  1. They know who was speaking (thanks to the DNS).
  2. They know what was being said (reading those unencrypted data packets).
  3. They know the where (geo-locating that IP address).

When it comes to the benefits from a VPN, the where and the what are at the top of the list. Where – yes, people like being able to get geo-restricted content. Especially those everyday sites that you go to at home and would really like to see when on vacation. What is also important. The knowledge that about anyone can intercept and track online activity over an open WiFi is unsettling. In many ways, it does not matter if it is the network manager at the local café or a cyber criminal sitting across from me in that same café – I just don’t want them listening in to my conversation. So I will encrypt the conversation and keep it a private conversation.

Let’s talk about the who

The who is where the DNS, short for Domain Name System, comes in. This is the process for translating domain names into numerical IP addresses. Under normal circumstances, once you go online and type in a URL, your device contacts the DNS server run by your internet provider and asks it for the IP address so it knows where to send your data packets.
So your ISP knows who you are talking to – but it doesn’t have to be that way. You don’t have to give your ISP this information – if you have a properly working VPN.

More than a wee little DNS leak

The problem is that VPNs and proxies have DNS issues – they can leak. And they leak a LOT. Researchers from Australia’s Commonwealth Scientific and Industrial Research Organization (CSIRO), the University of New South Wales, and the University of California, Berkeley looked at 283 VPN apps for Android-powered smartphones and found more than just small leaks. Their report stated, “66% of the VPN apps do not forward DNS traffic through the VPN tunnel so any in-path observer can monitor the DNS networking activity of the user.” Yes, leaking apps are “not effective against surveillance and malicious agents.”
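To see what “not forwarding DNS through the tunnel” looks like at the routing level, here is an added example (not code from the post or from the study it cites): given the resolvers a device is configured to use and a simplified routing table, it lists the resolvers whose queries would exit the machine outside the VPN interface. The interface names, addresses and routes are constructed for illustration; it also covers the common case where the VPN tunnels IPv4 but leaves IPv6 untouched.

```python
import ipaddress

# Constructed sample data (not taken from the post). The VPN client has
# set a full-tunnel IPv4 default route via "tun0", but the OS still uses
# the resolver handed out by the cafe/home router, and IPv6 is untouched.
NAMESERVERS = ["192.168.1.1", "10.8.0.1", "8.8.8.8", "2001:db8::53"]
ROUTES = [
    ("0.0.0.0/0", "tun0"),          # IPv4 default: into the VPN tunnel
    ("203.0.113.10/32", "wlan0"),   # host route to the VPN server itself
    ("192.168.1.0/24", "wlan0"),    # local LAN, incl. the DHCP-supplied router
    ("::/0", "wlan0"),              # IPv6 default: the VPN never touched it
]
VPN_IFACE = "tun0"


def egress_interface(address, routes):
    """Longest-prefix match: name the interface that carries traffic to address."""
    ip = ipaddress.ip_address(address)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def leaking_resolvers(nameservers, routes, vpn_iface):
    """Resolvers whose DNS queries would leave the machine outside the tunnel.

    A resolver with no matching route at all (None) is reported as well,
    since it is certainly not being reached through the VPN interface.
    """
    return [ns for ns in nameservers
            if egress_interface(ns, routes) != vpn_iface]


if __name__ == "__main__":
    for ns in leaking_resolvers(NAMESERVERS, ROUTES, VPN_IFACE):
        print(f"DNS leak: queries to {ns} exit via "
              f"{egress_interface(ns, ROUTES)} instead of {VPN_IFACE}")
```

On a real system the same check is fed with the resolvers from the OS network settings and the actual routing table; a resolver that exits via the physical interface is exactly the in-path observer’s window the study describes.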

DNS puddle is a dual problem

A DNS leak is a dual problem. First, it lets the ISP – and just about anyone else listening in – know exactly whom you are contacting. While the contents of the conversation may be private, they would know that “John was talking to Robert.”
Second, it lets the ISP be a potential traffic cop. Not only do they know who you are communicating with, they are also in a position to block access to certain sites. This could be an app such as Twitter or a website with streaming content that has upset the local authorities.

Remember the DNS

A VPN should – if done correctly – keep your DNS info private and encrypted. And it should be doing this regardless of whether your device is running Android, something from Apple, or Windows, and regardless of whether it is a free or a premium app. If you want to talk to Robert, make it really private.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.