![\"What](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Opener-300x300.png\")
<\/figure>\n<\/div>\n\n\nIf that\u2019s the case, I envy you. In fact, maybe even consider just taking a rain-check on the rest of this article and then just continue living your life \u2013 because ignorance truly is bliss. <\/p>\n\n\n\n
But for the rest of us, privacy is an unfortunate consideration in many of the decisions we make online. <\/p>\n\n\n\n
And when it comes to our digital privacy, DNS leaks are a\nparticularly pernicious threat to said privacy. But despite their ability to\ncompromise your anonymity, DNS leaks are also one of the least understood\nthreats faced by the modern internet user. That\u2019s owing to a lot of different\nfactors, chief among them that aforementioned blissful ignorance.<\/p>\n\n\n\n
If we\u2019re being honest, the average internet user doesn\u2019t understand how the connections being made by their own computer actually work, nor do they understand the Internet Protocol, IP addresses, the Domain Name System or even Virtual Private Networks. In turn, that lack of information makes everything else feel abstract and basically blunts any concern we would otherwise have about the threat.<\/p>\n\n\n\n
So, today we\u2019re going to talk about DNS Leaks, what they\nare, why they\u2019re dangerous and how to fix them.<\/p>\n\n\n\n
Let\u2019s hash it out.<\/span><\/p>\n\n\n\n If you\u2019ll recall a few weeks ago we went in-depth on the TCP\/IP model for network connections<\/a>. If you want a complete explanation of all that, I recommend checking it out. But for now, here\u2019s the abridged version:<\/p>\n\n\n\n Anytime you make a connection on the internet, data is being routed across multiple layers, in multiple ways, to facilitate the connection itself. In fact, calling it a singular connection can even be a little misleading as there are actually multiple connections being made throughout the process. Of course, this all happens in the background, so for most of us our only exposure to a lot of it is the error messages that are triggered when something goes wrong (TLS handshake error<\/a>, I\u2019m looking at you). <\/p>\n\n\n\n So, while on the user side visiting a website might seem as straightforward as typing \u201camazon.com\u201d into your address bar and within seconds you\u2019re connected to Amazon. But that belies just how complicated making that connection actually was. <\/p>\n\n\n\n Let’s illustrate with an example. Here\u2019s a quick breakdown of what a mail connection would look like:<\/p>\n\n\n Again, we\u2019re not going to go too far into the weeds on thre of the four layers you see here, instead we\u2019re going to focus in on the Network Layer where the Internet Protocol functions. <\/p>\n\n\n\n The top two layers, Application and Transport, largely deal with the defining the connection itself. What port will it use. What connection type (TCP or UDP). Data is ported, segmented and put into transmittable packets. <\/p>\n\n\n\n On the Network Layer you\u2019re handling the connection between different networks via the Internet Protocol and the networks\u2019 respective IP addresses.<\/p>\n\n\n\n You\u2019re likely familiar with IP addresses, but you might not know why they\u2019re significant. While Google has plans to kill it<\/a>, colloquial use of the internet has always relied on the URL or Uniform Resource Locator. Asking people to remember strings of numbers has historically not been a good idea. Our cell phones have largely eliminated the problem, but before everyone had a mobile device in their pocket, remembering phone numbers was a huge pain in the rear. (Also, using Maps.) People often had to carry around black books full of phone numbers or else record them on the walls of bathroom stalls for their use in perpetuity. <\/p>\n\n\n So, asking you to remember an IPv4, or even worse an IPv6 address is going to yield a lot less success than just rolling with a URL like \u201ccompany.com.\u201d People remember \u201ccompany.com.\u201d Thus, we use URLs.<\/p>\n\n\n\n But that creates its own issue, now you need to keep a dedicated resource that serves as a de facto phone book, pairing URLs with their respective IP addresses. But given the fact the internet is constantly growing, that websites can change IP addresses, and considering the amount of space that would be required to keep an ongoing record of all that, how do you reconcile letting users use URLs when networks and websites use IP addresses? <\/p>\n\n\n\n The Domain Name Service or DNS. <\/p>\n\n\n\n DNS is that resource. In the example above, after the information has been segmented and ported, it needs to be delivered to the correct network. In order to do this, the Internet Protocol will likely be used, which will require the correct IP address to be affixed to the data in the form of a header that will be used to route it to the correct destination.<\/p>\n\n\n\n But in order to get the correct IP address, you\u2019re going to need to perform a DNS look-up.<\/p>\n\n\n This occurs on the network layer. Before the data can be\nrouted to its intended recipient, the sender\u2019s computer system or network is\ngoing to need to reach out to a DNS server or resolver to pair the given URL\nwith its IP address. This is a highly technical step that many people never\ngive a second thought to. But if you\u2019re worried about your privacy this is also\none of those critical steps in a connection that can effectively muck up everything.<\/p>\n\n\n\n Here\u2019s why\u2026<\/p>\n\n\n\n Ideally, in a perfect world, you wouldn\u2019t need to worry about your DNS lookups being a problem. Guess what, that\u2019s not the world we live in. This issue really plays out on two different levels depending on your geography. But before we get to that, let\u2019s contextualize just a little bit more by bringing VPNs into this conversation.<\/p>\n\n\n\n People use VPNs for two primary reasons: <\/p>\n\n\n\n And those two reasons are hardly mutually exclusive. Aptly named, a VPN<\/a> is a literal virtual network through which all of a user\u2019s internet traffic can be funneled through to improve privacy. <\/p>\n\n\n A well-configured VPN can block your IP address, shield you from tracking and all but make you anonymous. A third party might know that you\u2019re using a VPN, but it doesn\u2019t know what you\u2019re doing with it. <\/p>\n\n\n\n DNS leaking screws all of that up. Typically, the result of\nmisconfiguration (or using a shoddy VPN), DNS leaking occurs when a device or\nnetwork attempts to make a DNS call outside of the VPN tunnel. <\/p>\n\n\n Now, if you\u2019re not using a VPN, then all of this information is already being logged by your Internet Service Provider (ISP), anyway. Every time you try to resolve a URL your ISP\u2019s DNS server records your IP address, the given URL and the IP address you\u2019re attempting to reach. That means it can effectively track you across the internet.<\/p>\n\n\n\n And that\u2019s a big part of why you would want to use a VPN, DNS records provide myriad information about an internet user and their behavior online. Remember how we started this section by mentioning that the severity of your DNS lookups not being private varies by your geography and typically breaks down into one of two different categories?<\/p>\n\n\n\n In the developing world, where internet freedom is not at a premium, DNS records can be used to track internet use, help censor material and even punish people for trying to access banned or blocked content. There are some places around the world where even being tangentially connected to the wrong website or network can land you in a labor camp or jail. <\/p>\n\n\n\n Fortunately, that\u2019s a reality most of us will never experience. For internet users around the rest of the world, VPN use and digital privacy are concerned more with \u201cfirst world problems” than anything that registers on a human rights scale. <\/p>\n\n\n\n In more developed countries having a DNS leak can lead to:<\/p>\n\n\n So, admittedly, having your ISP throttle your speed when you\u2019re trying to watch Netflix kind of pales in comparison to being sent to the Gulags for visiting the wrong news site, but across the world there are real reasons for people to want to keep their DNS look-ups off the radars of their governments and ISPs. <\/p>\n\n\n\n Having your DNS records leak completely undermines that goal, it could also allow a third party to fingerprint you, and figure out your actual IP address, which is its own problem in and of itself. Your IP address reveals a treasure trove of information, things like:<\/p>\n\n\n\n So while many people have never given a single thought to\nDNS leaking, if you care about your digital privacy you need to start thinking\nabout it.<\/p>\n\n\n<\/span><\/span>\n\n\n Like carbon monoxide poisoning, there\u2019s really no telltale\nsign that you have a problem without monitoring for it. That\u2019s kind of a\nmacabre comparison, but also apropos. Fortunately, there are some pretty good\ntools that can help you to test for DNS leaks. <\/p>\n\n\n\n Using them is simple enough, just navigate to the website\nand follow their instructions. They\u2019ll give you a pretty clear idea about what\u2019s\nleaking.<\/p>\n\n\n Some even explain what exactly the ramifications of a leak\nare.<\/p>\n\n\n\n One thing to note is that you may occasionally see a discrepancy\nor two when switching between tests. This can be attributed to the various\ndatabases in use. As long as the IP address shown corresponds to your network\nor VPN, you\u2019re fine. <\/p>\n\n\n\n There\u2019s a few main reasons these DNS leaks occur, again it\u2019s\ntypically the result of misconfiguration in some form \u2013 either a VPN or a\nnetwork issue \u2013 or Microsoft Windows working against itself. It could also be\nsomething much more malignant, for instance if an attacker takes control of\nyour router \u2013 in which case you\u2019ve got much bigger problems than a DNS leak.\nSo, we\u2019ll assume it\u2019s not that.<\/p>\n\n\n\n Major factors that contribute to DNS leaks:<\/p>\n\n\n\n We\u2019ll cover a few of the more common ones:<\/p>\n\n\n\n Let\u2019s start with network misconfiguration and work our way out. The most common type of network misconfiguration mostly occurs for remote workers that are connecting to the organization\u2019s network via VPN\/Split Tunneling. To understand this we\u2019re going to have to take a (very) quick detour into DHCP or Dynamic Host Configuration Protocol. And rather than get too technical, we\u2019ll just pick up the explanation in media res and catch DHCP in action. <\/p>\n\n\n\n Devices don\u2019t have native IP addresses, they have MAC addresses, networks have IP addresses that they delegate to devices upon their connection. Say you\u2019re visiting a friend and feel like checking your email, they give you their (probably never-changed) WiFi password and you go online. Before your device can start communicating on the network, it needs to have an IP address assigned to it (as well as receiving any other network configuration parameters that are in place). DHCP facilitates that.<\/p>\n\n\n\n Ok, back to DNS leaks, one of the aforementioned network\nconfiguration parameters that DHCP handles is DNS \u2013 it automatically assigns a\nDNS server to handle any requests. Ideally, things should be configured so that\nthe DNS call is made to a secure DNS server, typically one under the auspices\nof your VPN. It\u2019s when the DNS server that\u2019s assigned (usually the ISP\u2019s) is\noutside of that tunnel that DNS leaks occur. <\/p>\n\n\n\n This can be addressed at the client level, or it can be handled at the admin level, depending on your setup.<\/p>\n\n\n\n IP addresses are more Ross Thomas<\/a>\u2019s area of expertise, and he\u2019s written about them extensively<\/a> (if you\u2019re interested check it out), so we\u2019ll keep this high level. When most people think of an IP address they think of IPv4 addresses, which are basically four sets of three numbers divided by a period. Those are on their way out. They\u2019re being replaced by IPv6 addresses. <\/p>\n\n\n\nInternet Connections and VPNs<\/h2>\n\n\n\n
![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-TCPIP-Model-1.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/bigstock-168117545-300x300.jpg\")
<\/figure>\n<\/div>\n\n\n![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Diagram.png\")
<\/figure>\n<\/div>\n\n\nWhat\u2019s the Big Deal About a DNS Leak?<\/h2>\n\n\n\n
\n
![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/VPN-Diagram.png\")
<\/figure>\n<\/div>\n\n\n![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNS-Leak.png\")
<\/figure>\n<\/div>\n\n\n![\"Your](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/ISP-300x300.png\")
<\/figure>\n<\/div>\n\n\n\n
\n
How Do I Know If I Have a DNS Leak?<\/h2>\n\n\n\n
\n
![\"You](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNSLeak.com_-1024x455.png\")
<\/figure>\n<\/div>\n\n\n![\"What](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/DNSLeakTest.com_-1024x762.png\")
<\/figure>\n\n\n\nWhat Causes DNS Leaks?<\/h2>\n\n\n\n
\n
Improperly Configured Networks<\/h3>\n\n\n
![\"Improperly](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/Network-Misconfigured-292x300.png\")
<\/figure>\n<\/div>\n\n\nNot Supporting IPv6<\/h3>\n\n\n\n
![\"How](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/Transparent-Proxy.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/Windows-300x300.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/SMHNR-1024x476.png\")
<\/figure>\n\n\n\n![\"VPN](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/VPN-Recolor-300x300.png\")
<\/figure>\n<\/div>\n\n\n![\"Cloudflare](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/cloudflare-dns-1024x762.png\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/04\/bigstock-211692241-300x300.jpg\")
<\/figure>\n<\/div>\n\n\n![\"Hashed](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568-1024x267.jpg\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"