
Technical Overview: Preventing DNS Leaks When Switching Network Interfaces

To effectively offer a user privacy and security, a VPN application must ensure that a user’s DNS requests remain private for the entire duration of the connection to the VPN. Applications usually do this by guaranteeing that all DNS requests are sent encrypted through the VPN tunnel and handled by the VPN provider’s DNS servers.

To maintain this guarantee, it is important to understand under what scenarios DNS leaks might occur. Considering only simple scenarios, such as when network connections are stable, is not sufficient. In the real world, networks are often unstable, or their configurations can change, and generally, this is when leaks occur. Investigating complex scenarios is thus a crucial part of the process of engineering a leak-proof VPN application.

At ExpressVPN, we spend considerable time and effort investigating complex scenarios under which your VPN application might leak. In the rest of this article, we discuss one particular scenario which we uncovered where DNS leaks could occur. We’ll explain how and why the DNS leak occurs and give you a way to test for the leaks yourself.

Scenario: DNS leaks after a switch in network interfaces

Switching between network interfaces is a common scenario where DNS leaks are possible. Consider the following example:

Most VPN applications will not detect this network configuration change. They will continue to inform you that your privacy and security are still 100% protected; the reality, however, can be very different.

Under the covers, your DNS requests can be persistently leaking out to your ISP or other third parties, and you may never realize it.

Technical Breakdown

When can this really happen?

Let’s take the example of a Mac (do note, though, that this leak also occurs with Windows devices). Suppose you have a Wi-Fi and Ethernet connection available. Open the “System Preferences” app and navigate to “Network.” You will see something like the following:

This indicates that you’re connected to both Wi-Fi and Ethernet, but Ethernet is your preferred connection.

Suppose further that your DNS is set to a “local” IP address. You can check this by clicking on “Advanced” when your Ethernet connection is highlighted and then navigating to “DNS.” You should see something like this:

If the IP addresses under “DNS Servers” are of the form 10.x.x.x, 192.168.x.x or between 172.16.x.x and 172.31.x.x, then they’re “local” IP addresses. This most likely means that your router is acting as your DNS server and thus, without a VPN, your ISP can see all your DNS requests. If you have such a setup, then you may be vulnerable to this DNS leak.

Note that even if your DNS servers do not have local IP addresses, you will likely still be vulnerable to DNS leaks. In this case, the DNS requests may go through the VPN tunnel. However, they would not be routed to the VPN’s DNS server but to some other DNS server, such as that of your ISP or a third-party DNS provider.

How can you check whether you leak?

The simplest method is to use ExpressVPN’s DNS leak tool and do the following:

You can also check for DNS leaks without relying on our webpage by using tcpdump as follows.

Firstly, find the network interface corresponding to your Ethernet connection:

Now, let’s run the test:
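As an added example (not ExpressVPN's tool and not the commands from the original post), the following POSIX shell script carries out the tcpdump check described above. It looks up the device name of the macOS "Ethernet" hardware port with `networksetup -listallhardwareports`, captures UDP port 53 traffic on that physical interface while the VPN is connected, and labels every DNS request it sees: a request to an RFC 1918 address is the router-as-resolver case described earlier, a request to any other address is the ISP or third-party resolver case. With the VPN connected, no request at all should appear on the physical interface. The sample tcpdump lines embedded for the offline demonstration are constructed; the live capture needs tcpdump and root.

```shell
#!/bin/sh
# Added example: flag DNS requests that leave a physical interface while a VPN
# is connected. Not ExpressVPN's code; sample lines below are constructed.

# Print the device name (e.g. en0) of a macOS hardware port, parsing the output
# of `networksetup -listallhardwareports` supplied on stdin.
iface_for_port() {
    awk -v port="$1" '
        $0 == ("Hardware Port: " port) { found = 1; next }
        found && /^Device: /          { print $2; exit }
    '
}

# Print the destination resolver address of a tcpdump DNS request line, or fail
# if the line is not a request. tcpdump prints requests as
# "<time> IP <src>.<sport> > <dst>.53: <id>+ <type>? <name>. (<len>)"; responses
# have source port 53 and no "<type>? " marker, so they are ignored.
dns_request_dst() {
    printf '%s\n' "$1" | sed -n 's/.* > \([0-9.]*\)\.53: .*? .*/\1/p' | grep .
}

# True for RFC 1918 addresses: 10/8, 172.16/12, 192.168/16. A resolver in one of
# these ranges is on the LAN (typically the router), so the ISP sees the query.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read tcpdump text output on stdin and echo one line per leaked request.
flag_leaked_dns() {
    while IFS= read -r line; do
        dst=$(dns_request_dst "$line") || continue
        if is_rfc1918 "$dst"; then
            printf 'LEAK (LAN resolver %s): %s\n' "$dst" "$line"
        else
            printf 'LEAK (public resolver %s): %s\n' "$dst" "$line"
        fi
    done
}

# Live check on the physical interface while the VPN is up. -n stops tcpdump
# from resolving names itself (which would add DNS traffic of its own) and -l
# line-buffers so leaks show as they happen. Needs root; stop with Ctrl-C.
live_check() {
    iface=${1:-$(networksetup -listallhardwareports | iface_for_port Ethernet)}
    [ -n "$iface" ] || { echo "no Ethernet interface found" >&2; return 1; }
    echo "capturing DNS on $iface; with the VPN connected, nothing should appear" >&2
    sudo tcpdump -n -l -i "$iface" udp port 53 | flag_leaked_dns
}

# Constructed tcpdump output for the offline demonstration: three requests to
# LAN resolvers, one response, and one request to a public (TEST-NET) resolver.
SAMPLE='12:00:01.000001 IP 192.168.1.23.52311 > 192.168.1.1.53: 41032+ A? example.com. (29)
12:00:01.000200 IP 192.168.1.1.53 > 192.168.1.23.52311: 41032 1/0/0 A 203.0.113.10 (45)
12:00:02.000001 IP 192.168.1.23.52312 > 10.0.0.2.53: 7+ AAAA? example.net. (30)
12:00:03.000001 IP 192.168.1.23.52313 > 172.20.0.1.53: 9+ A? example.org. (29)
12:00:04.000001 IP 192.168.1.23.52314 > 198.51.100.7.53: 11+ A? example.com. (29)'

# Usage: `sh dnsleak.sh --live [en0]` for a real capture; no arguments runs the
# offline demonstration on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
else
    printf '%s\n' "$SAMPLE" | flag_leaked_dns
fi
```

Run it with the VPN connected and browse for a minute: every printed line is a DNS request that left through the physical interface instead of the tunnel, whichever resolver it was addressed to.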