-
Why DNS leak tests might fool you
What is a DNS leak test
Even after you connect to a VPN, your DNS queries might still be sent to your ISP instead of your VPN service. This situation is called a DNS leak. DNS leak tests will tell you who your DNS provider is. You’ll find multitude of DNS leak test sites when you search for “dns leak test“.
Usually, people assume that there’s no leak if the DNS servers reported by the DNS leak test are not that of their ISP.
Why the DNS leak test might fool you
DNS leak tests tell you who your DNS provider is, but they don’t tell you how you reached your DNS service.
As a simple example, disconnect your VPN but set your DNS service to Cloudflare (IP addresses 1.1.1.1 & 1.0.0.1). Now run a DNS leak test. It’ll tell you that your DNS provider is Cloudflare.
Are your DNS queries protected? No. Your DNS queries are going through your ISP connection unencrypted. Your ISP is still able to monitor your DNS requests.
Using the
tracertcommand, you can see how you are reaching your DNS server.- The following tests are performed with VPN off.
- ISP DNS server
- Cloudflare through ISP
As you can see, in both cases the DNS requests will go through the ISP network.
- ISP DNS server
-
With VPN turned on (on the router):
- Cloudflare through VPN
- ISP DNS server through VPN
In both cases, your DNS queries will go through the VPN network. Even if you still use your ISP’s DNS servers, they won’t be able to associate those queries with you, because the DNS queries are coming from the IP address of the VPN server.
- Cloudflare through VPN
Conclusion
In order to make sure that your DNS queries are properly protected, you need to:
- Run a DNS leak test to make sure that your DNS service is what you set it to. I.e., your DNS service is not being hijacked (sometimes misleadingly called transparent proxying when an ISP does it).
- Run
tracertto make sure that you’re reaching the DNS servers through your VPN connection.
What to do if you can’t run
tracert? I offer two options here, but there may be other ways.- Connect your VPN to a remote server (e.g., Europe if you are in the US). Then run a DNS leak test and verify that the location of the DNS server is where your VPN server is.
- Run the DNS leak test twice, before and after you connect to the VPN. The results should be different.
- The following tests are performed with VPN off.
Recent Posts
- How to reset the pcWRT router
- How to create your SSH key and use it on the router
- How to reset router password by email
- How to set up SurfShark WireGuard VPN on the pcWRT router
- How to set up Proton VPN WireGuard on the pcWRT router
Recent Comments
- on How to create your SSH key and use it on the router
- on How to create your SSH key and use it on the router
- on How to setup TunnelBear OpenVPN on the pcWRT router
- on How to setup TunnelBear OpenVPN on the pcWRT router
- on How to enable native dynamic DNS on the pcWRT router
Archives
- April 2024
- March 2024
- August 2023
- May 2023
- February 2023
- June 2022
- December 2021
- November 2021
- August 2021
- January 2021
- December 2020
- October 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- February 2020
- January 2020
- December 2019
- October 2019
- December 2018
- August 2018
- July 2018
- June 2018
- January 2018
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- January 2017
- August 2016
- May 2016
- December 2015
- August 2015
- July 2015
- May 2015
- April 2015
- March 2015
Categories
