This post was originally published on October 12, 2017.
Sometimes a VPN can fail to protect your device’s DNS (Domain Name System) queries even when the rest of your traffic is protected by the VPN tunnel. Such DNS leaks can compromise your privacy and security by letting unauthorized entities, like your ISP or DNS provider, see what websites you visit and apps you use, even when your VPN appears to be on.
That’s why ExpressVPN takes such leaks very seriously. We spend a lot of time investigating complex scenarios in which your DNS could leak—and coming up with fixes. Our goal is to protect you from DNS leaks in all circumstances imaginable—and for ExpressVPN to raise privacy and security standards in the VPN industry.
Our engineering team recently identified and fixed a particular class of DNS leaks that can occur when you switch network connections (for example, when your connection changes from Ethernet to Wi-Fi). Our research indicates that this type of leak is present among most major VPN services on the market. In this blog post, we’ll explain three things: the issue, how to reproduce it, and how to test for it yourself.
Leak scenario: DNS leaks when switching between Wi-Fi and Ethernet
Consider the following common situation:
- You’re at home with your laptop and are connected to Wi-Fi
- You connect with your VPN application
- After browsing for some time, you receive an important work email
- You head to your home office and connect your laptop to an Ethernet cable
In many cases, our testing showed it was possible to generate a DNS leak in this scenario. With the latest release of ExpressVPN for Mac and Windows, we have ensured that your privacy will be maintained and you can be confident there is no leak in these circumstances.
How can I test this leak for myself?
If you’d like to see whether you’re vulnerable to this leak, you can test for it yourself.
- Ensure your Ethernet cable is unplugged
- Ensure you are connected to a Wi-Fi network
- Connect with your VPN application
- Use ExpressVPN’s DNS leak tester or a third-party tester
  - You should see only one DNS server listed (Figure 1)
  - If you’re using ExpressVPN, then our tester will also tell you that it’s a recognized server of ours (Figure 2)
- Plug in your Ethernet cable
- Refresh the DNS leak page. If you’re leaking DNS, you’ll now see a different list of DNS servers
This test should work regardless of your VPN provider.
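A local complement to the browser test above, as an added example that is not ExpressVPN's code: it compares two snapshots of macOS `scutil --dns` output, taken before and after plugging in Ethernet, and lists resolvers that appeared after the switch and do not belong to the VPN. The sample output, addresses, interface names and function names are constructed for illustration.

```python
import re

# Constructed samples in the layout printed by macOS `scutil --dns`
# (addresses and interface names are made up for illustration).
BEFORE = """\
DNS configuration

resolver #1
  nameserver[0] : 10.8.0.1
  if_index : 14 (utun2)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
"""

AFTER = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 9 (en5)
  flags    : Request A records

resolver #2
  nameserver[0] : 10.8.0.1
  if_index : 14 (utun2)
  flags    : Request A records
"""

def parse_resolvers(text):
    """Return a set of (nameserver, interface) pairs from scutil-style output."""
    pairs = set()
    # Each "resolver #N" header starts one block; text before the first is skipped.
    for block in re.split(r"^resolver #\d+[ \t]*$", text, flags=re.M)[1:]:
        servers = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", block)
        iface = re.search(r"if_index\s*:\s*\d+\s*\((\w+)\)", block)
        name = iface.group(1) if iface else "unknown"
        pairs.update((s, name) for s in servers)
    return pairs

def new_non_vpn_resolvers(before, after, vpn_servers):
    """Resolvers present only after the switch and not owned by the VPN."""
    added = parse_resolvers(after) - parse_resolvers(before)
    return sorted(p for p in added if p[0] not in vpn_servers)

if __name__ == "__main__":
    for server, iface in new_non_vpn_resolvers(BEFORE, AFTER, {"10.8.0.1"}):
        print(f"new resolver after switch: {server} on {iface}")
```

A resolver flagged here shows only that the system configuration changed; the leak test page still confirms whether queries actually reach it.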
How DNS leaks undermine your privacy and security
The Domain Name System (DNS) is fundamental to the internet. Every time you visit a website, you use DNS to ensure you are connecting to the correct server. Unfortunately, this also means that anyone who sees your DNS requests has a record of all the websites you visit. That’s why it’s important for your privacy and security to use a private, encrypted DNS and to ensure that your VPN is preventing DNS leaks.
ExpressVPN’s focus on providing reliable, leak-free VPN services
We know that when you use ExpressVPN, you place your trust in us—and that’s why we work very hard to maintain it. In practice, this means constantly updating our products to stay on the cutting edge of speed, security, and vigilance against threats to your privacy, which include leaks.
How can you trust that your VPN is leak-proof? While there’s no way to definitively prove that any VPN is 100% leak-proof, we are able to identify the usage scenarios and patterns that users are expected to encounter and ensure that no leaks occur in those situations through extensive testing. That’s exactly what ExpressVPN is focused on. At ExpressVPN we also aim to increase your confidence in our product by being open and transparent. By disclosing our research, investigations, and improvements and giving you the power to check for leaks yourself, we hope you’ll be as confident in our product as we are.
Get the technical lowdown
So why can DNS leaks occur when you’re switching network connections, even if your VPN appears to still be connected? Learn more in our technical overview.