What are DNS leaks and how to prevent them

  • DNS leaks could reveal information to a third-party
  • Use a trusted VPN to mitigate leaks
  • ExpressVPN's leak test tool checks for DNS leaks
Tips & tricks
3 mins
Protect against DNS leaks.

In a previous blog, we talked about what DNS is, how it works, and why it can give away more information than you might expect.

In this post, we’ll take a more in-depth look at what an ISP can see and how ExpressVPN can protect your privacy.

Simply put, a DNS leak is when your VPN connection reveals some or all information about your DNS requests to a third party. DNS leaks mostly come in two forms:

  • Your DNS requests are sent to a server not hosted by the VPN provider
  • Your DNS requests are sent unencrypted, i.e., not through the VPN tunnel

When a leak occurs, typically you will browse sites believing you’re doing so privately, but actually, your ISP (or some other snooping third party) can see every website you visit. Leaks are especially scary now that in many countries ISPs are required to log and record certain traffic, and U.S. ISPs can even legally sell your internet data.

A potentially more significant issue, though, is that you might have visited sites or searched for content that you otherwise would not have, under the belief that your VPN protected your internet history.

How do DNS leaks occur?

DNS leaks can occur for a wide range of reasons, but broadly they fall into three categories:

VPN provider doesn’t have DNS protection

Your VPN doesn’t protect your DNS requests, which almost certainly means they are sent to a third party.

VPN provider’s DNS protection isn’t robust

Building robust protection against DNS leaks is not easy, or cheap, and comes with a range of difficult technical challenges.

VPN disconnects and exposes your DNS requests

Your VPN doesn’t notify you or protect you against dropped connections, which means your computer will start using your ISP’s DNS servers and expose whatever you’re doing at the time.

How does ExpressVPN test for DNS leaks?

ExpressVPN has a leak test tool that works by asking your browser to make a DNS request to an ExpressVPN owned website.

ExpressVPN DNS Leak Test

  1. The leak test tool requests your browser visits random pages (technically, subdomains) of the ExpressVPN site
  2. The browser will make a DNS request for these sites

As ExpressVPN owns the site names, the DNS requests are guaranteed to come to our DNS server and, thus, our leak test tool. If the leak test tool only sees ExpressVPN server IPs in the DNS request, then you don’t have a leak. However, if any requests come from your ISP, we can report this immediately to you as a leak.

To protect against a man-in-the-middle, the site names are randomized to ensure the DNS requests always come to the ExpressVPN DNS server and not a third-party server which has cached the answer.

ExpressVPN doesn’t record the results of the leak tests; we simply offer it as a service for your peace of mind.

ExpressVPN has also released open source leak tests, which allow advanced users to probe their VPN connection for all sorts of leaks, including DNS leaks. You can find more information about the Leak Testing Tools here, or inspect the code on Github.

Always use a trusted VPN to avoid DNS leaks

To secure yourself against DNS leaks, use a high-quality VPN service that will take active steps to prevent the most common causes of DNS leak in the first place.

With ExpressVPN, you are protected against DNS leaks because our app blocks DNS requests to any other DNS server other than our own. We also ensure that all your DNS requests are encrypted and sent through the VPN tunnel.

When the ExpressVPN app says you’re protected, you can be assured that your DNS requests aren’t leaking to your ISP.

The devs are the backbone of ExpressVPN and occasionally contribute their otherworldly wisdom to the blog.