vanilla leaks case study“Vanilla” leaks occur when a user’s IP addresses, DNS requests, or even web traffic aren’t protected by their VPN even during normal operation under stable networking and system environments. If present, they represent a severe privacy and security risk.

This case study from our Privacy Research Lab describes the types of vanilla leaks to be aware of, and how to test for them using the ExpressVPN Leak Testing Tools.


Types of vanilla leaks

There are three categories of vanilla leaks to test for:

Public IP address leaks

No website or app should ever be able to see your public IP addresses.

DNS leaks

DNS leaks can be classified into several categories with different severities:

DNS requests don’t go through the VPN tunnel AND go to a third party DNS server

This is the most severe type of leak. It means all of the user’s DNS requests are visible to any Man in the Middle (MitM) and to the third party running the DNS server, such as their ISP. Moreover these requests will come from the user’s IP address, and thus can be directly associated to that individual with ease.

DNS requests don’t go through the VPN tunnel AND go to the VPN DNS server

This leak is slightly less severe than the previous, as the DNS server is deemed to be trustworthy. However, since the DNS requests are being made outside of the VPN tunnel, they are unencrypted and any MitM, e.g. the ISP, could listen in and record the DNS requests. Those observing a user’s DNS requests will also be able to associate them with that individual based on their IP address.

DNS requests go through the VPN tunnel AND go to a third party DNS server

This type of leak is the least severe. The DNS requests will be encrypted all the way to the VPN server, preventing any MitM from eavesdropping and seeing the DNS requests. This makes it effectively impossible to determine which individual sent a given DNS request. However, in a very targeted attack there may be complex methods an attacker could employ to use this to determine information about the sender.

(Note that these descriptions assume that the DNS servers run by the VPN providers are both logless and secure. This is an important aspect of protecting of any VPN provider, but is beyond the scope of this leak case study.)

IP traffic leaks

This means that arbitrary traffic is leaving the device outside of the VPN tunnel. If such leaks are happening then it implies that DNS leaks are likely also happening, as these are more general leaks than DNS leaks. If these sorts of leaks are occurring with a given VPN service, then in terms of privacy and security protection, it’s little better than not having a VPN enabled at all.


Testing for leaks

Manual Testing

Testing for IP leaks and DNS leaks can be partially done online with the following web-based tools:

Note that the IP leak test doesn’t currently check for IPv6 leaks, but the WebRTC leak test can be used equally well for testing this.

The DNS leak test isn’t capable of verifying that DNS requests actually went via the VPN tunnel. Testing this is much more complex, thus we recommend using the the leak testing tools indicated below for testing this.

Testing using the ExpressVPN Leak Testing Tools

The ExpressVPN Leak Testing Tools are an extensible suite of open-source Python tools designed for both manual and automated leak testing of VPN applications. Please see our introduction to the tools for instructions on downloading and setting up the tools.

Once you’ve set up the tools, ensure you are in the tools root directory and execute:

./run_tests.sh -c configs/case_studies/vanilla_leaks.py

This command will run several test cases that will check for basic vanilla leaks.