At SecurityTrails we analyze DNS servers, along with their records, domains and IP addresses, to bring you the ultimate cybersecurity treasure trove for identifying and preventing infosec issues on your company’s websites and apps. Some time ago, we published a guide on how to prevent DNS server attacks, and today we’re moving one step forward: we explore how to prevent DNS leaks, a topic that became pretty popular with the end of net neutrality some months ago.
What is a DNS?
DNS (Domain Name System) is the key service that makes the Internet work: it maps hostnames to IP addresses. That way, you can remember any website by its name, and you won’t need to remember which IP address answers for it. In other words, it’s like a giant phone book for those who surf the internet.
Every time you browse a website, your local computer asks your ISP DNS resolvers to identify the IP address of that website. Then, the ISP returns the information and you can start browsing the specified website.
For nearly everyone using the internet, this is an ordinary situation. What most people don’t know is that using the DNS resolvers provided by your ISP can cost you your privacy!
When net neutrality was declared officially over, we all knew it was going to be hard to keep your data private; ISPs will eventually start filtering traffic (slowing down online streaming shows, movies, music or games), or analyzing data from those who use their DNS servers. Even worse, they’re forced to give all of your personal resolving hosts and DNS-related information to any government or federal agencies who legally request it.
Using a public ISP-based DNS server may lead you to a common security problem known as a DNS leak. The good news is that you can choose to avoid using DNS resolvers provided by your ISP.
So let’s find out more about DNS leaks and ways to prevent it.
What is a DNS leak?
As we mentioned, ISPs, and their DNS servers in particular, can keep tons of data about their users and store which IP addresses originally requested any hostname on the Internet. If your public DNS provider is able to monitor and store this information on their servers forever, you invite the huge risk of a DNS leak.
A DNS leak is the act of monitoring, storing and filtering your DNS traffic at ISP level, by inspecting the queries sent to the public DNS servers you use to resolve internet hostnames into IP addresses.
Here’s how it works:
- Open up your browser.
- Type “Twitter.com”.
- At this point, your ISP DNS servers will store a record of this activity:
  - The originating computer IP (yours).
  - The target hostname.
  - The target server IPs.
In other words, a DNS leak is a security problem between your computer and the DNS resolvers, one that affects your online privacy because all queries are sent using an unencrypted DNS request over the network.
In a world with net neutrality, users shouldn’t be worried about whether their browsing activity is being inspected or not. As a user, you should have the freedom to browse and contact different kinds of websites and online services without any concern about DNS leaks.
That is no longer the case. But even if net neutrality is over, there are ways to prevent DNS surveillance activity.
How can I prevent DNS leaks?
Is there any way to avoid DNS leaks? Let’s find out.
Use a VPN service, your own or from a third party
One of the most popular ways to avoid a DNS leak is by using a VPN server.
VPN (Virtual Private Network) services allow you to set up a private tunnel between your computer and the Internet. This way, you can connect to the VPN server, and then start browsing anonymously without revealing your origin IP.
While the main goal of VPN servers is to hide your real IP address and encrypt your traffic, not all VPN providers can ensure this. Many VPNs are in fact vulnerable to DNS leaks. Always double check the VPN features before choosing your next provider, and ensure they will not allow any DNS leaks.
If you don’t feel you can trust any VPN provider, another thing you can do is set up your own dedicated or Cloud VPS box located in an offshore country, where ISPs are not leaking (as much) information as your current ISP, and install your own VPN service with software like OpenVPN.
Use Cloudflare DNS servers
This is another good option.
Months ago, Cloudflare launched their 1.1.1.1 public DNS servers, claiming to be the fastest and most secure DNS resolvers in the world.
Chances that Cloudflare can leak DNS information to your provider are actually really low, as they store little to no information about your connection. If any information is stored, it’s destroyed after 24 hours. At least that’s their commitment to users. In their own words:
Logs are kept for 24 hours for debugging purposes, then they are purged.
If you want to change your local resolvers on Unix and Linux, set these two values inside your /etc/resolv.conf file:
```
nameserver 1.1.1.1
nameserver 1.0.0.1
```
For Windows, Mac and other mobile operating systems, check out the official setup instructions.
This is probably the fastest and most secure way to prevent a DNS leak, although you should also remember that Cloudflare can, and will, give the last 24 hours of your internet DNS activity to law enforcement agencies if requested.
An extra benefit: Cloudflare can also speed up your Internet speeds tremendously. They are currently ranked as the fastest DNS resolvers in the world.
Use your own DNS resolving server
Here’s another solution: you can run your own DNS resolver using any Domain Name System server software. However, as with the “build your own VPN” solution, this must be done in an offshore country, where the ISP can ensure there will be no logging of your DNS requests.
Am I at risk? Run a DNS leak test
First things first: if you’re using your local ISP public DNS resolvers, and not protecting your IP using a VPN provider or Cloudflare DNS (1.1.1.1), there’s a big chance you’re exposing yourself to DNS leaks.
If you are using a VPN service, there are several ways to run a DNS leak test. One is to use an online DNS leak test app.
These online tests usually yield quick results, but be aware that some of the most popular VPN companies are the same ones who developed these DNS leak testing tools. Know that they could manipulate results to reflect their own interests, to sell you their own VPN services.
Run a DNS leak test by using the command line
Another way to test your provider against DNS leaks is by querying Akamai. Simply run:
```
nslookup whoami.akamai.net
```
This should return an IP address belonging to your VPN provider, not the IP allocated by your local ISP. And while this means your DNS queries reach the Internet from the VPN-assigned IP, the question remains: can you really trust your VPN provider?
How long do they store your browsing activity? What’s their logging and data-retention policy?
These are questions you should always ask before purchasing a VPN service.
Luckily, most VPN providers allow trial tests so you can run the VPN service to find out if it’s really secure.
On the other hand, if you decide to avoid VPNs and opt to use Cloudflare secure DNS servers, this should be the output while testing against Akamai (the IPv4 answer varies by Cloudflare point of presence, so it is shown as a placeholder here):
```
[user@host ~]$ nslookup whoami.akamai.net
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   whoami.akamai.net
Address: [Cloudflare IPv4 address]
Name:   whoami.akamai.net
Address: 2400:cb00:44:1024::c629:e804
```
As you can see, the results show that the DNS resolvers used belong to Cloudflare.
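The command-line test above can be turned into a repeatable check. The following script is an added example, not code from the SecurityTrails post: it parses BIND-style nslookup output for whoami.akamai.net (the format shown above), confirms the resolver is one of Cloudflare's two addresses, and flags any answer that falls inside a constructed ISP address range (203.0.113.0/24 here, an assumed documentation range standing in for your real ISP's allocation).

```python
"""Added example: detect a DNS leak from `nslookup whoami.akamai.net` output."""
import ipaddress
import subprocess

# Cloudflare's public resolvers, as named in the post.
CLOUDFLARE_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Constructed nslookup transcripts (BIND-style layout), not real captures.
SAMPLE_CLOUDFLARE = """Server:\t\t1.1.1.1
Address:\t1.1.1.1#53

Non-authoritative answer:
Name:\twhoami.akamai.net
Address: 2400:cb00:44:1024::c629:e804
"""
SAMPLE_ISP = """Server:\t\t203.0.113.53
Address:\t203.0.113.53#53

Non-authoritative answer:
Name:\twhoami.akamai.net
Address: 203.0.113.7
"""

def parse_nslookup(output: str) -> dict:
    """Return the resolver used ("server") and the answer addresses."""
    server, answers, in_answer = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith("non-authoritative answer"):
            in_answer = True
        elif line.startswith("Address:"):
            addr = line.split(":", 1)[1].strip().rsplit("#", 1)[0]  # drop "#53"
            if in_answer:
                answers.append(addr)
            elif server is None:
                server = addr
    return {"server": server, "answers": answers}

def check_leak(parsed: dict, isp_ranges, expected=CLOUDFLARE_RESOLVERS) -> list:
    """List findings; an empty list means no leak indicator was seen."""
    findings = []
    if parsed["server"] not in expected:
        findings.append(f"resolver {parsed['server']} is not in {sorted(expected)}")
    nets = [ipaddress.ip_network(n) for n in isp_ranges]
    for a in parsed["answers"]:
        ip = ipaddress.ip_address(a)  # whoami.akamai.net answers with the egress IP
        if any(ip in n for n in nets):
            findings.append(f"egress {a} is inside an ISP range: your ISP resolver is used")
    return findings

def run_live() -> dict:
    """Run the real command on this host (requires nslookup and network access)."""
    out = subprocess.run(["nslookup", "whoami.akamai.net"], capture_output=True, text=True)
    return parse_nslookup(out.stdout)
```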
Using ISP-based DNS resolvers can lead to losing your online privacy entirely, including, but not limited to, filtering of your entertainment subscriptions, slowing down your internet speed depending on the content you browse, or handing all of your details to law enforcement agencies.
In our experience, the best way to prevent DNS leaks is to build your own VPN server or use one that can completely guarantee your privacy. Other recommendations are using Cloudflare 1.1.1.1 public servers and, as a last resort, running your own DNS resolver.
DNS is still one of the most targeted internet services in existence. The good news? We can help you prevent most known DNS security issues.
Start using SecurityTrails so you can manually audit your DNS servers, records, IP addresses, and domain names to prevent security issues in your business. Or grab a free API account to automate all the processes from your own apps.