How to prevent DNS leaks

If you have a DNS leak it means that you are using a DNS server that does not belong to Mullvad. This guide will tell you about the most common causes for this so you can prevent it.

You can read about why this is important from a privacy perspective in our guide All about DNS servers and privacy.

Using Mozilla Firefox? Make sure to turn off DNS over HTTPS.

How to check for DNS leaks

You can use the Mullvad Connection check to look for DNS leaks. The result can be one of the following:

Green – “No DNS leaks”

This means that the DNS queries made by your web browser were answered by Mullvad's DNS servers. No further action is required.

Yellow – “Failed to check for DNS leaks”

This means that the DNS leak test was not able to look for DNS leaks due to a technical problem. You can try to open the Connection check again in a new private window, or in another web browser.

Red – “Leaking DNS servers”

This means that you have a DNS leak. Click on the red box to expand it. Read the information below about what causes DNS leaks to see how you can stop it. If you need help then send a screenshot of the IP addresses to Mullvad support. You can also look up the IP addresses at MaxMind to find out who they belong to.

What can cause a DNS leak

The Mullvad app

The Mullvad VPN app protects you from DNS leaks, unless you enable Use custom DNS server in the Mullvad app settings.

Web browsers

Many web browsers have a setting for DNS over HTTPS (DoH); in Chrome-based browsers it is called Secure DNS. When it is enabled, the browser sends its DNS queries over HTTPS to the configured DoH provider instead of to the system resolver, so they bypass Mullvad's DNS servers even though they travel through the tunnel, and the Connection check reports them as a leak. Follow the steps below to make sure that you have disabled it.

Firefox on desktop

To turn off DNS over HTTPS follow these steps:

  1. Click on the menu button and select Settings.
  2. Click on Privacy & Security in the left column.
  3. Scroll down to the bottom. Under DNS over HTTPS, select Off.

Mozilla has currently enabled DNS over HTTPS using Cloudflare DNS by default in Firefox in the following countries:

  • United States
  • Canada
  • Russia
  • Ukraine

Chrome on desktop

  1. Click on the menu button with three vertical dots in the top right corner.
  2. Click on Settings.
  3. Click on Privacy and security in the left column.
  4. Click on Security.
  5. Turn off “Use secure DNS”.

Brave on desktop

  1. Click on the menu button with three horizontal lines in the top right corner.
  2. Click on Settings.
  3. Click on Privacy and security in the left column.
  4. Click on Security.
  5. Turn off “Use secure DNS”.

Microsoft Edge on desktop

  1. Click on the menu button with three horizontal dots in the top right corner.
  2. Click on Settings.
  3. Click on Privacy, search, and services in the left column.
  4. Scroll down to Security.
  5. Turn off “Use secure DNS to specify how to lookup the network address for websites”.

Anti-virus apps

Some third-party anti-virus apps have built-in DNS hijacking: they intercept the system's DNS queries and resolve them through the vendor's own servers, which the Connection check reports as a leak.

Avast Premium Security

Find instructions for turning off Real Site on the Avast website.

AVG Internet Security

Find instructions for turning off Fake Website Shield on the AVG website.

Android

Chrome on Android

  1. Tap on the menu button with three vertical dots in the top right corner.
  2. Tap on Settings.
  3. Tap on Privacy and security.
  4. Tap on Use secure DNS.
  5. Turn off “Use secure DNS”.

Brave on Android

  1. Tap on the menu button with three vertical dots in the top right corner.
  2. Tap on Brave Shields & privacy.
  3. Under “Other privacy settings”, tap on Use secure DNS.
  4. Turn off “Use secure DNS”.

Private DNS

Android 9 and newer has a Private DNS feature which uses DNS over TLS (DoT). If it is set to a specific provider hostname, Android sends all DNS queries to that provider instead of to Mullvad's DNS server, which shows up as a leak. Set Private DNS to Off (it is found under Network & internet in Settings on most devices).

Routers

If you have configured your router to connect to Mullvad VPN using WireGuard or OpenVPN, then you can find help in the Troubleshooting section of our router guides if you get a DNS leak.

  • Asus Merlin and Mullvad VPN
  • WireGuard on a router (OpenWrt)
  • OpenWrt routers and Mullvad VPN (OpenVPN)

What is a DNS Leak?

A DNS leak is a security flaw that occurs when DNS requests are sent to an ISP's DNS servers even though a VPN is in use. A VPN encrypts the user's internet traffic and carries it through a tunnel to the VPN server, so neither the ISP nor anyone else between the user and the VPN server can see which sites are visited; the VPN provider itself still can.

However, a DNS leak occurs when the user's DNS requests travel outside the encrypted tunnel, or go to a resolver other than the VPN's, where the ISP can read them. DNS queries are sent in plaintext by default, so the ISP then learns the hostname of every site the user visits, tied to the user's real IP address, even though the site traffic itself still flows through the tunnel.

How Can a DNS Leak Happen?

There are several situations that can result in a DNS leak occurring, including:

  1. An improperly configured VPN client: the most common cause. When the machine joins a network, DHCP hands it the ISP's resolver, and that resolver stays configured on the physical interface. If the VPN client does not replace it with the VPN's own resolver, or the operating system keeps preferring the interface that holds the default route, queries go to the ISP. This bites people who move between many networks, because each new network pushes a new ISP resolver.
  2. An ineffective VPN service: a provider that does not operate its own resolvers, and does not push a resolver reachable only through the tunnel, leaves the client using whatever resolver it had before connecting.
  3. No Internet Protocol version 6 (IPv6) support: IPv4 addresses are 32 bits, written as four decimal octets (0 to 255); 128-bit IPv6 addresses were introduced to enlarge the address pool and accommodate more devices. The transition is still in progress. If the VPN tunnels only IPv4 while the host has native IPv6 and an IPv6 resolver from the ISP, the operating system can send its DNS queries (and the traffic that follows) over IPv6 straight past the tunnel.
  4. Transparent DNS proxies: some ISPs intercept all plaintext DNS (UDP and TCP port 53) and redirect it to their own resolvers regardless of which server the client addressed. Any query that leaves the machine outside the tunnel is therefore answered by the ISP even if the client was configured for a third-party server; queries that travel inside the tunnel are not visible to the ISP and cannot be intercepted by it.
  5. Windows smart features: Windows 8 and later include Smart Multi-Homed Name Resolution (SMHNR), which sends each query in parallel on every interface that has a resolver and accepts the first answer. The ISP resolver on the physical interface often answers before the VPN resolver on the tunnel, which leaks the query and also lets anyone on the local network win the race with a spoofed reply. It can be turned off with the Group Policy setting "Turn off smart multi-homed name resolution" (Computer Configuration > Administrative Templates > Network > DNS Client).
  6. Windows Teredo: Teredo is a built-in tunnelling mechanism that carries IPv6 inside IPv4 UDP to ease the transition from IPv4 to IPv6. On a VPN that handles only IPv4, IPv6 traffic (including DNS to an IPv6 resolver) can leave through Teredo instead of the VPN tunnel. It can be disabled with the command: netsh interface teredo set state disabled
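Cause 4 can be checked directly. The following is an added example written for this page, not code from the Mullvad or Fortinet pages: it sends one plain DNS query to 192.0.2.1, an address in the RFC 5737 documentation range that is assumed here to have no resolver behind it. Without interception the query times out; if a well-formed DNS response comes back, something on the path (an ISP transparent proxy) rewrote the destination and answered. The query name and the timeout are arbitrary choices.

```python
"""Probe for a transparent DNS proxy (added example; not from the page's sources).
An ISP that intercepts port 53 rewrites the destination of every plain DNS
packet, so it will answer a query addressed to an address where no resolver
can exist. 192.0.2.1 (TEST-NET-1, RFC 5737) is assumed to be such an address."""
import secrets
import socket
import struct

DEAD_RESOLVER = "192.0.2.1"   # documentation address: nothing legitimately answers here


def build_query(qname: str, txid: int) -> bytes:
    """Minimal RFC 1035 query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + qname_wire + b"\x00" + struct.pack(">HH", 1, 1)


def classify_reply(reply, txid: int) -> str:
    """Turn what came back (or did not) into a verdict on the network path."""
    if reply is None:
        return "timeout"            # expected: nothing listens at DEAD_RESOLVER
    if len(reply) < 12:
        return "garbage"
    rid, flags = struct.unpack(">HH", reply[:4])
    if rid != txid or not flags & 0x8000:   # wrong transaction, or QR bit not set
        return "garbage"
    return "intercepted"            # a real DNS response from a non-resolver: a proxy answered


def probe(qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query to DEAD_RESOLVER and classify the outcome."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, txid), (DEAD_RESOLVER, 53))
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            reply = None
        except OSError:
            return "unreachable"    # no route, or a VPN kill switch dropped the packet
    return classify_reply(reply, txid)


if __name__ == "__main__":
    print(probe())
```

Run it with the VPN disconnected to test the ISP path. With the VPN connected the packet travels inside the tunnel, so a response then would mean the VPN provider intercepts DNS, and an app that blocks all traffic outside the tunnel may report "unreachable" instead. The probe covers only plaintext UDP port 53; it says nothing about DNS over HTTPS or DNS over TLS.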

Is a DNS Leak Bad?

A DNS leak can be serious because it contravenes the reasons why a user deploys a VPN service. It can result in users’ private information, such as browsing activity, IP address, and location, unknowingly being leaked to their ISP, third-party organizations, and malicious actors monitoring network activity.

Is My DNS Leaking?

Internet users can check whether their DNS is leaking by testing their VPN connection. Many VPN suppliers and vendors provide tests that show the DNS server the user is connected to and supply additional information about their browsing session.

How Does a DNS Leak Test Work?

A DNS leak test works by making the browser resolve hostnames that nobody could have looked up before: the test page embeds resources under unique, randomly generated names in a domain the tester controls, so every resolver that handles those queries has to contact the tester's authoritative name server, which records the resolver's address. The test then reports which resolvers asked, who they belong to, and whether they are the VPN's, the ISP's, or a third party's such as a browser's DNS-over-HTTPS provider. Most tests also show the public IP address and location seen from the VPN exit so the user can compare them with their real ones, and give advice on DNS leak protection and how to fix an issue.

Are DNS Leak Tests Safe?

Reputable VPN providers provide DNS leak tests that are safe and secure. Users should avoid DNS leak tests from untrusted providers.

How Do I Fix a DNS Leak?

A standard DNS leak is fixed by configuring the VPN client to use only the VPN's own DNS servers, reached through the tunnel, and to block DNS on every other interface while connected, so the computer cannot fall back to the ISP's resolver.

The Windows SMHNR case is harder because the behaviour is built into the operating system. OpenVPN on Windows offers the block-outside-dns option, which uses the Windows Filtering Platform to block DNS on all interfaces except the tunnel while connected; some VPN providers ship a plugin or client option that does the same for Windows 8 and Windows 10 users. The Group Policy setting "Turn off smart multi-homed name resolution" disables the parallel queries themselves. Users of other clients should ask their VPN provider which of these it applies.

How Can I Prevent a DNS Leak?

Understanding what a DNS leak is is the first step toward ensuring it does not happen. Because a DNS leak means queries escape the confines of your VPN, the main prevention is a correctly configured VPN client: one that points the system at the VPN's resolver, sends those queries through the tunnel, and blocks DNS on every other path. The sites you visit then see only the VPN's IP address and your ISP sees only encrypted traffic. Also make sure your VPN client has DNS leak protection (often part of its kill switch) and that it is enabled.


Set Up Your Own VPN in a Different Country

Running your own VPN server also puts the resolver under your control: run a resolver on the VPN server itself, or use one reachable only through the tunnel, and push it to every client, so there is no third-party resolver to fall back to. Hosting the server in a different country does not by itself change whether DNS leaks happen; the client configuration does. This does not guarantee that no leaks will occur, because the client-side causes listed above still apply, but it removes the provider-side ones.

Use an Anonymous Web Browser

Using a browser that does its own name resolution avoids the operating system's resolver altogether. Tor Browser, for example, sends every request through the Tor network and has the exit relay resolve the hostname, so no DNS query ever leaves the local machine in the clear. That removes the DNS leak path; it does not, by itself, make everything else you do anonymous.

Use a Firewall

Another DNS leak fix is a host firewall rule. Block outbound DNS (UDP and TCP port 53, and port 853 for DNS over TLS) on every interface except the VPN tunnel, or allow it only to the VPN's resolver address; any query that would have escaped is then dropped instead of being answered by the ISP. This is how the DNS leak protection in most VPN apps works. DNS over HTTPS uses port 443 and cannot be singled out by port, so it must be disabled in the browser instead.

Set-up a Nonexistent DNS

You may also configure the system resolver with an address that will not answer, such as 0.0.0.0 or 127.0.0.1 with nothing listening there, so that any query that escapes the tunnel simply fails instead of reaching the ISP. This can be done in a UNIX/Linux terminal (for example in /etc/resolv.conf) or through the network settings GUI, but you then need another way to resolve names while using the internet. One method is a proxy: a SOCKS5 proxy with remote DNS resolution takes the hostname from the browser and resolves it at the proxy's end, using the proxy's own IP address, so your computer never issues a DNS query and its address is never seen by a resolver. Another is a local stub resolver listening on 127.0.0.1 that forwards queries only through the tunnel.

Check Here for Free DNS Leak Test Tools

Tools designed for DNS leak checks tell you whether your queries are escaping. They work by checking which resolvers contact the tool's name server when your browser resolves the unique test names on the page. After the test you see the addresses and owners of the resolvers that asked for those names. If any of them is not one you expect, typically not your VPN provider's, then you have a DNS leak.
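As an added example (not code from Mullvad, Fortinet or any leak-test site), the following models the mechanism described here and under "How Does a DNS Leak Test Work?": the server side of a leak test, which reads its authoritative name server's query log for a session's unique test name and classifies the resolvers that asked. It also reproduces the three outcomes of the Mullvad Connection check: green when every resolver is the VPN's, red when any is not, and yellow when no query arrived so the test could not run. The zone name, the log line format, the VPN resolver ranges and the sample log lines are all assumptions constructed for the example.

```python
"""Model of a browser-based DNS leak test (added example; not Mullvad's or
Fortinet's code). The test page makes the browser fetch a random, never-seen
hostname under a zone the tester controls. Every recursive resolver handling
that query has to ask the zone's authoritative name server, so that server's
query log records the resolver's source address. Those addresses are compared
with the VPN provider's resolver ranges. Zone name, log format and address
ranges below are assumptions made for this example."""
import ipaddress
import re
import secrets
from dataclasses import dataclass, field

TEST_ZONE = "leaktest.example"   # assumed zone whose name server the tester runs

# Assumed egress ranges of the VPN provider's resolvers (a real test ships the
# provider's actual list); documentation prefixes stand in for them here.
VPN_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:64::/48"),
]

# Assumed query-log line format of the authoritative server:
#   <epoch> <resolver-ip> <qname> <qtype>
LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+?)\.?\s+(A|AAAA)$")


def new_test_name() -> str:
    """Fresh unguessable label: no resolver can have it cached, so the query
    cannot be served from cache and must reach the authoritative server."""
    return f"{secrets.token_hex(8)}.{TEST_ZONE}"


@dataclass
class Verdict:
    status: str                                      # "green", "yellow" or "red"
    resolvers: list = field(default_factory=list)    # every resolver that asked
    leaking: list = field(default_factory=list)      # those outside the VPN ranges


def is_vpn_resolver(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in VPN_RESOLVER_RANGES)


def evaluate(test_name: str, log_lines) -> Verdict:
    """Classify one test session from the authoritative server's log."""
    seen = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                                   # malformed or unrelated line
        resolver, qname = m.group(2), m.group(3).lower()
        if qname != test_name.lower():
            continue                                   # another session's token
        try:
            ipaddress.ip_address(resolver)
        except ValueError:
            continue                                   # not an address; skip
        if resolver not in seen:
            seen.append(resolver)
    if not seen:
        # No query arrived at all: the browser never resolved the name
        # (offline, blocked, script error). The test could not run, which is
        # not the same as "no leak".
        return Verdict("yellow")
    leaking = [ip for ip in seen if not is_vpn_resolver(ip)]
    return Verdict("red" if leaking else "green", seen, leaking)


# Constructed log lines for two sessions using the same token (not real data).
# 203.0.113.5 is the VPN resolver's egress; 198.51.100.53 plays an ISP IPv4
# resolver and 2001:db8:abcd::53 an ISP IPv6 resolver reached around an
# IPv4-only tunnel (cause 3 above).
DEMO_NAME = "3f9a1c7e5b2d4a60." + TEST_ZONE
CLEAN_LOG = [
    "1700000000 203.0.113.5 3f9a1c7e5b2d4a60.leaktest.example. A",
    "1700000000 203.0.113.5 3f9a1c7e5b2d4a60.leaktest.example. AAAA",
    "1700000001 203.0.113.5 9d9d9d9d9d9d9d9d.leaktest.example. A",   # someone else's token
]
LEAK_LOG = [
    "1700000002 203.0.113.5 3f9a1c7e5b2d4a60.leaktest.example. A",
    "1700000002 2001:db8:abcd::53 3f9a1c7e5b2d4a60.leaktest.example. AAAA",
    "1700000003 198.51.100.53 3f9a1c7e5b2d4a60.leaktest.example. A",
]

if __name__ == "__main__":
    for label, log in (("clean", CLEAN_LOG), ("leaking", LEAK_LOG), ("no query", [])):
        print(label, evaluate(DEMO_NAME, log))
```

A browser-side DoH provider would appear in the log the same way as the ISP resolver does: as an egress address that is not in the VPN's ranges, which is why the Mullvad guide above asks for DNS over HTTPS to be turned off.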

Here are some free DNS leak tools you can use:

How Fortinet Can Help

The Fortinet FortiTester solution enables users to test for DNS leaks. It checks the latency of a user’s network connection or DNS server. FortiTester enables organizations to future-proof and secure their infrastructure by assessing the people, processes, and technologies accessing their network.

FAQs

What is DNS?

The Domain Name System (DNS) is the internet's naming protocol: it translates human-readable names such as example.com into the IP addresses that devices actually connect to. This lets users reach websites by name and lets devices and services find each other.

What is a DNS leak?

A DNS leak occurs when a virtual private network (VPN) user's DNS queries travel outside the encrypted connection, or reach a resolver other than the VPN's, exposing the names of the sites they visit.

Is a DNS leak bad?

A DNS leak can be bad because it makes private browsing data available to internet service providers (ISPs), third-party organizations, and hackers.

Is my DNS leaking?

VPN vendors provide DNS leak tests that enable users to check the status of their connection, Internet Protocol (IP) address, and DNS server.

Is DNS leak protection necessary?

DNS leak protection is necessary if you do not want your browsing activity exposed outside the VPN. If your DNS is leaking, whoever observes those queries can build a record of the sites you visit and use it to profile or target you.