Many are concerned about how data may leave their network connected devices via data theft (or data exfiltration). As such, many users will connect to a Virtual Private Network (VPN) to prevent unwanted actors from seeing the traffic communications taking place on their device. What most people don’t understand is that even while connected to VPN, some communications may still take place on the network to which the device is connected. In this article, I’d like to explain a specific type of communication, DNS, and how you can prevent DNS leaks.

What is a DNS Leak?

When connected to a VPN or other anonymity/privacy service, it is extremely important that all the traffic originating from your device is routed through the VPN. If any of the traffic “leaks” outside of the secure connection, any bad actor monitoring your traffic will be able to log your activity. Under certain conditions, even when you are connected to the VPN, the operating system will continue to use the default DNS servers instead of the DNS servers assigned to your computer by the VPN. As such, DNS leaks are a serious privacy threat since the VPN may be providing a false sense of security while the data leak is taking place.

This visual from dnsleaktest.com explains how a DNS leak takes place. When this takes place, all the DNS communication will be accessible to anyone monitoring your network traffic, and, while dns data leakthe bad actor won’t be able to see the exact traffic taking place, they will know which sites you’ve visited based on the DNS queries you’ve done.

One thing to be aware of is that if your ISP is using a transparent DNS proxy, all of your DNS traffic could be rerouted to the ISPs DNS servers instead. In essence, the ISP will intercept any DNS request sent to another DNS server, even if you set your DNS to an ‘open’ DNS service (e.g. Google, OpenDNS, etc.).

 

How to detect DNS data leaks

The first step to preventing DNS data leaks is to determine if you currently have any DNS activity on your network outside your set DNS servers. Using a DNS probe like FlowPro Defender, you can correlate flow traffic to your DNS queries and see the responding DNS servers on your network.

detecting-dns-traffic

If you see that you have responses from DNS servers that you weren’t expecting, you know that you may be vulnerable to DNS leaks.

Preventing DNS Leaks

When connected to a proxy or VPN, be sure that whichever service you are using has the setting enabled to block outside DNS. In OpenVPN, the block-outside-dns setting needs to be added to the configuration file on the client side. For Cisco Anyconnect, confirm that the Split DNS setting is disabled. Otherwise, “[w]hen split DNS is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to the private DNS server (also configured in the group policy). All other DNS queries go to the DNS resolver on the client operating system, in the clear, for DNS resolution. If split DNS is not configured, AnyConnect tunnels all DNS queries.”

After you’ve ensured that you have blocked outside DNS in your network and VPN solution, check that you are connected only to the DNS server you expect by visiting https://hidester.com/dns-leak-test/. If you still see DNS responses from other DNS servers, it means that you are not fully blocking these requests and a bit more work needs to be done.

To learn more about DNS and how to detect DNS Data breaches, check out this article titled How to Detect DNS Data Breaches.

 

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.

Related

Leave a Reply