What's the difference?
In early 2014 the site was upgraded in order to more comprehensively search for DNS leaks and as a result two separate tests were created.
The DNS leak test works by sending your client a series of domain names to resolve within a specific test domain. Each request is sent from your client to your configured DNS server. Even if you have configured a single DNS server, there may be many other servers that the request is passed on to in order to be resolved (normally to load balance the requests). For example, if you configure Google DNS you will often find 6-10 Google DNS servers fulfilling the DNS requests.
The Standard test performs 1 round of 6 queries for a total of 6 queries. This should be more than sufficient to discover if you have a DNS leak. The original test prior to the 2014 upgrade did 3 queries. The advantage of this test is that it is fast. Use this test to quickly check for DNS leaks when you connect to your VPN service.
The Extended test performs 6 rounds of 6 queries for a total of 36 queries. This high number ensures that all DNS servers are discovered. However, for the purposes of discovering if you have a DNS leak this is not normally necessary and can take 10-30 seconds longer to complete. If you have strong anonymity/privacy requirements you can choose the extended test just to be certain.
What is a DNS leak and why should I care?
When using an anonymity or privacy service, it is extremely important that all traffic originating from your computer is routed through the anonymity network. If any traffic leaks outside of the secure connection to the network, any adversary monitoring your traffic will be able to log your activity.
DNS, the Domain Name System, is used to translate domain names such as www.privacyinternational.org into numerical IP addresses, e.g. 126.96.36.199, which are required to route packets of data on the Internet. Whenever your computer needs to contact a server on the Internet, such as when you enter a URL into your browser, your computer contacts a DNS server and requests the IP address. Most Internet service providers assign their customers a DNS server which they control and use for logging and recording your Internet activities.
Under certain conditions, even when connected to the anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat since the anonymity network may be providing a false sense of security while private data is leaking.
If you are concerned about DNS leaks, you should also understand transparent DNS proxy technology to ensure that the solution you choose will stop the DNS leak.
Transparent DNS proxies
Some ISPs are now using a technology called 'Transparent DNS proxy'. Using this technology, they intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results. This effectively forces you to use their DNS service for all DNS lookups.
If you have changed your DNS settings to use an 'open' DNS service such as Google, Comodo or OpenDNS, expecting that your DNS traffic is no longer being sent to your ISP's DNS server, you may be surprised to find out that they are using transparent DNS proxying. You can easily test this by clicking on the DNS leak test button on the homepage.
If your ISP implements a transparent DNS proxy it is very important that you use one of the methods on the DNS leak fix page to ensure that when you are connected to the VPN, there is no chance of your requests being intercepted.
How can I fix a DNS leak?
The solution is to ensure that once connected to the anonymity network, you are using ONLY the DNS server(s) provided by the anonymity service. As this problem affects predominantly Windows clients, only solutions for Windows appear here.
3 basic steps to fix the problem:
- Before connecting to the VPN, set static IP address properties if you are using DHCP
- After connecting, remove DNS settings for the primary interface
- After disconnecting, switch back to DHCP if necessary or reapply the original static DNS servers
Solution A with OpenVPN 2.3.9+
As of OpenVPN version 2.3.9 you can now prevent DNS leaks by specifying a new OpenVPN option. Simply open the .conf (or .ovpn) file for the server that you are connecting to and add the following on a new line. For more information see the OpenVPN manual.
If for any reason you are unable to use the solution above continue reading.
Solution B with OpenVPN older than 2.3.9 - Automatic
If you are using OpenVPN on Windows XP/Vista/7/10 then a fully automated solution is available.
Download dnsfixsetup.exe - (md5 checksum: f212a015a890bd2dae67bc8f8aa8bfd9)
After installation, when you connect to a VPN server, a batch file will be run executing the 3 steps above.
Three scripts are generated for each OpenVPN configuration file:
- configfilename_pre.bat - executed when you initiate the connection but before the connection is established - Calls pre.vbs - If any active DHCP adapters exist, switch them to static
- configfilename_up.bat - executed when the connection is established - Calls up.vbs - Clear the DNS servers for all active adapters except the TAP32 adapter
- configfilename_down.bat - executed after the connection is disconnected - Calls down.vbs - Reconfigure the adapters back to their original configuration
Solution C with OpenVPN older than 2.3.9 - Manually clearing the DNS
The solution below does not switch the adapter to static if you are using DHCP. If you do not switch to a static IP configuration and your computer renews its IP address whilst connected to the VPN, the DNS settings may be overwritten. It is highly recommended to switch to a static IP configuration.
- Open the command prompt (cmd.exe) as an administrator.
- Before connecting, identify the name of the connected network interface. In the case below it is "Local Area Connection":
  netsh interface show interface
- Connect to the VPN. Once connected, proceed to the next step.
- Flush the DNS resolver cache.
- Disable the DNS configuration for the interface identified before connecting:
  netsh interface IPv4 set dnsserver "Local Area Connection" static 0.0.0.0 both
- Test for DNS leaks.
- After disconnecting, reconfigure the adapter to restore the previous DNS settings:
  netsh interface IPv4 set dnsserver "Local Area Connection" dhcp
- Once again, flush the DNS resolver cache.
What do the results of this test mean?
- The servers identified above receive a request to resolve a domain name (e.g. www.eff.org) to an IP address every time you enter a website address in your browser.
- The owners of the servers above have the ability to associate your personal IP address with the names of all the sites you connect to and store this data indefinitely. This does not mean that they do log or store it indefinitely but they may and you need to trust whatever their policy says.
- If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data.
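The test mechanism described under "What's the difference?" (one unique name per query so every lookup reaches the authoritative server, which then sees which resolvers asked) and the verdict rule above (any resolver not belonging to the VPN means a leak), as an added Python model; this is not the site's code, and the test domain, the log format and all resolver addresses are assumed or constructed.

```python
import ipaddress

# Assumed placeholder for the test domain the site controls; not the real one.
TEST_DOMAIN = "leaktest.example.net"
# rounds, queries per round, as the page describes the two tests
MODES = {"standard": (1, 6), "extended": (6, 6)}


def make_queries(session_id: str, mode: str) -> list[str]:
    """Build one unique hostname per query. Uniqueness defeats resolver caching,
    so every query must reach the authoritative server; the session id in the
    name lets that server attribute the lookup to this client's test run."""
    rounds, per_round = MODES[mode]
    return [f"r{r}-q{q}-{session_id}.{TEST_DOMAIN}"
            for r in range(rounds) for q in range(per_round)]


def resolvers_seen(auth_log: list[str], session_id: str) -> set[str]:
    """Collect the source IPs of the resolvers that asked the authoritative
    server about this session's names. Log format (constructed): '<resolver_ip> <qname>'."""
    suffix = f"-{session_id}.{TEST_DOMAIN}"
    seen = set()
    for line in auth_log:
        src, qname = line.split()
        if qname.endswith(suffix):
            seen.add(src)
    return seen


def leak_verdict(seen: set[str], vpn_dns: list[str]) -> set[str]:
    """Return the resolvers that are NOT the VPN's (vpn_dns is a list of
    addresses or CIDR ranges). A non-empty result is a DNS leak."""
    nets = [ipaddress.ip_network(n, strict=False) for n in vpn_dns]
    return {ip for ip in seen
            if not any(ipaddress.ip_address(ip) in net for net in nets)}


# Constructed sample log: a session whose queries were answered partly via the
# VPN's resolvers (203.0.113.0/24) and once via an ISP resolver, 198.51.100.9.
SAMPLE_LOG = [
    "203.0.113.53 r0-q0-abc123.leaktest.example.net",
    "203.0.113.54 r0-q1-abc123.leaktest.example.net",
    "198.51.100.9 r0-q2-abc123.leaktest.example.net",
    "203.0.113.53 r0-q3-abc123.leaktest.example.net",
    "203.0.113.53 r0-q0-zzz999.leaktest.example.net",  # another client's session
]

if __name__ == "__main__":
    names = make_queries("abc123", "standard")
    seen = resolvers_seen(SAMPLE_LOG, "abc123")
    leaked = leak_verdict(seen, ["203.0.113.0/24"])
    print(len(names), "queries; resolvers:", sorted(seen), "leak:", sorted(leaked))
```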