IP Leaks – How to Check If Your VPN Works

You might be using the best VPN in the market thinking your real IP address and online activities remain concealed, but using a VPN does not guarantee anonymity. Because systems and servers constantly talk to each other by bouncing back and forth, there are many instances where your IP or DNS might be visible. To ensure your information and identity remain safely hidden, you need to check that your system is not vulnerable to IP or DNS leaks.

To understand DNS and IP leaks, you first need to understand how the internet works.

Every website is given an identity code, called an IP address. But because it is a lot easier to type in a domain name than a string of numbers, DNS (Domain Name Service) servers translate those user-friendly domain names to an IP address. When your web browser receives a request for a website, it goes to a DNS server, which translates the domain name into the corresponding IP address. This is called DNS name resolution.

There is a priority order via which operating system decides where to go for resolution, for example, DNS server, HOST file, Netbios, etc. The topic is very vast in itself and is a different discussion. However, what you need to know is that it is significant where your operating system goes for domain name resolution. When you use a VPN, the DNS resolution should happen via the servers configured by your VPN provider. Unfortunately, this is not always the case. If someone is able to determine the IP address from which the DNS resolution request was made, the whole point of using a VPN becomes futile. Similarly, if a third party can eavesdrop on your DNS requests (think of a man-in-the-middle attack), they can uncover your information even if you use a custom DNS server. To counter that, you should use DNSCrypt, which encrypts the traffic from your system to the DNS server. Here are other ways to prevent various types of DNS and IP leaks:

1. Leaking an IP address from the browser

This is one of the most common scenarios where WebRTC is the culprit in leaking your IP address. So what exactly is WebRTC? It is an API that allows web applications like chat and P2P file sharing to work without using any extensions or plugins. But it comes with a catch. The browsers that support WebRTC – like Chrome and Firefox – utilize a STUN server (Session Traversal Utilities for NAT) to get an external network address. A website that wants to know your real IP address can very easily set up a hidden code to make UDP requests to this STUN server, which would then route these requests to all the available network interfaces.

In this situation, both your real IP address and VPN IP address would be revealed, and it can be done with just a few lines of javascript code. To make the situation worse, since these requests are not like typical HTTP requests, the developer console cannot detect it and the browser plugins cannot reliably block this kind of leak (even if they advertise so). The proper way of fixing this vulnerability is to either:

  1. Setup proper firewall rules so that no request outside of your VPN can be made.
  2. Disable the WebRTC in the supported browsers. Firefox and Chrome have different ways of disabling this. You can refer to many available tutorials online.

2. Leaking an IP address from the VPN

Most good VPN providers have their own dedicated DNS servers. You should never rely on the DNS server provided by your ISP because your information could be at risk. It’s possible to use public DNS servers, such as the one provided by Google, but if you are paying for a VPN it should come with a dedicated DNS server.

Another way your VPN could be the culprit for a leak is when it doesn’t support IPv6. For those who do not know, IPv4 is a protocol which uses 32 bits addressing, so there could only be 2^32 devices with a unique public IP in the world. With the unprecedented growth of the internet we are close to running out of these addresses, so IPv6 was introduced. It uses 128 bits addressing so the number of available IP addresses is now 2^128 which is much bigger.

Unfortunately, the world is very slow in adopting this new protocol. Some big websites support both of these protocols and serve the appropriate channel as per the client system. The problem comes when a VPN doesn’t support IPv6 and instead of addressing the problem, it just blindly ignores it. What happens, in this case, is that for websites which only supports IPv4, the VPN works fine and all is good. However, for IPv6 enabled websites, your VPN fails to tunnel the request and hence the browser sends a naked request outside of your VPN leaving your real IP address vulnerable. Steps to fix these kinds of vulnerabilities:

  1. Use a VPN which provides a dedicated DNS server and built-in DNS leak protection.
  2. Use a VPN which supports IPv6 or at least one which does some workaround for this (like disabling it in your OS).
  3. Disable IPv6 in the OS manually yourself

3. Leaking a DNS from the operating system

Your operating system can also be a culprit when it comes to leaking IP and DNS. We will talk about the most commonly used OS – Windows. As much as people love or hate Microsoft products, the reality is that a majority of people use Windows OS. However, there are some nuances you need to be aware of while using a VPN on Windows.

Typically, DNS resolution is done in a particular order on any operating system. For example, there is a HOST file where you can specify the DNS mappings. Your OS will first try to resolve the request using this local mapping. If it’s not available, it will go to configured DNS servers, and if they also fail to resolve it, the request then goes to Netbios. Even for the DNS servers, there is a list of preferred servers which you can configure. So, if the highest priority DNS server is able to resolve the request, windows does not consult other servers. In the case of Windows 10 however, it sends requests to all the network adaptors and whichever DNS server responds first, it accepts that result. What this means is that even if you are connected to a VPN, the DNS resolution requests might still go to your ISP’s server leaving you completely vulnerable.

Another thing to consider while using Windows is the case of IPv6 addresses, which we discussed above. Windows uses Teredo tunneling in order to support IPv6 addresses for hosts which are still on the IPv4 network and do not have native IPv6 support. What this means is that you might be leaking your DNS outside of your VPN network. The following steps must be taken in order to prevent these kinds of leaks:

  1. Disable Teredo tunneling
  2. Turn off the Windows 10 optimization by disabling smart-multi homed name resolution in group policy editor. Please note that Windows 10 home basic doesn’t have an option to edit the group policy.

How to detect the leak

Now that we have talked about the various ways of leaking the DNS and IP, let’s talk about tools that can identify whether you are vulnerable to any of these issues.  There are many websites available online which can quickly check whether you are leaking your DNS or IP. For most of them, the steps are common to follow:

  1. Disconnect your VPN and go to the testing website. Write down your public IP and DNS server address.
  2. Connect your VPN and go to the website again. It should not reveal your previously noted IP or DNS server. If it does, you need to fix it using one or more described approaches.

You can check your IP leak with our IP Leak Test.

Below is the screenshot from vpnmentor.com testing WebRTC leak. Since there is nothing shown in the public IP address section, my browser is not vulnerable to WebRTC leak.

Now that you know how to protect yourself from IP and DNS leaks, you can browse the web anonymously and securely.

Was this helpful? Share it!
Share on Facebook
Tweet this
Share if you think Google does not know enough about you