By using a popular and leading VPN solution a user ensures that his IP address and online activities remain hidden.
Unfortunately, even the priciest and most difficult VPN won’t protect a user from IP leaks creating in the browser or operating system.
To verify that the information and identity are indeed safely hidden, a user will need to check that his system is not vulnerable to IP or DNS leaks, and stop IP leaks he comes across in his tests.
How Can IP Leaks Happen?
Every device on a network including the Internet has a unique identifier like its IP address. To allow servers to store more than one website and to make it easier for users to access these websites by typing in words instead of numbers. The DNS servers translate strings of text to numeric values and different folders on the server.
When a user try to access a specific website address, his browser requires a translation from the webpage URL to the numeric identifier and destination folder on the specific server. A request is then passed to the DNS server that returns a valid destination for the file the browser will then load. This process is called DNS resolution.
The DNS server is chosen for resolution as a result of prioritization within the browser and operating system including browser configuration, local DNS server, the HOSTS file, Netbios, etc. This hierarchical choice of server is important when discussing IP privacy and security.
When using a VPN to secure the connection, the DNS resolution should take place on the servers configured by a VPN provider. Unfortunately, this is not always the case.
When the DNS resolution is performed on a different server, it is possible to determine the IP address from which the DNS resolution request originated an IP address. Thus, using a VPN for online anonymity and privacy becomes futile. Similarly, if a third party can spy on a user’s DNS requests, they can capture the information even if he uses a custom DNS server. One way to prevent that is to use DNS Crypt, encrypting the traffic from the system to the DNS server. However, this does not protect your IP address from leaking.
How to Detect a Leak?
Before we discuss the causes and types of common leaks, it’s important to know how to check if the system is vulnerable.
There are many available websites and services online that can quickly test whether the system is leaking a user’s DNS traffic or IP address. If a user doesn’t already have a favorite IP leak testing tool, one can check his connection security with our IP Leak Test Tool.
However, if a user has tested the VPN connection using any IP leak detection tool and found that that VPN doesn’t quite hides web access, then it is the best VPN service to be used.
Browser IP Leaks
The most common cause for IP leaks is a browser vulnerability that uses Web RTC. Web RTC is an API that allows web applications to run without using any installed extensions or plug-in.
The browsers that support Web RTC like Chrome and Firefox utilize a STUN server (Session Traversal Utilities for NAT) to obtain an external network address. A website that wants to know a user’s real IP address can very easily cover a piece of Java script code to make UDP requests to this STUN server, which would then route these requests to all the available network interfaces.
In this situation, both the real IP address and VPN IP address can be exposed, and it’s worryingly easy to embed such a code in a supposedly innocent website. To make the situation worse, since these requests are not like typical HTTP requests, the developer console cannot detect them and so browser plug-in cannot reliably block this kind of leak.
There are two ways to prevent Web RTC from putting your privacy at risk:
- Set proper firewall rules that block requests made outside an established VPN connection.
- Disable Web RTC in the supported browsers. A user can poke around any other person’s browser privacy settings, or simply Google “how to disable Web RTC”.
- IP address Leaking from the VPN
Even with a VPN connection active, a user should never rely on the DNS server provided by his ISP because the privacy could be at risk. A user can try using public DNS servers, such as the ones provided by Google, but if a user is paying for a VPN service package; there is really no reason for it not to include secure DNS resolution on a dedicated server.
When using such an outdated VPN service, websites supporting IPv4 alone are safely accessible using the VPN. However, for IPv6 enabled websites, the VPN connection will fail to tunnel the request, so your browser will be sending a clear text request outside of your VPN. Thus, leaving your real IP address exposed.
To stop your IP address leaking through your VPN connection, make sure you do the following:
- Use a VPN that provides a dedicated DNS server and built-in DNS leak protection.
- Use a VPN that supports IPv6 or at least one that offered some kind of workaround for this like disabling IPv6 in an OS.
- Disabling IPv6 in the OS manually where a user can find multiple guides online on how to do so on various devices.
- DNS Leaking from the operating system
As much as people love or hate Microsoft products, the reality is that a majority of people use Windows as their main desktop operating system. However, there are some nuances a user need to be aware of when using a VPN on Windows.
DNS resolution is done in a particular popularity order on any operating system. The first in order is the HOST file, where a user can specify DNS mappings. If these are not available, the operating system will use the network connection configured DNS servers, and if they also fail to resolve the requested URL, the request will then be sent to Netbios. So if the highest priority DNS server is able to resolve the request, Windows does not consult other servers.
Another thing to consider when using VPN on Windows is the issue with IPv6 addresses, which is discussed above. Windows uses Teredo tunneling in order to support IPv6 addresses for hosts still on the IPv4 network and do not have native IPv6 support. What this means is that you might be leaking your DNS outside of the VPN network. To prevent this type of leak, take the following steps:
- Disable Teredo tunneling
- Turn off the Windows optimization by disabling smart-multi homed name resolution in group policy editor. Please note that Windows home basic doesn’t have an option to edit the group policy.
To ensure this the IP address, the DNS traffic are truly private and secure, only VPNs are a great solution. However, they are not without flaws, and it is important to check their effectiveness regularly, rather than blindly rely on VPN service vendors.