We've spoken about the merits of having a VPN (virtual private network) to protect your privacy and secure your connections when online. If you have a VPN service running on your local device, all of your data (so long as you're routing all of it through the VPN) is encrypted from your device to the VPN server. Depending on the VPN provider, your traffic can then be anonymized, since anyone "listening" to the traffic coming in and out of the VPN server would see a din of data whose origin and destination is the IP of the VPN server, not your true IP.
What is DNS?
DNS stands for Domain Name Service. In a nutshell, it performs the translation from human-friendly names (like www.imore.com) to the numeric IP (internet protocol) addresses that computers on the internet use to reach each other. Think of it like your phone contacts. When you enter contact information for Sally, you add her name, address, and phone number. You needn't memorize the number any longer. You can now tell Siri to phone Sally, and Siri will know the proper phone number to call. Although this is a vast simplification, DNS in effect works the same way. You don't need to know imore.com's IP address when you visit. You just type in the name and off you go.
DNS could be leaking your information
Even though you may be using a VPN service, there are some caveats that may affect how truly private your internet access is.
Local VPN client DNS leaking
If you've been proactive, you may have already purchased a VPN from a service provider. You might figure that if you are running your VPN client software, you're safe from prying eyes. Not necessarily true. If your Mac or iOS device is like most home networked computers, its method of connecting to the internet uses an automatic IP configuration called DHCP (dynamic host configuration protocol). This gives your computer an IP address to allow for data communications, a gateway address to tell your computer where to go to connect to computers outside your local network, and a DNS server IP (typically the same IP as your gateway, since it's likely the same computer or router).
The problem here is that although your VPN client will capture your internet-bound data and encrypt it on its way to the VPN provider, the domain names to which you'd like to connect are being sent to your internal network DNS. The internal network DNS is not sending its name requests through your VPN. It will send requests "in the clear" despite your own computer running VPN client software. This means that although your data may be encrypted by the VPN, the places you're visiting, the connections you make, are still accessible via the DNS request information.
Network-based VPN DNS leaking
Not everyone runs a local (on-device) VPN client; some instead use a network-accessible gateway that provides VPN connectivity to multiple network clients. The issue with this configuration is that most home networks have a local DNS server, so the queries from your computer to that DNS server may not travel over the VPN but go directly out to the internet, unencrypted, if your DNS is not also configured to make requests over the VPN. As with the DNS issue when using local VPN client software, your domain name requests could be traveling out over an unencrypted connection even though your data is encrypted. All domain name requests (where you go on the internet) can still be captured.
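To make concrete what a leaked query gives away, here is an added example (not from the original article) that builds the UDP payload a stub resolver sends for an A lookup of www.imore.com and then parses it the way a passive observer on the path would, recovering the queried name. The hostname and transaction ID are constructed sample values.

```python
# Added example: what a cleartext (non-VPN) DNS query exposes on the wire.
# build_query() produces the bytes a resolver would send; parse_query() is the
# observer's side, pulling the queried name back out of the raw packet.
import struct

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: one length byte per label, 0x00 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query: 12-byte RFC 1035 header plus one question."""
    # flags 0x0100: QR=0 (query), RD=1 (recursion desired); QDCOUNT=1, others 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question

def parse_query(packet: bytes) -> dict:
    """What an eavesdropper recovers from one leaked UDP DNS query."""
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:
        raise ValueError("packet is a response, not a query")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"txid": txid, "questions": qdcount, "qname": ".".join(labels),
            "qtype": qtype, "qclass": qclass}

if __name__ == "__main__":
    leaked = build_query("www.imore.com")  # constructed sample lookup
    print(parse_query(leaked))
```

Every field an observer needs is in the clear; only sending the query through the VPN tunnel (or an encrypted transport) hides the name.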
Things you can do to stop DNS leaking
There are some things you can do to make certain you're not leaking private information via your DNS.
Local VPN Client
When using a local device VPN client, change your DNS server IPs to a service that exists on the internet (something such as Google's DNS servers 8.8.8.8 and 8.8.4.4). This forces your DNS requests to travel over your encrypted VPN connection before they go out to the resolver. There are two problems with this method, however. First, your DNS requests may take a little longer to resolve. It takes longer to ask your neighbor Fred who lives 5 houses down to give you Sally's number than it would for you to simply look it up in your contacts. Second, local network computers that require DNS translation will not work, since Google's DNS servers know nothing of the computers that exist on your network.
To change your DNS information in macOS High Sierra:
- Launch System Preferences.
- Select Network.
- Select DNS.
- Highlight the current DNS IP and delete it.
- Add a new DNS IP such as Google's 8.8.8.8.
- Verify that your information isn't being leaked on www.ipleak.net.
Network VPN Client
If you use a router/gateway-based VPN connection, make certain that your local DNS is also using the VPN as its gateway. This avoids the problem above of having no local DNS service to translate the names of computers on your own network.
Check if you're leaking anything
Check if you're leaking DNS information by going to www.ipleak.net. It will let you know if you've configured everything correctly, and it can also determine if other private data is being transmitted.
Some final thoughts
The inspiration for this article is the news that DNS over TLS is coming to Android. TLS stands for transport layer security. In essence, it works similarly to the HTTPS connection you make when connecting to your bank. It will encrypt the DNS requests made to a DNS server. I'm happy for this sort of addition, but I worry that people may confuse this with providing privacy. The issue with DNS over TLS is that you're simply changing where someone can view the DNS requests you make. So instead of your ISP seeing your DNS queries, it will be the TLS-enabled DNS server you connect to. A much better way to ensure that your data is as private as possible is to make certain your DNS data is traveling out over your VPN connection.
Have you checked your DNS queries at ipleak.net? Were you leaking data? Let us know in the comments!