Why do DNS leak tests often indicate a positive result?


Last updated 29 days ago


Overview

A DNS (Domain Name System) leak occurs when DNS queries from your device bypass the VPN tunnel and are sent directly to your default DNS servers (typically provided by your ISP). This exposes your browsing activity to your ISP and potentially other third parties, defeating a key privacy benefit of using a VPN.

Understanding DNS Leak Test Results

Why DNS Leak Tests May Show "False Positives"

Many DNS leak detection websites flag our configuration as "leaking" because they use a simplistic detection method: they compare your apparent IP address with the IP address of the DNS resolver handling your queries. When these differ (e.g., your traffic comes from our VPN IP but DNS queries appear to come from Google DNS), the test incorrectly flags this as a leak.

This is NOT an actual security vulnerability but rather a limitation in how these tests work.

Our VPN's DNS Security Architecture

Our service maintains complete protection against actual DNS leaks at all times:

  1. Full Tunnel Protection: All DNS requests from your device are fully encrypted and routed through our secure VPN tunnel, preventing exposure to your ISP or local network observers.

  2. Strategic Use of Third-Party DNS: We intentionally use Google DNS and Cloudflare DNS as recursive resolvers on our VPN servers for several important security and performance reasons:

    1. Enhanced Privacy Through Anonymization: When our VPN servers forward DNS requests to Google or Cloudflare, these requests are anonymized and cannot be associated with specific VPN clients. The requests appear to come from our VPN servers, not from you.

    2. Additional Security Layer: This architecture creates an additional caching layer that mixes anonymized DNS requests from our customers with other Google/Cloudflare users worldwide, further enhancing privacy.

    3. Performance Benefits: These global DNS providers offer superior reliability, speed, and protection against DNS poisoning compared to running our own DNS infrastructure.

How a true DNS leak differs from our configuration:

  1. In a vulnerable configuration (a true DNS leak):

    • DNS queries bypass the VPN tunnel completely

    • Your ISP can see all domain names you're accessing

    • Your real IP address is exposed to DNS providers

  2. In our secure configuration:

    • All DNS traffic is encrypted inside the VPN tunnel

    • Queries leave our VPN servers anonymized

    • Your ISP sees only encrypted VPN traffic

    • Your real IP address is never exposed

Frequently Asked Questions

Why do DNS leak tests show positive results with our VPN?

Most DNS leak detection services simply check whether the address of the recursive resolver matches your apparent IP address. When they detect a public DNS resolver (like Google or Cloudflare) being used, they report a "leak" even though:

  1. Your DNS queries are fully encrypted inside the VPN tunnel

  2. Your ISP cannot see or intercept these queries

  3. The DNS provider only sees requests coming from our VPN servers, not from you personally

Isn't using Google DNS a privacy concern?

No, because:

  1. Google DNS never sees your real IP address, only our VPN server addresses

  2. DNS queries from our servers are mixed with millions of other queries, providing "strength in numbers" privacy

  3. Your browsing activity cannot be linked back to you personally

Confirming Your Protection

If you want to verify that your connection is secure against actual DNS leaks (rather than relying on potentially misleading leak test websites), you can:

  1. Check that all network traffic (including DNS) passes through our VPN interface

  2. Verify that no DNS requests are being sent unencrypted to your ISP's DNS servers

  3. Confirm that DNS requests are properly encrypted within the VPN tunnel

The presence of Google or Cloudflare DNS in leak test results is by design and does not indicate a vulnerability in our service.
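
One way to carry out checks 1 and 2 above, set beside the leak-test website heuristic described earlier on this page (an added example, not part of the platform's documentation or SDK). It parses the text output of `tcpdump -i any -nn` on Linux and reports plaintext DNS queries that leave on any interface other than the tunnel; the capture lines, the interface names `tun0` and `wlan0`, and the addresses are constructed assumptions.

```python
import re

# One line of `tcpdump -i any -nn` text output: time, interface, direction, src > dst.
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
QNAME = re.compile(r"\b(?:A|AAAA|HTTPS|PTR|TXT|MX|CNAME|SRV)\? (\S+)")

# Constructed capture: DNS goes into the tunnel, the physical NIC carries only
# the encrypted VPN transport to the VPN server (203.0.113.10, assumed).
TUNNELED = [
    "12:00:01.100000 tun0  Out IP 10.8.0.2.40001 > 10.8.0.1.53: 1001+ A? example.com. (29)",
    "12:00:01.100050 wlan0 Out IP 192.168.1.23.51820 > 203.0.113.10.443: UDP, length 96",
]
# Same capture plus one query sent in the clear to the local router's resolver.
LEAKING = TUNNELED + [
    "12:00:02.200000 wlan0 Out IP 192.168.1.23.40002 > 192.168.1.1.53: 1002+ A? example.org. (29)",
]


def find_plaintext_dns_leaks(capture_lines, vpn_ifaces):
    """Return (iface, resolver, qname) for every port-53 query sent outside the tunnel."""
    leaks = []
    for line in capture_lines:
        m = LINE.match(line.strip())
        if not m or m["dir"] != "Out" or m["dport"] != "53":
            continue
        # Queries into the tunnel, or to a local stub resolver on loopback, are not leaks.
        if m["iface"] in vpn_ifaces or m["iface"] == "lo":
            continue
        q = QNAME.search(m["rest"])
        leaks.append((m["iface"], m["dst"], q.group(1) if q else "?"))
    return leaks


def website_heuristic(apparent_ip, resolver_ips):
    """The comparison leak-test sites make: any resolver IP != apparent IP counts as a leak."""
    return any(ip != apparent_ip for ip in resolver_ips)


if __name__ == "__main__":
    print("tunneled capture:", find_plaintext_dns_leaks(TUNNELED, {"tun0"}))
    print("leaking capture: ", find_plaintext_dns_leaks(LEAKING, {"tun0"}))
    # Exit IP is the VPN server, resolver seen by the test site is a public one.
    print("website says leak:", website_heuristic("203.0.113.10", ["8.8.8.8"]))
```

The interface-level check only covers plaintext DNS on port 53; it says nothing about what the resolver on the far side of the tunnel logs.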