Why do DNS leak tests often indicate a positive result?

Overview

A DNS (Domain Name System) leak occurs when DNS queries from your device bypass the VPN tunnel and are sent directly to your default DNS servers (typically provided by your ISP). This exposes your browsing activity to your ISP and potentially other third parties, defeating a key privacy benefit of using a VPN.

Understanding DNS Leak Test Results

Why DNS Leak Tests May Show "False Positives"

Many DNS leak detection websites flag our configuration as "leaking" because of how they detect leaks: the page makes your browser resolve a unique, one-off hostname under a domain the site controls, the site's authoritative nameserver records the address of the recursive resolver that asked for that name, and the site then compares the network that owns the resolver's address with the network that owns your apparent IP address. With our service your web traffic arrives from one of our VPN addresses while the final recursive lookup is performed by Google DNS or Cloudflare DNS, so the two addresses belong to different networks and the test reports a leak.

This is NOT an actual security vulnerability but a limitation of the test: from the outside it cannot tell a resolver our server forwards to from a resolver your device reached outside the tunnel. What matters is who the observed resolver belongs to. A result naming Google or Cloudflare is expected with our service; a result naming your ISP's resolver, your home router, or any address on your local network would be a real leak.

Our VPN's DNS Security Architecture

Our service maintains complete protection against actual DNS leaks at all times:

  1. Full Tunnel Protection: The VPN client directs all DNS requests from your device to the resolver on our VPN server, so they travel inside the encrypted tunnel and are not visible to your ISP or to observers on your local network.

  2. Strategic Use of Third-Party DNS: The resolver on each VPN server forwards queries to Google DNS and Cloudflare DNS as upstream recursive resolvers, for several security and performance reasons:

    1. Privacy Through Indirection: A forwarded query carries our VPN server's address as its source. Google or Cloudflare see a query from our server, not from your address, and cannot tell which of the server's clients issued it.

    2. Additional Privacy Layer: The VPN server caches answers for all of its clients, and the queries it does forward are mixed with those of every other Google or Cloudflare user worldwide, so an individual client's lookups are not distinguishable in the upstream resolver's traffic.

    3. Performance and Resilience: These anycast resolvers provide high availability, low latency and DNSSEC validation that we would otherwise have to build and harden ourselves.

In a vulnerable configuration (a true DNS leak):

  • DNS queries bypass the VPN tunnel completely and go to the resolver your ISP assigned

  • Your ISP can see every domain name you look up

  • Your real IP address is exposed to the DNS provider

In our secure configuration:

  • All DNS traffic travels encrypted inside the VPN tunnel to the resolver on our server

  • Queries leave our VPN servers with the server's address as their source

  • Your ISP sees only encrypted VPN traffic to our server's endpoint

  • Your real IP address is never exposed to the resolver

Frequently Asked Questions

Why do DNS leak tests show positive results with our VPN?

Most DNS leak detection services compare the network that owns the recursive resolver's address with the network that owns your apparent IP address. Because our servers forward queries to Google DNS or Cloudflare DNS, the resolver they observe belongs to Google or Cloudflare rather than to our VPN network, and they report a "leak" even though:

  1. Your DNS queries are fully encrypted inside the VPN tunnel

  2. Your ISP cannot see or intercept these queries

  3. The DNS provider only sees requests coming from our VPN servers, not from you personally
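The detection method described in the "False Positives" section and in the answer above, as an added example (not the provider's code): it simulates the leak-test site's check, which compares the owner of the resolver address its authoritative nameserver sees with the owner of the client's apparent IP, and contrasts it with the check a user can make knowing which network their own ISP uses. All addresses and the network-to-organisation table are constructed (RFC 5737 documentation ranges for the client, ISP and VPN provider, plus the public anycast ranges of Google and Cloudflare DNS); real test sites derive the owner from WHOIS/ASN data.

```python
"""Simulated DNS leak test: why a resolver-owner comparison flags a
VPN that forwards to Google or Cloudflare, and how to tell that apart
from a real leak.  Added example; all addresses are constructed."""
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass

ISP_NET = ipaddress.ip_network("203.0.113.0/24")     # hypothetical home ISP (client + its resolver)
VPN_NET = ipaddress.ip_network("198.51.100.0/24")    # hypothetical VPN provider range
VPN_EGRESS_IP = "198.51.100.7"                       # apparent IP while connected
ISP_RESOLVER = "203.0.113.53"                        # resolver the ISP hands out via DHCP
TUNNEL_RESOLVER = "10.8.0.1"                         # resolver on the VPN server, inside the tunnel

# Network -> organisation table (constructed stand-in for WHOIS/ASN data).
OWNERS = {
    ISP_NET: "ExampleISP",
    VPN_NET: "OurVPN",
    ipaddress.ip_network("8.8.8.0/24"): "Google",
    ipaddress.ip_network("8.8.4.0/24"): "Google",
    ipaddress.ip_network("1.1.1.0/24"): "Cloudflare",
    ipaddress.ip_network("1.0.0.0/24"): "Cloudflare",
}
UPSTREAM_ORGS = {"Google", "Cloudflare"}   # resolvers our servers forward to


def owner(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, org in OWNERS.items():
        if addr in net:
            return org
    return "unknown"


@dataclass(frozen=True)
class Observation:
    """Everything the test site learns from one probe."""
    apparent_ip: str    # source address of the browser's HTTP request
    resolver_ip: str    # source address of the query at the site's authoritative NS
    probe_name: str     # unique label that forced the query past every cache


def probe_name(domain: str = "leaktest.example") -> str:
    """Fresh random label: a cached answer would never reach the authoritative NS."""
    return f"{secrets.token_hex(8)}.{domain}"


def run_probe(apparent_ip: str, resolver_path: list[str]) -> Observation:
    """resolver_path is the chain the query follows (stub -> forwarder -> ...).
    Only the last hop talks to the authoritative NS, so that is what the test sees."""
    return Observation(apparent_ip, resolver_path[-1], probe_name())


def naive_verdict(obs: Observation) -> str:
    """What many leak-test sites do: resolver owner != apparent-IP owner => 'leak'."""
    return "ok" if owner(obs.resolver_ip) == owner(obs.apparent_ip) else "leak"


def informed_verdict(obs: Observation) -> str:
    """The check a user can make, knowing their own ISP and the VPN's upstreams."""
    org = owner(obs.resolver_ip)
    if org == "OurVPN" or org in UPSTREAM_ORGS:
        return "expected"        # query left through the VPN server
    if ipaddress.ip_address(obs.resolver_ip) in ISP_NET:
        return "true leak"       # query reached the ISP's resolver outside the tunnel
    return "investigate"         # some other resolver: find out how it was reached


# Our configuration: stub -> resolver on the VPN server -> Google DNS.
OUR_CONFIG = run_probe(VPN_EGRESS_IP, [TUNNEL_RESOLVER, "8.8.8.8"])
# Same VPN, but the OS kept the ISP's resolver and reaches it outside the tunnel.
LEAKING = run_probe(VPN_EGRESS_IP, [ISP_RESOLVER])
# A provider that runs its own recursive resolver in its own address space.
SELF_HOSTED = run_probe(VPN_EGRESS_IP, ["198.51.100.53"])

if __name__ == "__main__":
    for label, obs in (("our config", OUR_CONFIG), ("leaking", LEAKING), ("self-hosted", SELF_HOSTED)):
        print(f"{label:12} resolver={obs.resolver_ip:15} ({owner(obs.resolver_ip):10})"
              f" naive={naive_verdict(obs):5} informed={informed_verdict(obs)}")
```

The naive check returns "leak" for both our configuration and the genuinely leaking one, which is exactly why the site's result alone cannot settle the question; the informed check separates them by asking whose resolver was observed.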

Isn't using Google DNS a privacy concern?

No. The upstream resolver does see which names are looked up, but only as queries arriving from a shared VPN server address:

  1. Google DNS never sees your real IP address, only our VPN server addresses

  2. DNS queries from our servers are mixed with millions of other queries, providing "strength in numbers" privacy

  3. Your browsing activity cannot be linked back to you personally

Confirming Your Protection

If you want to verify that your connection is secure against actual DNS leaks (rather than relying on leak test websites alone), check the following on your device while connected:

  1. The resolver your system uses is the one on our VPN server, and the route to it goes through the VPN interface rather than your physical network interface

  2. No DNS traffic (UDP or TCP port 53) leaves your physical interface; the only traffic there should be the encrypted tunnel to our server's endpoint

  3. Any leak test reports Google DNS, Cloudflare DNS or our VPN network as the resolver, never your ISP's resolver or an address on your local network
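The first two checks above, carried out against command output, as an added example (not the provider's code): it interprets the text a practitioner would get from `cat /etc/resolv.conf`, `ip route get <nameserver>` for each nameserver, and `tcpdump -ni <physical interface> port 53` on a Linux client while the VPN is up. The command output embedded below is constructed; the interface names tun0/wg0/eth0, the 10.8.0.0/24 tunnel network and the endpoint 198.51.100.7 are hypothetical.

```python
"""Local check that DNS stays inside the tunnel, from the output of
resolv.conf, `ip route get` and tcpdump.  Added example; the embedded
command output is constructed and the names/addresses hypothetical."""
from __future__ import annotations

import re

TUNNEL_IFACES = {"tun0", "wg0"}   # interface names the VPN client creates (hypothetical)
VPN_ENDPOINT = "198.51.100.7"     # our server's public address: the only legitimate traffic on eth0

# --- constructed samples ---------------------------------------------------
RESOLV_CONF_LEAKY = """\
# Generated by the VPN client (constructed sample); the ISP resolver was left in place
nameserver 10.8.0.1
nameserver 203.0.113.53
options edns0
"""
RESOLV_CONF_CLEAN = "nameserver 10.8.0.1\noptions edns0\n"

ROUTE_GET = {  # constructed `ip route get <nameserver>` output, keyed by nameserver
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.2 uid 1000\n    cache",
    "203.0.113.53": "203.0.113.53 via 192.168.1.1 dev eth0 src 192.168.1.20 uid 1000\n    cache",
}

TCPDUMP_ETH0_LEAKY = """\
12:00:00.100000 IP 192.168.1.20.43210 > 198.51.100.7.1194: UDP, length 140
12:00:00.200000 IP 192.168.1.20.51234 > 203.0.113.53.53: 4711+ A? example.com. (29)
12:00:00.300000 IP 203.0.113.53.53 > 192.168.1.20.51234: 4711 1/0/0 A 192.0.2.1 (45)
12:00:00.400000 IP 192.168.1.20.43210 > 198.51.100.7.1194: UDP, length 188
"""
TCPDUMP_ETH0_CLEAN = """\
12:00:00.100000 IP 192.168.1.20.43210 > 198.51.100.7.1194: UDP, length 140
12:00:00.400000 IP 192.168.1.20.43210 > 198.51.100.7.1194: UDP, length 188
"""
# ---------------------------------------------------------------------------


def nameservers(resolv_conf: str) -> list[str]:
    """Addresses from every 'nameserver' line."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def egress_dev(route_get_output: str) -> str | None:
    """Interface named by 'dev' in `ip route get` output."""
    m = re.search(r"\bdev (\S+)", route_get_output)
    return m.group(1) if m else None


def resolvers_outside_tunnel(resolv_conf: str, route_outputs: dict[str, str]) -> list[str]:
    """Nameservers the kernel would reach over a non-tunnel interface: each is a leak path.
    A nameserver with no route output is reported too, rather than assumed safe."""
    return [ns for ns in nameservers(resolv_conf)
            if egress_dev(route_outputs.get(ns, "")) not in TUNNEL_IFACES]


# tcpdump query line: "IP src.port > dst.port: id+ TYPE? name. (len)"
DNS_QUERY = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): \d+\+ (\S+)\? (\S+)")


def plaintext_dns_on_physical(tcpdump_output: str) -> list[tuple[str, str, str]]:
    """(destination, qtype, name) for each DNS query seen on the physical interface.
    Packets to the VPN endpoint are skipped so a VPN tunnelling over port 53 is not
    mistaken for a leak."""
    hits = []
    for line in tcpdump_output.splitlines():
        m = DNS_QUERY.search(line)
        if m and m.group(4) == "53" and m.group(3) != VPN_ENDPOINT:
            hits.append((m.group(3), m.group(5), m.group(6)))
    return hits


def verdict(resolv_conf: str, route_outputs: dict[str, str], tcpdump_output: str) -> dict:
    """Combine both checks; 'leaking' is True if either finds a path outside the tunnel."""
    outside = resolvers_outside_tunnel(resolv_conf, route_outputs)
    plaintext = plaintext_dns_on_physical(tcpdump_output)
    return {"resolvers_outside_tunnel": outside,
            "plaintext_dns_queries": plaintext,
            "leaking": bool(outside or plaintext)}


if __name__ == "__main__":
    for label, conf, dump in (("leaky", RESOLV_CONF_LEAKY, TCPDUMP_ETH0_LEAKY),
                              ("clean", RESOLV_CONF_CLEAN, TCPDUMP_ETH0_CLEAN)):
        print(label, verdict(conf, ROUTE_GET, dump))
```

Two caveats when running the real commands: on systems using systemd-resolved, /etc/resolv.conf shows the stub address 127.0.0.53, so take the per-link upstreams from `resolvectl status` instead; and a browser configured for DNS-over-HTTPS bypasses the system resolver entirely, which also makes a leak test report Cloudflare or Google even though the HTTPS traffic still travels inside the tunnel.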

The presence of Google or Cloudflare DNS in leak test results is by design and does not indicate a vulnerability in our service. A result naming your ISP's resolver, or any address on your local network, would indicate a real leak.
