Wednesday, March 16, 2016
Starting yesterday, we implemented a feature globally that will force all DNS queries sent to other than our DNS resolvers while connected to the VPN to be forwarded through our private DNS resolvers.
It is no longer possible to experience DNS leaks (if used correctly, see requirements). This comes handy with devices and connection methods that require scripts to correctly assign our resolvers when connected, such as routers (with DD-WRT, OpenWRT ROMs etc.) and connections made from Linux terminal. It is no longer needed to use a script on routers or Linux terminal to force assigning of the DNS resolvers when connected.
Provides protection to users who might be running services vulnerable to recent glibc vulnerability, as our resolvers mitigated the vulnerability since day one following the public release.
Makes built-in/hardcoded DNS servers in some devices/apps (e.g. Chromecast using 220.127.116.11) ineffective.
The feature solves lots of problems for many users, but on the other hand it might cause very few, isolated problems:
You will not be able to use public DNS servers while connected to the VPN. Note that it doesn't really make sense to use a 3rd party DNS service while connected to our service, as it provides a lower level of privacy and DNS queries will be sent in clear-text from the VPN gateway, while all the DNS queries with our resolvers are encrypted between user->VPN gateway->DNS resolvers.
If you, however, prefer to use DNSCrypt for some reason, you can still use it but on other ports than 53 (e.g. 443).
For this feature to work as intended, it is mandatory for the device/computer connecting to the VPN to use a public DNS service. You must either set the public DNS on that computer/device or assign it through DHCP by setting it on your router. But DO NOT use the router or other LAN server as the DNS resolver.
Starting with the next version on Windows, Mac and Linux(beta), we will add a checkbox to disable DNS assignment when the VPN connects. On Windows, the feature handling DNS assignment is very solid as it is, but on Mac there might be problems and this change will come handy. SecureProxy extension will always use our DNS resolvers so there is nothing changed.
We recommend the following DNS services:
For more public DNS services, also more privacy-focused, please check the Wikileaks list.
Please note that we are very close to launching our own public resolvers with zero-logging. We will add an update when they will be available.
Our DNS private resolvers that you should see in DNS leak tests: privatedns-XX.twistednetworks.net where "XX" can be NL, DE, LU, CA, SG and JP.