Improvement of DNS security and privacy

Wednesday, March 16, 2016

Starting yesterday, a feature is enabled on all our VPN servers that intercepts every DNS query sent while connected to the VPN, whichever resolver the client addresses it to, and redirects it to our private DNS resolvers.

What does it mean, exactly?

  • DNS leaks are no longer possible (provided the device is set up correctly; see Requirements below). This is especially useful for devices and connection methods that previously needed scripts to assign our resolvers on connect, such as routers running DD-WRT, OpenWrt and similar firmware, and connections made from a Linux terminal. Those scripts are no longer needed: any query that enters the tunnel is redirected to our resolvers, whatever nameserver the device has configured.

  • Protects users who may still be running software affected by the recently disclosed glibc resolver vulnerability. Our resolvers have mitigated it from the first day after public disclosure, and with the redirect every query from the tunnel is answered by them, so a malicious or compromised third-party resolver can no longer deliver a crafted response to a vulnerable client.

  • Overrides DNS servers hard-coded into some devices and apps (for example Chromecast, which uses 8.8.8.8): those queries are redirected to our resolvers as well.

Are there any drawbacks?

The feature solves many problems for many users, but it may cause a few isolated ones:

  • You will not be able to use third-party public DNS servers on port 53 while connected to the VPN. There is little reason to do so anyway: a third-party resolver offers less privacy, because the queries leave the VPN gateway in cleartext on the public Internet, whereas queries to our resolvers are encrypted on the whole path user -> VPN gateway -> DNS resolvers.

  • If you nevertheless prefer DNSCrypt, you can still use it, but only on a port other than 53 (for example 443), since only port 53 is redirected.
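For readers who want to see what such a redirect looks like on a Linux gateway, the following is an added example and not the provider's own configuration. It generates iptables NAT rules (in iptables-restore format) that rewrite the destination of any port-53 query arriving from the tunnel to the private resolver, and it makes the port exception above concrete: only destination port 53 is matched, so DNSCrypt on 443 passes untouched. The interface name tun0 and the resolver address 10.8.0.1 used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not the provider's own configuration. Emits iptables rules
# (iptables-restore format) that force every plain-DNS query arriving from
# VPN clients to the private resolver. Assumptions: clients arrive on the
# interface given as $1 (e.g. tun0) and the resolver is the IPv4 address $2.
#
# Usage on the gateway:  dns_redirect_rules tun0 10.8.0.1 | iptables-restore -n

dns_redirect_rules() {
    iface="$1"
    resolver="$2"
    cat <<EOF
*nat
# Queries from the tunnel to any port-53 resolver other than ours: rewrite
# the destination. Only dport 53 is matched, so DNSCrypt on 443 passes.
-A PREROUTING -i $iface -p udp --dport 53 ! -d $resolver -j DNAT --to-destination $resolver:53
-A PREROUTING -i $iface -p tcp --dport 53 ! -d $resolver -j DNAT --to-destination $resolver:53
# If the resolver is a separate host, its reply has to come back through
# this gateway for conntrack to undo the DNAT; masquerade only the flows
# that were rewritten above.
-A POSTROUTING -m conntrack --ctstate DNAT -d $resolver -j MASQUERADE
COMMIT
EOF
}
```

Pipe the output into iptables-restore -n on the gateway (-n adds the rules without flushing the existing tables). Queries already addressed to the resolver are excluded from the rewrite and route normally; the MASQUERADE rule matters only when the resolver is not on the gateway itself, because the DNAT is undone by the gateway's connection tracking and the reply therefore has to pass back through it.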

Requirements

For this feature to work as intended, the device or computer connecting to the VPN must be configured with a public DNS server. Either set it directly on the device, or hand it out through DHCP by setting it on your router. DO NOT use the router itself or another LAN server as the resolver: a query to a LAN address is delivered on the local network and never enters the tunnel, so the redirect cannot catch it and it goes out through your ISP instead.

Examples:

  • If you connect to the VPN from a DD-WRT router, add public DNS server(s) under Network Setup.
  • If you connect from a Linux terminal, add public DNS servers to /etc/resolv.conf, or in the network adapter's properties in NetworkManager.
Please also see our article on why it is never a good idea to use your ISP's DNS.
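To check a Linux client against these requirements before connecting, here is an added example (not the provider's code): a POSIX shell script that reads resolv.conf-style input and flags any nameserver that is not a public address, since a query to a LAN, link-local or carrier-grade-NAT address never enters the tunnel. A loopback address gets a warning rather than a verdict, because a local stub resolver forwards to upstream servers and it is those that need checking. The sample resolv.conf content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the provider's own code. Checks a resolv.conf-style
# nameserver list for resolvers that would bypass the VPN tunnel: a LAN,
# link-local or carrier-grade NAT address is reached on the local network,
# never enters the tunnel, and so cannot be redirected.

# Returns 0 for a public (globally routed) address, 1 for anything local.
is_public_resolver() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*|0.*)                 return 1 ;;  # RFC 1918, loopback, link-local
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)              return 1 ;;  # 172.16.0.0/12
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;  # 100.64.0.0/10 (CGNAT)
        ::1|fe80:*|fc??:*|fd??:*)                           return 1 ;;  # IPv6 loopback, link-local, ULA
        *) return 0 ;;
    esac
}

# True for a loopback resolver (a local stub such as dnsmasq or the
# systemd-resolved stub), whose upstream servers are what really matter.
is_loopback_resolver() {
    [ "$1" = "::1" ] || [ "${1#127.}" != "$1" ]
}

# Reads resolv.conf text on stdin, prints a verdict per nameserver and
# returns 1 if at least one resolver would leak.
check_resolv_conf() {
    rc=0
    while read -r key value _rest; do
        [ "$key" = nameserver ] || continue
        if is_public_resolver "$value"; then
            echo "OK   nameserver $value"
        elif is_loopback_resolver "$value"; then
            echo "WARN nameserver $value is a local stub; apply this check to its upstream servers"
        else
            echo "LEAK nameserver $value is a local resolver; queries would bypass the tunnel"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample for the demonstration: a router handing itself out as
# resolver via DHCP, plus one public resolver.
sample_resolv_conf() {
    printf 'search lan\nnameserver 192.168.1.1\nnameserver 208.67.222.222\n'
}

# Live check on this machine:  check_resolv_conf < /etc/resolv.conf
```

On the sample input the script reports the router address as a leak and the OpenDNS address as OK, and exits non-zero; run it against /etc/resolv.conf on the client before connecting, and fix any LEAK line as described above.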

Our software

Starting with the next version of our client for Windows, Mac and Linux (beta), we will add a checkbox to disable DNS assignment when the VPN connects. On Windows the DNS assignment logic is already very reliable, but on Mac it can occasionally cause problems, and this option will come in handy there. The SecureProxy extension always uses our DNS resolvers, so nothing changes for it.

Public DNS services to use

We recommend the following DNS services:

  • OpenDNS: 208.67.222.222 and 208.67.220.220
  • Google: 8.8.8.8 and 8.8.4.4
  • Level 3: 4.2.2.1 and 4.2.2.2
  • In China: 114.114.114.114 and 8.8.8.8

For more public DNS services, including more privacy-focused ones, please check the WikiLeaks list.

We are also very close to launching our own public resolvers with zero logging; we will post an update when they are available.

The private resolvers you should see in DNS leak tests are named privatedns-XX.twistednetworks.net, where XX is one of NL, DE, LU, CA, SG or JP. If a leak test shows any other resolver, a query left your device outside the tunnel; re-check the Requirements above.
