Preventing DNS leaks: tunneling domain name resolution traffic

While a VPN service can effectively increase your level of security and privacy in cyberspace, it is good to remember that there are barely any shortcuts to anonymity online. Much of what a VPN service can deliver depends on how it has been configured, and some services offer more than others. VPNMundo offers world-class virtual private networking services for a good price and, what is more, a handy tool (link here to the upcoming DNS leak checking tool) to check whether your network configuration is secure and set up properly, also when it comes to domain name resolution traffic. Network-level encryption (like a VPN) can increase the level of security as such, but if it is configured improperly, nasty things like DNS leaks can compromise much of a user's online activity. This can happen with a VPN service that is not set up tightly enough to also route domain name resolution traffic through the secure tunnel.

Traffic on the Internet does not flow in a single form and shape, but within a multitude of protocols and "streams". The term "DNS leak" refers loosely to one specific form of traffic: name resolution queries. These are tiny packets traveling across cyberspace containing questions like "what is the network address for this and that website?", or answers like "emails for this domain may only originate from these and these servers", and much, much more. This internal protocol for distributing information on which internet name maps to which network address started as a tiny thing but has grown over the years to include hundreds of features, records and, particularly lately, security enhancements. What is the fuss here, then: how could this type of traffic "leak" somewhere? The thing is that some VPN providers and services might route only part of the traffic through their tunnel and leave other forms, like domain name queries, completely unprotected. If this is the case then, for example, a local surveillance authority could draw relevant conclusions about users' activities just by watching their name resolution traffic (DNS queries and responses). Without "DNS leak protection", one's privacy on the internet could be radically undermined.

Let us, as one of the world's top VPN providers, VPNMundo, consider some important aspects of protecting this important and critical part of internet traffic.

DNS – World’s global phonebook

Think about global cyberspace as a vast network of networks. Countless devices communicate with each other, and in order for them to find each other by name, some sort of directory mechanism is required to keep track of low-level network addresses. It is like zip codes when sending traditional mail. Now consider the sheer scale of the network and the size of such a directory. Millions of devices and servers would constitute a phonebook of a size and scale that one could barely carry around. Maintaining that directory is the main purpose of the domain name system and the name resolution protocol. And this is the core of understanding the dangers of DNS leaks and how to protect against them.

The solution to the problem of size for the world's Internet directory, so to speak, was a hierarchical architecture. Having every device know every address was, of course, impractical, slow and barely even possible. Thus, a system of hierarchies was invented centuries ago. This is also the origin of the structure of Internet names you see today, like, for example or ours. This name indicates a hierarchy, where the top-level domain (here RU or COM) manages only the domains that reside under it. This effectively cuts the management problem in half, or at least down to manageable levels.

Furthermore, the name hierarchy system is also "hierarchical" in time, in the sense that once some device queries for the address of a specific server, the protocol will traverse up the hierarchy until it finds an answer that is still valid in time. This means that when the same name is queried again within that timespan, a cached version of the answer is available at the closest name server, and a "full query" is needed only after the specified timeout has been exceeded (this could be minutes, days or even weeks). This also limits the amount of traffic needed. And what is more, as the reader must have already realized, domain names would typically "leak" only from time to time, not every time the user "opens up some web page", for example.
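The caching behaviour described above determines which lookups an on-path observer can see at all. The following is an added example, not code from the original article; it assumes a client-side cache that honours each record's timeout, and the names, times and TTL values are constructed.

```python
def on_wire_queries(lookups, ttls, default_ttl=300):
    """Return the lookups that miss the cache and are actually sent out.

    lookups: iterable of (time_in_seconds, name)
    ttls:    dict mapping name -> TTL in seconds (hypothetical values)
    Only the returned entries would be visible if DNS leaked past the tunnel.
    """
    expires = {}   # name -> time at which the cached answer stops being valid
    sent = []
    for t, name in sorted(lookups):
        if expires.get(name, -1) > t:
            continue                       # answered from cache, nothing on the wire
        sent.append((t, name))             # cache miss: a real query is emitted
        expires[name] = t + ttls.get(name, default_ttl)
    return sent


# Constructed browsing timeline: six lookups for two names.
LOOKUPS = [
    (0, "news.example.com"), (30, "news.example.com"),
    (45, "mail.example.org"), (120, "news.example.com"),
    (200, "mail.example.org"), (400, "news.example.com"),
]
TTLS = {"news.example.com": 60, "mail.example.org": 300}

if __name__ == "__main__":
    visible = on_wire_queries(LOOKUPS, TTLS)
    print(f"{len(visible)} of {len(LOOKUPS)} lookups reach the network:")
    for t, name in visible:
        print(f"  t={t:>3}s  {name}")
```

Short TTLs make a leak more revealing, because the same name is re-queried more often and the observer gets a finer-grained timeline.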

What could leaking DNS traffic be used for?

Given the nature of the domain name system described above, it is obvious that, when unprotected, leaked DNS traffic could be used to compile a comprehensive list of the domains that the user has been trying to access. This, of course, says nothing about what the user has been doing with the network addresses they queried for, but even that small piece of information may be interesting. In fact, it is so interesting that many corporate or governmental "blocking" firewalls are based simply on a DNS traffic interception mechanism.

DNS leaks are properly prevented when using a VPN service (like MundoVPN, Tor or other) which also routes all name server queries through the encrypted tunnel. This way, the "closest" name server resides at the other end of the tunnel, and any local (for example corporate or government) name resolution services are not used. These therefore cannot be used to gather statistics or intelligence on which domain names the users are looking up (or to block access to some of them).
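One way to check a packet capture for the leak described above, as an added example that is not part of the original article or any VPNMundo tool: it flags plaintext DNS queries that left on an interface other than the tunnel and decodes the name each one exposed. The interface name `tun0`, the record layout and the sample packets are assumptions constructed for illustration; DNS carried over TLS or HTTPS is out of scope.

```python
import struct

TUNNEL_IFACE = "tun0"  # assumption: name of the VPN tunnel interface


def build_query(name, txid=0x1234):
    """Build a minimal DNS query in RFC 1035 wire format (used for sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload):
    """Return the name asked for in a DNS query, or None if not a valid query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means response, not query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:                    # root label terminates the name
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(payload):
            return None                    # pointer, bad length, or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None                            # ran off the end without a terminator


def find_leaks(packets, tunnel=TUNNEL_IFACE):
    """packets: iterable of (iface, dst_ip, dst_port, udp_payload) records."""
    leaks = []
    for iface, dst_ip, dst_port, payload in packets:
        if dst_port != 53 or iface == tunnel:
            continue                       # not DNS, or correctly inside the tunnel
        name = parse_qname(payload)
        if name is not None:
            leaks.append((iface, dst_ip, name))
    return leaks


# Constructed sample capture (documentation-range addresses).
SAMPLE = [
    ("tun0", "10.8.0.1", 53, build_query("mail.example.org")),    # tunnelled: fine
    ("eth0", "192.0.2.53", 53, build_query("news.example.com")),  # leaked query
    ("eth0", "198.51.100.7", 443, b"\x16\x03\x01"),               # not DNS
    ("eth0", "192.0.2.53", 53, b"\x00\x01"),                      # malformed, ignored
]

if __name__ == "__main__":
    for iface, dst, name in find_leaks(SAMPLE):
        print(f"LEAK via {iface} to {dst}: {name}")
```

An empty result on a capture taken while the VPN is connected is the expected outcome; any entry names both the resolver that received the query and the domain it revealed.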

It is good to know that the modern-day domain name resolution protocol includes and transmits much more information than just network addresses. While all of this information is "public" by definition, the fact that someone has queried for it may be sensitive and thus worthy of protection. This is the essence of DNS protection, and VPNMundo offers world-class VPN services that make sure all the settings are configured just as they should be for each customer, according to their preferences and needs.
