
WARNING! Windows 10 VPN Users at Big Risk of DNS Leak

A new “feature” in Windows 10 means that DNS requests are sent not just through your VPN tunnel, but also out of your ISP-facing and local network interfaces. This is because, by default, Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resolvers at once and (at least in theory) using whichever answers fastest.

This is a major issue for VPN users. It means that your ISP (and anyone listening in on your local network) can see from your DNS requests which websites and services you have visited. It also opens the way for attackers to hijack your DNS requests (DNS spoofing): whoever answers first wins. In addition, there are reports of Windows 10 users suffering slow page loading and timeouts because of this behaviour.

The problem has led the United States Computer Emergency Readiness Team (US-CERT), an official department of the US Department of Homeland Security, to issue an alert.

Smart Multi-Homed Name Resolution

DNS refers to the Domain Name System, used to translate domain names (proprivacy.com) into numerical IP addresses (216.172.189.144). This translation is usually performed by your ISP, using its DNS servers. But when you use a VPN service, the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers, rather than to those of your ISP.

Under Windows 7, all DNS requests were made in a simple order of DNS server preference. This changed in Windows 8, when Microsoft enabled “Smart Multi-Homed Name Resolution” by default. This sent DNS requests out of all available interfaces, but only used the answers from non-preferred servers if the main DNS server failed to respond.

This makes Windows 8.x systems liable to DNS leaks, but at least makes it unlikely that DNS requests will be hijacked. Windows 10, on the other hand, simply chooses whichever DNS request responds quickest, which presents a major security risk.

VPN clients that feature “DNS leak protection” should disable Smart Multi-Homed Name Resolution on earlier versions of Windows, but this may not work on Windows 10 (and may vary from client to client). Users of clients without this feature (including the generic open-source OpenVPN client) will almost certainly be liable to DNS leaks under Windows 10.

Fixes for Smart Multi-Homed Name Resolution DNS leak

  1. There is now an OpenVPN plugin by ValdikSS that fixes this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them). This is the recommended solution.
  2. In theory, it is possible for users of some* versions of Windows 8, Windows 8.1 and (especially!) Windows 10 to disable Smart Multi-Homed Name Resolution using the Local Group Policy Editor. Avast has published some instructions on how to do this.


    Disable Smart Multi-Homed Name Resolution DNS leak fix

    *The ‘Turn off smart multi-homed name resolution’ option is not available to users of Windows Home Editions.

As reader Arthur T. has noted, however, if you look carefully at Microsoft's description of the “Turn off smart multi-homed name resolution” setting in the Group Policy Editor, Windows will still fall back to using Smart Multi-Homed Name Resolution when other DNS queries fail, even when the setting is enabled.

This means that this "solution" is a partial one at best.


Luckily, the OpenVPN plugin mentioned above should fix the problem (for most people) anyway. Whew!
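The Group Policy route above is only available where gpedit.msc exists, but the policy itself is just a registry value, and setting that value directly works on any edition. The script below is an added example and not part of the original article or of Avast's instructions. It assumes (from the policy's registry backing, which is what gpedit.msc writes) that “Turn off smart multi-homed name resolution” corresponds to the DWORD DisableSmartNameResolution under the DNSClient policy key, and it also sets the related DisableParallelAandAAAA value so the resolver stops firing parallel queries. It then lists which interfaces currently hold DNS servers, which is the quickest way to see whether a non-tunnel adapter can still answer a lookup. Run it from an elevated PowerShell prompt, and reboot afterwards so the DNS Client service picks up the change. If you use OpenVPN 2.3.9 or later on Windows, the plugin's protection is also built in as the block-outside-dns directive in the .ovpn file.

```powershell
# Added example (not from the original article): inspect and apply the
# "Turn off smart multi-homed name resolution" policy without gpedit.msc.
# Run from an elevated (Administrator) PowerShell prompt and reboot afterwards.
#
# Assumption: these are the registry values the Group Policy setting writes,
# so setting them directly has the same effect on editions without gpedit.msc.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-SmhnrState {
    # Returns the current values; a property is $null if it has never been set.
    [pscustomobject]@{
        DisableSmartNameResolution = (Get-ItemProperty -Path $policyKey  -Name DisableSmartNameResolution -ErrorAction SilentlyContinue).DisableSmartNameResolution
        DisableParallelAandAAAA    = (Get-ItemProperty -Path $serviceKey -Name DisableParallelAandAAAA    -ErrorAction SilentlyContinue).DisableParallelAandAAAA
    }
}

function Disable-Smhnr {
    # Create the policy key if it does not exist, then set both DWORDs to 1.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey  -Name DisableSmartNameResolution -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $serviceKey -Name DisableParallelAandAAAA    -PropertyType DWord -Value 1 -Force | Out-Null
    # Flush cached answers that may have come from the wrong resolver. The DNS
    # Client service reads these values at startup, so a reboot is still needed.
    Clear-DnsClientCache
}

function Show-DnsServersPerInterface {
    # With the VPN connected, only the tunnel adapter should carry DNS servers.
    # An ISP resolver still listed on the physical adapter is the leak path.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, ServerAddresses
}

'Before:'; Get-SmhnrState
Disable-Smhnr
'After:';  Get-SmhnrState
Show-DnsServersPerInterface
```

Even with both values set, remember the caveat above: the policy text says Windows still falls back to querying across all networks when the preferred DNS query fails, so treat this as a hardening step alongside a VPN client that blocks DNS outside the tunnel, not as a replacement for it.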

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

43 Comments

CHenty
on November 5, 2018
Has this been done intentionally or is it some kind of a deeper issue? I use Surfshark VPN. I have checked my connections to confirm that there were no DNS leaks several times but if this is a serious issue could DNS leak without even being able to see it on the tests that you can find online? I mean, my VPN speeds are great and it's stable 90% of the time so I don't really suspect anything and only check once in a while. Also, I didn't get any letters from ISP even though I torrent almost all the time. I would think that I'm safe.
douglas replied to CHenty
on November 5, 2018
Hi Charles, Well, Smart Multi-Homed Name Resolution is a deliberate feature designed to speed up DNS resolution. It just seems that the Microsoft team didn't take VPN users into account when designing it. If you have checked for DNS leaks and haven't found any then you should be good.
Larry Asiodora
on September 19, 2017
Is it "normal" to see loads of LLMNR packets on the tun0 interface, immediately after being connected to a PureVPN server through OpenVPN? What are name resolution requests doing within a "private" tunnel?
Douglas Crawford replied to Larry Asiodora
on September 19, 2017
Hi Larry, Well... as long as all the DNS resolution requests are going through the tunnel (tun0 interface) to be handled by PureVPN, then there isn't a problem. If they are also going outside the tunnel then you have a problem.
Greg
on August 30, 2017
Thanks, scary stuff, and a problem if you can't use OpenVPN solutions. You might be interested in this link that gives Windows 10 Home users an easy way to install Group Policy Editor: https://www.itechtics.com/easily-enable-group-policy-editor-gpedit-msc-in-windows-10-home-edition/
Douglas Crawford replied to Greg
on August 30, 2017
Hi Greg, Thanks! That's a great link.
Carl
on July 17, 2017
In my point of view the best VPN for Windows, as I'm using, is https://www.onevpn.com/windows-vpn/. It's great and reliable in price.
