Your VPN is probably leaking information without you knowing. From the domain names you visit to your real identity, if you use a VPN for privacy, you’re going to want to read this one.
Many people rely on VPNs for privacy, but most are unaware that a VPN setup often leaks DNS requests and does nothing to stop you from being identified. Your browser is outside the VPN’s control, and it has a unique fingerprint. Cross-referenced with your login sessions, that fingerprint lets trackers profile your real identity across the web. And a tiny snippet of JavaScript on any website can unmask your real IP address. I’ll explain how and what you can do about it.
DNS leaks
DNS traffic that does not go through the VPN tunnel
The Domain Name System (DNS) is what we all rely on behind the scenes to map domain names (e.g., example.com) to IP addresses. A DNS leak is when your system sends DNS requests outside the VPN’s encrypted tunnel. Plain DNS (port 53) is unencrypted, so anyone on the path, starting with your ISP, can read every name you look up and profile your traffic.
A routing table determines where your computer sends traffic. VPN apps change them as best they can to push most of it through the VPN. However, they must allow traffic to your router, local devices, and the VPN service itself, which is often a source of problems. Your OS can also override these rules.
Common causes of DNS leaks (but keep in mind a decent VPN app should address these):
- Router DNS proxy: If your nameserver is your router (aka gateway), DNS queries go to a local-network address. VPN apps usually exempt the local network from the tunnel, so the query bypasses it, and the router forwards it to your ISP’s resolver in the clear.
- Teredo: (Disabled since Windows 10 v1803) May route IPv6-based DNS requests through third-party relays if your VPN doesn’t support IPv6.
- No VPN-provided DNS service: Your system keeps its default resolver, which is often the gateway, with the problem above.
- DNS hijacking: Some security software (e.g., Avast) hijacks DNS and routes the traffic to custom DNS services, which may not go through the tunnel.
- Smart Multi-Homed Name Resolution (SMHNR): On Windows, this sends each DNS query in parallel to the resolvers of every interface, the VPN’s and the physical one’s, and uses whichever answer arrives first (LLMNR and NetBIOS lookups go out the same way). Even with the VPN resolver configured, a copy of every query reaches your ISP’s resolver.
A network interface is how your computer connects to the outside world. A physical interface represents your real connection, and a virtual one represents the VPN.
Before reaching for solutions, test for DNS leaks. Use a DNS leak test site and confirm the resolver it reports belongs to your VPN provider, not your ISP. For a definitive check, capture on the physical interface with Wireshark or tcpdump filtered on port 53 while the VPN is up; any DNS query you see there has left the tunnel. (Encrypted DNS such as DNS over HTTPS travels on port 443 and will not show up in a port 53 filter.)
A decent VPN app addresses most of these problems, so check its settings (VPN-provided DNS, IPv6 handling, kill switch) before you start changing the OS.
The solutions:
- Disable Teredo: It’s no longer needed; turn it off with netsh or Group Policy.
- Use the correct nameserver: If your VPN app doesn’t provide and configure one automatically, consider other options.
- Disable SMHNR: You don’t need it. The Group Policy setting is “Turn off smart multi-homed name resolution” under Network > DNS Client.
- Disable DNS hijacking features: Evaluate your security apps and look around their application settings.
- Use a dedicated VPN gateway: A dedicated, separate system designed solely to route traffic through a VPN service. It should use an external firewall to restrict egress (outbound) packets to that service only. I use virtual machines on Qubes OS to achieve this, but it’s very technical.
I use and recommend Proton VPN, which has a decent app.
Proton VPN at a glance (rating 8/10): logging policy: no-logs policy; mobile app: Android and iOS; number of servers: 13,000+; free trial: free version with limited features.
IPv6 leak
If unsupported by the VPN service, IPv6 traffic may route elsewhere
IPv6 leaks are similar to DNS leaks. If your VPN doesn’t carry IPv6, your operating system still has an ISP-assigned IPv6 address on the physical interface and uses it for any IPv6-capable destination, bypassing the tunnel. Since most large sites are dual-stacked and operating systems prefer IPv6 when it is available, that can be a large share of your traffic, not an occasional packet.
There are a few solutions:
- Prioritize IPv6 support: Use a VPN that explicitly supports IPv6 traffic and test it.
- Disable IPv6: Disable it entirely on your system.
- Firewall IPv6 traffic: Drop all IPv6 on the physical interface so nothing can leave outside the tunnel.
WebRTC leaks
Websites can stealthily unmask your identity
WebRTC can expose your real IP address even when you’re behind a VPN, and any website can run a small JavaScript snippet to do it, with no permission prompt.
WebRTC is the set of browser APIs for peer-to-peer audio, video, and data channels. PeerTube, which shares video between viewers, is one famous example.
To connect two peers, WebRTC gathers ICE candidates. Host candidates come from every local interface, physical and virtual, read straight from the OS (modern browsers mask these behind mDNS names ending in .local unless the site already has camera or microphone permission). Server-reflexive candidates come from sending packets to STUN servers, which reply with the public IP and port they saw. If those STUN packets leave through the physical interface, the reply carries your real public address, VPN or not. The script on the website collects the candidates and can easily identify you.
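The “tiny snippet” described above, as an added example that is not from the original article. `harvestWebRtcCandidates` is the browser-side part (the STUN server URL is an assumption; any public STUN server behaves the same way); `parseCandidate` and `summarizeLeak` are what a tracker does with the result, and they run on constructed candidates so you can see the output without a browser.

```javascript
// Added example, not from the original article. parseCandidate/summarizeLeak
// run anywhere; harvestWebRtcCandidates needs a browser. The STUN URL is an
// assumption; any public STUN server behaves the same way.

const PRIVATE_RANGES = [
  /^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./,
  /^fe80:/i, /^f[cd]/i, /^::1$/,
];

// Parse one ICE candidate attribute, e.g.
// "candidate:3 1 udp 1685987071 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000"
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  const address = m[5];
  return {
    address,
    protocol: m[3].toLowerCase(),
    type: m[7],                                   // host | srflx | prflx | relay
    mdns: address.endsWith('.local'),             // browsers mask host candidates like this
    privateRange: PRIVATE_RANGES.some((re) => re.test(address)),
  };
}

// What a tracker extracts: public addresses reported by STUN (srflx/prflx) or
// directly exposed as a public host address (typically IPv6), plus any
// unmasked private addresses, which reveal your LAN and your VPN tunnel.
function summarizeLeak(lines) {
  const publicAddresses = new Set();
  const localAddresses = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || c.mdns || c.type === 'relay') continue;
    if (c.type === 'srflx' || c.type === 'prflx' || !c.privateRange) publicAddresses.add(c.address);
    else localAddresses.add(c.address);
  }
  return { publicAddresses: [...publicAddresses], localAddresses: [...localAddresses] };
}

// Browser only: the whole "tiny snippet". Creating a data channel starts ICE
// gathering with no permission prompt; the candidates arrive as events.
function harvestWebRtcCandidates(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 2000) {
  return new Promise((resolve) => {
    if (typeof RTCPeerConnection === 'undefined') return resolve([]);   // not a browser
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel('probe');
    pc.onicecandidate = (e) => { if (e.candidate) lines.push(e.candidate.candidate); };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => { pc.close(); resolve(lines); }, timeoutMs);
  });
}

// Constructed sample: LAN address 192.168.1.20, tunnel address 10.8.0.5.
// The STUN reply via the LAN side (203.0.113.7) is the real public IP: the leak.
// The one via the tunnel (198.51.100.9) is the VPN exit, which is what you wanted shown.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host',
  'candidate:2 1 udp 2122194687 10.8.0.5 50001 typ host',
  'candidate:3 1 udp 1685987071 203.0.113.7 50000 typ srflx raddr 192.168.1.20 rport 50000',
  'candidate:4 1 udp 1685921535 198.51.100.9 50001 typ srflx raddr 10.8.0.5 rport 50001',
];

harvestWebRtcCandidates().then((live) => {
  const report = summarizeLeak(live.length ? live : SAMPLE_CANDIDATES);
  console.log(live.length ? 'live candidates' : 'constructed sample', report);
});
```

Paste the block into a browser console with your VPN up: if `publicAddresses` contains anything other than your VPN exit address, the STUN packets left through the physical interface. With a dedicated VPN gateway the host has no such path, which is why that setup closes the hole.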
The solutions:
- Disable WebRTC: In Firefox, set media.peerconnection.enabled to false in about:config. Chrome has no built-in switch, so use an extension that sets the WebRTC IP handling policy (for example, to disable non-proxied UDP) or disables WebRTC outright.
- Use a VPN gateway: The browser’s host has no route to the internet except through the tunnel, so STUN replies can only ever carry the VPN’s address.
Connection drops
Your system may continue to send unprotected packets
If your VPN connection drops, your packets may default to the physical interface, which exposes your traffic.
The solutions:
- Kill switch: VPN apps provide this feature to cut all network traffic if the VPN connection drops.
- Firewall rules: Block all traffic on your physical interface that isn’t destined for your VPN service or local network.
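The firewall rules described above, as an added example that is not from the article. It is the same egress restriction the dedicated VPN gateway enforces, here applied on the host itself with nftables. The interface names, the VPN endpoint, its port and the LAN range are assumptions; substitute your own.

```nftables
# Added example, not from the article: a host-side kill switch as an nftables ruleset.
# Assumptions (adjust to your setup): physical interface eth0, tunnel interface wg0,
# VPN endpoint 203.0.113.10 on UDP 51820, LAN 192.168.1.0/24.
# Load with:    nft -f killswitch.nft
# Inspect with: nft list table inet vpn_killswitch
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        oifname "lo" accept                         # loopback
        oifname "wg0" accept                        # everything inside the tunnel

        # The tunnel itself: the only thing allowed to leave eth0 for the internet.
        oifname "eth0" ip daddr 203.0.113.10 udp dport 51820 accept

        # DHCP, so the physical link can still obtain and renew its address.
        oifname "eth0" udp sport 68 udp dport 67 accept

        # Local network, but never DNS to it: that is the "router DNS proxy" leak.
        oifname "eth0" ip daddr 192.168.1.0/24 udp dport 53 counter drop
        oifname "eth0" ip daddr 192.168.1.0/24 tcp dport 53 counter drop
        oifname "eth0" ip daddr 192.168.1.0/24 accept

        # No IPv6 rule for eth0 at all: the drop policy swallows it, so there is no IPv6 leak.
        # Anything else that tries to leave on eth0 is a leak; count and log it.
        oifname "eth0" counter log prefix "vpn-leak: " drop
    }
}
```

The counters on the last rules double as a leak detector: after a day of use, `nft list table inet vpn_killswitch` shows how many packets tried to leave outside the tunnel, and the kernel log names the destinations. If the VPN drops, the only effect is that nothing gets out, which is the kill switch behavior the VPN app would otherwise have to provide.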
Browser fingerprinting
Same identity across multiple IP addresses
A fingerprint is a hash over your browser’s attributes: user agent, language, screen size, installed fonts, how it renders a canvas or audio sample, time zone, and dozens more. The combination is unique, or nearly so, and your IP address is not part of it, so it survives an IP change.
Fingerprints are most often taken by tracking scripts from Facebook, Google, etc., which are embedded across the entire web. When you change your IP, Google knows it’s the same person, not just when you visit Google but on every site carrying its script.
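An added illustration, not from the article: a reduced fingerprint, the tracker-side join that links it across IP addresses, and a per-session perturbation that breaks the join. The attribute list and the hash function are simplifications chosen for the example (real scripts hash hundreds of signals), and the `farble` function is an illustration of the idea, not Brave’s actual algorithm.

```javascript
// Added example, not from the original article. Attribute set, hash and the
// farble() perturbation are simplifications chosen for illustration.

// 32-bit FNV-1a: dependency-free stand-in for whatever hash a tracker uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Browser-side collection. In Node the globals are absent and you get empty
// fields, which is fine: the rest of the example uses a constructed sample.
function collectAttributes() {
  const nav = globalThis.navigator || {};
  const scr = globalThis.screen;
  return {
    userAgent: nav.userAgent || '',
    language: nav.language || '',
    hardwareConcurrency: nav.hardwareConcurrency || 0,
    screen: scr ? `${scr.width}x${scr.height}x${scr.colorDepth}` : '',
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone || '',
    canvas: '',   // a real script hashes a rendered canvas here
  };
}

// The fingerprint is a hash over the attributes in a fixed key order.
// The client's IP address is not an input, so changing it changes nothing.
function fingerprint(attrs) {
  return fnv1a(JSON.stringify(attrs, Object.keys(attrs).sort()));
}

// Tracker side: group the sessions it has seen by fingerprint -> set of IPs.
// One group with two IPs means the tracker linked the home and VPN sessions.
function linkSessions(sessions) {
  const byFp = new Map();
  for (const s of sessions) {
    if (!byFp.has(s.fingerprint)) byFp.set(s.fingerprint, new Set());
    byFp.get(s.fingerprint).add(s.ip);
  }
  return byFp;
}

// Per-session perturbation of a noisy attribute (the canvas hash), in the
// spirit of Brave's farbling. Illustration only, not Brave's algorithm.
function farble(attrs, sessionSeed) {
  return { ...attrs, canvas: fnv1a(`${attrs.canvas}:${sessionSeed}`) };
}

// Constructed sample: one machine, seen from a home IP and from a VPN exit IP.
const SAMPLE_ATTRS = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/127.0',
  language: 'en-US', hardwareConcurrency: 8, screen: '2560x1440x24',
  timezone: 'Europe/Berlin', canvas: 'c0ffee42',
};
const SAMPLE_SESSIONS = [
  { ip: '198.51.100.23', fingerprint: fingerprint(SAMPLE_ATTRS) },   // home connection
  { ip: '203.0.113.77',  fingerprint: fingerprint(SAMPLE_ATTRS) },   // same browser via VPN
];

// Without randomization the two sessions collapse into one identity;
// with a fresh seed per session they stay apart.
function demo() {
  const linked = linkSessions(SAMPLE_SESSIONS);
  const randomized = linkSessions([
    { ip: '198.51.100.23', fingerprint: fingerprint(farble(SAMPLE_ATTRS, 1)) },
    { ip: '203.0.113.77',  fingerprint: fingerprint(farble(SAMPLE_ATTRS, 2)) },
  ]);
  return { linkedGroups: linked.size, randomizedGroups: randomized.size };
}

console.log('this browser:', fingerprint(collectAttributes()), demo());
```

The point of `linkSessions` is that the tracker never needs your IP to follow you; it needs the hash to stay stable. Randomization works by making the hash differ between sessions, and the separate-browser and separate-gateway advice below works by making sure the real-identity hash never appears on the VPN connection at all.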
The solutions:
- Fingerprint randomization: Use a privacy-focused browser that perturbs fingerprintable outputs per session. Brave does this (it calls it farbling); Tor Browser and Firefox’s resistFingerprinting mode take the opposite approach of making every user look alike, which also works.
- Block trackers: Browsers like Firefox and Brave have built-in tracker blockers; use them.
- Different browsers: Separate your real-life login sessions from your everyday browsing. Companies like Facebook and Google link that fingerprint to who you are.
Authenticated sessions
Ties your real name to a fingerprint
Using a browser to log in to Facebook, TikTok, Google, etc., from multiple public IP addresses associates your fingerprint with your real identity. These companies track you across the web, and your cookies maintain a persistent identity on these domains. Essentially, they’ve got your fingerprint and real name.
The solutions:
- Use dedicated VPN gateways: one for regular traffic, another for your real identity sessions.
- Use network namespaces: On Linux, users can create an entirely separate network stack to isolate identities. Use different browsers, too.
- Use incognito mode: As a last resort, run real-identity sessions in a private window, and before changing your public IP address, destroy the session by closing it. If you use Brave, it will change your fingerprint too.
Accidentally using clear text
Sending private information without a VPN correlates your identities
Restoring a browser session with the VPN turned off, even if logged out of real-identity accounts, means signaling to trackers your fingerprint and real IP address. Trackers can then correlate that data with the browsing habits they’ve previously collected from you.
The solutions:
- Vary tool use: Use different search engines and LLMs on your real and your VPN connections, so the tool in front of you tells you which connection you are on before you type.
- Use a VPN gateway or kill switch: Prevent traffic from occurring unless it’s through a VPN.
- Be careful.
DNS profiling
The what, when, and how often you visit certain websites paint a unique picture
Your daily habits include which websites you visit, when, and how often. Whoever sees your DNS queries, whether your ISP, the resolver operator, or anyone on the path, can infer a unique pattern of behavior and use it to recognize you across different public IP addresses.
The solutions:
- Use the VPN-provided DNS server: This is the simplest fix. Queries travel inside the tunnel, so your ISP sees nothing, but your VPN provider sees every one and can (and some do) profile you.
- Use DNS over HTTPS: Nobody can read your DNS requests except you and the DNS service (with a caveat below.)
- Use DNSCrypt: This is my favorite because Anonymized DNSCrypt adds relays that hide you from the resolver.
DNS traffic does not stop at the resolver. The resolver makes further “upstream” queries to authoritative servers, and those are unencrypted. They carry the resolver’s address rather than yours (unless the resolver forwards part of your address via EDNS Client Subnet), so the party that sees both your IP and your full query history is the resolver itself. That is the problem Anonymized DNSCrypt relays address: the relay sees your IP but not your query, and the resolver sees your query but not your IP.
There are so many ways an OS can betray your privacy that the only dependable defense against leaks is a locked-down VPN gateway. I use one with an external firewall that limits egress (outbound) packets to my VPN service, so only VPN traffic leaves my system. Because the gateway sits outside the host, nothing the host misconfigures (SMHNR, Teredo, security software, a dropped connection) can route around it. It’s not for everyone, though, and being careful is the next best thing.
Mullvad at a glance: logging policy: no-logs policy; mobile app: Android and iOS; free trial: no; supported platforms: Windows, macOS, Linux, iOS, Android, Firefox.
Want complete privacy? Mullvad accepts cash by post: mail an envelope with cash and your payment token to pay for your account, and they never hold any personal information about you.