Secure your VPN
Extra measures
See what VPNs don’t and can’t protect against, and bolster your privacy with a layered approach.
When you connect to a VPN, as well as proxying your traffic and updating your routing table so that it goes through the tunnel, the client may also push a different set of DNS servers to your machine.
On paper this is a reasonable idea. Traditional DNS requests (for example, where linuxformat.com is resolved to 172.31.5.172) travel over UDP port 53 in the clear, so even if the operator of the DNS server (typically one's ISP) doesn't see which page a client is looking at, it at least learns which hostname was asked for, and the address the client was told to connect to. When that happens while you're on a VPN, with lookups escaping the tunnel and going to the ISP's resolver, it's known as DNS leakage. You may use another DNS server (such as Cloudflare's easy-to-remember 1.1.1.1 public offering), but this only helps if you trust that operator more than your ISP, and an unencrypted query to 1.1.1.1 is just as readable to your ISP while it's in transit.
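To make the "in the clear" point concrete, here is an added example (it is not code from the Linux Format article) that builds a standard UDP/53 query for linuxformat.com, answers it with the 172.31.5.172 address used above, and then parses both packets the way a passive on-path observer such as an ISP would. Nothing is sent over the network; the packets are constructed in memory. The hostname and the returned address are both recoverable from the raw bytes, which is exactly what a plaintext resolver leaks.

```python
"""
What an on-path observer learns from plaintext DNS (added example, not from
the original article). Builds a query and a reply in DNS wire format and then
extracts the hostname and address from them without any decryption step.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode 'linuxformat.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query: 12-byte header + one question (RD=1, QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_qname(pkt: bytes, offset: int):
    """Read a name at offset; follows RFC 1035 compression pointers (0xC0xx)."""
    labels = []
    while True:
        length = pkt[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_qname(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length


def build_response(query: bytes, ip: str) -> bytes:
    """Reply with one A record; the answer name is a pointer to the question (0xC00C)."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, 1, 0, 0)  # QR=1 RD=1 RA=1
    _name, qend = decode_qname(query, 12)
    question = query[12:qend + 4]  # name + QTYPE + QCLASS
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return header + question + answer


def observe_query(pkt: bytes) -> dict:
    """Passive observer's view of a query: transaction id, direction and hostname."""
    txid, flags, _qd, *_ = struct.unpack("!HHHHHH", pkt[:12])
    name, off = decode_qname(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": name, "qtype": qtype}


def observe_response(pkt: bytes):
    """Passive observer's view of a reply: (hostname, IPv4) for each A record."""
    _txid, _flags, _qd, ancount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    _qname, off = decode_qname(pkt, 12)
    off += 4  # skip QTYPE and QCLASS of the question
    seen = []
    for _ in range(ancount):
        rname, off = decode_qname(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            seen.append((rname, ".".join(str(b) for b in rdata)))
    return seen


if __name__ == "__main__":
    q = build_query("linuxformat.com")
    r = build_response(q, "172.31.5.172")  # address taken from the article's example
    print("observer sees query:", observe_query(q))
    print("observer sees answer:", observe_response(r))
```

The same parser works on real packets captured from a port 53 socket or a pcap, which is the cheap way to verify for yourself whether any lookups are still going out of the physical interface after the VPN comes up.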
ISPs may also block certain domains at the DNS level (the UK has a long list of piracy-related sites), so for a time using someone else's DNS server was seen (by nefarious pirates whose activities we do not condone) as a free and easy way around this. Many ISPs are aware of this, and some have taken the rather heavy-handed measure of performing DNS interception. Remember we said DNS went over in the clear? Well, that makes it woefully easy for your ISP to transparently redirect any outbound port 53 traffic, whichever server it was addressed to, to its own resolvers, and you may not notice unless you compare the answers you get with those from a resolver you reach some other way.
So VPNs now market themselves as providing DNS-leak-resistant technology. Indeed, some offer an even more budget-friendly "DNS-only" option. The mechanics are straightforward: tunnel DNS requests as well as (or instead of) the rest of your traffic, so that they reach the VPN provider's resolver rather than your ISP's. Bear in mind that a DNS-only service hides what you looked up, not where you then connect: your ISP still sees the address of the server you talk to afterwards. And again, this just moves the trust problem upstream, from your ISP to the VPN operator.
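Whether your lookups actually go through the tunnel comes down to two things: which resolvers your machine is configured to use, and which interface the kernel's routing table sends packets for those resolvers out of. The following added example (it is not code from the article or from any VPN client) performs the kernel's longest-prefix-match decision over a routing table captured as `ip route` text and reports resolvers from a resolv.conf that would be reached outside the tunnel interface. The routing tables and resolv.conf contents are constructed samples: the "VPN up" table mirrors the common OpenVPN redirect-gateway layout, where two /1 routes via tun0 out-rank the ISP's default route and a host route keeps the VPN server (203.0.113.10 here, a placeholder) reachable via the physical NIC.

```python
"""
Which resolvers leak outside the VPN tunnel? (added example, not from the
original article). Parses `ip route` text, does longest-prefix matching
like the kernel, and flags resolv.conf nameservers routed off-tunnel.
"""
import ipaddress

# Constructed sample: routing table before the VPN is connected.
ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample: after an OpenVPN-style redirect-gateway. 0.0.0.0/1 and
# 128.0.0.0/1 cover the whole address space with a longer prefix than the ISP
# default route; 203.0.113.10 stands in for the VPN server's address.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed resolv.conf contents: one still lists the home router (an ISP
# forwarder), the other only the resolver the VPN pushed.
RESOLV_LEAKY = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"
RESOLV_OK = "search lan\nnameserver 10.8.0.1\n"


def parse_routes(text):
    """Return [(network, device, metric)] from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes


def route_for(ip, routes):
    """Longest prefix wins; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev, metric in routes:
        if addr not in net:
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and metric < best[2])):
            best = (net, dev, metric)
    return best[1] if best else None


def parse_resolvers(text):
    """Nameserver addresses from resolv.conf text, in order."""
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver")]


def leaking_resolvers(resolv_text, routes_text, tunnel_dev="tun0"):
    """Resolvers whose packets would leave via something other than tunnel_dev."""
    routes = parse_routes(routes_text)
    return [ns for ns in parse_resolvers(resolv_text)
            if route_for(ns, routes) != tunnel_dev]


if __name__ == "__main__":
    print("leaks with VPN up, stale resolv.conf:",
          leaking_resolvers(RESOLV_LEAKY, ROUTES_VPN_UP))
    print("leaks with VPN up, pushed resolver only:",
          leaking_resolvers(RESOLV_OK, ROUTES_VPN_UP))
```

On a live system, `ip route get <resolver address>` gives the kernel's own answer for a single address and is the authoritative check. Two caveats: wg-quick (WireGuard) normally steers traffic with a firewall mark and a separate routing table rather than the /1 routes shown here, so the main table alone won't tell the whole story, and on systemd-resolved hosts the effective resolvers are per-link and are shown by `resolvectl status`, not necessarily by /etc/resolv.conf.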