Even when using a VPN or Tor, if DNS handling is overlooked, clues about the domain names you tried to connect to may leave through a different route.
This is called a DNS leak.
A DNS leak is a little different from a problem where the communication content itself is read. The issue is the clue it gives about which site someone tried to visit.
For example, even if you think you have changed the communication route with a VPN, if only DNS queries are sent to the DNS resolver of your usual ISP, the ISP side may be able to see the queried domain names.
This article organizes what is visible in a DNS leak, how it relates to VPNs and Tor, and what to look at when checking.
DNS is the mechanism for looking up the destination
DNS is the mechanism that maps domain names to IP addresses.
When opening a website in a browser, humans use domain names. However, to actually communicate on the network, the destination IP address is needed.
For that reason, the device or browser asks a DNS resolver and looks up the IP address corresponding to the domain name.
| Stage | What happens | Anonymity point to check |
|---|---|---|
| 1 | The browser uses a domain name | The name of the site to connect to is formed |
| 2 | It queries a DNS resolver | Which resolver was queried becomes important |
| 3 | An IP address is returned | Communication to that IP address becomes possible |
| 4 | It connects to the website | With HTTPS, the body is protected by encryption |
A DNS query is not the page content or form content itself. However, "which domain name was looked up" becomes a strong clue for inferring the access destination.
What is the problem with a DNS leak?
The problem with a DNS leak is that even though you think the communication route has changed, only DNS queries go out through a different route.
For example, suppose the purpose of using a VPN is "making the destination harder for the ISP to see directly." In that situation, even if web communication is going to the VPN server, if only DNS queries go to the ISP side, the ISP may be able to see the queried domain names.
In other words, even if the destination website content is hard to read because of HTTPS, the DNS stage may still leave behind "which domain someone tried to view."
| State | How web communication appears | How DNS appears |
|---|---|---|
| Normal connection | The ISP can see the destination IP and similar information | Often uses ISP-side DNS |
| VPN working correctly | The ISP sees the VPN connection | Flows to the VPN-side or specified DNS |
| DNS leak present | Web communication goes through the VPN | Only DNS goes to the ISP side |
| Using Tor Browser | Name resolution inside Tor Browser is handled through Tor | Think separately from normal browsers and other apps |
A DNS leak is easy to miss if you assume, "because I am using a VPN, the destination is not visible."
For anonymity, the web communication route and the DNS query route need to be checked separately.
It often needs attention when using a VPN
DNS leaks are a particular concern when using a VPN.
A VPN creates a communication path from the device to the VPN server, then communicates outward through that server. To the destination website, the user appears to come from the VPN server's IP address, not the home IP address.
However, if DNS query settings have not changed to match the VPN, only DNS may go out through the usual network.
In that state, even if the IP visible to the destination website is the VPN server, the queried domain names remain on the DNS resolver side.
| Cause | What happens | What to check |
|---|---|---|
| VPN DNS setting problem | Only DNS goes out through the usual network connection | DNS server during VPN connection |
| Fixed OS-side DNS | OS settings take priority over the VPN | Network settings |
| Browser-specific DNS | The browser uses a different DNS | Browser DNS settings |
| Leak when the VPN disconnects | Returns to the usual network connection after disconnection | Kill switch and reconnection settings |
If you use a VPN, check DNS as well as the IP address. "The IP visible to the destination changed" alone does not prove that there is no DNS leak.
Relationship with Tor
When using Tor Browser, the way to think about this differs from ordinary web browsing.
Tor Browser is designed to handle communication through the Tor network. For that reason, name resolution for websites accessed inside Tor Browser needs to be considered separately from an ordinary browser.
However, if apps other than Tor Browser or your usual browser communicate over the usual network connection, their DNS queries remain a separate issue.
In other words, even if you use Tor, not all communication from the whole device automatically goes through Tor. You need to check which app is sending the communication you want to anonymize.
Information visible and not visible in a DNS leak
To understand DNS leaks correctly, separate what is visible from what is not visible.
| Information | Visible in a DNS leak? | Explanation |
|---|---|---|
| Domain name | May be visible | Becomes a clue to which site was looked up |
| Query time | May be visible | Becomes an axis for comparison with other logs |
| Page body | Not visible from DNS alone | Separate issue from HTTPS content |
| URL path and query | Usually not visible in DNS | DNS mainly handles domain names |
| Form input content | Not visible in DNS | Treated as HTTP communication content |
A DNS leak is not a problem where all page contents leak. However, for anonymity, "which domain someone tried to visit" alone can be an important clue.
In particular, when combined with time, IP address, VPN connection logs, posting time, and account behavior, it becomes material for correlation.
What to check
When checking for DNS leaks, compare the information visible before and after VPN connection.
If you use an external DNS leak test site, look at whether the displayed DNS server is the usual ISP side, the VPN side, or browser-specific DNS.
However, do not judge that you are completely safe from the results of a test site alone. Results change depending on the test scope, browser, OS settings, VPN app, and connection timing.
| Check item | Reason to look |
|---|---|
| DNS server during VPN connection | Check whether ISP-side DNS is visible |
| Browser DNS settings | Check whether browser-specific DNS is intentional |
| VPN disconnection behavior | See whether it returns to the usual network connection on disconnection |
| IPv6 handling | Check whether only IPv6 uses a different route |
| Multiple browsers | See whether results mix between anonymous and usual browsers |
DNSLeakTest is a verification site that can check DNS resolver information as seen from outside. Comparing displayed results before and after VPN connection makes it easier to check whether DNS queries are going through the intended route.
For high-risk anonymous activity, do not feel reassured by a DNS leak check alone. Check cookies, login state, browser fingerprinting, post content, and file metadata separately too.
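As an added example (not code from the original article), a small Python checker that applies the first and fourth check items above: it compares the resolver lists a leak test reported before and after VPN connection, labels each resolver as VPN-side, ISP-side or other against hypothetical address prefixes, and flags the case where only IPv6 still leaves through the ISP. All addresses and prefixes are constructed placeholders from documentation ranges; in a real check, fill them in from the VPN client and the pre-VPN test result.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data (hypothetical addresses from documentation ranges,
# not real resolvers): what a DNS leak test reported before and after
# connecting to the VPN. IPv4 moved to the tunnel, IPv6 did not.
BEFORE_VPN = ["203.0.113.53", "2001:db8:1::53"]
AFTER_VPN = ["10.8.0.1", "2001:db8:1::53"]

# Hypothetical prefixes: the VPN's internal tunnel network and the ISP's
# resolver prefixes. Replace with the values from your own VPN client and
# from the resolvers seen before the VPN was connected.
VPN_PREFIXES = [ipaddress.ip_network("10.8.0.0/24"),
                ipaddress.ip_network("fd00:8::/64")]
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")]


def classify(resolver: str) -> str:
    """Label one resolver as 'vpn', 'isp' or 'other' (e.g. browser-specific DNS)."""
    addr = ipaddress.ip_address(resolver)
    if any(addr in net for net in VPN_PREFIXES):
        return "vpn"
    if any(addr in net for net in ISP_PREFIXES):
        return "isp"
    return "other"


def check_dns_route(before: List[str], after: List[str]) -> Dict[str, object]:
    """Compare resolver lists seen before and after VPN connection.

    'isp_leak': an ISP-side resolver is still used with the VPN up.
    'ipv6_only_leak': the leak is confined to IPv6 (the 'IPv6 handling' item).
    'unchanged': resolvers present both before and after, a hint that the
    VPN did not change DNS at all.
    """
    labelled = [(r, ipaddress.ip_address(r).version, classify(r)) for r in after]
    leaking = [(r, v) for r, v, c in labelled if c == "isp"]
    return {
        "isp_leak": bool(leaking),
        "ipv6_only_leak": bool(leaking) and all(v == 6 for _, v in leaking),
        "unchanged": sorted(set(before) & set(after)),
        "resolvers": {r: c for r, _, c in labelled},
    }


if __name__ == "__main__":
    for key, value in check_dns_route(BEFORE_VPN, AFTER_VPN).items():
        print(key, value)
```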
Summary
A DNS leak means that even though you think the communication route has changed, DNS queries go out through an unintended route.
DNS is not a mechanism that handles page bodies. However, queried domain names become clues to which site someone tried to connect to.
Even when using a VPN, if only DNS goes to the ISP side, material for inferring the destination remains. When using Tor Browser too, communication from apps outside Tor Browser or from a normal browser needs to be considered separately.
For anonymity, check not only the IP address, but DNS, cookies, login state, browser, and post content together. DNS leak countermeasures are important, but they do not make anonymity complete by themselves.
Related tools
Public IP Check
WhatIsMyIP
An external resource related to this article. Open it only when it fits your situation and threat model.
Why it is listed: It can help with the article topic, but it is outside Anonymity Sense and should be checked before use.