
Browser leak > DNS leak

· 9 min read
Gregory Komissarov
Engineering Enthusiast

This post covers the principles behind digital identity leaks, the mechanics of a DNS leak, and possible fixes.

I'm glad that we have finally got to such topics, as I see that people often search for answers to queries like: nordvpn dns leak, surfshark dns leak, expressvpn dns leak test. The idea behind a DNS leak is simple and beautiful. Let's find out how it works and why it matters for VPN and proxy users.

What are digital fingerprinting and identity leaks?

The closest real-world analogy would be the following. Imagine that a store was robbed and a camera was running inside. The robbers tried to hide their identities and wore masks, but many details became available to the police from the camera footage: height and approximate weight, shoe size, right- or left-handedness. Fingerprints and sweat stains can be taken from the door handles. This data helps to find the perpetrators, establish their identity, and prove involvement. The same approach can be used to identify and track you even though you have done nothing dangerous.

In the digital world, especially where visitors or users of an online service want to hide their identity, the IP address, geolocation, hardware, application settings, network settings and latency can all be used by the target service to identify the client.

Why does this matter?

Online services say that they use this data to protect themselves from malicious behavior and attacks. That is true, but it is not the whole truth. The same data also lets them limit users' ability to retrieve data from the service and interact with it, even when users only want to work with their own data. Nowadays we can follow the interesting dispute between Bright Data and Meta over this gray zone. Big online services wrote their terms of service in their early days and want to force everybody who has visited their site to obey them. Of course, they protect their business interests, and ethical issues are far from the first priority. Laws and legal practice always lag behind in modern, rapidly developing areas of society. These rules and the consensus around them are being formed right now, and we can see that it does not always happen simply and smoothly.

Speaking about the clients of such services, there is a great variety of cases, from being unable to find out the final price of a product on popular sites, to outright fraud with payment systems and sales. I sincerely hope that you, the reader, use my blog and spend your cognitive effort on learning and creating, not on criminal activity. Unfortunately, many talented people in this field end up in prison.

How does our data leak in the digital world?

The main point is that when we use a web browser to access online services we are not just making HTTP requests; modern browser engines are big and complicated programs. The Chromium repository's AUTHORS file contains ~1700 names, and the code base has tens of millions of lines, like a modern operating system. To be compatible with a huge number of different servers, networks and protocols, the browser does a lot of work under the hood that is invisible to the end user. While doing this job it unintentionally shares details about itself, the network, protocols, addresses, geolocation, client OS, hardware, etc. A target service can use this information to find out that the client is faking its IP with a VPN or proxy, or is trying to change its identity to bypass request-rate limits.

Recursive DNS lookup

I don't plan to give you knowledge comparable to an online course or a university, so I'll be brief. Computers are machines that store, transmit and process data. They use numbers to represent data because that is easier (whether a cell is magnetized or not, whether a signal is above a threshold or not). An IP address is just a 32- or 128-bit number, but we use text and human words to name and remember web site addresses. So there must be a way to convert one into the other, and it already exists: DNS, the "phonebook of the Internet", a hierarchical and distributed name service.

To understand how a DNS leak works it is enough to cover recursive DNS lookup. When the client app (web browser) needs to resolve a human-readable domain name like www.example.com into a public IP address, the lookup passes through DNS servers of several types:

  • Recursive DNS resolver: handles client requests, performs the rest of the lookup on the client's behalf, and caches the responses. The first point of contact.
  • Root name server: one of the 13 root servers; answers the recursor's query with a referral to the TLD server based on the domain ending: .org, .com, .edu, etc.
  • TLD name server: holds records for generic and country-code top-level domains; answers the recursor with a referral to the authoritative server.
  • Authoritative name server: holds the most up-to-date information for the exact DNS zone; responds with the IP address for the name the client is resolving. The last point of contact.

Today almost every home ISP provides its customers with its own recursive DNS servers, because that is beneficial for the ISP from an economic point of view. ISPs pay for the traffic their clients send through upstream providers, so they are happy to host a Netflix or Google caching box that makes the service faster for the client and reduces external traffic at the same time. The same logic applies to DNS: a recursive server inside the ISP network helps users resolve names faster and minimizes external traffic.

[Figure: DNS leak, recursive lookup scheme]

Let's take a look at how recursive lookup works:

  1. The web page initiates a request to a URL with a new, unique domain name. The web browser sends a DNS lookup request to the DNS server configured in the OS.
  2. If the name is missing from its cache, the recursor (recursive DNS server) sends a query to a root nameserver.
  3. The root nameserver responds with the address of the TLD server for the ".tech" name ending.
  4. The recursor sends a query to the TLD server.
  5. The TLD server responds with the address of the authoritative server.
  6. The recursor queries the authoritative server.
  7. The authoritative server responds with the IP address or "nothing found" (NXDOMAIN).
  8. The recursor responds to the web browser and caches the reply if the name was found.
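As an added illustration (not code from the original post), the following Python model walks the eight steps above: a recursor with a cache that follows referrals from a root server to a TLD server to an authoritative server. All server addresses and zone contents are constructed.

```python
# Added example, not from the original post: a toy model of the delegation chain
# in steps 1-8. Server addresses and the zone contents are constructed.
ROOT = "192.0.2.1"   # constructed root server address (RFC 5737 test range)
# Each "server" answers with a referral ("refer": suffix -> next server) or, for the
# authoritative server, a final answer ("answer": name -> IP; a missing name is NXDOMAIN).
SERVERS = {
    ROOT:         {"refer": {"tech": "192.0.2.10"}},                    # root -> .tech TLD
    "192.0.2.10": {"refer": {"datascrape.tech": "192.0.2.53"}},         # TLD -> authoritative
    "192.0.2.53": {"answer": {"lab.datascrape.tech": "203.0.113.7"}},   # constructed zone
}

def suffixes(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], longest first (delegation is by suffix)."""
    parts = name.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

class Recursor:
    """The ISP's recursive resolver: walks root -> TLD -> authoritative and caches hits."""
    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Return (ip or None for NXDOMAIN, list of exchanges made on the client's behalf)."""
        trace = []
        if name in self.cache:                                   # step 2: cache hit, no upstream query
            trace.append(f"cache hit for {name}")
            return self.cache[name], trace
        server = ROOT
        while True:
            trace.append(f"ask {server} about {name}")           # steps 2, 4, 6
            node = SERVERS[server]
            if "answer" in node:                                 # step 7: authoritative answer
                ip = node["answer"].get(name)
                trace.append(f"{server} answered {ip or 'NXDOMAIN'}")
                if ip is not None:                               # step 8: cache positive answers only
                    self.cache[name] = ip
                return ip, trace
            nxt = next((node["refer"][s] for s in suffixes(name) if s in node["refer"]), None)
            if nxt is None:                                      # no delegation at all for this name
                trace.append(f"{server} has no delegation for {name}")
                return None, trace
            trace.append(f"{server} referred to {nxt}")          # steps 3, 5: referral downwards
            server = nxt
```

A second lookup of the same name is served from the cache and generates no upstream traffic, which is exactly why a per-session unique name is needed to force the recursor to show itself to the authoritative server.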

DNS leak mechanics

A DNS leak test aims to obtain both your IP address and the IP address of your recursive DNS server. The geolocation of the two is then compared, and if they are far from each other this is treated as suspicious behavior.

The algorithm is as follows.

  1. The target service serves a web page that you reach via HTTP. At this point the target gets your IP address.
  2. The target service generates unique domain names dedicated to your browser session and makes the JavaScript in your browser issue new HTTP requests to them.
  3. Your browser performs DNS lookups using the DNS server configured in your OS.
  4. The target service's DNS server logs the IP address of the DNS client (your recursor) that asks about the name dedicated to your browser session.
  5. The DNS server log (DNS client IP) is joined with your original IP from the first HTTP request, using the unique domain name as the key. At this point the target service can compare the geolocation of both IPs.
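The server-side join in step 5, written as an added Python example (not code from the original post or from any real service). The web-server log, the authoritative server's query log and the GEO/ASN table are all constructed; the session token is the unique part of the per-session domain name.

```python
# Added example, not from the original post: the server-side join in step 5,
# run over constructed log lines. All IPs, tokens and the GEO table are made up.
import ipaddress
LEAK_ZONE = "lab.datascrape.tech"   # zone whose per-session names are logged
# Constructed web-server log, "<client ip> GET /?t=<session token>" (step 1)
HTTP_LOG = """203.0.113.5 GET /?t=0d016aaf
198.51.100.23 GET /?t=7c1e9b02
203.0.113.77 GET /?t=3f3f3f3f"""
# Constructed query log of the zone's authoritative server, "<resolver ip> A <qname>" (step 4)
DNS_LOG = """192.0.2.64 A 0d016aaf.lab.datascrape.tech
198.51.100.7 A 7c1e9b02.lab.datascrape.tech
192.0.2.64 A www.datascrape.tech"""
# Constructed GEO/ASN table, prefix -> (country, ASN); real services use a GeoIP database
GEO = {"203.0.113.0/24": ("NL", 64500), "192.0.2.0/24": ("US", 64501),
       "198.51.100.0/24": ("DE", 64502)}

def geo_lookup(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return None

def parse_http(log):
    """token -> IP of the client that fetched the page."""
    out = {}
    for line in log.splitlines():
        ip, _, path = line.split()
        out[path.split("t=", 1)[1]] = ip
    return out

def parse_dns(log):
    """token -> IP of the recursor that asked about the per-session name."""
    out = {}
    for line in log.splitlines():
        resolver_ip, _, qname = line.split()
        if qname.endswith("." + LEAK_ZONE):       # skip ordinary names in the zone
            out[qname[: -len(LEAK_ZONE) - 1]] = resolver_ip
    return out

def detect(http_log, dns_log):
    """Join both logs by token and compare country and ASN of the two IPs (step 5)."""
    http, dns = parse_http(http_log), parse_dns(dns_log)
    verdicts = {}
    for token, client_ip in http.items():
        resolver_ip = dns.get(token)               # None: the browser never resolved the name
        same_geo = resolver_ip and geo_lookup(client_ip) and geo_lookup(client_ip) == geo_lookup(resolver_ip)
        verdict = "no-dns-query" if resolver_ip is None else ("match" if same_geo else "mismatch")
        verdicts[token] = {"client_ip": client_ip, "resolver_ip": resolver_ip, "verdict": verdict}
    return verdicts
```

A session whose name was never resolved is reported separately rather than as a mismatch, since there is nothing to compare; a real service would also compare city, as the browser test below does.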

VPN specific

When you use a VPN client there are several options. Most VPN clients run with elevated permissions and can update routes and DNS settings, but these actions have to be configured on the VPN client side. If everything is set up correctly, the default route goes through the VPN virtual interface and the DNS servers are chosen to match the exit node's location (or some global providers such as Google, Cloudflare, etc.). But if you want to bypass Google's or Cloudflare's anti-bot solutions, they may use their own DNS servers' data, and some target resources do not like the use of such public DNS services. If your DNS server settings remain untouched after the VPN client connects, this is a bad sign: check your DNS IPs with a DNS leak detection service, and with high probability they will be far from your public IP.

Proxy specific

If your client app is a tool you have configured to use a proxy, pay attention to its settings: it should delegate name resolution to the proxy service. For ISP, datacenter and dedicated mobile proxies, the proxy server should do the resolution. The articles Connect header and Connect and SSL will remind you that the proxy client tells the proxy which domain it wants to connect to via the HTTP CONNECT method, but the IP of this domain has to be determined by the proxy service. Rotating residential proxies are the exception here, because the proxy server forwards traffic to a residential device that plays the role of the exit node, so the residential device has to make the DNS lookup to demonstrate consistent behavior.

If you use a proxifier and your network client application knows nothing about the proxy, you have to configure your OS DNS yourself, as in the VPN case, and choose a server close to the exit node's location or a global one (Google, CF). Double-check that DNS traffic is allowed by your proxy provider; some rotating residential vendors disable it by default and enable it on request.

How to test my app and OS config?

Using a web browser

Open this Browser leaks test in your web browser and compare the geolocation of your HTTP IP address with the DNS leak IP addresses. They should have the same country, city and ASN. If not, you have a problem.

Using a command line

# 1. Ask API to generate a unique domain for the test
$ curl -s -X POST https://api.datascrape.tech/latest/dns-leak | jq
{
  "domains": [
    "0d016aaf-22a4-4e63-a0f1-85abeb0c94dc.lab.datascrape.tech"
  ],
  "reason": "",
  "status": true
}

# 2. Make a DNS lookup for this domain using your favorite tools: host, dig or nslookup
$ host 0d016aaf-22a4-4e63-a0f1-85abeb0c94dc.lab.datascrape.tech
Host 0d016aaf-22a4-4e63-a0f1-85abeb0c94dc.lab.datascrape.tech not found: 3(NXDOMAIN)

# 3. Ask the API for the IPs of the DNS client (recursor) that was asking for this domain
$ curl -s https://api.datascrape.tech/latest/dns-leak/0d016aaf-22a4-4e63-a0f1-85abeb0c94dc.lab.datascrape.tech | jq
{
  "client_ips": [
    "172.71.181.64"
  ],
  "reason": "",
  "status": true
}

# 4. Compare the DNS recursor IP address returned by the API with your publicly visible IP. Use any IP checker for that, like this one:
$ curl https://api.datascrape.tech/latest/ip
31.44.0.109