Manually preventing VPN DNS leakage in Windows

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IPv6 leakblocking, to firewall-based structures that enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Post by Pattern_Juggled » Fri Jan 11, 2013 8:22 am

VPN & DNS Leakage

PCs have two problems with the use of VPNs:
  1. If the VPN drops out, the normal internet connection continues, after which your information and activities can be seen. It usually takes a while before you know that your VPN has stopped and you are using your own IP address, which can identify you (it will only happen during a pentest, lol).
  2. You also have the problem of "DNS leakage". Domain name servers are like phone books: the name (www address) that you type into your browser is translated into a number at which the server can be reached. VPNs do encrypt your connection, but in some cases the DNS lookup STILL goes via your regular internet connection. This is called a "DNS leak" and means that your ISP can see what sites you go to, etc. Nowadays it is common for your ISP to neatly store that information under a storage (data-retention) obligation; this is not what you want. This problem is common when routers and computers are set to DHCP with automatic settings.

Testing for DNS leaks:
  • Connect to your VPN and go to this site: or
  • Click Test, and ignore messages such as "good, great" and everything except the DNS resolver addresses.
  • At the latter address, click "initiate" at the bottom of the page; ignore 'spoofability' and everything except the addresses listed as 'nameserver' and 'server name'.
  • Check each IP address in that list using infosniper or Robtex. Make sure none of those IP addresses is your IP or indicates that the IP belongs to your ISP.
If it does, you have a DNS leak; if none of the IPs belongs to your ISP, then you are safe.

To fix a DNS leak:
  1. Let the computer use specified (static) settings instead of automatic DHCP settings (for the connection you are going to use for the VPN; only required if you are running XP).
  2. After you are connected to your VPN, set the DNS nameserver of your regular internet connection to 'none'; this forces DNS lookups via the VPN only.
  3. Put everything back after you disconnect your VPN.
  4.  has a batch file that will auto-execute when running OpenVPN and do the DNS work automatically. via @AnonyActivist
From "How can I fix a DNS leak?":

The solution is to ensure that once connected to the anonymity network, you are using ONLY the DNS server(s) provided by the anonymity service. As this problem predominantly affects Windows clients, only solutions for Windows appear here.

3 basic steps to fix the problem:
  1. Before connecting to the VPN, set static IP address properties if you are using DHCP
  2. After connecting, remove DNS settings for the primary interface
  3. After disconnecting, switch back to DHCP if necessary or reapply the original static DNS servers

Solution A – Automatic

If you are using OpenVPN on Windows XP/Vista/7 then a fully automated solution is available.

Download dnsfixsetup.exe – (md5 checksum: f212a015a890bd2dae67bc8f8aa8bfd9)

After installation, when you connect to a VPN server, a batch file will be run executing the 3 steps above.

Three scripts are generated for each OpenVPN configuration file:
  1. configfilename_pre.bat – executed before the connection is established – Calls pre.vbs – If any active DHCP adapters exist, switch to static
  2. configfilename_up.bat – executed when the connection is established – Calls up.vbs – Clears the DNS servers for all active adapters except the TAP32 adapter
  3. configfilename_down.bat – executed after the connection is disconnected – Calls down.vbs – Reconfigure adapters back to their original configuration
If you have any problems or suggestions, please contact

Solution B – Manually clearing the DNS

The solution below does not switch the adapter to static if you are using DHCP. If you do not switch to a static IP configuration and your computer renews its IP address whilst connected to the VPN, the DNS settings may be overwritten. It is highly recommended to switch to a static IP configuration.

1. Open the command prompt (cmd.exe) as an administrator.

2. Before connecting, identify the name of the connected network interface. In the case below it is "Local Area Connection".

    netsh interface show interface

3. Connect to the VPN. Once connected proceed to the next step.

4. Flush the DNS resolver cache

    ipconfig /flushdns

5. Disable the DNS configuration for the interface identified in step 1

    netsh interface ipv4 set dnsservers name="Local Area Connection" source=static address=none register=both

6. Test for DNS leaks.

7. After disconnecting, reconfigure the adapter to restore the previous DNS settings

    netsh interface ipv4 set dnsservers name="Local Area Connection" source=dhcp

8. Once again, flush the DNS resolver cache.

    ipconfig /flushdns
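The three manual steps (and the pre/up/down split of the automatic solution) as one script, added here as an illustration; it is not the original post's material and not the dnsfixsetup package's scripts. It issues the same netsh commands as the manual steps, reads adapter state through WMI (available to PowerShell 2.0 and later on XP/Vista/7), and adds a local check for the "only the TAP adapter holds DNS servers" condition from step 6. The adapter names, the state-file path and the dnsleak.ps1 file name are assumptions; take the real names from `netsh interface show interface`.

```powershell
# dnsleak.ps1 (added example; not from the original post or the dnsfixsetup
# package). Run from an elevated PowerShell prompt on the OpenVPN client:
#   .\dnsleak.ps1 -Action pre    before connecting   (DHCP lease -> static)
#   .\dnsleak.ps1 -Action up     once connected      (clear LAN resolvers)
#   .\dnsleak.ps1 -Action check  local leak check    (only TAP may hold DNS)
#   .\dnsleak.ps1 -Action down   after disconnecting (restore saved config)
# Assumptions: one physical uplink named $LanAdapter, the OpenVPN TAP adapter
# named $TapAdapter (both as shown by "netsh interface show interface"), and a
# hypothetical state file $StateFile that remembers the pre-VPN settings.
param(
    [string]$Action     = "usage",
    [string]$LanAdapter = "Local Area Connection",
    [string]$TapAdapter = "Local Area Connection 2",
    [string]$StateFile  = (Join-Path $env:TEMP "dnsleak-state.xml")
)

function Get-AdapterConfig([string]$Name) {
    # Win32_NetworkAdapter carries the friendly connection name; the IP/DNS/DHCP
    # settings live in Win32_NetworkAdapterConfiguration. Both share Index.
    $nic = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID = '$Name'"
    if (-not $nic) { throw "no adapter named '$Name'" }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($nic.Index)"
}

function Invoke-Pre {
    # Step 1: save the current DNS state, then pin a DHCP lease as a static
    # config so a renewal while on the VPN cannot push the ISP resolvers back.
    $cfg = Get-AdapterConfig $LanAdapter
    @{ DhcpEnabled = [bool]$cfg.DHCPEnabled
       DnsServers  = @($cfg.DNSServerSearchOrder | Where-Object { $_ }) } | Export-Clixml $StateFile
    if (-not $cfg.DHCPEnabled) { return }          # already static, nothing to pin
    $ip4 = $cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -First 1
    if (-not $ip4) { throw "no IPv4 address on '$LanAdapter'" }
    $mask = $cfg.IPSubnet[[array]::IndexOf($cfg.IPAddress, $ip4)]
    $gw   = if ($cfg.DefaultIPGateway) { $cfg.DefaultIPGateway[0] } else { "none" }
    netsh interface ipv4 set address name="$LanAdapter" source=static address=$ip4 mask=$mask gateway=$gw
}

function Invoke-Up {
    # Steps 4-5: drop cached answers, then remove every resolver from the LAN
    # adapter. The TAP adapter keeps whatever the VPN server pushed, so the
    # stub resolver has nowhere outside the tunnel to send queries.
    ipconfig /flushdns | Out-Null
    netsh interface ipv4 set dnsservers name="$LanAdapter" source=static address=none register=both
}

function Invoke-Down {
    # Steps 7-8: put the adapter back the way Invoke-Pre found it.
    if (-not (Test-Path $StateFile)) { throw "no saved state; run -Action pre first" }
    $state = Import-Clixml $StateFile
    if ($state.DhcpEnabled) {
        netsh interface ipv4 set address    name="$LanAdapter" source=dhcp
        netsh interface ipv4 set dnsservers name="$LanAdapter" source=dhcp
    } else {
        # Adapter was static all along: only the DNS list was cleared by Invoke-Up.
        netsh interface ipv4 set dnsservers name="$LanAdapter" source=static address=none register=both
        $i = 1
        foreach ($dns in $state.DnsServers) {
            netsh interface ipv4 add dnsservers name="$LanAdapter" address=$dns index=$i
            $i++
        }
    }
    ipconfig /flushdns | Out-Null
    Remove-Item $StateFile
}

function Test-DnsLeak {
    # Step 6, local half: every connected adapter other than the TAP adapter
    # that still carries resolver addresses. No output means the OS has no
    # non-VPN resolver to fall back to. This inspects configuration, not
    # traffic, so the remote test described above is still worth running.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionStatus = 2" |
      Where-Object { $_.NetConnectionID -ne $TapAdapter } |
      ForEach-Object {
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($_.Index)"
        if ($cfg.DNSServerSearchOrder) { "$($_.NetConnectionID): $($cfg.DNSServerSearchOrder -join ', ')" }
      }
}

switch ($Action) {
    "pre"   { Invoke-Pre }
    "up"    { Invoke-Up }
    "down"  { Invoke-Down }
    "check" { $leaks = @(Test-DnsLeak)
              if ($leaks) { "LEAK: resolvers outside $TapAdapter`n" + ($leaks -join "`n") }
              else        { "OK: only $TapAdapter carries DNS servers" } }
    default { "usage: dnsleak.ps1 -Action pre|up|down|check [-LanAdapter name] [-TapAdapter name]" }
}
```

The `up` and `down` actions can be called from OpenVPN's `--up` and `--down` hooks (which require `--script-security 2`); the `pre` action has to run before the connection starts, as the dnsfix `_pre.bat` does, because a DHCP renewal mid-session would otherwise reinstall the ISP resolvers. Clearing the resolver list only removes the operating system's reason to send queries outside the tunnel; an application that talks to a DNS server by IP address bypasses it, which is why a fail-closed firewall rule that drops port 53 traffic not bound for the TAP adapter is the stronger guarantee.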