In 2015, a report titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients” pointed out that many VPN providers were not preventing DNS leakage effectively as IPv6 DNS requests were not being routed through the VPN. This raised security concerns, but in order to understand why, let’s start by taking a look at DNS.
Domain Name System – DNS
DNS is essentially used to translate web addresses (domain names) into numerical IP addresses. Every internet-connected device and connection has an IP address, though it is not always the same one. Until recently, the internet relied on the Internet Protocol version 4 (IPv4) standard for these addresses. However, since internet use has increased dramatically over the last few years, IPv4 addresses have become scarce: an IPv4 address is only 32 bits long, which allows for about 4.29 billion addresses in total.
Although many measures have been implemented in an attempt to prolong the usability of IPv4, these workarounds can’t compare with the actual solution, which is to adopt a new standard known as IPv6. IPv6 uses 128-bit addresses, which vastly increases the maximum number of addresses that can be supported; the standard offers enough addresses to last for quite a while. The main issue is that IPv6 hasn’t been adopted as fast as it should be, for reasons that range from upgrade costs to the lack of a proactive approach.
While all operating systems currently in use support IPv6, most websites haven’t implemented the standard yet. As a result, many websites that do use IPv6 run a dual-tiered setup: when a client connects from an address that only supports IPv4, the website serves an IPv4 address, but when the client connects from an IPv6 address, it serves an IPv6 address. This is the root of the problem with how many VPN providers handle DNS requests.
The problem with DNS Requests
To be able to hide a user’s actual IP address, VPN providers either handle the DNS translation process themselves or use a third-party service like Google DNS or OpenDNS. The third-party option doesn’t compromise the user’s privacy because all the requests are made by the VPN provider, not by the user. What should happen is that every DNS request is routed through the VPN tunnel and then handled by the VPN provider or the third party it uses. If instead a request is handled by the user’s ISP, a DNS leak is taking place.
The report previously mentioned established that while the majority of providers route IPv4 requests through the VPN tunnel, they were not able to route IPv6 requests in the same way. This has serious consequences for users’ privacy because if they visit a website that supports IPv6, they would experience a DNS leak that could expose their actual IP address, location and ISP.
According to the report, while websites supporting IPv6 are still not very common, a large percentage of websites contain third-party IPv6 objects, such as ads from well-known sites like Facebook, Google and Yahoo, which already use the new standard. It is important to keep in mind that most VPN providers mentioned in the report have disputed the claims or have indicated that the test results in the document are outdated.
How to solve the issue
In theory, a VPN client should be able to route all IPv6 requests through the VPN provider. However, the vast majority of clients that offer DNS leak protection have opted for simply disabling IPv6. Although that solution works fine at the moment, it will stop being effective once IPv4 addresses run out. One way to establish whether your VPN leaks is to go to test-ipv6.com.
If your provider doesn’t offer DNS leak protection through its VPN software, you should still be able to disable IPv6. There are instructions on how to do this for Mac OS X, Windows and Linux. It is worth mentioning that the report suggests that all Android devices are likely to be affected by the IPv6 leakage, while iOS is immune to the issue. However, tests carried out on an Android device using a VPN and visiting test-ipv6.com showed that the report may be inaccurate as no DNS leaks were detected.
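A complementary offline check, added here as an example that is not part of the original article: the leak definition above (a DNS request that ends up handled by the ISP rather than the VPN) can be turned into a small audit of the client's own DNS query log. The log format, the tunnel interface name `tun0`, the resolver addresses in `VPN_RESOLVERS`, and the four sample lines are all constructed for this example; real clients do not emit this exact format. The audit flags any query that left through a non-tunnel interface or went to a resolver the VPN provider does not control, and counts IPv4 and IPv6 leaks separately so that the AAAA-over-IPv6 case discussed in the report stands out.

```python
# Added example (not from the article): flag DNS queries that bypass the VPN tunnel.
# Assumed log format (constructed for this example, not a real tool's output):
#   <time> <interface> <src_ip> -> <dst_ip> <query_type> <name>
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Hypothetical VPN setup: the tunnel interface and the resolvers the provider
# pushes to the client. A query is only "ok" if it reaches one of these via the tunnel.
TUNNEL_IFACE = "tun0"
VPN_RESOLVERS = {"10.8.0.1", "2001:db8:cafe::1"}

# Constructed sample log: two clean queries over the tunnel, one IPv6 AAAA query
# that escaped to an outside resolver, one IPv4 query answered by the home router.
SAMPLE_LOG = """\
10:00:01 tun0 10.8.0.2 -> 10.8.0.1 A example.com
10:00:01 tun0 10.8.0.2 -> 10.8.0.1 AAAA example.com
10:00:02 eth0 2001:db8:1::10 -> 2001:db8:ff::53 AAAA ads.example.net
10:00:03 eth0 192.168.1.10 -> 192.168.1.1 A example.org
"""


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    iface: str
    src: str
    dst: str
    qtype: str
    qname: str

    @property
    def ip_version(self) -> int:
        # Address family of the resolver the query was sent to (4 or 6).
        return ipaddress.ip_address(self.dst).version


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return DnsQuery(**m.groupdict())


def classify(q: DnsQuery, resolvers=VPN_RESOLVERS, tunnel=TUNNEL_IFACE) -> str:
    """Return 'ok' if the query stayed inside the VPN, otherwise the leak reason.

    A leak is any query that either left through a non-tunnel interface or was
    sent to a resolver the VPN provider does not control, i.e. a request that
    the user's ISP (or local network) gets to see and answer.
    """
    if q.iface != tunnel:
        return "leak:interface"
    if q.dst not in resolvers:
        return "leak:resolver"
    return "ok"


def audit(lines, resolvers=VPN_RESOLVERS, tunnel=TUNNEL_IFACE) -> dict:
    """Summarise a log: count clean queries, leaks per IP version, and list offenders."""
    report = {"ok": 0, "ipv4_leaks": 0, "ipv6_leaks": 0, "leaks": []}
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue  # skip blank or malformed lines
        verdict = classify(q, resolvers, tunnel)
        if verdict == "ok":
            report["ok"] += 1
            continue
        key = "ipv6_leaks" if q.ip_version == 6 else "ipv4_leaks"
        report[key] += 1
        report["leaks"].append((q.ts, q.iface, q.dst, q.qtype, q.qname, verdict))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    print(f"clean={result['ok']} ipv4_leaks={result['ipv4_leaks']} "
          f"ipv6_leaks={result['ipv6_leaks']}")
    for leak in result["leaks"]:
        print("LEAK", *leak)
```

The interface check matters as much as the resolver check: a client that pushes the right IPv4 resolver but leaves the host's IPv6 default route untouched will show queries to an IPv6 resolver over the physical interface, which is exactly the pattern the report describes. Run against a real capture, the same two rules apply; only `parse_line` would need adapting to the capture tool's format.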
Apart from the IPv6 leakage, the report refers to other issues, such as the use of weak protocols like PPTP. However, in most cases providers clearly advise customers that while PPTP may be an option for certain devices, OpenVPN should always be preferred when available. The report goes on to criticize many VPN providers for offering limited options when it comes to server locations.
The risk is that if a user doesn’t have a wide selection of VPN exit points available, their connection habits become easier to identify, which would make them more vulnerable to an end-to-end timing attack. While this could indeed cause problems, the truth is that it is not likely to happen, as it would require a very specific scenario and advanced capabilities.
The report also refers to threats like man-in-the-middle attacks, which can affect OpenVPN and PPTP/IPSec routing tables if the internet access point (a public WiFi router, for instance) is controlled by whoever intends to launch such an attack. While this type of attack requires specific knowledge and advanced technology, the document highlights that a VPN is meant to secure users’ online traffic when they are using public hotspots, and failure to do so could be devastating, particularly in countries where freedom of speech is not protected.
At this point, it is worth keeping in mind that activists, whistleblowers and other people who may face serious consequences if their online activities and identity are revealed, should opt for Tor instead of VPN. In fact, many providers are transparent about the fact that while a VPN is an ideal privacy tool for the general user, it is not intended as a solution for cases in which full anonymity is crucial. While Tor could also be compromised, it is generally considered as a safer option for those who want complete anonymity.
Is the report reliable?
Overall, the report can be seen as an interesting point of discussion and as an opportunity for VPN providers to enhance their technology and address any possible issues. However, it cannot be seen as an accurate portrait of the weaknesses of VPN providers, since many of the facts included are out of date and don’t reflect the quality of some of the providers mentioned in the document.