A DNS leak refers to a security flaw that allows the true IP address of a connection to be revealed to websites, despite the use of a VPN service to conceal it. The flaw was first documented by Daniel Roesler, a developer based in San Francisco.
Process
The vulnerability allows remote websites to determine the user's true IP address using WebRTC, which is built into most web browsers. According to Roesler, determining the true IP is possible because WebRTC lets a page send requests to ISPs' STUN servers, which return the user's public and local IP addresses; he noted that this can be done from JavaScript.
Furthermore, the STUN requests are not made through the regular XMLHttpRequest mechanism, so they cannot be viewed in browsers' developer consoles or blocked by popular privacy plugins (such as Ghostery or AdBlockPlus).
Determining the true IP address also allows the website to determine the approximate location of the connection, allowing for geo-blocking of content.
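The check that the leak-testing websites mentioned in this article perform can be written as a small self-test. The following is an added example, not code from the article or from Roesler's demo: it parses the ICE candidate strings a browser hands back during WebRTC negotiation (RFC 5245 syntax) and reports which addresses would be visible to a site. Server-reflexive (`srflx`) candidates carry the address the STUN server observed, which is the externally visible IP; `host` candidates carry interface addresses, which current browsers usually replace with an mDNS `.local` name so that the real local address is not exposed. The STUN URL in `gatherCandidates` is a placeholder, not a real server, and the candidate lines in `SAMPLE_CANDIDATES` are constructed for illustration.

```javascript
// Added example: classify the addresses a browser exposes through WebRTC ICE
// candidates, so a user or administrator can check that a VPN or browser
// setting is actually masking them. Not part of the original article.

const PRIVATE_V4 = [
  /^10\./,                       // RFC 1918
  /^192\.168\./,                 // RFC 1918
  /^172\.(1[6-9]|2\d|3[01])\./,  // RFC 1918
  /^127\./,                      // loopback
  /^169\.254\./,                 // link-local
];

// Return 'mdns', 'private' or 'public' for a candidate address.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns'; // browser-obfuscated host candidate
  if (a.includes(':')) {                   // IPv6
    if (a === '::1' || a.startsWith('fe80:') || /^f[cd]/.test(a)) return 'private';
    return 'public';
  }
  return PRIVATE_V4.some((re) => re.test(a)) ? 'private' : 'public';
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address>
// <port> typ <type> ..." (an optional leading "a=" is tolerated).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  if (!m) return null;
  return { transport: m[3].toUpperCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// Summarize what a set of candidate lines would reveal to a remote site.
function summarizeCandidates(lines) {
  const report = { publicAddresses: [], localAddresses: [], mdnsCount: 0, exposesAddresses: false };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const cls = classifyAddress(c.address);
    if (cls === 'mdns') { report.mdnsCount += 1; continue; }
    const bucket = (c.type === 'srflx' || cls === 'public') ? report.publicAddresses : report.localAddresses;
    if (!bucket.includes(c.address)) bucket.push(c.address);
  }
  report.exposesAddresses = report.publicAddresses.length > 0 || report.localAddresses.length > 0;
  return report;
}

// Constructed sample: one real local address, one STUN-reflected public address
// (203.0.113.0/24 is a documentation range), one mDNS-obfuscated host candidate.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.10 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 192.168.1.10 rport 54321 generation 0',
  'candidate:3 1 udp 2122260223 3f2c1a9e-0000-4000-8000-000000000000.local 54322 typ host generation 0',
];

// In a browser, gather live candidates and feed them to the summary. The STUN
// URL is a placeholder; substitute a server you operate. Resolves after
// `timeoutMs` with the report, or rejects where WebRTC is unavailable (e.g. Node).
function gatherCandidates(stunUrl = 'stun:stun.example.invalid:3478', timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    if (typeof RTCPeerConnection === 'undefined') {
      reject(new Error('WebRTC is not available in this environment'));
      return;
    }
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.createDataChannel('probe');
    pc.onicecandidate = (ev) => { if (ev.candidate) lines.push(ev.candidate.candidate); };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
    setTimeout(() => { pc.close(); resolve(summarizeCandidates(lines)); }, timeoutMs);
  });
}
```

Run in a browser console, `gatherCandidates().then(console.log)` shows whether the `publicAddresses` entry is the VPN's exit address or the underlying connection's address; on a browser with WebRTC disabled the promise rejects, which is the expected outcome of the prevention steps below. The parsing and classification logic runs anywhere, which is what makes the report reproducible against captured candidate lines.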
Prevention
Several websites exist that let users test whether a DNS leak is occurring, including Roesler's demo tool. DNS leaking can be prevented in a number of ways: