If you are like most home broadband users, your machine is either connected directly to a broadband modem, or connected to a router that is connected to a broadband modem, Your machine gets all of its addressing information over DHCP from the modem or router, and all is well. If you’re using a router, chances are that your router is getting its DNS settings over DHCP, from your ISP. This means that your computer is using DNS servers that are linked to your ISP in your area.
If you start up a VPN session, ideally you receive a new set of DNS servers from the VPN endpoint, however, that is not always the case. What can end up happening is that your machine sends a DNS query through the encrypted pipe, to your local ISP controlled DNS server. Why is this bad? Because, when an ISP gets a DNS request from a known VPN provider, they can simply look for a user sending traffic to that VPN’s IP address, in their local area. Once they find that, they potentially have a one to one mapping between user and data requested.
So, how do I fix it? If you’re lucky, your VPN provides you with DNS servers. Use them for ALL traffic, not just encrypted VPN use. If you aren’t so lucky, you can mitigate the issue by using a large scale DNS server that doesn’t serve a specific area, such as Google’s DNS servers (22.214.171.124 and 126.96.36.199). These will log data, but through the VPN, they have no reasonable way of identifying you through the data.
Special Case: Proxy to VPN
If you are using my AnonyBox, or another proxy solution to connect to your VPN, your browser may be sending your DNS queries directly through your connection to your ISP, unencrypted. This is VERY BAD.
Chrome is the only browser that handles the situation correctly by default. As long as you are using a SOCKS v5 proxy or HTTP proxy, all DNS queries are made proxy-side. However, if you are using a SOCKS v4 proxy, you are not safe.
In Firefox, you will need to change a setting. Type “about:config” into the address bar, and find the line that reads “network.proxy.socks_remote_dns”. Set it to true and restart Firefox. For Firefox, you will want to ensure that you are using a SOCKS v5 proxy, and not an HTTP proxy.
As always, stay safe and have fun.