After several months of examining hidden vulnerabilities in stealth DNS servers, ExpressVPN has published a report on what it calls a second type of DNS leak that was previously unknown to VPN providers. ExpressVPN said on its blog in April that the “Type 2” DNS leak could pose as serious a risk to VPN users’ privacy as the original Type 1.
ExpressVPN conducted the analysis after receiving a tip from a staff writer at CNET, the online technology publication. The writer reported finding “unexpected DNS request behavior” when he was using ExpressVPN’s split-tunneling feature with his Windows device.
The VPN provider says it has since fixed the specific bug involved with split-tunneling, but in doing so, it discovered a potentially bigger problem. That’s when it brought in cybersecurity firm Nettitude to conduct a wider audit in March and April 2024.
In working with Nettitude, ExpressVPN said it found that a DNS leak can occur inside the VPN tunnel when a user’s DNS requests are processed by DNS servers the user did not explicitly choose, such as those run by a service like Cloudflare. Many of these servers are “stealth DNS servers,” which remain hidden from both the VPN and the user’s ISP.
When a DNS request is resolved by a stealth server, it reaches back to the connection source and records the user’s genuine IP address. And the leak doesn’t appear in a traditional DNS leak test, according to ExpressVPN’s report.
This could give VPN users a false sense of security when no DNS leaks show up in a traditional leak test, ExpressVPN said.
Hidden DNS leaks (Type 2 leaks) should be of great concern to any user counting on a VPN to remain completely anonymous. Public Wi-Fi, particularly the kind found in schools, coffee shops, and hotels, is especially exposed to hackers and malicious actors determined to discover the real location of journalists and dissidents, for example.
Cybersecurity company GuidePoint reported in 2023 that hackers had already discovered a way to exploit vulnerabilities in Cloudflare, the service designed to make cloud computing faster and more secure. The hackers were able to use Cloudflare tunnels to infiltrate victims’ computer systems and siphon their data.
ExpressVPN is urging the entire VPN industry to address the Type 2 DNS leaks. The provider says the most straightforward way to prevent these leaks is to block all DNS traffic that is not resolved within the VPN’s network. This prevents traffic resolved on stealth DNS servers from reaching back to the user’s source connection and learning their true IP address.
Another method is to use a transparent DNS proxy, which intercepts all DNS requests, regardless of their intended destination, and reroutes them to a DNS server approved and trusted by the VPN provider.
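The two mitigations described above, blocking any DNS that does not go through the VPN and transparently rerouting the rest to the provider's resolver, as an added Linux nftables example; this is not ExpressVPN's or Nettitude's code, and the tunnel interface `tun0` and resolver address `10.0.0.1` are constructed placeholders, not values from the report:

```shell
#!/bin/sh
# Added example: generate an nftables ruleset enforcing both mitigations.
# Assumptions (constructed, not from the report):
#   $1 = VPN tunnel interface (e.g. tun0), $2 = VPN-provided IPv4 resolver.
gen_dns_rules() {
  vpn_if="$1"
  vpn_dns="$2"
  cat <<EOF
table inet vpn_dns {
  chain dns_redirect {
    # Transparent DNS proxy: the nat output hook runs before the filter hook,
    # so a plain-DNS query aimed at any other resolver is rewritten to the VPN
    # resolver and then routed through the tunnel.
    type nat hook output priority dstnat; policy accept;
    oifname "lo" return
    meta l4proto { tcp, udp } th dport 53 ip daddr != ${vpn_dns} dnat ip to ${vpn_dns}
  }
  chain dns_filter {
    # Block everything else: DNS may only leave via the tunnel to the VPN
    # resolver. IPv6 DNS and port 853 (DNS over TLS) cannot be rewritten by
    # the rule above, so they are dropped. DNS over HTTPS on port 443 is not
    # distinguishable by port and is NOT covered by this ruleset.
    type filter hook output priority filter; policy accept;
    oifname "lo" return
    oifname "${vpn_if}" ip daddr ${vpn_dns} meta l4proto { tcp, udp } th dport 53 accept
    meta l4proto { tcp, udp } th dport { 53, 853 } counter drop
  }
}
EOF
}

# Load the generated ruleset into the kernel (requires root).
apply_dns_rules() {
  gen_dns_rules "$1" "$2" | nft -f -
}
```

The counter on the drop rule gives a quick check for leaks in progress: a non-zero count means something on the host tried to resolve names outside the tunnel. Windows hosts, where the original bug was found, would need the equivalent filters applied through the Windows Filtering Platform rather than nftables.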