Last week, ExpressVPN turned off the split tunneling feature on its Windows app to address a problem where DNS requests weren’t being correctly routed to its servers. ExpressVPN explained that the bug, which was found in versions 12.23.1–12.72.0, led to DNS requests being left unprotected.
Under normal conditions, a user’s DNS requests are routed through ExpressVPN’s servers when connected to its service. However, because of the glitch, these requests were redirected to a third party, usually the user’s Internet Service Provider (ISP), unless set up differently. This situation allowed the ISP to identify the domains accessed by the user, although not the specific pages or activities.
“All contents of the user’s traffic remain encrypted by the VPN and unviewable by the ISP or any other third party,” ExpressVPN explains.
The bug only affected ExpressVPN’s Windows app when the split-tunneling feature was on and the user chose the “Only allow selected apps to use the VPN” mode.
“We could not reproduce it when split tunneling was not activated or when the other split-tunneling mode, ‘Do not allow selected apps to use the VPN,’ was chosen,” ExpressVPN explained.
The split tunneling feature allows users to choose which apps use the VPN tunnel and which apps use the user’s regular internet connection. The affected split-tunneling mode lets users choose which apps are routed through the VPN tunnel.
“All other aspects of VPN protection (e.g., encryption) were not impacted,” ExpressVPN’s blog reads.
ExpressVPN stated that the bug affected fewer than 1% of its Windows users. Last week, ExpressVPN released version 12.73.0 for Windows, which completely deactivates the split tunneling feature. Users are recommended to update their software immediately.
According to ExpressVPN, split tunneling will stay disabled until they find and fix the root cause of the problem. Users who want to continue to use the split tunneling features can downgrade to version 10 of ExpressVPN for Windows, as the feature works correctly in that version.