Many of the VPN solutions discussed earlier have one thing in common: they are built on open source code, which makes it easier to find and fix security issues in the implementation. In practice, however, most of the problems users run into have nothing to do with the source code.
The most obvious problem is that the VPN connection drops from time to time, which is bad news for the end user: once the tunnel is gone, the operating system falls back to its normal routes, and the traffic that was supposed to be protected leaves through the home or public network unencrypted.
This happens most often on public Wi-Fi or mobile networks, where connectivity is unstable. In the worst case the user is not notified at all, and the VPN connection is not restored automatically.
Connecting to the network when using a VPN
Starting with Windows 7, Microsoft offers VPN Reconnect, which automatically re-establishes an IKEv2 tunnel after a network interruption. On other platforms you need a client with a “kill switch” that monitors the state of the VPN connection.
When the tunnel goes down, such a client blocks all traffic that would otherwise leave outside the tunnel (some implementations instead close a user-selected list of applications) and keeps trying to reconnect. Many commercial VPN services offer this feature.
The second problem, less obvious and less often discussed, is IPv6. Every major operating system enables it by default, while many VPN clients still tunnel only IPv4. What happens then?
If the public network provides IPv6 and the user connects to a resource that is also reachable over IPv6, the operating system prefers the IPv6 path, and that traffic leaves through the public IPv6 network without ever entering the tunnel. The simplest remedy is to disable IPv6 completely at the operating system level.
It is also possible to send all traffic, IPv6 included, through the VPN, but this requires support on the server side and extra configuration on the client. Research published in 2015 (Perta et al., “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”) demonstrated these leaks in a majority of the commercial clients tested and prompted VPN providers to look for fixes for their customers.
Ideally, once the VPN is up, no DNS query leaves the tunnel: every lookup is handled by the resolvers the VPN provider assigns to the connection.
If the client does not arrange this, add trusted resolvers to the network settings yourself, for example Google Public DNS or OpenDNS, so that queries no longer go to the resolver handed out by the local network. Better still, use a VPN client bundled with DNSCrypt, which encrypts and authenticates the queries and responses exchanged with the DNS server; that protection is useful in many other situations as well.
In real life these recommendations are rarely followed, and queries go to whatever resolver the public network supplied over DHCP. The answers from such a resolver may be wrong or deliberately false, which is an excellent opportunity for criminals: whoever controls or poisons the resolver can redirect the user to a server of their choosing and deliver malware in place of the site that was requested.
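The two leaks described above, IPv6 slipping past an IPv4-only tunnel and DNS queries routed over the physical interface, can both be checked from the routing table once the VPN is connected. The following script is an added example for this article, not code from any VPN client or vendor: it parses the output of `ip -4 route` and `ip -6 route` on a Linux host, together with the nameservers in /etc/resolv.conf, and does a longest-prefix lookup the way the kernel would to see which interface a probe address and each resolver would actually use. The tunnel interface name "tun0" and the sample command outputs are assumptions (the samples are constructed, with a typical OpenVPN "def1" IPv4 redirection and an IPv6 default route learned from router advertisements).

```python
"""Post-connection VPN leak audit for a Linux host (added example, not vendor code).
Parses `ip -4 route` / `ip -6 route` output plus /etc/resolv.conf and reports traffic
that bypasses the tunnel: an IPv4 default route off the tunnel, a usable IPv6 default
route on a physical interface, and DNS servers routed over a physical interface.
Assumed: the tunnel interface is "tun0"; the sample outputs below are constructed.
"""
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

BLACKHOLE_TYPES = {"unreachable", "blackhole", "prohibit"}  # these drop traffic: a remedy, not a leak
# Any global address works as a probe: the kernel picks the route by longest prefix,
# which also handles OpenVPN's 0.0.0.0/1 + 128.0.0.0/1 ("def1") redirection.
PROBE_V4, PROBE_V6 = "198.51.100.1", "2001:db8:ffff::1"

@dataclass
class Route:
    prefix: object          # IPv4Network or IPv6Network
    dev: Optional[str]
    metric: int
    blackhole: bool

def parse_routes(text: str, family: int) -> List[Route]:
    """Parse `ip -4 route` (family=4) or `ip -6 route` (family=6) output."""
    routes = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        blackhole = tokens[0] in BLACKHOLE_TYPES
        if blackhole:
            tokens.pop(0)
        dst = ("0.0.0.0/0" if family == 4 else "::/0") if tokens[0] == "default" else tokens[0]
        try:
            prefix = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue  # not a destination prefix we model
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append(Route(prefix, dev, metric, blackhole))
    return routes

def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric on ties: the route the kernel would use."""
    ip, best = ipaddress.ip_address(addr), None
    for r in routes:
        if r.prefix.version != ip.version or ip not in r.prefix:
            continue
        if (best is None or r.prefix.prefixlen > best.prefix.prefixlen
                or (r.prefix.prefixlen == best.prefix.prefixlen and r.metric < best.metric)):
            best = r
    return best

def parse_resolv_conf(text: str) -> List[str]:
    return [t.split()[1] for t in text.splitlines() if t.startswith("nameserver") and len(t.split()) > 1]

def audit(v4_text: str, v6_text: str, resolv_text: str, tunnel: str = "tun0") -> List[Tuple]:
    """Return (kind, detail...) findings; an empty list means nothing bypasses the tunnel."""
    v4, v6, findings = parse_routes(v4_text, 4), parse_routes(v6_text, 6), []
    r = lookup(v4, PROBE_V4)
    if r is None or r.blackhole:
        findings.append(("ipv4-unroutable",))
    elif r.dev != tunnel:
        findings.append(("ipv4-off-tunnel", r.dev))
    r = lookup(v6, PROBE_V6)  # no IPv6 route at all is fine; one on wlan0/eth0 is a leak
    if r is not None and not r.blackhole and r.dev != tunnel:
        findings.append(("ipv6-off-tunnel", r.dev))
    for ns in parse_resolv_conf(resolv_text):
        ip = ipaddress.ip_address(ns)
        if ip.is_loopback:  # local stub resolver (systemd-resolved etc.): check `resolvectl status`
            findings.append(("dns-local-stub", ns))
            continue
        r = lookup(v4 if ip.version == 4 else v6, ns)
        if r is None or r.blackhole:
            findings.append(("dns-unreachable", ns))
        elif r.dev != tunnel:
            findings.append(("dns-off-tunnel", ns, r.dev))
    return findings

# Constructed sample: IPv4 is pulled into tun0 by def1 routes, but the IPv6 default
# route from router advertisements and the DHCP-supplied resolver still use wlan0.
SAMPLE_V4 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
SAMPLE_RESOLV = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"

def live_audit(tunnel: str = "tun0") -> List[Tuple]:
    """Run the same checks against the running system (needs iproute2)."""
    out = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    with open("/etc/resolv.conf") as f:
        return audit(out("ip", "-4", "route"), out("ip", "-6", "route"), f.read(), tunnel)

if __name__ == "__main__":
    for finding in audit(SAMPLE_V4, SAMPLE_V6, SAMPLE_RESOLV):
        print(finding)  # expect ('ipv6-off-tunnel', 'wlan0') and ('dns-off-tunnel', '192.168.1.1', 'wlan0')
```

On the constructed sample the IPv4 check passes (the def1 routes win over the DHCP default route), while the IPv6 default route and the second resolver are both flagged as leaving via wlan0. An "unreachable" IPv6 default route, which is what disabling IPv6 or a blackhole route produces, is treated as a remedy rather than a leak, and a loopback nameserver is reported separately because the real upstream resolver then has to be read from the local stub's configuration.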
Other vulnerabilities in Windows
Another consequence of a DNS leak is a loss of privacy. Anyone operating a site the user visits (a DNS leak test page, for instance) can see which resolver looked up the name. If it is the ISP's resolver, the user's ISP and approximate location are revealed, which defeats the purpose of using a VPN.
Windows users are particularly exposed. Windows 7 queries the DNS servers of an adapter one after another, but Windows 8 and 8.1 handle the situation “quickly”: with smart multi-homed name resolution, the query is sent simultaneously to the DNS servers of every connected interface.
If the preferred server does not answer within the resolver's timeout, the response from another server is used. With a VPN, the tunnel's resolver is usually the slower one, so the ISP's resolver answers first and the query has already leaked. Fortunately, the behaviour can be disabled with the Group Policy setting “Turn off smart multi-homed name resolution” (Computer Configuration > Administrative Templates > Network > DNS Client). Unfortunately, on editions without the policy editor this means setting the DWORD value DisableSmartNameResolution to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, a fiddly manual job in the registry.
Windows 10 is even worse. It also sends the query over every interface and simply uses whichever response arrives first, and the setting above does not stop it from doing so.
WebRTC is another source of leaks. The technology was designed to set up a direct connection between two endpoints and is used today mainly for real-time audio and video in the browser.
The leak comes from the way WebRTC discovers a path between the peers: it enumerates all of the machine's network interfaces, tries each of them, and uses whichever pair connects first, and a web page can read the addresses it collects, including the real local addresses of interfaces the VPN does not cover. The user has no way to restrict this to the tunnel. Browser plug-ins such as Java and Adobe Flash showed the same lack of control, opening their own connections instead of following the browser's settings. For anyone relying on a VPN for privacy, this is a serious threat.