A test conducted by cybersecurity researcher and ethical hacker John Mason of the Best of VPN found 10 of 15 Chrome VPNs leaked queries from domain name servers (DNS), or the protocol used to translate a normal domain name (like www.dailydot.com) to an IP address so a browser can load it.
The issue stems from a Chrome feature called DNS prefetching, which is designed to reduce latency by guessing what website you’re about to visit and pre-loading its IP address. For example, if you hover over a link, Chrome will make a DNS request, so the site loads faster once you press on it.
Obviously, VPNs should not be leaking data to an observer and potentially giving them the tools to track your browsing habits. The point of a VPN is to securely access a private network and remotely tunnel encrypted data to it. By leaking DNS requests, the VPN undermines its entire purpose.
“VPN extensions shouldn’t leak DNS data as it’s similar to IPs, can be used to see where a user is and one major use of VPNs is anonymity,” Mason wrote in an email to the Daily Dot. “They should block all kinds of outgoing DNS queries while they are running or route it through them.”
Without getting too technical, DNS data is leaked because DNS prefetching continues to operate when one of two VPN extension modes is in use. This allows bad actors to create web pages that force visitors to leak DNS requests and gives ISPs the ability to collect the URL of a user’s favorite websites.
Mason posted a list of the 10 VPN extensions he tested that leaked DNS requests.
- Hola VPN
- HotSpot Shield
- VPN Unlimited
- ZenMate VPN
- Ivacy VPN
“Since A LOT and I mean A LOT of users use the web extensions to browse anonymously, this is a severe hole in it,” Mason said. “For example, HolaVPN has over 8 million users, Tunnelbear more than 700k. Both of them leak DNS. This only happens with web extensions though, if you use a VPN app, this won’t affect you.”
He also outlined steps for users to determine whether their VPN leaks DNS. They are as follows:
- Activate the Chrome plugin of your VPN.
- Go to chrome://net-internals/#dns.
- Click on “clear host cache.”
- Go to any website to confirm this vulnerability.
If your VPN is leaking requests, you can navigate to your Chrome settings, type “predict” in “search settings” and disable “Use a prediction service to help complete searches and URLs typed in the address bar” and “Use a prediction service to load pages more quickly.”
If you want to use a VPN, we suggest downloading a full app, which won’t be affected by this strange vulnerability. Here is a list of the five best VPN apps.
We have reached out to Google and will update this article if we learn more.