Windows 10 Users Beware of This New Security Risk – We recently read Windows 10 described as “an improved version of Windows 7.” Really? That’s kind of sad. I remember an old TV show named Seaquest DSV that had an episode where a future newspaper headline read ‘Apple Buys Microsoft’. Maybe that will come to pass.
However, until then, we feel compelled to report on new “features” in Windows 10 that should cause concern for privacy seekers everywhere. That is especially true for Q Wealth Report readers and subscribers.
A recent article outlined how Windows 10 VPN users are at risk of a DNS leak. That means your ISP, or anyone else watching your local network, can see which websites and services you visit while on the Internet, even though the VPN is connected.
Here is the article:
Update 29 September 2015: The solution published by Avast does not work for Windows Home users. We have added a partial workaround for this to the end of the article.
A new “feature” in Windows 10 means that DNS requests are sent not just through your VPN tunnel, but also through your ISP and local network interface. This is because, by default, Windows 10 attempts to improve web performance by sending each DNS request in parallel to the DNS servers of every available network interface at once, and (at least in theory) using whichever answers first.
This is a major issue for VPN users, as it means that your ISP (and anyone listening in on your local network) can tell from your DNS requests which websites and services you have visited on the internet, and it opens the way for an attacker to hijack your DNS requests (DNS spoofing). There are also reports of Windows 10 users suffering slow page loading and timeouts because of this behaviour.
The problem has led the United States Computer Emergency Readiness Team (US-CERT), part of the US Department of Homeland Security, to issue an alert.
DNS refers to the Domain Name System, which is used to translate domain names (www.bestvpn.com) into numerical IP addresses (such as 184.108.40.206). This translation is usually performed by your ISP, using its DNS servers, but when you use a VPN service the DNS request should instead be routed through the VPN tunnel to your VPN provider’s DNS servers (rather than those of your ISP).
Under Windows 7 all DNS requests were made in simple order of DNS server preference, but this changed in Windows 8 when Microsoft enabled “Smart Multi-Homed Name Resolution” by default. This sent DNS requests out on all available interfaces, but only used the non-preferred servers if the main DNS server failed to respond.
This makes Windows 8.x systems liable to DNS leaks, but at least makes it unlikely that DNS requests will be hijacked. Windows 10, on the other hand, simply uses whichever DNS server responds quickest, which presents a major security risk.
VPN clients that feature “DNS leak protection” should disable Smart Multi-Homed Name Resolution in earlier versions of Windows, but this may not work in Windows 10 (and may vary by individual client). Users of clients without this feature (including the generic open source OpenVPN client) will almost certainly be liable to DNS leaks under Windows 10.
We therefore strongly advise all Windows 8, Windows 8.1, and especially Windows 10 users to disable Smart Multi-Homed Name Resolution. Avast has published some great instructions on how to do this.
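The Avast instructions referred to above use the Group Policy editor to turn the setting off. The following is an added example, not part of the original article, that writes the registry value behind that policy (“Turn off smart multi-homed name resolution”) directly from an elevated PowerShell prompt and reads it back to confirm it took. The value name and key path are the ones the policy uses; the DNS client only picks the change up after the Dnscache service is restarted or the machine is rebooted.

```powershell
# Added example (not from the original article): set the registry value that
# backs the Group Policy setting "Turn off smart multi-homed name resolution",
# then verify it. Run from an elevated PowerShell prompt.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$valueName = 'DisableSmartNameResolution'

function Disable-SmartMultiHomedNameResolution {
    # The Policies\...\DNSClient key does not exist until a DNS policy is set.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # DWORD 1 == policy enabled (feature turned off)
    New-ItemProperty -Path $policyKey -Name $valueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SmartMultiHomedNameResolutionDisabled {
    # Returns $true only if the value is present and set to 1.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$valueName -eq 1)
}

Disable-SmartMultiHomedNameResolution

if (Test-SmartMultiHomedNameResolutionDisabled) {
    Write-Output "$valueName = 1 is set. Restart the DNS client to apply it:"
    Write-Output '  Restart-Service Dnscache   (or reboot)'
} else {
    Write-Warning "$valueName was not written. Is this prompt elevated?"
}
```

The article notes that the policy editor option is missing on Home editions; whether the DNS client on a Home edition honours the raw registry value is not something the article establishes, so after restarting Dnscache check the result at ipleak.net exactly as the article advises, rather than trusting the registry read-back alone.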
We also recommend disabling “Obtain DNS server address automatically” in your network interface settings and setting your preferred DNS server to a third-party provider (see 4 ways to prevent a DNS leak when using VPN).
Windows Home edition users
It has come to our attention that the solution published by Avast only works for Professional versions of Windows, as the ‘Turn off smart multi-homed name resolution’ option is not available for users of Windows Home Editions. Below is a partial workaround for Home users:
1. Go to Control Panel -> Network and Sharing Center -> Change adapter settings -> right click your internet connection -> Properties
2. Ensure that ‘Internet Protocol Version 6 (TCP/IPv6)’ is disabled (unchecked), then click on ‘Internet Protocol Version 4 (TCP/IPv4)’ -> Properties
3. Check ‘Use the following DNS server addresses’ radio button
We here have AirVPN set up as our preferred DNS server, with Google DNS as an alternate for when we are not connected to AirVPN
4. If you can find out your VPN provider’s DNS server settings (it is worth contacting them over this), set these as your Preferred DNS server, and then use a third-party DNS provider, such as Google DNS (8.8.8.8) or OpenNIC, as your Alternate DNS server (this is useful for connecting to the internet when the VPN is turned off).
If you cannot find out your VPN provider’s DNS server settings, then it is still preferable to use third party DNS servers than those of your ISP. See this article for a list of third party DNS server addresses.
Hit ‘OK’ when you are done, and check that your ISP does not show up when you visit ipleak.net.
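The four steps above can also be done from an elevated PowerShell prompt with the built-in DnsClient and NetAdapter cmdlets, which is handy if you need to apply the same settings to several machines or check them later. This is an added example, not from the original article: the adapter name and the VPN DNS address are placeholders that you must replace with your own (the article itself says to ask your provider for its DNS server address).

```powershell
# Added example (not from the original article): unbind IPv6 on the internet
# adapter, replace "obtain DNS automatically" with an explicit server list, and
# then list any interface still pointing at other (for example ISP) DNS servers.
# Run from an elevated PowerShell prompt.
$adapterName = 'Ethernet'   # assumption: the name of your internet-facing adapter
$vpnDns      = '10.4.0.1'   # assumption: your VPN provider's DNS server (ask them)
$fallbackDns = '8.8.8.8'    # Google Public DNS, the alternate used when the VPN is down

function Set-LeakResistantDns {
    param([string]$Name, [string[]]$Servers)
    # Step 2: untick TCP/IPv6 so no IPv6 lookups go out on this adapter
    Disable-NetAdapterBinding -Name $Name -ComponentID 'ms_tcpip6' -Confirm:$false
    # Steps 3/4: static preferred + alternate servers instead of the ISP's DHCP-supplied ones
    Set-DnsClientServerAddress -InterfaceAlias $Name -ServerAddresses $Servers
}

function Get-InterfacesUsingOtherDns {
    # Returns every IPv4 interface whose DNS server list contains an address
    # outside the allowed set; with the fix in place this should be empty.
    param([string[]]$Allowed)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Where-Object {
            @($_.ServerAddresses | Where-Object { $Allowed -notcontains $_ }).Count -gt 0
        }
}

Set-LeakResistantDns -Name $adapterName -Servers @($vpnDns, $fallbackDns)

$offenders = Get-InterfacesUsingOtherDns -Allowed @($vpnDns, $fallbackDns)
if ($offenders) {
    Write-Warning 'Interfaces still configured with other DNS servers:'
    $offenders | Format-Table InterfaceAlias, ServerAddresses -AutoSize
} else {
    Write-Output 'All IPv4 interfaces use only the configured DNS servers.'
}
```

Two caveats. First, this only changes which servers Windows asks; it does not stop Windows 10 from sending the query out on every interface, which is why the article calls it a partial workaround. Second, a plain DNS query to 8.8.8.8 that leaves over the physical adapter rather than the tunnel is still unencrypted UDP/TCP port 53 traffic, so your ISP can still read the queried names on the wire even though it is no longer the resolver. The ipleak.net check the article recommends remains the test that matters.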
Our thanks to reader MikeL for bringing our attention to this matter, and to blogger ValdikSS for helping to shed light on the situation.
All credit goes to Douglas Crawford.
If you like this kind of reporting then please remember that you will still find many practical and useful tips in The Complete Guide to Computer Security… for Mere Mortals. The security and privacy of your personal information is within your control. Read the report and start to protect yourself now.
Here is a video from Frederick D. our Computer Security Expert… See what he has to say here about Computer Security Solutions.
We’d like to thank our friends at BGR for enlightening us on the merits of using DuckDuckGo as a viable alternative to Google for a search engine. The full text of the article above is available here.