It’s been discovered that Windows 10, in Microsoft’s infinite wisdom, changes DNS behaviour to poll all available DNS sources at the same time and pick the quickest one automatically, going against decades of good security practice. This means a few things: your DNS lookups get sent out on every interface, even if you use a VPN or manually configured DNS servers, and you become vulnerable to DNS cache poisoning and DNS leaks, especially on public networks. US-CERT has issued a warning, and I’ve updated my Windows 10 checklist with this information.
“Everything changed when it comes to Windows 10. Now the OS not only sends DNS requests to all interfaces, it even uses the fastest response it receives. This allows your ISP or a hacker to hijack your DNS really easily and reliably. Moreover, you can’t disable ‘Smart Multi-Homed Name Resolution’ in Windows 10; the registry key which worked for Windows 8.1 doesn’t work now.
The only acceptable (but not fully reliable) way to work around this issue is to explicitly set DNS on your network interface somewhere out of your local segment, like the well-known 8.8.8.8, but it won’t help for OpenVPN. The only way to avoid DNS leaks in OpenVPN is to use scripts which temporarily disable all DNS on external interfaces.”
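The “scripts which temporarily disable all DNS on external interfaces” workaround, as an added example that is not from the quoted post or from the OpenVPN project: it records the DNS servers of every physical adapter that is not the VPN adapter, points them at an address nothing answers on for the duration of the VPN session, and restores them afterwards. It assumes the VPN adapter’s description contains “TAP” (the pattern is a parameter), that 127.0.0.1 is not running a resolver, and that an adapter whose IP comes from DHCP also took its DNS from DHCP (a heuristic); run it elevated.

```powershell
# Added example (not the original post's code): park DNS on non-VPN adapters during a VPN session.
param(
    [string]$VpnPattern = 'TAP',                            # assumption: OpenVPN TAP adapter
    [string]$StateFile  = "$env:ProgramData\dns-park-state.xml"
)

function Disable-ExternalDns {
    # Save each non-VPN adapter's IPv4 DNS servers, then set them to a black-hole address so
    # a query Windows tries on that interface simply fails instead of leaving the machine.
    $saved = @{}
    Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notmatch $VpnPattern } |
        ForEach-Object {
            $cfg = Get-DnsClientServerAddress -InterfaceAlias $_.Name -AddressFamily IPv4
            $saved[$_.Name] = @($cfg.ServerAddresses)
            # Assumption: no resolver listens on 127.0.0.1; pick another unreachable address if one does.
            Set-DnsClientServerAddress -InterfaceAlias $_.Name -ServerAddresses '127.0.0.1'
        }
    $saved | Export-Clixml -Path $StateFile
    Clear-DnsClientCache          # drop answers obtained before the VPN came up
    return $saved
}

function Restore-ExternalDns {
    # Put every parked adapter back the way it was; call this from the VPN's disconnect hook.
    if (-not (Test-Path $StateFile)) { return }
    $saved = Import-Clixml -Path $StateFile
    foreach ($alias in $saved.Keys) {
        $ipIf = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
        if ($ipIf -and $ipIf.Dhcp -eq 'Enabled') {
            # Heuristic: DHCP-addressed adapter -> hand DNS back to DHCP rather than pinning old leases.
            Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses
        } elseif ($saved[$alias].Count -gt 0) {
            Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $saved[$alias]
        } else {
            Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses
        }
    }
    Remove-Item $StateFile
}
```

Wire `Disable-ExternalDns` into the VPN client’s connect hook and `Restore-ExternalDns` into its disconnect hook; if the client dies without running the hook, the saved state file lets you restore by hand.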