Beware of Windows 10 DNS resolver and DNS Leaks

It’s been discovered that Windows 10, in Microsoft’s infinite wisdom, changes DNS behaviour: the resolver sends each lookup to the DNS servers of every connected interface at the same time and accepts whichever answer comes back first (the ‘Smart Multi-Homed Name Resolution’ feature), going against decades of good security practice. This means a few things: your DNS lookups go out of every interface, even if you are on a VPN or have manually configured DNS servers; whichever resolver answers fastest, including a rogue one on the local network, gets its answer cached; and so you are exposed to DNS cache poisoning and DNS leaks, especially on public networks. US-CERT has issued a warning, and I’ve updated my Windows 10 checklist with this information.

“Everything changed when it comes to Windows 10. Now the OS not only sends DNS requests to all interfaces, it even uses the fastest response it receives. This allows your ISP or a hacker to hijack your DNS really easily and reliably. Moreover, you can’t disable ‘Smart Multi-Homed Name Resolution’ in Windows 10; the registry key which worked for Windows 8.1 doesn’t work now.

The only acceptable (but not fully reliable) way to work around this issue is to explicitly set DNS on your network interface to somewhere outside your local segment, like the well-known 8.8.8.8, but it won’t help for OpenVPN. The only way to avoid DNS leaks in OpenVPN is to use scripts which temporarily disable all DNS on external interfaces.”
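To make the quoted workaround concrete, here is an added example (my own script, not code from the quoted post, from Microsoft or from the OpenVPN project). It first lists which interfaces carry DNS servers, since every one of them is a resolver Windows 10 will race against the VPN’s, and then blocks outbound port 53 on every interface except the VPN adapter with Windows Firewall rules, so a resolver reached over Wi-Fi or Ethernet can never win the race. It assumes an OpenVPN TAP-Windows adapter and uses the rule-name prefix `DnsLeakBlock`; both are my choices, adjust them for other VPN clients.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumptions (mine, not the page's): the VPN adapter is an OpenVPN TAP-Windows
# adapter, and firewall rules are named with the prefix "DnsLeakBlock".
param(
    [ValidateSet('Audit', 'Enable', 'Disable')]
    [string]$Action = 'Audit'
)

$RulePrefix = 'DnsLeakBlock'

function Show-DnsPerInterface {
    # Every interface shown here is one that Windows 10 queries in parallel
    # with the VPN's resolver, and any of them can be the "fastest" answer.
    Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias, AddressFamily, ServerAddresses |
        Format-Table -AutoSize
}

function Get-VpnInterfaceAlias {
    # Assumption: OpenVPN's TAP-Windows adapter. Change the filter for other clients.
    $tap = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' } |
        Select-Object -First 1
    if (-not $tap) { throw 'No TAP-Windows adapter found; is the VPN client installed?' }
    return $tap.InterfaceAlias
}

function Enable-DnsLeakBlock {
    param([string]$VpnAlias = (Get-VpnInterfaceAlias))
    # Every interface other than the VPN adapter (Ethernet, Wi-Fi, hotspot, ...)
    # gets an outbound block on port 53 for both UDP and TCP, on all profiles.
    $external = Get-NetAdapter |
        Where-Object { $_.InterfaceAlias -ne $VpnAlias } |
        Select-Object -ExpandProperty InterfaceAlias
    foreach ($alias in $external) {
        foreach ($proto in 'UDP', 'TCP') {
            New-NetFirewallRule -DisplayName "$RulePrefix $proto $alias" `
                -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 `
                -InterfaceAlias $alias -Profile Any | Out-Null
        }
    }
    # Drop any answers already cached from a non-VPN resolver before the block.
    Clear-DnsClientCache
    Write-Host "Outbound DNS blocked on: $($external -join ', '); allowed only via $VpnAlias"
}

function Disable-DnsLeakBlock {
    # Remove only our own rules, matched by the prefix.
    Get-NetFirewallRule -DisplayName "$RulePrefix *" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Write-Host 'DNS leak block rules removed'
}

switch ($Action) {
    'Audit'   { Show-DnsPerInterface }
    'Enable'  { Enable-DnsLeakBlock }
    'Disable' { Disable-DnsLeakBlock }
}

# Usage: .\dnsleak.ps1 -Action Audit
#        .\dnsleak.ps1 -Action Enable    (e.g. from an OpenVPN --up script)
#        .\dnsleak.ps1 -Action Disable   (e.g. from an OpenVPN --down script)
```

Run `Audit` before and after enabling: the interface list will not change (the blocked interfaces still have DNS servers configured), but lookups can now only leave through the VPN adapter. Blocking at the firewall rather than clearing the DNS servers means nothing has to be saved and restored when the tunnel goes down, and the rules are removed in one step by name. If the tunnel drops while the rules are in place, name resolution fails closed, which is the intended behaviour on a public network.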
