Browser VPN extensions for Google Chrome may be leaking DNS queries to external observers thanks to a Chrome feature called DNS prefetching.
DNS prefetching works when Chrome makes DNS requests before the user clicks on a link.
For example, Chrome will make a DNS request for a domain when the user hovers a link, and will also run DNS queries for the domains that populate the Chrome address bar's drop-down autofill.
The purpose of DNS prefetching is very obvious, as it helps Chrome shave off a few milliseconds from a page's loading time. Due to these benefits, Google Chrome browsers come with DNS prefetching enabled by default in their standard configurations.
Under normal circumstances, a VPN client would use custom DNS settings to hide the user's DNS queries. But John Mason of TheBestVPN.com says that some Chrome VPN extensions fail to mask queries made via Chrome's DNS prefetching system.
The source of this problem is how VPN extensions funnel DNS queries from Chrome to the VPN client. Certain configurations create the leak.
"The issue is that DNS Prefetching continues to function when pac_script mode is used. Since HTTPS proxy does not support proxying DNS requests and Chrome does not support DNS over SOCKS protocol, all prefetched DNS requests will go through the system DNS. This essentially introduces DNS leak," Mason said today in a blog post describing the issues in more technical depth.
A survey carried out by Mason discovered that 10 out of 15 popular Chrome VPN extensions are leaking details about the user's potential browsing patterns thanks to DNS prefetching queries. According to Mason, the following Chrome VPN extensions leak DNS queries made by Chrome's DNS prefetching mechanism:
Mason also tested WindScribe, NordVPN, CyberGhost, Private Internet Access, and Avira Phantom VPN, and found they weren't leaking DNS queries from Chrome's prefetching behavior.
How to test for leaks in DNS prefetching
The researcher has published a simple procedure that users can follow and test for DNS leaks in other Chrome VPN extensions to which he didn't have access.
Speaking to Bleeping Computer, Mason says that the problem appears to be browser extensions.
"They are supposed to route all web traffic, including DNS encrypted traffic, through their network, but a lot of them don't," the researcher told us. "This is not a problem when a person connects through the actual [VPN] application the provider made for their OS."
So the simplest way to avoid DNS prefetching leaks is to turn on the VPN client app itself, instead of relying just on the Chrome VPN extensions alone.
Furthermore, users can also stop DNS prefetching leaks at the cause, by turning off DNS prefetching in Chrome.
While there's no good reason for non-VPN users to disable a speed optimization feature, VPN users can turn off DNS prefetching by unchecking these two Chrome settings:
"VPN extensions shouldn't leak DNS data as its, similar to IPs. In my book, this is a severe issue. Hopefully, when this [issue/research] gets passed around, a lot of them will fix it," Mason told us.
Update 4/4/18: According to a representative from Hotspot Shield, this leak was fixed by them.