ExpressVPN publishes new third-party audit report and research paper on DNS leaks


At ExpressVPN, we believe in earning user trust through transparency rather than just asking customers to take our word for it. One way we do so is by regularly publishing audits by trusted third parties, providing independent verification of the privacy and security commitments we make to users.

Earlier this year, Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET, notified ExpressVPN that he had observed unexpected DNS request behavior when using split tunneling on his Windows machine. We have since deployed a fix, and both our in-house team and the original bug reporter from CNET have confirmed through independent testing that the issue was fixed.

But we wanted to go the extra mile to confirm that our Windows apps were safe and secure for our users. So we recently invited a third-party cybersecurity firm, Nettitude, to conduct a penetration test on our Windows apps. The primary objective of the assessment was to ensure that the DNS issue related to the split-tunneling feature was remediated and the app was bug-free. The audit took place in March and April 2024.

We are pleased with the results, which highlight the overall robust security level of the ExpressVPN app for Windows. Nettitude found just one issue, which it rated as medium severity. That issue has since been remedied, as confirmed by Nettitude as part of its re-testing and reporting process. Read the full audit report by Nettitude.

Rethinking DNS leaks in VPNs

This initial case identified by the CNET expert prompted us to delve deeply into Windows DNS over the past few months, and we wanted to share some of our discoveries publicly. What initially started as a due diligence process to record and verify the unexpected behavior turned out to have been much more illuminating than expected. 

As our team started digging into the particular circumstances surrounding this case, we discovered what looks like a much bigger issue—one that could potentially affect the entire VPN industry. In essence, we believe we have found a serious flaw in the way DNS leaks are tested for and what is currently considered best practice. We found this issue in at least one other VPN provider, which has since implemented our recommended solution. However, we believe it’s likely that many more providers could be affected.

This is why we are publishing a technical paper on our findings, so that others in the industry can investigate and improve their own apps. We hope that by transparently sharing our research, we can help raise the bar for the entire industry, and therefore better safeguard the privacy and security of all VPN users—not just our own customers.

During this process, it became increasingly clear to us that our traditional frameworks for assessing online security are inadequate. Traditionally, the term "DNS leak" was often limited to scenarios where a user’s public IP address is inadvertently exposed to a DNS server. However, our research indicates that this view is overly simplistic and there’s more to the story.

We categorize DNS leaks into two types:

  • Type 1 DNS leaks occur when DNS requests bypass the VPN tunnel due to configuration errors or lack of protective measures. This exposes the user’s IP address directly to DNS servers, compromising their anonymity and privacy.
  • Type 2 DNS leaks present a subtler yet equally significant risk. They occur when DNS requests are directed to DNS servers not deliberately chosen by the user. For instance, if a user intentionally sets their system to use a specific DNS provider like Cloudflare, this action is deemed a matter of personal preference rather than a leak.

Type 1 DNS leaks, with their glaring visibility, have long been the focus of our scrutiny. Yet, it is the subtler machinations of Type 2 DNS leaks that merit additional scrutiny and attention. We also uncovered how Stealth DNS servers, by remaining hidden from traditional DNS leak detection tools, contribute to a false sense of security, particularly with Type 2 leaks.
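The two categories above can be checked against the DNS queries a machine actually sends. The following is an added example, not code from ExpressVPN or from the paper: the log format, the interface name `tun0` and all addresses are constructed. It assumes that any query leaving on a non-tunnel interface is Type 1 (it does not model split-tunnel exclusions) and that the VPN's own resolver counts as a resolver the user chose.

```python
import ipaddress
from collections import Counter

# Constructed sample: one observed DNS query per line (interface, resolver, name).
SAMPLE_LOG = """\
iface=tun0 dst=10.8.0.1 qname=example.com
iface=eth0 dst=192.168.1.1 qname=example.org
iface=tun0 dst=1.1.1.1 qname=example.net
iface=tun0 dst=203.0.113.53 qname=example.edu
"""

def parse_line(line):
    """Turn 'k=v k=v' into a dict and normalise the resolver address."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec

def classify(rec, tunnel_iface, chosen_resolvers):
    """Return 'type1', 'type2' or 'ok' for one observed DNS query."""
    if rec["iface"] != tunnel_iface:
        # Type 1: the request bypassed the tunnel, so the resolver
        # sees the user's real IP address.
        return "type1"
    if rec["dst"] in chosen_resolvers:
        # In the tunnel and sent to a resolver the user picked: not a leak.
        return "ok"
    # Type 2: in the tunnel, but to a resolver the user never chose.
    return "type2"

def audit(log_text, tunnel_iface, chosen):
    """Classify every query in the log; returns [(qname, verdict), ...]."""
    chosen_set = {ipaddress.ip_address(a) for a in chosen}
    results = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            results.append((rec["qname"], classify(rec, tunnel_iface, chosen_set)))
    return results

def summary(results):
    """Count verdicts across the whole log."""
    return Counter(verdict for _, verdict in results)

if __name__ == "__main__":
    # Assumed setup: 10.8.0.1 is the VPN resolver, 1.1.1.1 was set by the user.
    for qname, verdict in audit(SAMPLE_LOG, "tun0", ["10.8.0.1", "1.1.1.1"]):
        print(f"{verdict:6} {qname}")
```

The same query to 1.1.1.1 is reported as Type 2 when that address is left out of the chosen list, which is the distinction the Cloudflare example in the definition draws.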

We’ve published the paper in engrXiv (Engineering Archive), and we strongly encourage you to read it in full to get a comprehensive understanding of the leaks, threat scenarios, and mitigation strategies. 

We thank everyone who has worked with us on this progress so far. As we move forward, it is imperative that we continue to refine our detection methodologies, enhance the security measures of VPN services, and foster an environment of transparency and cooperation within the cybersecurity community.

Pete Membrey is currently Chief Engineering Officer at ExpressVPN, the creator of Lightway (an open-source, mobile-first VPN protocol), and a core member of the team that created TrustedServer, the VPN industry's first RAM-only server platform designed with an entire defense-in-depth strategy.