A study by a team of security researchers from Sapienza University of Rome and Queen Mary University of London exposed an IPv6 leakage and DNS hijacking threat recently.
The information presented here is outdated. Since the time it was reported, PureVPN has made several security and privacy enhancements to its VPN network. PureVPN currently offers 500+ servers in 100+ countries worldwide. Additionally, we had already migrated from OpenDNS and Google DNS to private DNS a long time ago.
We hereby confirm that all our users remained 100% safe and secure from the DNS hijacking attacks. To reassure our users – customer security is our priority and it is something we take very seriously.
PureVPN is Safe From DNS Hijacking
A little word first on the DNS hijacking; Briefly, an attacker within users network can imitate to be the "Legitimate" DNS/DHCP server impersonating as the VPN providers' DNS/DHCP server. Pursuing our quest and commitment for an always-improvising security and privacy service we have long moved our entire network to our own DNS servers. Now since PureVPN uses IPs for the DNS server from the same IP pools that it dynamically assigns to it's users this makes attack impossible on PPTP/L2TP/SSTP/IKEv2 tunnels. For OpenVPN which we officially support on Windows was already unaffected. Both these assertions are also confirmed by the Study.
Furthermore, PureVPN uses a different DNS server on each VPN server, this further eliminates the attack vector as highlighted and confirmed by the Study.
PureVPN And The IPV6 Leakage
So what is IPv6 Leakage and how does it cause DNS hijacking?
Briefly, the root cause of the problem is the gradual (actually, too sluggish) transition of the Internet from IPv4 (the IP as we know it e.g 184.108.40.206) to IPv6. The IPv4 IP space has now fully exhausted and can no longer answer Internet's growing population, the world must transition to IPv6. However there have been numerous challenges and road blocks which are the core reason of this vulnerability.
Now there have been numerous websites, even some torrent applications and trackers, that operate on dual stack i-e make themselves available for both IPv4 and IPv6 networks simultaneously. Most of today's VPN networks run only IPv4 thus leaving our IPv6 traffic to take the regular, non-encrypted, ISP path and that's where the problem is. A third party or a malicious attacker can trace any user’s requests by enticing them to browse particular web pages, downloading an image, advertisement or css file from an IPv6 URL. PureVPN however has been disabling IPv6 since Q3 2014 protecting it's users to quite an extent. Today we've released an updated version for our Windows client with additional security measures packed, and the Mac update will be released shortly as well. Users are advised to upgrade their Windows clients and use the additional IPv6 leak protection features from the Settings pane.
Words of advice for PureVPN manual users,
- Windows manual users are requested to disable IPv6 manually on their system to prevent DNS Hijacking. Here is the tutorial on how to disable IPV6 on Windows.
- iOS App and manual users are already protected. No leakage identified while investigating the issue.
- For Android we are still working on the issues and will update as soon as we come to a conclusion
PureVPN clearly stood out and provided greater security to it's users than most of our competitors. But it doesn't end here as we've planned further advancements for the coming weeks. We are currently testing support for IPv6 tunneling as the world get's ready to embrace IPv6 especially now when the last major IPv4 resource holder, ARIN, is not officially out of IPv4 space. We'll keep our users posted further.
Security For All Platforms And Devices
In addition to securing users from IPV6 leaks and DNS hijacking, PureVPN does not maintain any logs of users’ activities. This means that users remain secure and anonymous at all times.