Features of the DNS resolver in Windows 10 and DNS Leak

TL; DR: The DNS resolver in Windows 10 sends requests to all DNS server addresses known to the system in parallel, linking the request to the interface, and uses the response that came faster. In case you use a DNS server from a local segment, this behavior allows your provider or an attacker with a Wi-Fi point to replace the DNS records, even if you use VPN.

Modern versions of Windows add headaches to active VPN users. A DNS resolver to Windows 7 inclusively had predictable behavior, making requests to DNS servers in turn and priority of DNS servers, in general, like all other operating systems. This created the so-called DNS Leak (DNS request leak through the external interface with a VPN connected) only if the DNS server inside the VPN tunnel did not respond on time, or responded with an error, and, in general, was not such a glaring problem. .
')

Windows 8

With the release of Windows 8, Microsoft added a very interesting feature to the DNS resolver, which, as I can tell from Google, went completely unnoticed: Smart Multi-Homed Name Resolution. If this feature is enabled (and it is enabled by default), the OS sends requests to all known DNS servers on all network interfaces in parallel, tying the request to the interface. This was done, probably, in order to reduce the waiting time for a response from the preferred DNS server in case it is unable for some reason to respond to the timeout allotted to it (1 second by default), and immediately after the timeout expires, give the answer from the next priority server. Thus, in Windows 8 and 8.1, all your DNS queries “flow away” through the Internet interface, allowing your provider or the owner of a Wi-Fi point to view which sites you visit, provided that your routing table allows DNS requests -server through the Internet interface. Most often, this situation arises if you use a DNS server inside the local segment, such DNS raise 99% of home routers.

This functionality can be disabled by adding to the registry branch:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
The DWORD parameter with the name:
DisableSmartNameResolution
and any value other than zero, which returns the old resolver behavior.

Windows 10

Although Windows 8 and 8.1 sent all your requests without your knowledge through the public interface, it was difficult for an attacker to spoof a DNS response in such a way as to redirect you to a fake website. The OS would use a spoofed response only if it was not possible to get the correct answer from the preferred DNS server, which is the server inside the encrypted tunnel.
Everything changed with the arrival of Windows 10. Now the OS not only sends a request through all interfaces, but also uses the answer that came faster, which almost always allows your provider to redirect you to a stub about a banned site or an attacker to a fake site. Moreover, the way to disable Smart Multi-Homed Name Resolution, which worked in Windows 8.1, does not work on the new version.
The only acceptable (though not the most reliable) way to solve the problem is to set DNS on the Internet interface outside the local segment, for example, the well-known 8.8.8.8, however, it will not help in the case of OpenVPN. For OpenVPN, the only (and ugly) solution is to temporarily disable DNS on the Internet interface with scripts .

UPD: Earlier in the article it was recommended to use the redirect-gateway parameter without def1 for OpenVPN. It turns out that Windows returns the default route from the DHCP server each time the IP address is updated, and after a while all of your traffic would start to bypass the VPN. At the moment, there is no beautiful solution.

UPD2: I wrote a plugin .

UPD3: Windows 10, starting with Creators Update, now sends DNS requests to all known DNS server addresses in order, rather than in parallel, starting with a random interface. To increase the priority of a specific DNS, you need to reduce the interface metric. I made a patch for OpenVPN, I hope it will be included in 2.4.2: https://sourceforge.net/p/openvpn/mailman/message/35822231/

UPD4: Update is included in OpenVPN 2.4.2.