Security News > 2024 > February > ExpressVPN bug has been leaking some DNS requests for years
ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers.
A bug in this feature caused DNS requests of users not to be directed to ExpressVPN's infrastructure, as they should, but to the user's internet service provider.
Usually, all DNS requests are done through ExpressVPN's logless DNS server to prevent ISPs and other organizations from tracking the domains a user visits.
This bug caused some DNS queries to be sent to the DNS server configured on the computer, usually a server at the user's ISP, allowing the server to track a user's browsing habits.
Having a DNS request leak like the one disclosed by ExpressVPN means that Windows users with active split tunneling potentially expose their browsing history to third parties, breaking a core promise of VPN products.
"When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server," explains the vendor's announcement.