Introduction

Authentic8 uses DynDNS and Google for domain queries. When a user visits a site within Toolbox, the site sees the HTTP/S request come from the regional egress node selected by the user. DNS queries are always carried from the Toolbox execution location through to the egress node via an IPsec tunnel before they are passed to a DNS server.


All DNS queries are issued from the egress node to a local DynDNS/Google server; the target site will see DNS queries originating from a DynDNS or Google server located close to (or in) the egress region in use.


DNS Server Geolocation

It can appear that regional egresses are using US-located DNS servers because large DNS providers (e.g., DynDNS) put all of their regional servers in a single net block which is registered in the US. These servers are then accessible by a single IP (IP anycast) which automatically routes traffic to the closest server.


The DNS server used by the Toolbox session will tend to be an in-region DNS server regardless of the fact that the observed IP address is US-owned. A traceroute from an in-region machine to the DNS server obtained by resolving the anycast address will show that the server is reasonably local (e.g., an Australian egress will use a DNS server address registered to a US DNS provider, but the actual server contacted for DNS resolution will be in Australia).


DNS Leak?

The classic "DNS leak" scenario is one in which DNS queries do not go over a VPN and thus reveal the location of the machine requesting content. This is absolutely not the case for the Authentic8 egress system. 


There are several VPN vendors who have free tests which claim to accurately identify DNS leaks by comparing the source IPs for the HTTP/S and DNS requests. When these IPs are not the same, the test results identify that as a DNS leak. In addition, the tests may fail if the HTTP/S and DNS source IPs are not registered in the same country.


However, it is perfectly normal for DNS requests and HTTP/S requests to come from different IP addresses. This happens in all cases where the user is not using a DNS resolver located behind the user's NAT point (or on the user's actual machine if not using NAT).


It is also normal for DNS queries to come through a US-based DNS provider, even from non-US locations. The top ten DNS services are all US-based (e.g., Google, DynDNS, OpenDNS). These services offer performance, reliability, and accuracy which are often in excess of that provided by local services, and do not hold the level of uncertainty around data mishandling that regional DNS servers may have.
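
The difference between the comparison these tests make and the classic leak definition, shown as an added example that is not Authentic8 code. All addresses are constructed from documentation ranges, and the function names and the `CLIENT_NETWORKS` list (networks tied to the user's real location, such as their ISP's resolvers) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Observation:
    """What a leak-test site records for one visitor (constructed model)."""
    http_src: str      # source IP of the HTTP/S request
    dns_src: str       # source IP of the DNS query reaching the test's name server
    http_country: str  # registry country of http_src
    dns_country: str   # registry country of dns_src

def naive_leak_test(o: Observation) -> bool:
    """Heuristic described above: differing IPs or registry countries => 'leak'."""
    return o.http_src != o.dns_src or o.http_country != o.dns_country

def reveals_client(o: Observation, client_networks: list[str]) -> bool:
    """Classic definition: the query bypassed the tunnel, so it arrives from a
    resolver inside a network tied to the user's real location."""
    addr = ipaddress.ip_address(o.dns_src)
    return any(addr in ipaddress.ip_network(n) for n in client_networks)

# Assumption: the user's ISP (and its resolvers) lives in this constructed range.
CLIENT_NETWORKS = ["203.0.113.0/24"]

SAMPLES = {
    # Egress in AU, anycast resolver whose block is registered in the US.
    "anycast_via_egress": Observation("198.51.100.10", "192.0.2.53", "AU", "US"),
    # Query escaped the tunnel and went out through the user's ISP resolver.
    "real_leak": Observation("198.51.100.10", "203.0.113.53", "AU", "DE"),
    # Resolver sits behind the same NAT point as the browser.
    "resolver_behind_nat": Observation("198.51.100.10", "198.51.100.10", "AU", "AU"),
}

def classify(samples=SAMPLES, nets=CLIENT_NETWORKS):
    """Return {name: (naive_flag, actually_reveals_client)} for each sample."""
    return {k: (naive_leak_test(o), reveals_client(o, nets)) for k, o in samples.items()}

if __name__ == "__main__":
    for name, (naive, real) in classify().items():
        print(f"{name:22} naive_test_says_leak={naive!s:5} reveals_client={real}")
```

The first sample is the case described above: the comparison reports a leak although the resolver's address says nothing about where the user is.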


Conclusion

While it is true that DNS queries when using Toolbox, no matter what the egress location, are processed through DynDNS and/or Google, this is also true of enough global internet traffic that it does not stand out as unusual; these DNS services are common, popular, high-performance choices worldwide.



Additional Notes  

Please contact Support if you have any additional questions and/or require further information.