Description of the problem

In your company you have an internal URL for a server, for instance: It means you have an entry for in your DNS server

You also want to expose publicly this URL to customers in order they test your application/service. Then you have a DNS entry for in a public DNS like

Now some of your IT employees connect via ssh to, but when they use their VPN they can’t. After having a quick look (nslookup), you see that when they use their VPN it’s not that is used to resolve the server IP but a public DNS.

DNS leak and transparent proxy

Two reasons:

  • DNS leak
  • Transparent proxy

In your VPN configuration you should have specified which DNS servers you want expose to your users. For instance:

  • 1/
  • 2/ (google DNS)

It means firstly your DNS server, and if no corresponding DNS entry found, then Google DNS servers. That’s all.

DNS leak

Now do a DNS leak test for example with which an online DNS leak tester.

DNS leank detected
DNS leak detected

Here you can see a DNS leak, it means you DNS lookups use DNS servers that are not provided by your VPN. And here these DNS are the ISP DNS servers (it is often like this, the ISP intercept all your DNS queries and it means your browsing with your VPN is not so private).

OK this just offend your privacy.

Transparent DNS proxy

But it you execute an nslookup command for an internal URL/server of your company and the result is “unknown host” instead of, it means that your ISP has proxy the result of your DNS query and has forced you to use their DNS servers without your knowledge. That is transparent DNS proxy.

It means that instead of serving you the result of your DNS query with your company DNS they used first their DNS server, find a result then sent you the result.
If they hadn’t find a DNS result with their DNS server they would have queried your dns server and it would have been fine for you.

It is important to note that not all ISP will do transparent proxying it really depends of the ISP. That also explain why for some of your IT collegues using the VPN there is no problem, and for others there is.

Solution: block outside traffic with your VPN

In the case of OpenVPN you simply have to add the following two lines to ensure there is no more DNS leaks, and it also means no more transparent proxy:

ignore-unknown-option block-outside-dns

You should put these two lines just before the <ca> tag:

remote-cert-tls server
ignore-unknown-option block-outside-dns

Now verify that you don’t have anymore DNS leak (and then no more transparent proxy):

No more DNS leak

As you can see, now only Google DNS servers are used to resolve external URL.