ExpressVPN has resolved a long-standing DNS bug in the Version 12 app for Windows, which was leaking some DNS requests.

The bug was introduced in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.

We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected. 

Buy Me A Coffee
ExpressVPN said in a blog post

A bug in this feature caused DNS requests of users not to be directed to ExpressVPN’s infrastructure, as they should, but to the user’s internet service provider (ISP). Usually, all DNS requests are done through ExpressVPN’s logless DNS server to prevent ISPs and other organizations from tracking the domains a user visits.

However, this bug caused some DNS queries to be sent to the DNS server configured on the computer, usually a server at the user’s ISP, allowing the server to track a user’s browsing habits.

Users of ExpressVPN versions 12.23.1 to 12.72.0 on Windows should upgrade their client to the latest version,

CERT-In Finds Multiple Vulnerabilities in Android, Advises Users to Update