ExpressVPN’s engineers have quickly deployed a fix to our Version 12 app for Windows, thanks to a tip from a reviewer that something might be amiss with how the app handles DNS requests for users who have split tunneling activated.
Attila Tomaschek, a VPN expert and staff writer at the tech publication CNET, notified ExpressVPN that he had observed DNS requests on his Windows machine weren’t being directed to ExpressVPN’s dedicated servers, as expected. This occurred when he had activated split tunneling, which limits which apps send their traffic through the VPN.
Although the issue is believed to involve fewer than 1% of users on a single app platform, Version 12 for Windows, ExpressVPN rolled out an update that disabled split tunneling on that platform entirely, to minimize the potential ongoing risk to customers. The feature will remain deactivated while engineers investigate and fix the problem.
We were only able to replicate the issue when using the specific split tunneling mode “Only allow selected apps to use the VPN,” and even then, we found that it only occurred in some cases. In our testing, users who had not activated split tunneling at all, or who had chosen the other mode, “Do not allow selected apps to use the VPN,” had their DNS requests handled properly. No other VPN protections, such as encryption, were affected.
What should happen
When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server. But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user’s internet service provider, or ISP. This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can’t see any individual webpages, searches, or other online behavior. All contents of the user’s online traffic remain encrypted and unviewable by the ISP or any other third party.
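As an added example (not part of ExpressVPN's post or code), the check below shows how a leak like the one described above can be spotted in flow records: it flags plaintext DNS traffic that goes to any resolver other than the VPN's, or that leaves on a non-tunnel interface. The resolver address, interface names and flow-record format are constructed assumptions.

```python
import ipaddress

# Assumed, constructed values: not ExpressVPN's real resolver or adapter name.
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}
TUNNEL_IFACE = "vpn0"

# Constructed flow records: time, interface, protocol, destination IP, destination port.
SAMPLE_FLOWS = """\
12:00:01 vpn0 udp 10.8.0.1 53
12:00:02 eth0 udp 192.0.2.53 53
12:00:03 eth0 tcp 198.51.100.7 443
12:00:04 vpn0 udp 10.8.0.1 53
12:00:05 eth0 tcp 192.0.2.53 53
12:00:06 eth0 udp 2001:db8::53 53
truncated record
"""


def parse_flows(text):
    """Parse flow records, skipping lines that are malformed."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, iface, proto, dst, port = parts
        try:
            flows.append({"ts": ts, "iface": iface, "proto": proto,
                          "dst": ipaddress.ip_address(dst), "port": int(port)})
        except ValueError:
            continue  # bad IP address or port
    return flows


def find_dns_leaks(flows):
    """Return plaintext DNS flows (port 53, UDP or TCP) that bypassed the VPN resolver."""
    leaks = []
    for f in flows:
        if f["port"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue
        # A leak is DNS sent to a non-VPN resolver, or sent outside the tunnel.
        if f["dst"] not in VPN_RESOLVERS or f["iface"] != TUNNEL_IFACE:
            leaks.append(f)
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(parse_flows(SAMPLE_FLOWS)):
        print(f'{leak["ts"]} DNS over {leak["proto"]} to {leak["dst"]} via {leak["iface"]}')
```

The check covers plaintext DNS on port 53 only; encrypted DNS (DoH or DoT) would need a separate check.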
If you’re a user of the Version 12 app for Windows, you should upgrade to the latest version of the app if it has not already updated automatically. Users of the Version 10 app for Windows, as well as our apps for all other devices and platforms, do not need to take any action.
Split tunneling will return to Version 12 as soon as engineers are confident that the DNS issue has been resolved. It remains available in Version 10 of the Windows app and is functioning normally.
For more details on our response to this incident, please consult our FAQ in the Support Center.
A word of thanks
ExpressVPN is extremely grateful to our extensive community of customers, beta testers, and experts who take the time to notify us of potential issues or to suggest improvements in our products. We invite anyone interested to join our beta testing program, and we offer a generous bug bounty to security researchers who report problems, no matter how small, that allow us to make our apps safer and better for all our users around the world.