/ ANNOUNCEMENT — APR 8, 2026

We’re shipping DNS anomaly detection.

A resolver you didn’t choose is one of the clearest fingerprints of redirection. The catch was flagging it without flagging our own VPN.

Our fifth detector watches the directory your device trusts to find websites: DNS anomaly detection. It flags an unexpected change to your DNS resolver — a strong tell of redirection — while carefully not tripping over the resolver change our own VPN causes. On Windows, free.

The name still looks right. The resolver answering for it changed.
/ WHY IT MATTERS

A swapped resolver, an unchanged screen

A DNS anomaly is an unexpected change to which resolver your device uses for lookups. If an attacker controls your DNS, they can quietly send you to servers they own — even for sites you type correctly — which makes a resolver change a clear fingerprint of an evil-twin or man-in-the-middle setup.

YOUR DEVICE
asks DNS
your-bank.com?
RESOLVER
1.1.1.1
→ 8.8.4.4
GOES TO
REAL BANK
trusted resolver — lookup resolves where it should
DNS REDIRECTthe same lookup, answered by whichever resolver sits in the middle
/ WHAT SHIPPED

A baseline that doesn’t flag itself

The detector reads the system’s DNS resolver and remembers a per-network baseline. A change that isn’t explained by the app’s own actions is flagged as a high-severity anomaly, once per unique value, then re-baselined. The genuinely hard part — and where naive tools fail — is that bringing a VPN up or down legitimately changes DNS, so the app suppresses the resolver change it causes itself within a short window around its own VPN transitions. Otherwise the product’s own VPN would trip its own detector.

RESOLVER CHANGED
1.1.1.1 10.0.0.9
caused by our own VPN?
yes
no
SUPPRESSED
our VPN did it
FLAGGED
high severity
SUPPRESSION GATEa resolver change we caused ourselves is not an attack
/ AND WHEN YOU’RE PROTECTED

DNS resolves in the tunnel

Detection tells you the resolver moved; Active Defense takes it out of the equation. When you connect through the encrypted tunnel, your DNS resolves inside it — out of reach of whatever was answering on the local network.

LOCAL RESOLVERattacker-controlledYOUyour deviceENCRYPTED TUNNELOUR RESOLVERout of reach
DNS ON THE TUNNELyour lookups ride the encrypted tunnel to a resolver we control — the swapped local one never sees them
/ THE PRICE

Detection is free

DNS anomaly detection ships in the free version and always will. Knowing the resolver you trust has been swapped is exactly the kind of early signal that shouldn’t be paywalled.

FREE FOREVERDNS anomaly detection is free, for Windows.

Read more: how DNS anomalies work · how to detect DNS hijacking · the homoglyph detector before it

The name looks right.
Check who’s answering for it.