We’re shipping DNS anomaly detection.
A resolver you didn’t choose is one of the clearest fingerprints of redirection. The catch was flagging it without flagging our own VPN.
Our fifth detector watches the directory your device trusts to find websites: DNS anomaly detection. It flags an unexpected change to your DNS resolver — a strong tell of redirection — while carefully not tripping over the resolver change our own VPN causes. On Windows, free.
The name still looks right. The resolver answering for it changed.
A swapped resolver, an unchanged screen
A DNS anomaly is an unexpected change to which resolver your device uses for lookups. If an attacker controls your DNS, they can quietly send you to servers they own — even for sites you type correctly — which makes a resolver change a clear fingerprint of an evil-twin or man-in-the-middle setup.
A baseline that doesn’t flag itself
The detector reads the system’s DNS resolver and remembers a per-network baseline. A change that isn’t explained by the app’s own actions is flagged as a high-severity anomaly, once per unique value, then re-baselined. The genuinely hard part — and where naive tools fail — is that bringing a VPN up or down legitimately changes DNS, so the app suppresses the resolver change it causes itself within a short window around its own VPN transitions. Otherwise the product’s own VPN would trip its own detector.
DNS resolves in the tunnel
Detection tells you the resolver moved; Active Defense takes it out of the equation. When you connect through the encrypted tunnel, your DNS resolves inside it — out of reach of whatever was answering on the local network.
Detection is free
DNS anomaly detection ships in the free version and always will. Knowing the resolver you trust has been swapped is exactly the kind of early signal that shouldn’t be paywalled.
Read more: how DNS anomalies work · how to detect DNS hijacking · the homoglyph detector before it