Why your DNS is probably leaking (and your 2FA might not be)
Last month, a customer sent us a screenshot of their Wi-Fi router settings. 'I've had three breaches,' they wrote, 'but no one ever told me my DNS was doing this.' They'd never heard of a DNS leak before. Neither had most people we spoke to during Shield testing.
The moment we realised DNS leaks were invisible
When we started designing ARK's Shield tier, we knew the core security score would cover the obvious things: app permissions, device vulnerabilities, breach history. But we kept hearing from beta users about network exposure. 'I'm on a VPN,' they'd say, 'so I'm safe, right?' Not always.
A DNS leak is exactly what it sounds like. Your device asks a DNS server for the IP address of a website you want to visit. That request can leak outside your encrypted tunnel, exposing your browsing patterns even when you think you're protected. We'd see users confidently assume their Wi-Fi was secure because they'd set a strong password. No one checks what their ISP's DNS server is actually resolving behind the scenes.
That's when we decided the DNS leak test had to be dead simple. Run it once. See if your traffic is leaking. Get one-tap guidance to fix it. No technobabble.
DNS leaks and 2FA: the forgotten pair
The interesting part was realising DNS leaks almost never appear alone in our scans. Users with DNS exposure almost always had incomplete two-factor authentication as well. A customer in Manchester had set up 2FA for email. Not for banking. Not for social media. Not for work apps. She had one layer of protection, and the rest of her accounts were still wide open.
That's when we bundled DNS and 2FA into a single Shield test. Why? Because they're both about the quiet failures. A DNS leak doesn't knock on your door. Neither does realising you forgot to enable 2FA on your photo app, which contains months of private family moments.
The 2FA audit works differently from a simple checkbox. We scan each of your installed apps and cross-reference them against known services that support two-factor authentication. We show you which apps have it enabled, which support it but you haven't turned it on yet, and which ones don't offer it at all. Then we give you a one-tap link directly into each app's security settings. You can fix half a dozen accounts in three minutes.
Why we didn't hide this behind a thousand settings
Building these tests taught us something: security tools lose people the moment they demand expertise. We could have built a comprehensive DNS analysis tool that lets you change nameservers, swap protocols, toggle DNS-over-HTTPS. We could have made the 2FA audit a spreadsheet with columns and filters.
Instead, we asked ourselves what someone who's been breached actually needs. They need to know if they're leaking. They need to know which accounts are unprotected. Then they need a button that takes them directly to the fix.
The Shield tier test runs locally on your device when possible, checks your DNS resolution against our database of public DNS servers and VPN endpoints, and compares your installed apps against our list of services that support 2FA. Your actual DNS queries don't leave your phone. We don't store plaintext email addresses or usernames. Everything that identifies you gets encrypted in iOS SecureStore or Android EncryptedSharedPreferences. We don't log your results for analytics. We can't sell you insights about your own security.
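As an added illustration of the resolver check described above (example code, not ARK's own Shield implementation): it pulls the nameservers a device is configured to use, labels each one against a small constructed list of public, VPN-tunnel and ISP resolver ranges, and flags a leak when a VPN is up but any query would go to a resolver outside the tunnel. The resolver lists, the 10.8.0.0/24 tunnel range and the 203.0.113.0/24 "ISP" range are all assumptions for the demo.

```python
import ipaddress

# Constructed sample data, not ARK's database: two well-known public resolvers,
# an assumed VPN tunnel resolver range, and an "ISP" range taken from RFC 5737
# documentation space so nothing here points at a real provider.
PUBLIC_RESOLVERS = {"8.8.8.8": "Google Public DNS", "1.1.1.1": "Cloudflare"}
VPN_RESOLVER_NETS = [ipaddress.ip_network("10.8.0.0/24")]
ISP_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def classify_resolver(ip_str):
    """Label a resolver address by who operates it, as far as our lists can tell."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in VPN_RESOLVER_NETS):
        return "vpn"
    if ip_str in PUBLIC_RESOLVERS:
        return "public"
    if any(ip in net for net in ISP_NETS):
        return "isp"
    return "unknown"


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments and junk."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                continue  # malformed address: skip rather than crash the scan
            servers.append(parts[1])
    return servers


def leak_report(resolvers, vpn_active):
    """With a VPN up, any resolver outside the tunnel range means queries bypass it."""
    labelled = [(ip, classify_resolver(ip)) for ip in resolvers]
    leaking = vpn_active and any(kind != "vpn" for _, kind in labelled)
    return {"leaking": leaking, "resolvers": labelled}


SAMPLE_RESOLV_CONF = """\
# Constructed sample: VPN client set one resolver, DHCP left the ISP's behind
nameserver 10.8.0.1
nameserver 203.0.113.53   # ISP resolver outside the tunnel
options timeout:2
"""

if __name__ == "__main__":
    print(leak_report(parse_resolv_conf(SAMPLE_RESOLV_CONF), vpn_active=True))
```

The second resolver is the quiet failure the post describes: the VPN is active, yet half the lookups still go to the ISP in plaintext, so the report flags a leak and names the resolver to change.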
The conversation that changed how we present findings
A week before Shield launched, someone on the team asked a simple question: 'What happens after the test runs?' We'd built the scan. We hadn't really thought through what a user should do with a DNS leak result.
We started pulling real support messages from our free tier. A user discovered stalkerware on their device and had no idea how to remove it. Another found a breach notification but didn't understand what it meant for them. A third asked whether their phone was 'broken' after seeing an unfamiliar app permission.
That's when we added the one-tap remediation links. A DNS leak doesn't just give you a red score. It shows you which DNS provider you're currently using, explains in plain language what's happening, and offers direct links to change it in your Wi-Fi settings or VPN app. The 2FA audit doesn't just list your apps. It takes you into each one with the exact path to enable two-factor setup.
We also built in the breaking point: if you've been in a serious breach, we flag which of your apps with access to sensitive data don't yet have 2FA enabled. That combination of information plus immediate action is what the Shield scan is built around.
What happens when a scan touches something real
The hardest part of building these tests wasn't the technology. It was deciding what to check and what not to check. We could scan your VPN configuration. We could analyse your Wi-Fi encryption standards. We could list every permission request your apps have ever made.
Instead, we focused on the two things that actually move the needle for people who've been breached or are worried about being breached: are you leaking network traffic you think is private, and are the accounts that matter most actually protected with a second factor?
Testing revealed something we didn't expect. Users who saw their DNS results and their 2FA audit together started taking other security steps unprompted. They'd check their password health. They'd run the stalkerware detector again. They'd look at their app permissions with fresh eyes. One finding unlocked three others.
That's the real value of a score and a clear scan, rather than a list of scary warnings. Clarity moves people forward. Fear keeps them paralysed.
Most people walk around with a small computer in their pocket that knows where they go, what they buy, and who they talk to. A DNS leak turns that knowledge over to your ISP. Missing 2FA leaves the door half open. Neither one needs to stay that way. Have you ever checked whether your DNS is leaking, or counted how many of your accounts actually have two-factor authentication turned on?