What Is a DNS Leak?
A DNS leak occurs when your DNS queries are sent outside your VPN tunnel, exposing them to your ISP or other third parties instead of being routed through the VPN's encrypted connection. Even though your actual internet traffic may be encrypted, the DNS requests reveal which websites you are visiting.
When you connect to a VPN, all traffic - including DNS lookups - should pass through the VPN tunnel to the VPN provider's DNS servers. A DNS leak means some or all of those lookups "leak" to your ISP's DNS servers or another unintended resolver.
How DNS Leaks Happen
DNS leaks can occur for several reasons:
- OS default behavior: Windows, in particular, may send DNS queries through all available network interfaces simultaneously (a feature called "Smart Multi-Homed Name Resolution"), potentially bypassing the VPN.
- Misconfigured VPN client: If the VPN software does not properly set itself as the DNS resolver, the OS may continue using the ISP's DNS.
- IPv6 leaks: If your VPN only tunnels IPv4 traffic but your connection supports IPv6, DNS queries over IPv6 may leak outside the tunnel.
- WebRTC leaks: Browsers supporting WebRTC can make peer-to-peer connections that bypass the VPN, revealing your real IP and DNS servers.
- Manual DNS settings: If you have manually configured DNS servers (e.g., 8.8.8.8) in your OS, the VPN may not override them.
- Transparent DNS proxying: Some ISPs intercept all DNS traffic on port 53 and redirect it to their own servers, regardless of what resolver you configured.
How to Test for DNS Leaks
Testing for DNS leaks is straightforward:
- Connect to your VPN and ensure it shows as connected.
- Run a DNS leak test: Use our DNS Leak Test tool or similar services.
- Check the results: The test will show which DNS servers handled your query.
If the results show your ISP's DNS servers or servers that are not your VPN provider's, you have a DNS leak. Ideally, you should only see DNS servers belonging to your VPN provider.
| Result | DNS Servers Shown | Status |
|---|---|---|
| No leak | VPN provider's DNS servers only | Secure |
| DNS leak | ISP DNS servers visible | Privacy compromised |
| Partial leak | Mix of VPN and ISP servers | Intermittent leak - still a problem |
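To make the table's outcomes concrete, here is an added example (not code from the original page or from any leak-test service) that classifies the resolver addresses a leak test reports against a VPN provider's resolver ranges, flags IPv6 leaks, and scans a resolv.conf-style configuration for manual or ISP resolvers the VPN did not override. The VPN ranges and all sample addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the resolver ranges of a hypothetical VPN
# provider, one IPv4 and one IPv6 range (real providers publish their own).
VPN_DNS_RANGES = [ip_network("10.8.0.0/24"), ip_network("fd00:8::/64")]

@dataclass(frozen=True)
class LeakReport:
    status: str               # "No leak", "DNS leak" or "Partial leak"
    vpn_resolvers: tuple      # resolvers inside the provider's ranges
    foreign_resolvers: tuple  # everything else: ISP, public or manual DNS
    ipv6_leak: bool           # a foreign resolver was reached over IPv6

def is_vpn_resolver(addr, vpn_ranges=VPN_DNS_RANGES):
    return any(addr in net for net in vpn_ranges)

def classify(observed, vpn_ranges=VPN_DNS_RANGES):
    """Map the resolver IPs a leak test reports (the recursive resolvers that
    reached the test's authoritative server) onto the table's three outcomes."""
    if not observed:
        raise ValueError("leak test reported no resolvers")
    vpn, foreign = [], []
    for raw in dict.fromkeys(observed):  # de-duplicate, keep order
        addr = ip_address(raw)
        (vpn if is_vpn_resolver(addr, vpn_ranges) else foreign).append(str(addr))
    if not foreign:
        status = "No leak"
    elif not vpn:
        status = "DNS leak"
    else:
        status = "Partial leak"
    ipv6_leak = any(ip_address(a).version == 6 for a in foreign)
    return LeakReport(status, tuple(vpn), tuple(foreign), ipv6_leak)

def foreign_nameservers(resolv_conf, vpn_ranges=VPN_DNS_RANGES):
    """List 'nameserver' entries of a resolv.conf-style text that fall outside
    the VPN ranges: manual or ISP resolvers the VPN client did not override."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) != 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ip_address(parts[1])
        except ValueError:  # malformed entry, skip it
            continue
        if not is_vpn_resolver(addr, vpn_ranges):
            found.append(str(addr))
    return found
```

A "Partial leak" result means at least one query left the tunnel, so it should be treated the same as a full leak when deciding whether to trust the connection.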
How to Fix DNS Leaks
There are several approaches to prevent DNS leaks:
VPN Client Settings
- Enable the VPN's DNS leak protection: Most quality VPN apps have a built-in DNS leak protection toggle - make sure it is enabled.
- Use the VPN's DNS servers: Configure your VPN client to use the provider's own DNS servers rather than third-party ones.
- Enable the kill switch: A kill switch blocks all traffic when the VPN disconnects, preventing any leaks during reconnection.
Operating System Fixes
- Windows - Disable Smart Multi-Homed Name Resolution: Open Group Policy Editor, navigate to Computer Configuration → Administrative Templates → Network → DNS Client, and enable "Turn off smart multi-homed name resolution."
- Disable IPv6: If your VPN does not support IPv6 tunneling, disable IPv6 on your network adapter to prevent IPv6 DNS leaks.
- Flush DNS cache: After connecting to the VPN, run `ipconfig /flushdns` (Windows) or the equivalent for your OS.
Browser Fixes
- Disable WebRTC: In Firefox, set `media.peerconnection.enabled` to `false` in `about:config`. For Chrome, use an extension like "WebRTC Leak Prevent."
- Use DNS over HTTPS: Enable DoH in your browser settings and point it to your VPN provider's DoH server.