- A DNS leak sends your name lookups to your ISP instead of through the VPN tunnel.
- The website sees the VPN’s IP, but your ISP still sees every domain you visit.
- The usual causes are Windows settings, IPv6, and browser-level encrypted DNS.
- Test by connecting the VPN, then checking which resolver answers your lookups.
- Fix it with VPN DNS leak protection, a kill switch, and by disabling risky OS features.
You connect your VPN, your IP address changes, and you feel safe. But there is a quiet failure that leaves your browsing exposed while everything looks fine.
It is called a DNS leak, and it is one of the most common ways a VPN’s privacy quietly breaks. This guide explains what it is, why it happens, and how to test and fix it.
What Is a DNS Leak?
A DNS leak is when your name lookups escape the VPN tunnel. Every site you visit starts with a DNS request that turns a name into an IP. If that request reaches your internet provider instead of the VPN, your ISP still sees every domain you visit.
DNS is the internet’s address book. When you type a domain, your device asks a DNS resolver to translate it into an IP address.
With a VPN on, that lookup should travel through the encrypted tunnel to the VPN’s own resolver. A leak happens when it slips out to your ISP instead.
The result is sneaky. Websites still see the VPN’s IP, so the tunnel looks fine. But your ISP quietly logs the name of every site you request. If you are new to this, our guide on how DNS works covers the basics.
Why DNS Leaks Happen
DNS leaks happen when something sends lookups outside the tunnel. The usual culprits are a misconfigured VPN, Windows name-resolution features, leftover IPv6 traffic, and browser-level encrypted DNS. Each one routes some requests around the VPN, so your real resolver answers instead of the VPN’s.
A leak is rarely one big failure. It is usually one small setting sending a slice of traffic the wrong way. Here are the common causes.
A misconfigured or weak VPN
Some VPNs do not force DNS through their own resolver. If the app leaves your system resolver in place, lookups go to your ISP by default.
Windows Smart Multi-Homed Name Resolution
Windows has shipped this feature on by default since Windows 8. It sends DNS lookups out of every network interface at the same time.
It then uses whichever reply arrives first. While on a VPN, your ISP’s resolver can answer faster, which leaks the request. You can disable it through Group Policy on Pro and Enterprise editions.
IPv6 and Teredo
Many VPNs were built to tunnel IPv4 only. If your network uses IPv6, those lookups can travel outside the tunnel.
Teredo, an older IPv6 tunneling feature on Windows, can do the same. Our IPv4 vs. IPv6 guide explains why both versions need coverage.
Browser-level encrypted DNS (DoH)
This one surprises people. Setting DNS over HTTPS in your browser while a VPN runs can route lookups straight to a provider like Cloudflare.
That bypasses the VPN’s resolver entirely. It is still a leak, because a party other than your VPN sees your requests. Most VPN providers advise letting the VPN handle DNS instead.
ISP transparent DNS
Some internet providers intercept all DNS traffic on port 53 and force it to their own servers. This transparent proxying can pull lookups back to the ISP even when you set a different resolver.
How to Test for a DNS Leak
To test for a DNS leak, connect your VPN and run a DNS leak test. The test triggers lookups and shows which resolvers answered. If the resolver belongs to your VPN provider, you are safe. If it belongs to your ISP, your requests are leaking around the tunnel.
A leak hides under a working IP address, so a separate test is essential. Here is the order to run it.
- Confirm the tunnel: Check that your public IP changed using our IP address tool.
- Connect and test: With the VPN on, run a DNS leak test that triggers several lookups.
- Inspect the resolvers: Note which DNS servers answered and who owns them.
- Repeat per device: Test each browser and device, since name-resolution behavior varies.
You can also inspect resolution behavior directly with our DNS lookup tool. A dedicated DNS leak test is on our roadmap to make this even simpler.
How to Read Your DNS Leak Test Results
Reading the results comes down to one question: who owns the resolver? If every answering server belongs to your VPN provider, you are protected. If you see your home ISP or a resolver you did not choose, your DNS is leaking. That needs a fix.
A leak test lists the DNS servers that answered your lookups. Match each one against what you expect.
- VPN-owned resolver: The safe result. Your DNS is staying inside the tunnel.
- Your home ISP: A clear leak. Your provider is seeing your requests despite the VPN.
- A public resolver you set yourself: Often a browser DoH leak, not the VPN’s resolver.
- Your real location or city: A strong sign the answering server sits on your real network.
If the only servers shown belong to your VPN, the test passed. Anything else means a request is taking the wrong path.
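The test procedure and the reading guide above come down to one step a script can do for you: take the resolvers a leak test lists and classify each by who owns it. The following Python is an added example, not NetworkCheckr code; the ownership table uses constructed documentation prefixes (10.8.0.0/24 for the VPN, 203.0.113.0/24 for the ISP, 198.51.100.0/24 for a public DoH resolver) that you would replace with your VPN provider's published resolver ranges and your ISP's allocations.

```python
import ipaddress
from typing import Dict, List

# Constructed ownership table (assumption): the address ranges each party's
# resolvers live in. Documentation prefixes stand in for real provider ranges.
OWNER_RANGES = {
    "vpn": ["10.8.0.0/24", "2001:db8:1::/48"],
    "isp": ["203.0.113.0/24", "2001:db8:2::/48"],
    "public": ["198.51.100.0/24"],
}

# What each non-VPN owner usually means, following the reading guide above.
LIKELY_CAUSE = {
    "isp": "system lookups reached the ISP (SMHNR, IPv6, or transparent proxying)",
    "public": "browser-level DoH bypassing the VPN resolver",
    "unknown": "a resolver you did not choose is answering",
}


def classify_resolver(ip: str) -> str:
    """Return which party owns the resolver at `ip`, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for owner, nets in OWNER_RANGES.items():
        # `in` is False across address families, so v4/v6 never cross-match.
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return owner
    return "unknown"


def read_leak_test(answering: List[str]) -> Dict[str, object]:
    """Turn the resolvers that answered a leak test into a pass/fail verdict."""
    findings = []
    for ip in dict.fromkeys(answering):  # de-duplicate, keep report order
        owner = classify_resolver(ip)
        if owner == "vpn":
            continue  # the safe result: the lookup stayed inside the tunnel
        family = "IPv6" if ipaddress.ip_address(ip).version == 6 else "IPv4"
        findings.append({"resolver": ip, "owner": owner, "family": family,
                         "cause": LIKELY_CAUSE[owner]})
    return {"passed": not findings, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: what a leak test might list with the VPN connected.
    sample = ["10.8.0.1", "203.0.113.53", "2001:db8:2::53", "198.51.100.1"]
    result = read_leak_test(sample)
    print("PASS" if result["passed"] else "LEAK")
    for f in result["findings"]:
        print(f"  {f['resolver']:<18} {f['owner']:<8} {f['family']:<5} {f['cause']}")
```

An IPv6 address owned by the ISP is called out separately because it points at the IPv6 cause rather than SMHNR, and a public resolver you recognise as the one you set in your browser points at DoH; both lead to different items on the fix checklist.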
How to Fix a DNS Leak
Fix a DNS leak by letting the VPN control DNS end to end. Choose a VPN with DNS leak protection and a kill switch. Disable Windows Smart Multi-Homed Name Resolution, tunnel or turn off IPv6, and avoid custom browser DNS. Then retest until only the VPN resolver answers.
Most leaks close with a short checklist. Work through it in order.
- Pick a VPN with DNS leak protection: It forces every lookup through the VPN’s own resolver.
- Enable the kill switch: It blocks traffic if the VPN drops, so nothing leaks during a reconnect.
- Disable Smart Multi-Homed Name Resolution: On Windows Pro and Enterprise, turn it off in Group Policy under the DNS Client settings.
- Handle IPv6: Use a VPN that tunnels IPv6, or disable IPv6 and Teredo on your device.
- Skip custom browser DNS: Do not set DoH in your browser while on a VPN. Let the VPN manage DNS.
If lookups still escape after all of that, the cause may be transparent ISP proxying. Switching to a VPN that encrypts DNS inside the tunnel usually resolves it.
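The causes listed under "Why DNS Leaks Happen" and the checklist above are two views of the same thing: each cause opens a path to a resolver that is not the VPN's, and each fix closes one path. The Python below is an added example, not NetworkCheckr code, that models a host's DNS configuration and works out which resolvers can see its lookups. The sample host, its interface names and the resolver addresses are constructed (documentation prefixes), and the model follows the article's description of each cause: SMHNR queries every adapter, IPv6 escapes an IPv4-only tunnel, browser DoH goes straight to its own upstream, and VPN leak protection forces system lookups to the VPN resolver but does not reach inside the browser.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass
class Interface:
    name: str
    resolvers_v4: List[str]
    resolvers_v6: List[str]
    is_vpn: bool = False


@dataclass
class HostConfig:
    interfaces: List[Interface]
    smhnr_enabled: bool                  # Windows Smart Multi-Homed Name Resolution
    ipv6_enabled: bool                   # IPv6 (or Teredo) active on the physical adapter
    vpn_tunnels_ipv6: bool               # VPN carries IPv6 inside the tunnel
    vpn_leak_protection: bool            # VPN app forces every system lookup to its resolver
    browser_doh_upstream: Optional[str]  # resolver the browser sends DoH to, if any


def vpn_resolvers(cfg: HostConfig) -> Set[str]:
    return {ip for i in cfg.interfaces if i.is_vpn
            for ip in i.resolvers_v4 + i.resolvers_v6}


def observable_resolvers(cfg: HostConfig) -> Dict[str, Set[str]]:
    """Map every resolver that can receive this host's lookups to the reasons why."""
    seen: Dict[str, Set[str]] = {}

    def note(ip: str, reason: str) -> None:
        seen.setdefault(ip, set()).add(reason)

    for ip in vpn_resolvers(cfg):
        note(ip, "intended path: the VPN resolver inside the tunnel")
    # Leak protection closes the OS-level side paths; it does not reach inside the browser.
    if not cfg.vpn_leak_protection:
        for iface in (i for i in cfg.interfaces if not i.is_vpn):
            if cfg.smhnr_enabled:  # parallel query on every adapter, fastest reply wins
                for ip in iface.resolvers_v4:
                    note(ip, "Windows SMHNR sent the lookup out " + iface.name)
            if cfg.ipv6_enabled and not cfg.vpn_tunnels_ipv6:
                for ip in iface.resolvers_v6:
                    note(ip, "IPv6 lookup left via " + iface.name + " around an IPv4-only tunnel")
    if cfg.browser_doh_upstream:
        note(cfg.browser_doh_upstream, "browser-level DoH bypasses the VPN resolver")
    return seen


def leaks(cfg: HostConfig) -> Dict[str, Set[str]]:
    """Resolvers that can see lookups but are not the VPN's own: each one is a leak."""
    own = vpn_resolvers(cfg)
    return {ip: why for ip, why in observable_resolvers(cfg).items() if ip not in own}


def partial_fix(cfg: HostConfig, **changes) -> HostConfig:
    """Apply one checklist item (e.g. smhnr_enabled=False) and leave the rest as found."""
    return replace(cfg, **changes)


def apply_checklist(cfg: HostConfig) -> HostConfig:
    """The full checklist: leak protection on, SMHNR off, IPv6 off, no browser DoH."""
    return replace(cfg, vpn_leak_protection=True, smhnr_enabled=False,
                   ipv6_enabled=False, browser_doh_upstream=None)


# Constructed sample host (assumption): ISP-assigned resolvers on Wi-Fi, a VPN
# adapter with its own resolver, and every leak cause switched on at once.
SAMPLE = HostConfig(
    interfaces=[
        Interface("Wi-Fi", ["203.0.113.53"], ["2001:db8:2::53"]),
        Interface("VPN", ["10.8.0.1"], [], is_vpn=True),
    ],
    smhnr_enabled=True, ipv6_enabled=True, vpn_tunnels_ipv6=False,
    vpn_leak_protection=False, browser_doh_upstream="198.51.100.1",
)

if __name__ == "__main__":
    for label, cfg in [("as found", SAMPLE),
                       ("SMHNR off only", partial_fix(SAMPLE, smhnr_enabled=False)),
                       ("full checklist", apply_checklist(SAMPLE))]:
        found = leaks(cfg)
        summary = "no leak" if not found else f"{len(found)} leaking resolver(s)"
        print(f"{label}: {summary}")
        for ip, reasons in found.items():
            print(f"  {ip:<18} {'; '.join(sorted(reasons))}")
```

Running it shows why the article insists on working through the whole list: turning off SMHNR alone still leaves the IPv6 resolver and the browser's DoH upstream in view, and even VPN leak protection leaves the DoH path open, because that lookup never goes through the system resolver at all.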
DNS Leaks vs. WebRTC and IPv6 Leaks
A DNS leak exposes the domains you visit to your ISP. A WebRTC leak exposes your real IP address through a browser feature. An IPv6 leak exposes your IPv6 address around an IPv4-only tunnel. They are separate problems, so a full test should check all three.
People often lump these together, but each leaks something different.
- DNS leak: Reveals the names of the sites you visit to your internet provider.
- WebRTC leak: Reveals your real IP address through a browser peer-to-peer feature.
- IPv6 leak: Reveals your IPv6 address when the VPN only covers IPv4.
Because the causes differ, fixing one does not fix the others. Our guide on whether a VPN hides your IP address covers the WebRTC and IPv6 side in depth.
Related Tools & Resources
These free NetworkCheckr tools and guides help you test for a DNS leak and understand the concepts behind it. Use them to inspect resolution, confirm your IP, and learn how DNS and VPNs fit together.
Frequently Asked Questions
These are the questions readers ask most about DNS leaks. Each answer is short and practical. They cover what a leak is, how to test for one, and how to fix it.
What is a DNS leak in simple terms?
A DNS leak is when your name lookups escape the VPN tunnel. Every site you visit starts with a DNS request that turns a name into an IP. If that request goes to your internet provider, the VPN never sees it. Your ISP can still see every domain you visit. The website sees the VPN, but your provider sees your activity anyway.
How do I test for a DNS leak?
Connect your VPN, then run a DNS leak test. The test triggers lookups and shows which resolvers answered them. If the resolver belongs to your VPN provider, you are safe. If it belongs to your home ISP, you have a leak. Run the test in the same browser and device you use every day, since results can differ.
Does a VPN stop DNS leaks?
A good VPN does, because it routes your DNS requests through its own resolver inside the tunnel. But not every VPN gets this right, and some operating system settings can override it. Windows, IPv6, and browser-level encrypted DNS can all push lookups around the tunnel. So a VPN usually stops DNS leaks, but you should still test to confirm.
Why does Windows cause DNS leaks?
Windows has a feature called Smart Multi-Homed Name Resolution, on by default since Windows 8. It sends DNS lookups out of every network interface at once and uses the fastest reply. While on a VPN, that can mean your ISP’s resolver answers first, leaking the request. You can disable the feature through Group Policy on Windows Pro and Enterprise editions.
Does enabling DoH in my browser cause a DNS leak?
It can. If you set DNS over HTTPS in your browser while a VPN runs, the browser may bypass the tunnel. It can send lookups straight to a provider like Cloudflare. That is still a leak, because a party other than your VPN sees your requests. Major VPN providers recommend letting the VPN handle DNS rather than setting custom encrypted DNS in the browser.
How do I fix a DNS leak?
Use a VPN with built-in DNS leak protection and a kill switch. Let the VPN handle DNS instead of setting custom DNS in your browser. On Windows, disable Smart Multi-Homed Name Resolution. Make sure your VPN tunnels or disables IPv6 so it cannot slip around the connection. Then retest to confirm only the VPN resolver answers.
References & Further Reading
These sources back the technical claims about DNS resolution, encrypted DNS, and the Windows behavior that causes leaks. They include primary protocol specifications and independent research on name-resolution security. Each is a primary or authoritative source.
- MDN Web Docs: DNS — a clear explanation of how DNS resolution works.
- RFC 8484: DNS Queries over HTTPS (DoH) — the specification for encrypted DNS over HTTPS.
- RFC 7858: DNS over TLS (DoT) — the specification for DNS over TLS.
- SANS: Preventing Windows 10 SMHNR DNS Leakage — research on Smart Multi-Homed Name Resolution leaks.