
What is a DNS Leak? How DNS Leaks Expose Your Browsing Activity

You connect to a VPN expecting privacy — but your DNS queries might still be going to your ISP in plain text, revealing every website you visit. This is a DNS leak, and it's one of the most common ways VPN privacy fails silently.

What is a DNS Leak?

A DNS leak occurs when your DNS queries are sent outside of your VPN tunnel — typically to your ISP's DNS servers — instead of being routed through the VPN's encrypted connection. This means your ISP (or anyone monitoring the network) can see every domain name you look up, even though the rest of your traffic is encrypted through the VPN.

What you expect (VPN working correctly):

  You ──── [VPN Tunnel (encrypted)] ──── VPN Server ──── DNS Server
                                                          (VPN's own)
  ✓ ISP sees: encrypted blob (can't read anything)
  ✓ DNS queries go through the tunnel
  ✓ Privacy protected

What actually happens with a DNS leak:

  You ──── [VPN Tunnel (encrypted)] ──── VPN Server ──── Internet
    │
    └──── DNS Query: "resolve netflix.com" ──── ISP's DNS Server
              ↑
         OUTSIDE the tunnel! Sent in plain text!

  ✗ ISP sees: every domain you look up
  ✗ VPN only encrypts your actual traffic, not DNS
  ✗ Privacy compromised — ISP knows what you're browsing

Why This Matters

DNS queries are a complete record of every website you visit. With a DNS leak, your ISP, network administrator, or anyone monitoring your connection can build a detailed profile of your browsing — the sites you visit, when you visit them, and how often — even while you think you're protected by a VPN.

How DNS Resolution Works (Quick Refresher)

Every time you visit a website, your device needs to convert the domain name into an IP address. This is done through DNS (Domain Name System):

You type: example.com

Step 1: Your device checks its local DNS cache
  → "Do I already know the IP for example.com?" → No

Step 2: Query is sent to a DNS resolver
  → Usually your ISP's DNS server (assigned automatically via DHCP)
  → Or a public DNS like 8.8.8.8 (Google) / 1.1.1.1 (Cloudflare)

Step 3: Resolver contacts authoritative DNS servers
  → Root server → .com TLD server → example.com nameserver
  → Returns: 93.184.216.34

Step 4: Your device connects to 93.184.216.34

The privacy problem:
  ┌──────────────────────────────────────────────────┐
  │ Traditional DNS queries are sent in PLAIN TEXT    │
  │ over UDP port 53 — completely unencrypted.       │
  │                                                   │
  │ Anyone between you and the DNS server can see:    │
  │  • What domain you're looking up                  │
  │  • When you looked it up                          │
  │  • Your IP address (who you are)                  │
  │                                                   │
  │ This includes: your ISP, Wi-Fi operator,          │
  │ network admin, government surveillance systems    │
  └──────────────────────────────────────────────────┘

How a VPN Should Handle DNS

A properly configured VPN should handle DNS in one of these ways to prevent leaks:

Method 1: VPN runs its own DNS server
  You → [Encrypted VPN Tunnel] → VPN Server → VPN's DNS → Internet
  ✓ DNS queries never leave the VPN provider's network
  ✓ ISP sees nothing

Method 2: VPN routes DNS through the tunnel to a public resolver
  You → [Encrypted VPN Tunnel] → VPN Server → 1.1.1.1 (Cloudflare)
  ✓ DNS queries are encrypted between you and VPN server
  ✓ ISP sees nothing (but the VPN's exit IP talks to Cloudflare)

Method 3: VPN uses DNS-over-HTTPS/TLS inside the tunnel
  You → [VPN Tunnel [DoH/DoT encrypted DNS]] → VPN Server → DNS
  ✓ Double encryption — even the VPN provider can't easily log DNS
  ✓ Maximum privacy

What a properly configured VPN client does:
  1. Overrides your system DNS settings to use VPN's DNS
  2. Routes ALL DNS queries through the VPN tunnel
  3. Blocks DNS traffic outside the tunnel (kill switch / firewall rules)
  4. Handles both IPv4 and IPv6 DNS
  5. Prevents OS-level "smart" DNS features from bypassing the tunnel

What DNS Leaks Reveal About You

DNS queries are surprisingly revealing. Here's exactly what someone monitoring your leaked DNS traffic can learn:

Information               | What It Reveals
--------------------------+-------------------------------------------------------------------------------------------
Domain names you query    | Every website you visit (netflix.com, bankofamerica.com, webmd.com/symptoms/...)
Query timestamps          | When you visit each site — daily patterns, sleep schedule, work habits
Query frequency           | How often you visit each site — which ones you use daily vs occasionally
Your real IP address      | The DNS query comes from your actual IP, not your VPN IP — reveals your real location
Services and apps you use | API endpoints, update servers, and services queried by your apps in the background
Your ISP identity         | If the DNS request goes to your ISP's server, they know it's from their customer — tied to your account

ISP Data Collection

In many countries, ISPs are legally allowed (or even required) to log DNS queries. In the US, ISPs can sell browsing data to advertisers. In the UK, the Investigatory Powers Act requires ISPs to store Internet Connection Records for 12 months. A DNS leak hands them this data even when you're using a VPN.

What Causes DNS Leaks?

DNS leaks happen for a variety of technical reasons. Here are the most common causes:

Cause                                      | Platform         | Details
-------------------------------------------+------------------+-----------------------------------------------------------------------------------------------------
Windows Smart Multi-Homed Name Resolution  | Windows 8/10/11  | Windows sends DNS queries to ALL available network adapters simultaneously — including ones outside the VPN tunnel — and uses whichever responds first.
IPv6 DNS queries                           | All platforms    | Many VPNs only tunnel IPv4 traffic. If your system has IPv6 connectivity, DNS queries over IPv6 bypass the VPN entirely.
VPN misconfiguration                       | All platforms    | VPN client doesn't override system DNS settings or doesn't push its own DNS servers. Manual VPN configurations are especially prone to this.
VPN connection drops                       | All platforms    | VPN disconnects briefly without a kill switch → system reverts to ISP DNS for a few seconds → queries leak during the gap.
Transparent DNS proxy (ISP)                | Network-level    | Some ISPs intercept all traffic on port 53 and redirect it to their own DNS servers, regardless of what DNS server you configured.
Split tunneling                            | All platforms    | If you enable split tunneling (only some apps use VPN), DNS queries from non-tunneled apps go directly to your ISP.
Browser-level DNS (DoH)                    | Firefox, Chrome  | Browsers with built-in DNS-over-HTTPS may bypass the VPN's DNS and use their own resolver (e.g., Cloudflare), which could be outside the tunnel.

Windows "Smart Multi-Homed" DNS leak in detail:

Before VPN:
  Network adapters:
    Ethernet → DNS: 192.168.1.1 (ISP router)

After connecting VPN:
  Network adapters:
    Ethernet → DNS: 192.168.1.1 (ISP router)    ← still here!
    VPN TAP  → DNS: 10.8.0.1 (VPN's DNS)        ← added

Windows behavior:
  DNS query for "example.com" → sent to BOTH:
    → 192.168.1.1 (ISP)     ← LEAK!
    → 10.8.0.1 (VPN)        ← correct
  Uses whichever responds first.

Result: Your ISP's DNS server received the query.
  Even if VPN's DNS responds first, the ISP already
  knows you looked up "example.com".

How to Test for DNS Leaks

Testing for DNS leaks is straightforward — you check which DNS servers are actually handling your requests:

How a DNS leak test works:

1. You visit a DNS leak test tool (our tool, for example)

2. The tool generates unique, random subdomains:
   → abc123.test.leakcheck.example.com
   → def456.test.leakcheck.example.com
   → ghi789.test.leakcheck.example.com

3. Your browser tries to resolve these domains
   → DNS query goes to whatever DNS server your system uses

4. The test's authoritative nameserver logs which DNS
   resolvers queried for those random domains

5. Results show you which DNS servers handled your requests:

   ✓ No leak:
     DNS Server: 10.8.0.1 (VPN Provider, Netherlands)
     → Only the VPN's DNS server appeared

   ✗ DNS leak detected:
     DNS Server: 192.168.1.1 → 68.105.28.11 (Comcast, US)
     DNS Server: 10.8.0.1 (VPN Provider, Netherlands)
     → Your ISP's DNS server also appeared!

What to look for in results:
  • DNS servers should belong to your VPN provider
  • DNS server locations should match your VPN server location
  • Your ISP's DNS servers should NOT appear
  • Multiple DNS providers appearing = potential leak
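As an added example (not the article's own tool), here is the resolver-side logic of such a test in Python: it generates the random probe names for one session, reads a constructed authoritative-nameserver query log, and flags every resolver that asked for those names from outside the VPN provider's address ranges. The log format, the test zone test.leakcheck.example.com, the session token abc123 and all addresses are constructed for this example; 10.8.0.0/24 stands in for the VPN provider's resolver range, and one IPv6 resolver is included to show how an IPv6-only leak is caught the same way.

```python
"""Classify DNS leak-test results from an authoritative nameserver's query log.

Added example, not the article's tool. Log format, zone name and addresses are
constructed for illustration.
"""
import ipaddress
import re
import secrets

# Hypothetical test zone; a real tool would use its own delegated zone.
TEST_ZONE = "test.leakcheck.example.com"

# Constructed log lines in a simple "<time> <resolver_ip> <qname>" format.
# The abc123-* names belong to one browser session. 10.8.0.1 is the VPN's
# resolver; 68.105.28.11 and 2001:db8:1::53 are ISP resolvers (the latter an
# IPv6 path that bypassed an IPv4-only tunnel). zzz999-1 is another session.
SAMPLE_LOG = """\
12:00:01 10.8.0.1 abc123-1.test.leakcheck.example.com
12:00:01 68.105.28.11 abc123-1.test.leakcheck.example.com
12:00:02 10.8.0.1 abc123-2.test.leakcheck.example.com
12:00:02 2001:db8:1::53 abc123-2.test.leakcheck.example.com
12:00:02 10.8.0.1 abc123-3.test.leakcheck.example.com
12:00:05 10.8.0.1 zzz999-1.test.leakcheck.example.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def new_session_token():
    """Random token so probe names are unique and cannot be answered from cache."""
    return secrets.token_hex(4)


def make_probe_names(session_token, count=3):
    """The unique subdomains the client is asked to resolve for this session."""
    return [f"{session_token}-{i}.{TEST_ZONE}" for i in range(1, count + 1)]


def parse_log(text):
    """Yield (resolver_ip, qname) for every logged query under the test zone."""
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        _time, ip, qname = match.groups()
        qname = qname.lower().rstrip(".")
        if qname.endswith("." + TEST_ZONE):
            yield ipaddress.ip_address(ip), qname


def resolvers_for_session(log_text, session_token):
    """Set of resolver addresses that queried this session's probe names."""
    wanted = set(make_probe_names(session_token))
    return {ip for ip, qname in parse_log(log_text) if qname in wanted}


def classify(resolvers, vpn_networks):
    """Split observed resolvers into expected (inside VPN ranges) and leaked.

    Any resolver outside the VPN provider's ranges, v4 or v6, means a query
    escaped the tunnel, even if the VPN resolver answered first.
    """
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    expected = {ip for ip in resolvers if any(ip in net for net in nets)}
    leaked = set(resolvers) - expected
    return {
        "leak": bool(leaked),
        "expected": sorted(str(ip) for ip in expected),
        "leaked": sorted(str(ip) for ip in leaked),
    }


if __name__ == "__main__":
    print(classify(resolvers_for_session(SAMPLE_LOG, "abc123"), ["10.8.0.0/24"]))
```

Because leaks are intermittent, the client side of a real tool would call make_probe_names() with a fresh token on every run and keep the verdict of each run; a single clean run after a leaking one does not clear the earlier finding.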

Test Multiple Times

DNS leaks can be intermittent — they might not show up on every test. Run the test several times, and test after reconnecting your VPN or switching networks. Some leaks only happen during the initial VPN connection or when the VPN briefly drops.

How to Fix DNS Leaks

Here's how to fix DNS leaks on different platforms:

1. Use Your VPN's Built-In DNS Leak Protection

Most reputable VPN clients have a "DNS leak protection" option. Enable it — it configures firewall rules to block DNS traffic outside the tunnel.

2. Enable the VPN Kill Switch

A kill switch blocks all internet traffic if the VPN drops, preventing any DNS queries from leaking during reconnection.

3. Fix Windows Smart Multi-Homed Resolution

Disable Smart Multi-Homed Name Resolution:

Option A: Group Policy Editor (Windows Pro/Enterprise)
  1. Open gpedit.msc
  2. Navigate to:
     Computer Configuration → Administrative Templates →
     Network → DNS Client
  3. Enable "Turn off smart multi-homed name resolution"

Option B: Registry (Windows Home)
  1. Open regedit
  2. Navigate to:
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
     Windows NT\DNSClient
  3. Create DWORD: DisableSmartNameResolution = 1

Option C: PowerShell (run as Administrator; sets the same policy value as Option B)
  $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
  New-Item -Path $key -Force | Out-Null
  New-ItemProperty -Path $key -Name DisableSmartNameResolution -Value 1 -PropertyType DWord -Force | Out-Null
  → Disables smart multi-homed name resolution, so queries are no longer sent to every adapter

4. Manually Set DNS on Your Network Adapter

Set a privacy-focused DNS before connecting to VPN:

Windows:
  1. Network Settings → Change adapter options
  2. Right-click your connection → Properties
  3. Select "Internet Protocol Version 4 (TCP/IPv4)"
  4. Set DNS to: 1.1.1.1 and 1.0.0.1 (Cloudflare)

macOS:
  1. System Preferences → Network → Advanced → DNS
  2. Add: 1.1.1.1 and 1.0.0.1

Linux:
  # Using systemd-resolved
  sudo nano /etc/systemd/resolved.conf
  [Resolve]
  DNS=1.1.1.1 1.0.0.1
  FallbackDNS=9.9.9.9

  sudo systemctl restart systemd-resolved

This ensures that even if your VPN leaks,
DNS goes to a privacy-respecting resolver
instead of your ISP.

5. Disable IPv6 (If VPN Doesn't Support It)

If your VPN doesn't tunnel IPv6:

Windows:
  1. Network adapter Properties
  2. Uncheck "Internet Protocol Version 6 (TCP/IPv6)"

macOS:
  networksetup -setv6off Wi-Fi

Linux:
  sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
  sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Better solution: Use a VPN that supports IPv6 tunneling.

Encrypted DNS — DoH, DoT, and DoQ

Traditional DNS sends queries in plain text. Encrypted DNS protocols solve this by encrypting DNS traffic, making it unreadable to anyone monitoring your connection:

Protocol               | Port | Transport         | Details
-----------------------+------+-------------------+-------------------------------------------------------------------------------------------------------------------
Traditional DNS        | 53   | UDP (plain text)  | No encryption. Anyone can read queries. Can be intercepted and modified.
DNS-over-HTTPS (DoH)   | 443  | HTTPS (encrypted) | DNS queries sent as HTTPS requests. Blends in with normal web traffic — hard to block. Supported by Firefox, Chrome, Edge, and most major OS.
DNS-over-TLS (DoT)     | 853  | TLS (encrypted)   | Dedicated encrypted channel for DNS. Uses its own port so it's identifiable (can be blocked by firewalls). Supported by Android 9+ (Private DNS).
DNS-over-QUIC (DoQ)    | 853  | QUIC (encrypted)  | Newest protocol. Faster than DoT (fewer round trips). Lower latency. Still gaining adoption.

Enabling encrypted DNS:

Firefox (DoH):
  Settings → Privacy & Security → DNS over HTTPS
  → Select "Max Protection"
  → Provider: Cloudflare (default) or custom

Chrome (DoH):
  Settings → Privacy and Security → Security
  → "Use secure DNS" → On
  → Select provider: Cloudflare, Google, etc.

Windows 11 (DoH):
  Settings → Network & Internet → Ethernet/Wi-Fi → DNS
  → Set DNS to 1.1.1.1 → Encryption: "Encrypted only (DNS-over-HTTPS)"

Android 9+ (DoT):
  Settings → Network & Internet → Private DNS
  → "Private DNS provider hostname"
  → Enter: one.one.one.one (Cloudflare)
             or dns.google (Google)

macOS Ventura+ (DoH/DoT):
  → Requires a DNS configuration profile (.mobileconfig)
  → Or use a DNS client app (Cloudflare 1.1.1.1 app)

DoH vs DoT

DoH uses port 443 (same as HTTPS), making it impossible for network operators to distinguish DNS queries from normal web traffic — it can't be selectively blocked. DoT uses a dedicated port 853, which makes it easier for enterprises and governments to block. For censorship resistance, DoH is preferred. For enterprise network management, DoT is preferred because it's identifiable.
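To make the plain-text point from the "privacy problem" box and this DoH section concrete, here is an added Python example (not from the article): it builds an RFC 1035 wire-format query for example.com, parses the query name back out of the raw bytes exactly as a passive observer on UDP port 53 could, and then wraps the same bytes into the RFC 8484 DoH GET form, where the name exists only inside the TLS-protected URL and a network observer is left with the resolver's hostname. The transaction ID 0x1234 is fixed for reproducibility and the resolver URL https://doh.example/dns-query is a placeholder, not a real service.

```python
"""Plain DNS on the wire versus the same query carried over DoH.

Added example, not the article's code. The DoH resolver URL is a placeholder.
"""
import base64
import struct
from urllib.parse import urlsplit


def encode_name(name):
    """Encode "example.com" as DNS labels: b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header + question (QTYPE A=1, QCLASS IN=1)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read uncompressed labels starting at offset; return (name, next_offset).

    A plain question section never uses compression pointers, so a length
    byte >= 0xC0 is treated as malformed here.
    """
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observe_query(udp_payload):
    """What anyone on the path can read from an unencrypted UDP/53 query."""
    txid, _flags, _qdcount = struct.unpack("!HHH", udp_payload[:6])
    name, off = struct.unpack("!HHH", udp_payload[:6])[0], 12
    name, off = decode_name(udp_payload, off)
    qtype, _qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"txid": txid, "qname": name, "qtype": qtype}


def doh_get_url(resolver_url, wire_query):
    """RFC 8484 GET form: base64url of the wire query, padding removed."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def doh_query_from_url(url):
    """What the DoH resolver does: recover the wire query from the URL."""
    b64 = url.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore padding before decoding
    return base64.urlsafe_b64decode(b64)


def observe_doh_on_wire(url):
    """A network observer of a DoH request sees the TLS destination (IP or
    SNI hostname), never the path or the dns parameter carrying the qname."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 observer sees:", observe_query(q))
    url = doh_get_url("https://doh.example/dns-query", q)
    print("DoH observer sees:   ", observe_doh_on_wire(url))
```

Note that the wire bytes inside the DoH URL are identical to the UDP payload; DoH changes nothing about the query itself, only the channel. That is also why the resolver operator still sees every query, as the checklist below points out.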

IPv6 Leaks and WebRTC Leaks

DNS leaks aren't the only way your real identity can be exposed while using a VPN. Two other common leaks are worth knowing about:

IPv6 Leaks

The IPv6 leak problem:

Your network provides both IPv4 and IPv6 addresses:
  IPv4: 73.42.115.200     (tunneled by VPN ✓)
  IPv6: 2601:647:4d00::5f  (NOT tunneled ✗)

When you visit a dual-stack website (supports both IPv4 + IPv6):
  → Browser may prefer IPv6
  → IPv6 traffic goes OUTSIDE the VPN tunnel
  → Website sees your real IPv6 address
  → Your real location and ISP are exposed

Fix:
  1. Use a VPN that tunnels IPv6 traffic
  2. Or disable IPv6 on your system
  3. Or ensure VPN blocks IPv6 when not tunneling it

WebRTC Leaks

WebRTC (Web Real-Time Communication):
  Used for: video calls, voice chat, P2P file sharing in browsers

The problem:
  WebRTC uses STUN servers to discover your public IP
  → This request can bypass the VPN tunnel
  → Websites can run JavaScript to discover your real IP

  const pc = new RTCPeerConnection({
    iceServers: [{ urls: "stun:stun.l.google.com:19302" }]
  });
  // Each gathered ICE candidate carries an address; "srflx" ones are the public IP seen by the STUN server
  pc.onicecandidate = (e) => { if (e.candidate) console.log(e.candidate.candidate); };
  pc.createDataChannel("leaktest");              // a channel is needed to start ICE gathering
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  // → srflx candidates show your real public IP, even behind a VPN!

Fix:
  Firefox: about:config → media.peerconnection.enabled = false
  Chrome:  Install "WebRTC Leak Prevent" extension
  Or:      Use VPN with WebRTC leak protection built in

Who Can See Your DNS Queries?

Without protection, multiple parties can observe your DNS traffic at different points:

Observer                        | Can See DNS?                                  | Scenario
--------------------------------+-----------------------------------------------+-----------------------------------------------------------------------------------
Wi-Fi network operator          | Yes (plain DNS) / No (VPN or DoH)             | Coffee shop, hotel, airport — anyone running the Wi-Fi can log DNS queries
Your ISP                        | Yes (plain DNS, ISP DNS) / No (VPN or DoH)    | ISPs see DNS queries to their own servers. They may also intercept port 53 traffic.
DNS resolver operator           | Yes (always)                                  | Google (8.8.8.8), Cloudflare (1.1.1.1), etc. — they handle your query, so they see it
VPN provider                    | Yes (if they run DNS)                         | Your VPN's DNS server handles queries — trust their no-logs policy
Government / law enforcement    | Via ISP or court orders to DNS providers      | Can compel ISPs or DNS providers to hand over query logs
Employer / school network admin | Yes (on their network)                        | Corporate/school networks often run their own DNS and log all queries

DNS Privacy Best Practices

DNS Privacy Checklist:

VPN Users:
  ✓ Enable DNS leak protection in your VPN client
  ✓ Enable the kill switch (blocks traffic if VPN drops)
  ✓ Disable split tunneling (or understand the trade-offs)
  ✓ Test for DNS leaks regularly — don't assume it works
  ✓ Choose a VPN that operates its own DNS servers
  ✓ Disable IPv6 if your VPN doesn't tunnel it
  ✓ Disable WebRTC or use leak protection

Non-VPN Users:
  ✓ Switch from ISP DNS to a privacy-focused resolver:
      1.1.1.1 (Cloudflare) — fast, no-log policy
      9.9.9.9 (Quad9) — blocks malware domains
      8.8.8.8 (Google) — reliable (but Google logs queries)
  ✓ Enable DNS-over-HTTPS (DoH) in your browser
  ✓ Enable Private DNS (DoT) on Android

Everyone:
  ✓ Use HTTPS everywhere (HTTPS encrypts the content,
     even if DNS is visible)
  ✓ Be aware that encrypted DNS hides queries from your
     local network/ISP, but NOT from the DNS resolver
     itself — choose a resolver you trust
  ✓ Run a DNS leak test from each network you use
     (home, work, mobile, public Wi-Fi)

No Single Silver Bullet

Each layer of DNS privacy has trade-offs. A VPN hides DNS from your ISP but you must trust your VPN provider. DoH/DoT encrypts DNS but you must trust your resolver. Using a VPN with its own DNS servers and encrypted DNS provides the most protection — but no setup is perfect. The goal is to minimize how many parties can observe your DNS queries.

Test Your Connection for DNS Leaks

Use our free DNS Leak Test tool to check whether your DNS queries are leaking outside your VPN. See which DNS servers are handling your requests and verify your privacy is protected.

