How DNS works — and why leaks matter
Every time you type a website address into your browser, your device needs to convert that human-readable name (like google.com) into a numerical IP address a router can use. That translation is called a DNS lookup, and it's handled by a DNS server — almost always one operated by your Internet Service Provider (ISP) unless you've configured otherwise.
Think of DNS as the phone book of the internet. Your ISP's DNS server receives a query for every single domain you visit. By logging these queries, your ISP builds a detailed record of your browsing activity: which news sites you read, which social platforms you use, what time you go to bed.
A DNS leak occurs when your DNS queries are sent to your ISP's servers instead of your VPN's DNS servers — even though your VPN is connected and your IP address is hidden. Your real browsing destinations are exposed to your ISP even though you believe you're protected.
Key point: A VPN that leaks DNS is hiding your IP address but not your browsing history. Your ISP can still see every domain you visit, even if they can't see the exact pages.
Why DNS leaks happen
DNS leaks are more common than most people realise. Several technical factors can cause them:
1. Operating system DNS bypass
Windows 10 and 11 have a feature called Smart Multi-Homed Name Resolution that sends DNS queries to multiple resolvers simultaneously — including your ISP's — to speed up lookups. VPNs that don't explicitly block this behaviour will leak DNS regardless of how securely the tunnel itself is configured.
2. IPv6 DNS requests
Most VPNs tunnel IPv4 traffic but leave IPv6 handling incomplete. If your ISP has assigned you an IPv6 address and your VPN doesn't route IPv6 through the tunnel, DNS lookups over IPv6 go directly to your ISP's resolver. This is sometimes called an IPv6 DNS leak.
3. Misconfigured split tunnelling
Split tunnelling lets you route some apps through the VPN and others through your regular connection. If DNS routing isn't configured correctly alongside split tunnelling, the apps using your regular connection will leak DNS to your ISP.
4. VPN connection drops
When a VPN connection drops momentarily, your device falls back to your default DNS settings — your ISP's servers — until the VPN reconnects. A VPN kill switch prevents new traffic from going out during this gap, but some implementations don't include DNS in that protection.
5. Manually configured third-party DNS
If you've set a public DNS resolver (like 8.8.8.8 or 1.1.1.1) in your operating system's network settings, some VPN clients will respect that manual override and route DNS outside the tunnel. Those queries then go directly to the configured resolver without VPN encryption.
How to run a DNS leak test
Testing for a DNS leak is straightforward and takes under 60 seconds:
- Connect your VPN and wait for it to confirm a successful connection.
- Run the DNS leak test on our homepage — it checks which DNS servers are handling your queries and whether they match your VPN provider or your ISP.
- Check the results. You should see DNS servers that belong to your VPN provider, not your home ISP. If you see your ISP's DNS servers listed, you have a leak.
- Run a second test with an extended check to catch intermittent leaks that only appear on some queries.
How to stop DNS leaks
Use a VPN with built-in DNS leak protection
The most reliable fix is using a VPN that routes all DNS queries through its own encrypted DNS servers and explicitly blocks system-level DNS bypass. NordVPN, Mullvad, and ProtonVPN all offer DNS leak protection by default — no manual configuration needed.
Disable Smart Multi-Homed Name Resolution (Windows)
On Windows, you can disable the DNS bypass feature via Group Policy:
- Press Win + R, type gpedit.msc, press Enter
- Navigate to Computer Configuration → Administrative Templates → Network → DNS Client
- Find Turn off smart multi-homed name resolution and set it to Enabled
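The Group Policy editor is not included in Windows Home editions, so the same setting can be applied by writing the registry value this policy maps to. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session.

```powershell
# Added example: apply "Turn off smart multi-homed name resolution" = Enabled
# by writing the policy's registry value. Run from an elevated PowerShell.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$name = 'DisableSmartNameResolution'

# Create the policy key if no DNS Client policy has been set before.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# 1 = policy Enabled, i.e. smart multi-homed name resolution is turned off.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a failed write is not silently ignored.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne 1) { throw "Policy value not applied: $name = $current" }

# Drop answers cached before the change; a reboot guarantees the
# DNS Client service picks up the new policy.
Clear-DnsClientCache
"{0} = {1}" -f $name, $current
```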
Force your DNS to a privacy-respecting resolver
If you use a VPN that doesn't manage DNS itself, configure a trusted public resolver in your operating system's network settings. Cloudflare's 1.1.1.1 and Quad9's 9.9.9.9 both offer no-logging DNS and support DNS over HTTPS (DoH) and DNS over TLS (DoT) for encrypted queries.
Enable your VPN's kill switch
A kill switch cuts your internet connection if the VPN drops, preventing your device from falling back to unencrypted DNS. Most major VPN clients offer this in their settings — enable it and keep it on.
Disable IPv6 if your VPN doesn't tunnel it
If your VPN client doesn't explicitly handle IPv6, the safest option is to disable IPv6 on your network adapter until your VPN adds support. On Windows: Control Panel → Network Adapter Properties → uncheck Internet Protocol Version 6.
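To see which of the Windows settings above still apply on a machine, the following read-only audit reports the smart multi-homed policy state, the IPv6 binding, and the configured resolvers for each connected adapter. It is an added example, not part of the original article; `$VpnAlias` is a hypothetical adapter name that must be changed to match your VPN client.

```powershell
# Added example: read-only audit of the Windows settings discussed above.
# Assumption: $VpnAlias is your VPN adapter's name as listed by Get-NetAdapter.
$VpnAlias = 'MyVPN'   # hypothetical name, change to match your VPN client

# 1. Smart multi-homed name resolution: policy value 1 means it is turned off.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$pol = Get-ItemProperty -Path $polKey -Name 'DisableSmartNameResolution' -ErrorAction SilentlyContinue
$smartOff = ($null -ne $pol) -and ($pol.DisableSmartNameResolution -eq 1)

# 2. For every connected adapter: is IPv6 bound, and which resolvers are set?
#    fec0:0:0:ffff::1-3 are Windows' placeholder IPv6 resolvers, so they are skipped.
$report = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $v6  = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    $dns = Get-DnsClientServerAddress -InterfaceAlias $nic.Name -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ -notlike 'fec0:0:0:ffff::*' } |
        Sort-Object -Unique
    [pscustomobject]@{
        Adapter    = $nic.Name
        IsVpn      = $nic.Name -eq $VpnAlias
        IPv6Bound  = [bool]$v6.Enabled
        DnsServers = $dns -join ', '
    }
}

# 3. Turn the raw state into findings to review.
$findings = @()
if (-not $smartOff) { $findings += 'Smart multi-homed name resolution is not disabled by policy.' }
if (-not ($report | Where-Object IsVpn)) { $findings += "No connected adapter named '$VpnAlias'; is the VPN up?" }
foreach ($r in $report | Where-Object { -not $_.IsVpn }) {
    if ($r.IPv6Bound)  { $findings += "$($r.Adapter): IPv6 is bound; confirm the VPN tunnels or blocks it." }
    if ($r.DnsServers) { $findings += "$($r.Adapter): resolvers set on a non-VPN adapter: $($r.DnsServers)" }
}

$report | Format-Table -AutoSize | Out-String
if ($findings) { $findings } else { 'No findings.' }
```

A finding is a prompt to check the result of a leak test, not proof of a leak, since a VPN client may block those paths at the firewall. The command-line equivalent of unchecking the IPv6 box on a flagged adapter is `Disable-NetAdapterBinding -Name '<adapter>' -ComponentID ms_tcpip6` from an elevated prompt.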
DNS resolver options compared
| Resolver | Operator | Logs queries? | Encrypted? |
|---|---|---|---|
| ISP default | Your ISP | Yes | No (plain UDP) |
| 8.8.8.8 | Google | Limited (24h) | DoH / DoT |
| 1.1.1.1 | Cloudflare | No (audited) | DoH / DoT |
| 9.9.9.9 | Quad9 | No | DoH / DoT |
| VPN DNS | Your VPN provider | No (no-logs VPNs) | Yes (VPN tunnel) |
Common questions
Is a DNS leak the same as a VPN leak?
Not exactly. A VPN leak is a broad term that includes any unintended exposure of your real IP address or browsing activity. A DNS leak is one type of VPN leak where DNS queries specifically escape the VPN tunnel. Other types include WebRTC leaks (which can expose your real IP via browser APIs) and IPv6 leaks.
Can a DNS leak reveal my physical location?
Not directly. A DNS leak tells your ISP which domains you're visiting — not your GPS coordinates. However, because DNS queries go through your ISP's local servers, the leak does confirm you're using that ISP, which is associated with your account and billing address. Combined with other data, this can be used to identify you.
Does using HTTPS protect me if I have a DNS leak?
Partially. HTTPS encrypts the content of your web traffic so your ISP can't read the pages you're viewing. But DNS queries happen before the HTTPS connection is established — the DNS lookup itself is plaintext by default. So even with HTTPS, a DNS leak reveals which domains you're connecting to. Only DNS over HTTPS (DoH) or a properly configured VPN prevents this.
Does a free VPN protect against DNS leaks?
Many free VPNs do not implement DNS leak protection at all, meaning your DNS queries bypass the VPN tunnel entirely. Some free VPNs route DNS through their own servers but log all queries — trading ISP surveillance for the VPN provider's surveillance. For genuine DNS privacy, a paid no-logs VPN with independently audited DNS handling is the reliable option.