DNS Leak Test

Check if your DNS requests escape your VPN tunnel — tested against 6 independent resolvers. 100% client-side. No data sent to our servers.

6 ResolversRandom Subdomain per TestNo Data Stored

What Is a DNS Leak?

Every time you visit a website, your device first asks a DNS server to translate the domain name into an IP address. With a VPN, that DNS query should travel through the encrypted tunnel — invisible to your ISP. A DNS leak means those queries bypass the tunnel entirely.

Without leak protection

Your ISP sees every domain you visit, even with VPN active. Ad networks can profile you by browsing history. Government agencies can monitor DNS logs.

With proper DNS protection

DNS queries travel through the VPN tunnel. Your ISP only sees encrypted traffic to the VPN server. Domain-level browsing history is hidden.

Why this matters: Even if your VPN encrypts web traffic, a DNS leak tells your ISP exactly which websites you visit. The encrypted connection becomes useless if the domain lookup reveals your intent.

Why DNS Leaks Happen

DNS leaks are surprisingly common and often caused by OS-level behavior that VPN clients fail to override.

IPv6 Bypass

Most VPNs only tunnel IPv4 traffic. If your ISP assigned you an IPv6 address, DNS queries over IPv6 bypass the tunnel entirely and go directly to your ISP.

Windows Smart Multi-Homing

Windows sends DNS queries to all available network interfaces simultaneously for speed. This means queries reach your ISP's DNS servers alongside your VPN's, leaking domains.

Split Tunneling

VPNs with split tunneling route some apps outside the tunnel. Any app excluded from tunneling also leaks its DNS queries through your regular ISP connection.

WebRTC DNS Leak

Browsers use WebRTC for peer-to-peer connections and can expose your real DNS resolver even when a VPN is active. Disable WebRTC in Firefox or use browser extensions.

VPN Kill Switch Failure

If your VPN drops momentarily (server switch, network change), traffic reverts to your ISP connection. Without a kill switch, this window leaks both DNS and web traffic.

How to Fix a DNS Leak

Fix order: VPN settings first, then OS-level changes, then manual DNS override.

Any VPN

  • Enable "DNS leak protection" in VPN settings
  • Enable kill switch to block traffic if VPN drops
  • Disable split tunneling (or audit which apps are excluded)
  • Check VPN uses its own DNS servers, not system default

Windows

  • Disable "Smart Multi-Homing" via Group Policy
  • Set DNS to only use VPN adapter in Network Settings
  • Disable IPv6 on all network adapters not in the VPN tunnel
  • Run netsh to flush DNS cache after changes

macOS / Linux

  • Set DNS servers to 1.1.1.1 or 9.9.9.9 manually
  • Disable IPv6 in Network Preferences if VPN doesn't support it
  • Use a VPN app with built-in DNS over HTTPS (DoH)
  • Verify DNS with this tool after every network change

Router-Level

  • Flash router with OpenWRT or DD-WRT
  • Configure VPN directly on router — protects all devices
  • Set router DNS to VPN provider's DNS servers
  • Block ISP DNS servers via firewall rule on the router

DNS-over-HTTPS vs DNS-over-TLS

Encrypted DNS protocols hide your queries from ISPs even without a VPN, but each has different tradeoffs.

DNS-over-HTTPS (DoH)

Port 443

+Blends with normal HTTPS traffic — hard to block

+Supported by all major browsers natively

+Works behind restrictive firewalls

DNS provider can still log queries

Harder for network admins to inspect

Slightly higher latency than plain DNS

DNS-over-TLS (DoT)

Port 853

+Dedicated port makes it easier to monitor/block

+Cleaner separation from web traffic

+Supported at OS level (Android, Linux)

Easily blocked by firewalls on port 853

Less browser-native support than DoH

Not always supported by VPN clients

Frequently Asked Questions

Yes. Without a VPN, all resolvers return IPs from your ISP's DNS servers — consistent results, but unprotected. The test confirms whether your DNS is unified across resolvers or fragmented through multiple paths.

Some public DNS resolvers block random unknown domains for security. "No answer" for our random test subdomain is normal and does not mean a leak. The key is whether the resolving IPs are consistent across all resolvers that do respond.

Not necessarily. If multiple resolvers return different IPs but all IPs belong to your VPN provider's IP range, that's normal (VPN providers use multiple DNS server IPs). A leak is when some IPs belong to your regular ISP and others to the VPN.

Mullvad, ProtonVPN, and IVPN are consistently rated highest for DNS leak protection with verified kill switches and custom DNS infrastructure. Always manually verify with a leak test after connecting to any VPN.

No. Incognito mode only prevents local history storage. DNS queries still flow through your ISP's servers the same way as a normal window. You need a VPN with DNS leak protection, not a browser mode.

Run it after first connecting to a VPN, after any system or VPN client update, after switching VPN servers, and whenever you switch networks. DNS leak protection can silently break after OS updates.

Yes. HTTPS encrypts the content of your web traffic, but the initial DNS lookup happens before the encrypted connection. Your ISP sees the domain name in the DNS query even if they can't read the page content.

A DNS leak exposes which domains you visit (via unencrypted DNS queries). A WebRTC leak exposes your real IP address (via browser peer-to-peer APIs). Both are distinct privacy failures. Test for both independently.

Also check your IP address and browser fingerprint — DNS is only one piece of the privacy puzzle.