DNS Leak Test
Check if your DNS requests escape your VPN tunnel — tested against 6 independent resolvers. 100% client-side. No data sent to our servers.
What Is a DNS Leak?
Every time you visit a website, your device first asks a DNS server to translate the domain name into an IP address. With a VPN, that DNS query should travel through the encrypted tunnel — invisible to your ISP. A DNS leak means those queries bypass the tunnel entirely.
Without leak protection
Your ISP sees every domain you visit, even with VPN active. Ad networks can profile you by browsing history. Government agencies can monitor DNS logs.
With proper DNS protection
DNS queries travel through the VPN tunnel. Your ISP only sees encrypted traffic to the VPN server. Domain-level browsing history is hidden.
Why this matters: Even if your VPN encrypts web traffic, a DNS leak tells your ISP exactly which websites you visit. The encrypted connection becomes useless if the domain lookup reveals your intent.
Why DNS Leaks Happen
DNS leaks are surprisingly common and often caused by OS-level behavior that VPN clients fail to override.
IPv6 Bypass
Most VPNs only tunnel IPv4 traffic. If your ISP assigned you an IPv6 address, DNS queries over IPv6 bypass the tunnel entirely and go directly to your ISP.
Windows Smart Multi-Homing
Windows sends DNS queries to all available network interfaces simultaneously for speed. This means queries reach your ISP's DNS servers alongside your VPN's, leaking domains.
Split Tunneling
VPNs with split tunneling route some apps outside the tunnel. Any app excluded from tunneling also leaks its DNS queries through your regular ISP connection.
WebRTC DNS Leak
Browsers use WebRTC for peer-to-peer connections and can expose your real DNS resolver even when a VPN is active. Disable WebRTC in Firefox or use browser extensions.
VPN Kill Switch Failure
If your VPN drops momentarily (server switch, network change), traffic reverts to your ISP connection. Without a kill switch, this window leaks both DNS and web traffic.
How to Fix a DNS Leak
Fix order: VPN settings first, then OS-level changes, then manual DNS override.
Any VPN
- •Enable "DNS leak protection" in VPN settings
- •Enable kill switch to block traffic if VPN drops
- •Disable split tunneling (or audit which apps are excluded)
- •Check VPN uses its own DNS servers, not system default
Windows
- •Disable "Smart Multi-Homing" via Group Policy
- •Set DNS to only use VPN adapter in Network Settings
- •Disable IPv6 on all network adapters not in the VPN tunnel
- •Run netsh to flush DNS cache after changes
macOS / Linux
- •Set DNS servers to 1.1.1.1 or 9.9.9.9 manually
- •Disable IPv6 in Network Preferences if VPN doesn't support it
- •Use a VPN app with built-in DNS over HTTPS (DoH)
- •Verify DNS with this tool after every network change
Router-Level
- •Flash router with OpenWRT or DD-WRT
- •Configure VPN directly on router — protects all devices
- •Set router DNS to VPN provider's DNS servers
- •Block ISP DNS servers via firewall rule on the router
DNS-over-HTTPS vs DNS-over-TLS
Encrypted DNS protocols hide your queries from ISPs even without a VPN, but each has different tradeoffs.
DNS-over-HTTPS (DoH)
Port 443+Blends with normal HTTPS traffic — hard to block
+Supported by all major browsers natively
+Works behind restrictive firewalls
−DNS provider can still log queries
−Harder for network admins to inspect
−Slightly higher latency than plain DNS
DNS-over-TLS (DoT)
Port 853+Dedicated port makes it easier to monitor/block
+Cleaner separation from web traffic
+Supported at OS level (Android, Linux)
−Easily blocked by firewalls on port 853
−Less browser-native support than DoH
−Not always supported by VPN clients
Frequently Asked Questions
Also check your IP address and browser fingerprint — DNS is only one piece of the privacy puzzle.