A DNS leak is a privacy vulnerability where your DNS queries (the requests that translate domain names like example.com into IP addresses) bypass the VPN tunnel and reach your ISP's DNS servers instead of the VPN's. Your ISP can then see every domain you look up, even though you thought you were protected.
Why DNS Leaks Happen
- OS DNS settings override the VPN - Windows in particular has a feature called "Smart Multi-Homed Name Resolution" that can send DNS queries out over every network interface in parallel, not only the VPN tunnel.
- DHCP pushes ISP DNS - Some routers push their own (usually ISP) DNS servers via DHCP, and the OS may keep using them even while the VPN is active.
- Split tunneling misconfiguration - If split tunneling is on, DNS queries for apps excluded from the VPN may bypass the tunnel.
- VPN software bug - Poorly coded VPN clients may fail to redirect DNS queries into the tunnel.
What a DNS Leak Exposes
Every domain you visit (google.com, your-bank.com, news-site.com) is sent as a DNS query before your browser can connect. A DNS leak hands this list to your ISP, who can:
- Build a profile of every site you visit
- Sell this data to advertisers (in jurisdictions where this is legal)
- Comply with government requests for your browsing history
How to Fix a DNS Leak
- Use our VPN Leak Test to confirm a DNS leak exists.
- In your VPN app settings, enable "DNS leak protection" or "private DNS".
- Manually set your DNS servers to your VPN provider's DNS or a privacy-friendly public DNS like 1.1.1.1 (Cloudflare) inside the VPN tunnel.
- On Windows, disable Smart Multi-Homed Name Resolution via Group Policy.
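A local audit that covers steps 2 to 4 on Windows, written as an added example for this page rather than code from any VPN vendor. It assumes the VPN's resolver address(es) in $VpnDns and the tunnel adapter's name pattern in $TunnelAliasPattern; both are placeholders to adjust for your provider. The registry value it checks is the one set by the "Turn off smart multi-homed name resolution" Group Policy.

```powershell
# Added example: audit a Windows host for DNS leak conditions while the VPN is connected.
$VpnDns = @('10.8.0.1')                       # assumed: resolver(s) the tunnel should use
$TunnelAliasPattern = 'VPN|TAP|tun|WireGuard' # assumed: how the tunnel adapter is named

$findings = @()

# 1. Which DNS servers is each connected interface configured to use?
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($a in $adapters) {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4).ServerAddresses
    $isTunnel = $a.InterfaceAlias -match $TunnelAliasPattern
    foreach ($server in $dns) {
        if (-not $isTunnel) {
            # A physical adapter still carrying a resolver: with Smart Multi-Homed Name
            # Resolution enabled, Windows can query it in parallel with the tunnel resolver.
            $findings += "Non-tunnel adapter '$($a.InterfaceAlias)' has DNS server $server (likely DHCP/ISP-assigned)"
        } elseif ($VpnDns -notcontains $server) {
            $findings += "Tunnel adapter '$($a.InterfaceAlias)' uses unexpected DNS server $server"
        }
    }
}

# 2. Is the "Turn off smart multi-homed name resolution" policy applied?
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$smhnrOff = (Get-ItemProperty -Path $policyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue).DisableSmartNameResolution
if ($smhnrOff -ne 1) {
    $findings += 'Smart Multi-Homed Name Resolution is not disabled by policy (DisableSmartNameResolution is not 1)'
}

# 3. Report what would need fixing.
if ($findings.Count -eq 0) {
    Write-Output 'No DNS leak conditions found in local configuration.'
} else {
    Write-Output 'Potential DNS leak conditions:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

This only inspects the local configuration; an external leak test (step 1) is still what confirms which resolver actually answers your queries.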
People Also Ask
- What exactly is a DNS leak?
- It is when your DNS lookups travel outside the VPN tunnel to your ISP's servers, revealing which websites you are visiting even while the VPN is connected.
- Is a DNS leak test legit?
- Yes, DNS leak testing tools like our VPN Leak Test simply check which DNS servers your device is using and compare them to what they should be when using a VPN.