DNS Leak: What It Is, How to Test and Fix
You connected to a VPN and think you're anonymous — but DNS queries still go to your ISP. That's a DNS leak. Even with an encrypted tunnel, your provider (or any observer) can see which domains you visit. This guide shows how to detect and fix leaks on every major platform.
What a DNS leak is
With a VPN, all traffic should traverse the tunnel. If the OS or an application sends DNS queries outside the tunnel — straight to the ISP resolver — that's a leak. The contents of the query (the domain name) become visible.
Why it matters
- Your ISP sees the list of domains you visit.
- It defeats the purpose of using a VPN for privacy.
- In censored networks, DNS-level blocks still apply.
- Fingerprinting: a DNS leak is a tell-tale sign of VPN use to deep-packet-inspection systems.
Leak categories
- IPv6 leak: VPN tunnels IPv4 only; IPv6 bypasses it. Very common.
- WebRTC leak: Browser STUN requests reveal the real IP.
- OS DNS leak: OS ignores the VPN's DNS setting and uses its own resolver.
- Smart Multi-Homed Name Resolution (Windows): Windows queries all network interfaces in parallel and accepts the first answer.
How to test
Online services
- dnsleaktest.com — canonical test, includes an extended test with 6 queries.
- browserleaks.com/dns — detailed breakdown.
- ipleak.net — IPv4, IPv6, DNS, WebRTC at once.
In addition, use Enterno.io IP Geolocation to see your current public IP for comparison.
Via dig
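# which resolver is configured on the OS
cat /etc/resolv.conf   # Linux / macOS
ipconfig /all          # Windows
# your public IP as seen by OpenDNS (with the VPN up, this should be the VPN exit IP)
dig +short myip.opendns.com @208.67.222.222
# the resolver IP that the authoritative server sees (it should not belong to your ISP)
dig +short whoami.akamai.net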
Windows diagnostics
Windows 10/11 uses Smart Multi-Homed Name Resolution, parallelising DNS queries across all interfaces. That's a common leak source.
# Disable SMHNR
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
macOS diagnostics
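macOS usually handles VPN DNS correctly. To check which resolvers are in use, and to force the VPN resolvers if they are not:
# show the current resolver configuration
scutil --dns
# to force VPN resolvers, set them manually via System Preferences, Network, DNS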
Linux diagnostics
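# show the DNS servers in use, per link
resolvectl status
cat /etc/resolv.conf
# pin the tunnel link to the VPN resolver
sudo resolvectl dns tun0 10.8.0.1
# "~." routes lookups for all domains through the tunnel link
sudo resolvectl domain tun0 "~."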
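The resolv.conf check above can be automated. This is an added example, not part of the original guide: it flags every configured resolver that is not the tunnel resolver, including IPv6 ones. The 10.8.0.1 address comes from this page's configs; the function names and the sample file content are constructed for illustration.

```python
import ipaddress

# Assumption: 10.8.0.1 is the tunnel resolver, as in this page's configs.
TUNNEL_RESOLVERS = [ipaddress.ip_network("10.8.0.1/32")]

# Constructed sample resolv.conf content (not captured from a real host).
SAMPLE = """\
# generated by a network manager
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
nameserver 127.0.0.53
search lan
"""

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines, skipping comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id (fe80::1%eth0) before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return servers

def audit(text, allowed=TUNNEL_RESOLVERS):
    """Classify every configured resolver as ok, stub or leak."""
    findings = []
    for addr in parse_nameservers(text):
        if any(addr in net for net in allowed):
            verdict = "ok: tunnel resolver"
        elif addr.is_loopback:
            # e.g. the systemd-resolved stub; upstreams are in resolvectl status
            verdict = "stub: local forwarder, check its upstream resolvers"
        elif addr.version == 6:
            verdict = "leak: IPv6 resolver outside the tunnel"
        else:
            verdict = "leak: resolver outside the tunnel"
        findings.append((str(addr), verdict))
    return findings

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE):
        print(f"{addr:<16} {verdict}")
```

To audit a live host, pass the content of /etc/resolv.conf to `audit()` and extend `TUNNEL_RESOLVERS` with the resolvers your VPN actually assigns.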
Fixes
1. Proper WireGuard / OpenVPN config
# OpenVPN
dhcp-option DNS 10.8.0.1
dhcp-option DOMAIN-ROUTE .
# block-outside-dns takes effect on Windows clients only
block-outside-dns
# WireGuard
[Interface]
DNS = 10.8.0.1
2. Disable IPv6
Many VPNs don't tunnel IPv6. Easiest: disable it until your VPN supports it.
# Linux
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
# macOS
networksetup -setv6off Wi-Fi
# Windows — adapter, properties, uncheck IPv6
3. Enable Kill Switch
Quality VPNs (NordVPN, Mullvad, ProtonVPN) ship a Kill Switch that blocks all traffic when the VPN drops.
4. Disable WebRTC in the browser
Chrome: WebRTC Control extension. Firefox: about:config, media.peerconnection.enabled = false.
5. Force a DNS resolver via DoH / DoT
# Cloudflare WARP
# Firefox, Settings, Network, Enable DNS over HTTPS
Common mistakes
"I'm fine — I tested once"
Leaks can appear after network changes, Wi-Fi/Ethernet switches, VPN restarts. Test regularly and use Kill Switch.
"My VPN protects against leaks by default"
Not all do. Free VPNs and some providers have no built-in protection. Pick a provider with explicit DNS leak protection.
Custom hosts file
/etc/hosts entries override DNS and can create false leak impressions. Audit the file before testing.
FAQ
- How often should I test? After network changes, VPN client updates, OS updates.
- Can you have a DNS leak without a VPN? The term only applies when using a VPN/Tor. Normal browsing doesn't "leak" in that sense.
- Does DoH protect from leaks? DoH hides queries from third parties but doesn't stop VPN bypass. Full protection = VPN + DoH inside the tunnel.
- Which VPNs are leak-proof? Mullvad, ProtonVPN, NordVPN are audited. Client configuration still matters.
Conclusion
DNS leaks are common and often invisible. Test after every config change, enable Kill Switch, block IPv6 where unsupported, and disable WebRTC. For inspecting your own DNS config, use DNS Lookup and IP Geolocation.