You've set up a VPN, your IP address shows a server in another country, and you feel protected. But there's a quieter privacy problem that many VPN users never think about — DNS leaks. A DNS leak can expose every website you visit to your internet provider even while your VPN is running, completely silently.

What is DNS?

DNS stands for Domain Name System. It's essentially the phone book of the internet. When you type a URL like example.com into your browser, your device needs to translate that human-readable name into an IP address — a numerical address that computers actually use to communicate. That translation request is called a DNS query.

By default, DNS queries are handled by your Internet Service Provider's servers. This means your ISP has a record of every domain name you look up — which is effectively a log of every website you visit, even if you're using HTTPS and the content itself is encrypted.

What is a DNS leak?

When you connect to a VPN, all of your internet traffic — including DNS queries — is supposed to pass through the VPN's encrypted tunnel and use the VPN's own DNS servers. If everything is working correctly, your ISP sees only that you're connected to a VPN, with no visibility into which websites you're visiting.

A DNS leak happens when DNS queries bypass the encrypted tunnel and travel directly to your ISP's DNS servers as if no VPN were active. Your IP address might be masked, but your ISP is still receiving a list of every domain you query. For many people using a VPN for privacy, this is a fundamental failure of the tool they're relying on.

Why this happens: Many operating systems have built-in DNS handling that can override VPN settings. Windows, in particular, has a feature called Smart Multi-Homed Name Resolution that sends DNS queries to multiple resolvers simultaneously for speed — including your ISP's resolver, bypassing the VPN entirely.

Why DNS leaks matter

At first glance, a DNS leak might seem like a minor technical detail. In practice, it can undermine the entire reason you're using a VPN. Your ISP can see every domain you visit. Depending on where you live, ISPs may be required to store this data and share it with authorities on request. In some countries, ISPs actively sell browsing data to advertisers. Even in regions with stronger protections, ISP employees and network administrators can access this data.

If you're using a VPN to keep your browsing private from your ISP, a DNS leak means your VPN is not achieving that goal, even though everything appears to be working normally.

How to test for a DNS leak

Testing for a DNS leak is straightforward. While connected to your VPN, visit a DNS leak test site such as dnsleaktest.com or ipleak.net. These sites have your browser look up a set of unique test hostnames and then display which DNS servers carried out those lookups.

If the results show DNS servers belonging to your ISP — or servers in your actual country when your VPN is set to connect elsewhere — you have a DNS leak. The results should show only your VPN provider's DNS servers, or at least servers that match the VPN server location you've chosen.

You can also use our My IP tool to check your detected ISP. If it shows your real internet provider rather than the VPN provider, DNS may be leaking even if your IP appears changed.
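A local cross-check for the browser-based tests above, as an added example that is not part of the original article: it scans captured DNS traffic for queries that left the machine on any interface other than the VPN tunnel. The tunnel interface names (tun0, wg0), the tcpdump line format and the sample capture are assumptions; the sample lines are constructed.

```python
import re

# Assumed line format: `tcpdump -i any -n udp port 53` on Linux, where recent
# tcpdump releases print the interface name and In/Out before each packet.
QUERY_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP6?\s+\S+\s+>\s+"
    r"(?P<dst>\S+?):\s+\d+[+%*-]*\s+(?:\[[^\]]*\]\s+)?\w+\?\s+(?P<name>\S+)"
)

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
10:15:01.100210 lo    In  IP 127.0.0.1.40001 > 127.0.0.53.53: 4660+ [1au] A? example.com. (40)
10:15:01.100532 tun0  Out IP 10.8.0.2.51234 > 10.8.0.1.53: 4661+ [1au] A? example.com. (40)
10:15:01.100611 wlan0 Out IP 192.168.1.23.51235 > 192.168.1.1.53: 4662+ A? example.com. (29)
10:15:01.131876 wlan0 In  IP 192.168.1.1.53 > 192.168.1.23.51235: 4662 1/0/0 A 192.0.2.10 (45)
10:15:02.200145 wlan0 Out IP6 fe80::1234.51236 > 2001:db8::53.53: 4663+ AAAA? intranet.example.org. (38)
10:15:03.000000 wlan0 Out IP 192.168.1.23.49152 > 203.0.113.5.51820: UDP, length 148
"""


def find_leaks(lines, tunnel_ifaces=("tun0", "wg0")):
    """Return (interface, resolver, domain) for each plaintext DNS query
    that was sent out on an interface other than the VPN tunnel."""
    leaks = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["dir"] != "Out":
            continue  # not an outgoing DNS question (response, other UDP)
        resolver, _, port = m["dst"].rpartition(".")  # tcpdump writes addr.port
        if port != "53":
            continue
        if m["iface"] == "lo" or m["iface"] in tunnel_ifaces:
            continue  # local stub resolver or inside the tunnel: not a leak
        leaks.append((m["iface"], resolver, m["name"].rstrip(".")))
    return leaks


if __name__ == "__main__":
    for iface, resolver, name in find_leaks(SAMPLE.splitlines()):
        print(f"LEAK via {iface}: {name} -> resolver {resolver}")
```

This only sees unencrypted DNS on port 53; lookups made over DNS-over-HTTPS do not appear in such a capture.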

How to fix a DNS leak

The right fix depends on where the leak is coming from. Start with the simplest option and work down the list.

1. Enable DNS leak protection in your VPN app. Most reputable VPN clients include a DNS leak protection setting. It's often disabled by default. Check your VPN's settings panel — look for options labelled "DNS leak protection," "private DNS," or "prevent DNS leaks." Enable it and retest.

2. Configure your VPN to use its own DNS servers. If your VPN client allows manual DNS configuration, set it to use the VPN provider's own DNS servers. This prevents your operating system from falling back to your ISP's resolvers.

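3. Use a trusted third-party DNS. Setting your system or router to use Cloudflare's DNS (1.1.1.1) or Google's DNS (8.8.8.8) instead of your ISP's resolver reduces the exposure even without a VPN, and can help prevent leaks when combined with VPN use. Keep in mind that ordinary DNS to these resolvers is unencrypted, so a query that travels outside the VPN tunnel can still be read on your ISP's network even though it never reaches the ISP's own resolver.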

4. Enable DNS-over-HTTPS (DoH) in your browser. Firefox and Chrome both support DoH, which encrypts DNS queries at the browser level. This won't fully solve a VPN DNS leak, but it adds an additional layer of protection for browser traffic specifically.

5. Disable Smart Multi-Homed Name Resolution on Windows. On Windows 10 and 11, this feature can cause DNS queries to bypass VPN tunnels. You can disable it via Group Policy (Local Computer Policy → Administrative Templates → Network → DNS Client → Turn off smart multi-homed name resolution) or by using a registry edit. Some VPN clients do this automatically when DNS leak protection is enabled.

If you can't fix the leak: Consider switching to a VPN provider that handles DNS leak prevention automatically and has been independently audited for this. Some providers, including ProtonVPN and Mullvad, run their own DNS infrastructure and build leak prevention into their clients by default.

Key takeaways

A DNS leak is one of the most common ways a VPN fails quietly. Your IP address can be successfully hidden while your ISP still sees every domain you visit. Testing for DNS leaks takes less than a minute and should be part of your VPN setup routine. If you find a leak, start with your VPN's built-in settings before moving on to manual fixes. And if you're using a VPN specifically for privacy, make sure DNS leak protection is confirmed to be working — not just assumed.
