DNS Leaks: What They Are, How to Test, and What They Reveal
A DNS leak happens when your device asks an outside resolver (usually your ISP) to translate a domain into an IP, even though a VPN is supposed to carry that lookup inside its encrypted tunnel. The leak does not expose the page content, but it does reveal every domain you visit. Common causes include IPv6 fallback, Windows split routing, and browser-level DNS-over-HTTPS. Three free tests confirm the problem in under a minute, and a handful of settings (kill switch, IPv6 off, forced VPN resolver) usually fix it for good.
A DNS leak is the quiet failure mode of a VPN. The encrypted tunnel works, your apparent IP changes, your traffic looks scrambled to an outside observer, and yet a parallel stream of name-resolution queries keeps flowing to your internet provider in plain text. Every visited domain is logged there, complete with timestamp. The protection many users assume they bought is partially undone before the first packet of real data ever leaves the machine.
What DNS actually does
Before any HTTP request, video stream, or game session, your operating system needs to convert a hostname like example.com into a numerical IP address. That job belongs to the Domain Name System, defined in RFC 1035 back in 1987 and refined many times since. The lookup is short, usually a few hundred bytes, but it precedes everything else. If that lookup is sent to your ISP, the ISP knows you went to that domain even if it never sees the page itself.
The default resolver on a fresh Windows, macOS, or Android install is whatever DHCP handed out, which on home networks is almost always the ISP. Corporate networks override this with internal resolvers. Public alternatives like Cloudflare's 1.1.1.1 or Quad9's 9.9.9.9 are opt-in. None of this is encrypted by default unless the user enables DNS-over-HTTPS or DNS-over-TLS, and even then the choice of resolver still reveals the destination to whoever runs it.
How a VPN is supposed to handle DNS
When a properly configured VPN connects, it does three things at once: it builds the encrypted tunnel to the remote server, it changes the system route table so all traffic goes through that tunnel, and it pushes a new DNS resolver address (operated by the VPN provider) to the OS. From that moment, name lookups should travel inside the tunnel to the VPN's own resolver, get answered there, and come back encrypted. Your ISP sees only encrypted bytes and the IP of the VPN gateway. For the mechanics of the tunnel itself, see how VPN encryption works.
How the leak happens anyway
Several real-world conditions cause the system to ignore the VPN resolver and reach out to the ISP instead. The most common cases:
- IPv6 fallback. The VPN tunnels IPv4 but the OS still has a native IPv6 address. DNS queries for AAAA records can travel outside the tunnel to the ISP's IPv6 resolver. See the IPv4 vs IPv6 differences for why this dual stack exists.
- Windows split routing. Versions of Windows 10 and 11 query all configured resolvers in parallel and accept the fastest reply, even if one of those resolvers is on the physical LAN adapter.
- Teredo and other transition tunnels. Microsoft's Teredo wraps IPv6 inside IPv4 UDP. It can route DNS queries to Microsoft-hosted relays that bypass the VPN entirely.
- Browser-level DNS-over-HTTPS. Firefox and Chrome can be configured to resolve domains via Cloudflare or NextDNS inside the browser. That DoH connection follows the system route, but if the browser is set to use a hardcoded resolver and the VPN does not intercept the HTTPS connection, the resolver still learns every domain.
- Captive-portal pre-connection lookups. Hotel and airport networks force a portal page before granting full access. The OS makes DNS queries to detect connectivity before the VPN tunnel is up.
How to test for a DNS leak
Three independent tests cover the main vectors. Run them in the browser you actually use, with the VPN active, after closing other apps:
- Visit dnsleaktest.com and run the extended test. It triggers dozens of unique subdomain lookups and reports which resolvers answered. All entries should belong to the VPN provider, not your ISP.
- Visit browserleaks.com/dns for a one-shot view that also flags WebRTC-side queries.
- Visit ipleak.net, which combines IPv4, IPv6, DNS, and WebRTC checks in a single page.
If any resolver IP traces back to your ISP, the city you actually live in, or the ASN of your home connection, the leak is real. Cross-reference the resolver IP with the geolocation reports covered in our IP geolocation accuracy guide.
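The same judgement the test sites make (did the lookup reach the VPN resolver through the tunnel, or something else?) can be applied to a packet capture taken on the host. The following is an added example, not code from the article or from any VPN vendor: the tunnel name, resolver addresses and sample records are constructed assumptions, so substitute your own provider's resolver and interface before using it.

```python
"""Audit captured DNS egress against the path a VPN should enforce (added example)."""
from collections import Counter, defaultdict
from ipaddress import ip_address

# Each record is (interface, dst_ip, dst_port, qname), the fields you would pull from a
# capture such as `tcpdump -ni any port 53 or port 443` taken while the VPN is connected.
TUNNEL_IFACE = "tun0"                              # assumed VPN tunnel interface
VPN_RESOLVERS = {"10.8.0.1"}                       # assumed resolver pushed by the VPN
ISP_RESOLVERS = {"203.0.113.53", "2001:db8::53"}   # constructed stand-ins (documentation ranges)
DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1"}             # public DoH resolvers a browser may hardcode
TUNNELS_IPV6 = False                               # set True if your VPN carries IPv6 too

def classify(record):
    """Return None when the lookup stayed inside the tunnel, else a leak label."""
    iface, dst, port, _qname = record
    if iface == TUNNEL_IFACE and dst in VPN_RESOLVERS:
        return None
    if dst in VPN_RESOLVERS:
        return "tunnel-down"          # right resolver, wrong path: a kill switch should block this
    if ip_address(dst).version == 6 and not TUNNELS_IPV6:
        return "ipv6-fallback"        # lookup escaped over the native IPv6 stack
    if port == 443 and dst in DOH_ENDPOINTS:
        return "browser-doh"          # hardcoded browser resolver learns the domain regardless
    if dst in ISP_RESOLVERS:
        return "split-dns-to-isp"     # physical adapter's resolver answered in parallel
    return "unexpected-resolver"

def audit(records):
    """Count leaks by type and list names sent both to the VPN resolver and elsewhere."""
    labels, leaked_names, resolvers_by_name = Counter(), set(), defaultdict(set)
    for rec in records:
        resolvers_by_name[rec[3]].add(rec[1])
        label = classify(rec)
        if label:
            labels[label] += 1
            leaked_names.add(rec[3])
    parallel = sorted(n for n, r in resolvers_by_name.items()
                      if r & VPN_RESOLVERS and r - VPN_RESOLVERS)
    return {"leaks": dict(labels), "leaked_names": sorted(leaked_names), "parallel": parallel}

# Constructed capture from a dual-stack Windows host with browser DoH enabled.
SAMPLE = [
    ("tun0", "10.8.0.1", 53, "example.com"),
    ("eth0", "203.0.113.53", 53, "example.com"),       # parallel query to the ISP resolver
    ("eth0", "2001:db8::53", 53, "video.example.net"),  # AAAA lookup via native IPv6
    ("eth0", "1.1.1.1", 443, "news.example.org"),       # browser DoH with a hardcoded resolver
    ("tun0", "10.8.0.1", 53, "mail.example.com"),
    ("eth0", "10.8.0.1", 53, "mail.example.com"),       # tunnel dropped, no kill switch
]
```

Calling audit(SAMPLE) reports one leak of each kind and flags example.com as a name that went to both the VPN resolver and the ISP, which is the Windows parallel-query signature described above.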
Quick reference: leak source and fix
| Leak source | Operating system affected | Fix | Where to apply |
|---|---|---|---|
| IPv6 fallback | Windows, macOS, Linux | Disable IPv6 on the active interface or use a VPN that tunnels IPv6 | Network adapter settings |
| Windows split DNS | Windows 10, 11 | Set the VPN adapter metric to lowest value, or enable provider's "force DNS" option | VPN client |
| Teredo tunnel | Windows | Run netsh interface teredo set state disabled in elevated CMD | Command prompt |
| Browser DoH | All | Disable browser-level DoH or point it at the VPN's resolver | Browser network settings |
| Captive-portal pre-flight | All | Connect to portal first, then activate VPN with kill switch armed | Connection workflow |
| App-specific hardcoded resolver | All | Block outbound UDP/TCP 53 except to VPN resolver via firewall | OS firewall |
| Smart TV or console on same network | N/A | Configure VPN at router level | Router firmware |
How to fix a DNS leak for good
The single most effective setting is the VPN's kill switch, which blocks all non-tunnel traffic the moment the tunnel drops. A good kill switch also blocks DNS to anything except the VPN resolver, which closes the IPv6 and split-routing windows in one step. Pair it with these:
- Turn off IPv6 on the physical adapter if your VPN does not advertise full IPv6 support.
- Set DNS manually in the VPN client to the provider's resolver (most providers publish it).
- Disable browser-level DoH unless you have verified that it routes through the tunnel.
- On Windows, set the VPN adapter to have the lowest interface metric so it wins the DNS race.
- On routers, point the WAN DNS to a privacy-friendly resolver like 9.9.9.9 or 1.1.1.1 as a secondary defense.
What the leak does not reveal
A DNS leak shows the domains you visit, not the URLs, not the page contents, not the form data. HTTPS continues to encrypt the actual session even if the lookup leaks. That distinction matters because some panic-grade articles imply the entire VPN is useless once a leak is found. The tunnel still protects payload confidentiality. What the leak undoes is the privacy of your browsing history. For users whose threat model is targeted advertising, ISP profiling, or jurisdictions with retention laws, that is the entire point of using a VPN in the first place. For a broader view of what your IP and DNS together expose, see what your IP says about you.
Operator and journalist considerations
For users with elevated threat models (investigative reporters, activists, security researchers), DNS leak prevention is non-negotiable but still only one layer. WebRTC, browser fingerprinting, account login correlation, and traffic-shape analysis can each unmask a session independently. The EFF's anonymity resources cover the wider picture. Pair a leak-free VPN with a hardened browser profile, and treat any failed DNS test as a stop-work condition.
One last test pattern
After applying fixes, repeat all three tests in a fresh private window with cache cleared. Then disconnect the VPN, repeat the tests, and confirm the ISP resolver shows up: this proves the test is actually detecting what you think it is. Reconnect, retest one more time, and the resolver list should flip cleanly to the VPN provider. If it does not, the configuration is half-applied and the next browsing session will leak again.
Frequently asked questions
Is a DNS leak the same as an IP leak?
No. A DNS leak reveals the domains you look up to an outside resolver, usually your ISP. An IP leak reveals your real public IP to the destination server, typically through WebRTC or a misconfigured tunnel. Both are privacy failures, both happen behind a working VPN, and both should be tested separately. A test page like ipleak.net checks for them in parallel, but the fixes differ. DNS leaks are sealed at the OS or VPN client; IP leaks at the browser.
Does HTTPS protect me if my DNS leaks?
HTTPS still encrypts the contents of every page you visit, including form data, passwords, and cookies. What HTTPS cannot hide is the destination domain, because the DNS lookup happened before the encrypted session opened. So an ISP with leaked DNS knows you visited mybank.example but not what you did there. For many threat models that is still a meaningful privacy loss, especially in countries with mandatory traffic retention or aggressive advertising profiling.
Will disabling IPv6 break my internet?
On the vast majority of consumer connections, no. Most websites and apps fall back to IPv4 without any noticeable difference. The exceptions are mobile carriers that run IPv6-only cores with NAT64 translation, and some corporate networks. If you disable IPv6 and notice that specific services stop working (some video streaming, some VoIP), re-enable it and instead use a VPN that explicitly tunnels IPv6. Most major commercial VPNs added full IPv6 support between 2023 and 2025.