
DNS Leak Test: How to Check and Fix a DNS Leak

A DNS leak occurs when your DNS queries (the requests that translate website names like 'google.com' into IP addresses) bypass your VPN and go through your ISP instead. Even though your traffic is encrypted, your ISP can still see which websites you're visiting from the DNS queries. This is a common VPN misconfiguration that undermines your privacy.

What is DNS and why it matters for privacy

Every time you visit a website, your device first asks a DNS server 'what's the IP address for this domain?' By default, your DNS server is your ISP's. Even with a VPN, if DNS queries leak outside the VPN tunnel, your ISP sees every domain you request — which is essentially your complete browsing history.

DNS leaks are the most common VPN privacy failure. A VPN that passes a DNS leak test is hiding your browsing from your ISP. One that fails is exposing your domains despite the VPN connection.

How to test for DNS leaks

  • Connect to your VPN
  • Use your VPN provider's built-in DNS leak test (most have one in their app or support docs)
  • Look at the DNS servers listed: they should be your VPN provider's servers, not your ISP's
  • Check for WebRTC leaks too — see our WebRTC leak guide (/learn/webrtc-leak-explained) for the full test process
  • If you see your ISP's DNS servers while connected to VPN: you have a DNS leak
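On Linux or macOS, the comparison in the third step can be scripted against the system's resolv.conf-style resolver list. This is an added example, not part of the original guide or any VPN provider's tooling; the allowlist uses the two resolver addresses this page quotes, and the sample input and the names parse_nameservers, classify and audit are constructed for illustration.

```python
import ipaddress
import sys

# Assumption: the resolver addresses this page quotes; substitute your provider's.
VPN_RESOLVERS = ("103.86.96.100", "10.64.0.1")

# Constructed sample: one VPN resolver, two documentation-range addresses
# standing in for ISP resolvers (one IPv6), and a local stub listener.
SAMPLE = """\
nameserver 103.86.96.100
nameserver 192.0.2.53
nameserver 2001:db8::53%eth0
nameserver 127.0.0.53
"""

def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            # Drop an IPv6 zone id such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed address
    return [str(ip) for ip in servers]

def classify(addr, allowed=VPN_RESOLVERS):
    """Label one resolver as 'vpn', 'local-stub' or 'leak'."""
    ip = ipaddress.ip_address(addr)
    if ip in {ipaddress.ip_address(a) for a in allowed}:
        return "vpn"
    if ip.is_loopback:
        return "local-stub"  # real upstream is hidden behind a local resolver
    return "leak"  # IPv4 or IPv6 resolver outside the VPN's set

def audit(text, allowed=VPN_RESOLVERS):
    """Return (all verdicts, addresses classified as leaks)."""
    results = [(a, classify(a, allowed)) for a in parse_nameservers(text)]
    return results, [a for a, verdict in results if verdict == "leak"]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results, leaking = audit(text)
    for addr, verdict in results:
        print(f"{addr:20} {verdict}")
    sys.exit(1 if leaking else 0)
```

A local-stub verdict (127.0.0.53 under systemd-resolved) means the file does not show the real upstream, so check the per-interface servers with `resolvectl status`. The script inspects configured resolvers only, so it complements the provider's leak test and does not replace it.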

Common causes of DNS leaks

  • VPN app misconfiguration: The VPN app isn't properly routing DNS through the tunnel
  • Windows Smart Multi-Homed Name Resolution (SMHNR): Windows sends DNS to all available interfaces simultaneously — if your VPN doesn't account for this, DNS leaks on the regular interface
  • IPv6 leaks: If you have IPv6 connectivity and your VPN only tunnels IPv4, IPv6 DNS queries bypass the VPN
  • WebRTC: Browsers use WebRTC for video calls, which can expose your real IP even through a VPN. This is an IP address leak rather than a DNS leak, but it is worth testing at the same time
  • Fallback DNS: If the VPN's DNS fails, some configs fall back to the system DNS (your ISP)

How to fix a DNS leak

  • Update your VPN app: Newer versions usually fix DNS leak issues automatically
  • Enable 'DNS leak protection' in your VPN app settings: NordVPN, ExpressVPN, Surfshark all have this toggle
  • Use the VPN app's kill switch: Prevents any traffic (including DNS) from leaving outside the tunnel
  • Disable IPv6 if your VPN doesn't support it: Windows: Settings → Network → Adapter Properties → uncheck IPv6
  • Manually set DNS: In your VPN app, set custom DNS to the provider's servers (e.g., NordVPN: 103.86.96.100)
  • Use NextDNS or Cloudflare DNS (1.1.1.1) as your fallback DNS for additional privacy

Checking for WebRTC leaks

WebRTC is a browser feature that establishes direct peer-to-peer connections. It can expose your real IP address even through a VPN. To test: open your browser while connected to a VPN and search 'WebRTC leak test' — your real IP should not appear. Fix in Firefox: about:config → media.peerconnection.enabled = false. In Chrome/Edge: install the 'WebRTC Control' extension.

Frequently asked questions

Do reputable VPNs have DNS leaks?

No — reputable VPNs route all DNS through their own servers by default. DNS leaks typically occur with poorly configured VPNs, manual VPN setups, or misconfigured router VPNs. NordVPN, ExpressVPN, Mullvad, and ProtonVPN all handle DNS correctly by default.

What DNS does a VPN use?

Most VPNs operate their own DNS servers. When you connect, the VPN routes DNS queries to their servers inside the encrypted tunnel. NordVPN uses 103.86.96.100, Mullvad uses 10.64.0.1 (within the tunnel), ProtonVPN uses their own internal DNS with optional DNS-over-HTTPS.

Is a DNS leak as bad as no VPN?

Almost. A DNS leak reveals which websites you visit to your ISP — which is the primary privacy concern most people have when using a VPN. However, your actual traffic content is still encrypted, and your IP is still hidden from the websites you visit. But for ISP-level privacy, a DNS leak defeats much of the VPN's purpose.
