DNS Leak Test

This tool checks which DNS servers are actually handling your DNS queries. If you're using a VPN, your DNS requests should go through the VPN's DNS servers. If they don't, you have a DNS leak.

What is a DNS Leak?

When you use a VPN, all your internet traffic — including DNS queries — should be routed through the VPN's encrypted tunnel. A DNS leak occurs when your DNS queries bypass the VPN and are sent directly to your ISP's or a third-party DNS server, exposing the domain names you visit.

  • No leak: Only your VPN provider's DNS servers appear, matching the VPN exit location
  • Possible leak: ISP DNS, public DNS (e.g., 8.8.8.8), or unidentified DNS servers appear
  • Severe leak: DNS resolvers are located in your real geographic area (not the VPN exit), exposing your actual location

7 Common Causes of DNS Leaks

1. OS Smart Multi-Homed Name Resolution (most common)

Windows 8/10/11's Smart Multi-Homed Name Resolution sends DNS queries to ALL network interfaces simultaneously (VPN tunnel AND local adapter), using whichever responds first. Even with a VPN connected, your ISP's DNS may respond faster.

2. Misconfigured VPN (no DNS push)

The VPN server doesn't push its own DNS server addresses to the client via DHCP, so the client keeps using the system default DNS (usually the ISP router or manually-configured public DNS).

3. IPv6 DNS leak

Many VPNs only tunnel IPv4 traffic and don't handle IPv6. If your network supports IPv6, DNS queries may go through IPv6 directly, bypassing the VPN tunnel entirely.

4. Transparent DNS proxy (ISP hijacking)

Some ISPs deploy transparent DNS proxies that intercept ALL traffic to port 53 and replace responses with their own — even if you've manually configured a different DNS server (like 1.1.1.1).

5. WebRTC leak correlation

Browser WebRTC can leak your real local/public IP. While not a direct DNS leak, attackers can use the exposed IP to infer your ISP and DNS configuration.

6. VPN connection drops (no Kill Switch)

When the VPN connection briefly drops, without a Kill Switch (network lock), the OS immediately falls back to default routing and DNS — all DNS queries leak to the ISP during the gap.

7. Manual DNS overriding VPN

If you've manually set DNS servers on your network adapter (e.g., Google 8.8.8.8 or Cloudflare 1.1.1.1), some VPN clients may not override this setting, causing DNS queries to go directly to public DNS instead of through the VPN tunnel.

How to Completely Prevent DNS Leaks (8 Solutions)

✅ 1. Use a VPN with built-in DNS protection

Choose a VPN client with built-in DNS leak protection (e.g., NordVPN, Mullvad, ProtonVPN). These clients automatically take over system DNS settings and force all DNS through the VPN tunnel.

✅ 2. Enable VPN Kill Switch

A Kill Switch automatically blocks all network traffic when the VPN disconnects, preventing DNS leaks during connection drops. Most major VPNs have this feature — make sure it's enabled.

✅ 3. Disable Windows Smart Multi-Homed DNS

Disable via Group Policy or Registry:
Computer Configuration → Administrative Templates → Network → DNS Client → Turn off smart multi-homed name resolution
Or Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient set DisableSmartNameResolution = 1

✅ 4. Disable IPv6 (if your VPN doesn't support it)

Uncheck "Internet Protocol Version 6 (TCP/IPv6)" in your network adapter settings, or enable IPv6 leak protection in your VPN client. Some VPNs now support IPv6 tunneling — if yours does, you don't need to disable it.

✅ 5. Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)

Encrypted DNS protocols send queries over HTTPS (port 443) or TLS (port 853), making them invisible to ISP transparent proxies. Recommended providers:

  • Cloudflare DoH: https://cloudflare-dns.com/dns-query
  • Google DoH: https://dns.google/dns-query
  • Quad9 DoH: https://dns.quad9.net/dns-query

Enable "Secure DNS" / "Encrypted DNS" in your browser or system network settings.
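What a DoH lookup looks like on the wire, as an added example that is not part of the original page: the DNS query is packed in the usual wire format and carried as a base64url `dns` parameter on an HTTPS GET (RFC 8484), so nothing is sent to port 53. The function names are illustrative; the endpoint is the Cloudflare URL listed above, and no network request is made.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

def build_query(qname, qtype=1):
    """Wire-format DNS query (RFC 1035): ID 0, RD set, one question, class IN."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        question += bytes([len(label)]) + label
    return header + question + b"\x00" + struct.pack("!2H", qtype, 1)

def doh_get_url(endpoint, qname, qtype=1):
    """RFC 8484 GET form: ?dns=<base64url of the message, padding stripped>."""
    packed = base64.urlsafe_b64encode(build_query(qname, qtype)).rstrip(b"=")
    return endpoint + "?dns=" + packed.decode("ascii")

def decode_doh_url(url):
    """Recover (qname, qtype) from a DoH GET URL, as the DoH server would."""
    b64 = parse_qs(urlsplit(url).query)["dns"][0]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos, labels = 12, []                      # question starts after the header
    while msg[pos]:                           # a zero length byte ends the name
        labels.append(msg[pos + 1 : pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    (qtype,) = struct.unpack("!H", msg[pos + 1 : pos + 3])
    return ".".join(labels), qtype

if __name__ == "__main__":
    url = doh_get_url("https://cloudflare-dns.com/dns-query", "www.example.com")
    print(url)
    print(decode_doh_url(url))
```

The domain name is only base64url-encoded inside the request; it is the TLS layer of HTTPS that hides it from an on-path observer.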

✅ 6. Configure VPN at router level

Set up VPN on your router (not individual devices) so all traffic through that router automatically goes through the VPN tunnel — fundamentally preventing per-device DNS leaks. Works with OpenWrt, Asus Merlin, pfSense, etc.

✅ 7. Lock DNS to VPN provider's DNS servers

After VPN connects, manually set system DNS to your VPN provider's DNS addresses (found in their documentation) instead of public DNS. Some VPN clients have an "exclusive DNS" option.

✅ 8. Disable WebRTC (browser level)

Prevent WebRTC from assisting DNS correlation attacks:

  • Firefox: Type about:config, search for media.peerconnection.enabled, set to false
  • Chrome: Install "WebRTC Leak Prevent" extension, or use Brave browser (blocks by default)

How This Test Works

Our test works in 3 steps:

  • Step 1 — Generate unique domains: The server creates random subdomains for each test (e.g., abc123.leak.example.com), ensuring no DNS cache hits.
  • Step 2 — Trigger DNS lookups: Your browser requests resources from these domains (images), triggering DNS queries. Your OS sends them to whatever DNS servers it's configured to use.
  • Step 3 — Record resolver IPs: Our authoritative DNS server records which DNS resolver IPs queried those domains. By geolocating these IPs, we determine whether your DNS requests went through the VPN tunnel.

If the DNS servers are located near your real geographic location (not the VPN exit), your DNS is leaking.
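The server side of steps 1 and 3, together with the three verdicts listed under "What is a DNS Leak?", as an added sketch that is not this site's own code. The log line format, the geolocation table, the VPN resolver range and all function names are assumptions; the sample data is constructed from documentation address ranges.

```python
import ipaddress
import secrets

ZONE = "leak.example.com"  # test zone from the page's own example

def new_probes(count=3):
    """Step 1: unguessable one-time names, so no resolver cache can answer."""
    return [f"{secrets.token_hex(8)}.{ZONE}" for _ in range(count)]

def resolvers_seen(probes, query_log):
    """Step 3: source IPs that asked the authoritative server for our probes."""
    wanted = {p.lower().rstrip(".") for p in probes}
    seen = set()
    for line in query_log:
        fields = line.split()  # assumed log format: "<source_ip> <qname> <qtype>"
        if len(fields) == 3 and fields[1].lower().rstrip(".") in wanted:
            seen.add(ipaddress.ip_address(fields[0]))
    return seen

def region_of(ip, geo_table):
    """Longest-prefix match in a (network, region) table; None if unknown."""
    hits = [(net.prefixlen, region) for net, region in geo_table if ip in net]
    return max(hits)[1] if hits else None

def classify(resolvers, vpn_dns_nets, geo_table, real_region):
    """Apply the page's three verdicts to the resolvers recorded for one test."""
    if not resolvers:
        return "no data"
    outside = [ip for ip in resolvers if not any(ip in n for n in vpn_dns_nets)]
    if not outside:
        return "no leak"
    if any(region_of(ip, geo_table) == real_region for ip in outside):
        return "severe leak"
    return "possible leak"

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
net = ipaddress.ip_network
VPN_DNS = [net("192.0.2.0/24")]
GEO = [(net("192.0.2.0/24"), "SE"), (net("198.51.100.0/24"), "US"),
       (net("2001:db8::/32"), "DE")]
PROBE = ["abc123.leak.example.com"]
LOG = [
    "192.0.2.53 abc123.leak.example.com. A",       # VPN provider's resolver
    "2001:db8::53 ABC123.leak.example.com. AAAA",  # non-VPN resolver over IPv6, mixed case
    "198.51.100.7 other.leak.example.com. A",      # another visitor's test, ignored
]

if __name__ == "__main__":
    print(classify(resolvers_seen(PROBE, LOG), VPN_DNS, GEO, "DE"))
```

With the user's real region set to "DE", the IPv6 resolver outside the VPN range turns the verdict into a severe leak even though the VPN's own resolver also appears.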

FAQ

Q: Is it a "leak" when I'm not using a VPN?

No. Without a VPN, DNS queries going to your configured DNS servers is normal behavior. "DNS leak" specifically refers to DNS queries bypassing the VPN tunnel while a VPN is active.

Q: Is it normal to see multiple DNS servers?

Yes. Large DNS services (Google DNS, Cloudflare) use Anycast and load balancing — a single request may be handled by multiple servers in different data centers. As long as they all belong to your VPN provider or a trusted DNS service, it's safe.

Q: What are the risks of DNS leaks?

① Privacy exposure: Your ISP can see which domains you visit; ② Location leak: DNS server locations can reveal your real geographic position; ③ Censorship risk: In censored regions, ISPs may use DNS queries for content filtering or logging; ④ MITM attacks: Unencrypted DNS queries can be tampered with to redirect you to phishing sites.

Q: Can DNS still leak with DoH/DoT?

DoH/DoT encrypts DNS query content, so your ISP can't see which domains you're querying. However, if the DoH server is outside the VPN tunnel, the ISP still knows you're communicating with a DoH server (though not the content). Best practice: VPN + DoH for dual-layer protection.
