Disclosure: TheBestVPN is reader-supported. When you buy a VPN through links on our site, we may earn commissions. Learn more.

DNS Leaks (Causes & Fixes)

Rob Mardisalu

Founder and writer of TheBestVPN.com

Article Summary

  • DNS leaks bypass your VPN tunnel, exposing every site you visit to your ISP, governments, and hackers.
  • 5 main causes: a misconfigured local network, IPv6 traffic, transparent ISP DNS proxies, Windows Smart Multi-Homed Name Resolution, and Teredo.
  • Test immediately at ipleak.net or dnsleaktest.com — you won’t know you’re leaking without checking.
  • Best fixes: enable your VPN’s kill switch, disable Teredo, switch DNS to Cloudflare (1.1.1.1) or Google (8.8.8.8).
  • Stay protected: NordVPN, Surfshark, and ProtonVPN all have audited no-logs policies and built-in DNS leak protection.

What is a DNS Leak

Browsers use the Domain Name System (DNS) to bridge the gap between internet IP addresses (numbers) and website domain names (words).

When a web name is entered, it is sent first to a DNS server where the domain name is matched to the associated IP address so that the request can be forwarded to the correct computer.

This is a problem for privacy because almost every connection starts with a DNS lookup, and the resolver that answers it sees both who asked (your IP address) and which name was asked for, and can log both.

That DNS server usually belongs to the user’s ISP, and is under the jurisdiction of national laws. For example, in the UK, information held by ISPs must be handed to law enforcement on demand. The same applies in the USA, but with the added option for the ISP to sell the data to marketing companies.

While the content of communications between your computer and the remote website can be encrypted with SSL/TLS (it shows up as ‘https’ in the URL), the DNS lookup that precedes the connection and the destination IP address remain visible. As a result, every destination visited is known to whoever has legal (or criminal) access to the resolver’s logs; under normal circumstances, a user has no privacy over where they go on the internet.

VPNs are designed to solve this problem by sending all of your traffic, DNS lookups included, through an encrypted tunnel to the VPN server, so that the ISP sees only the tunnel. But they don’t always work perfectly. A series of issues means that in certain circumstances DNS queries can still reach the ISP’s resolver, and therefore come into the purview of government and marketing companies.

The problems are known as DNS leaks. For the purpose of this discussion we will largely assume that your VPN uses OpenVPN, the most widely deployed VPN protocol. The same leaks occur with WireGuard and other protocols, because they come from how the operating system picks a resolver, not from the tunnel protocol itself.

What is a DNS leak?

A VPN establishes an encrypted connection (usually called a ‘tunnel’) between your computer and the VPN server; and the VPN server sends your request on to the required website. Provided the VPN is working correctly, all your ISP will see is that you are connecting to a VPN – it cannot see where the VPN connects you. Internet snoopers (government or criminal) cannot see any content because it is encrypted.

A DNS leak occurs when something unintended happens and your DNS queries are sent outside the tunnel, to a resolver that is not the VPN’s (most often your ISP’s), even though the rest of your traffic goes through the VPN. In this case the resolver’s operator will see where you are going on the internet while you believe they cannot.

This is bad news, since it defeats the purpose of using a VPN. The content of your web traffic is still hidden (by the VPN’s encryption), but the most important part for anonymity, the list of sites you visit tied to your real IP address, is left unprotected and most likely logged by your ISP.

What Are the Dangers of DNS Leaks?

 DNS leaks are not something to be taken lightly. They are a critical security flaw that can pose a variety of threats to your online privacy. With DNS leaks:

Your ISP can track everything you do online

When DNS requests leak, your ISP can see the name of every website you visit and log your browsing history: which streaming services you use, which sites you search on, which bank you log in to. (It does not see the content of those pages, which is still encrypted.) The ISP can then sell this data to advertisers or share it with government agencies when requested.

Governments can monitor your activity

In countries where internet use is heavily censored or restricted, DNS leaks can put you under the government’s radar. These flaws expose which sites you’re trying to access and when you’re accessing them. As such, it’s easy for authorities to track down people trying to access content that’s banned in their region.

Hackers can tailor their attacks to you

A leaking DNS can be a gateway for cybercriminals who are able to observe your DNS traffic, for instance on the same public Wi-Fi network or through a malicious resolver. Seeing which websites and services you use regularly lets them build phishing campaigns that look completely legitimate. The next time you click on what seems like a routine email from your bank, a DNS leak could be the reason the attacker knew which institution to impersonate.

Your real location can get exposed

With a DNS leak, the resolver handling your requests, typically your ISP’s, sees your real IP address, and the address of that resolver (which the leak-test sites display) identifies your ISP and roughly where you are. Anyone monitoring that resolver can therefore see the country and city you’re browsing from. Even if you try to hide your location with a VPN, a DNS leak can still reveal your real IP.

How to tell if my VPN has a DNS leak?

There’s good news and bad news for detecting a DNS leak. The good news is that checking whether your VPN is leaking your DNS requests is quick, easy and simple; the bad news is that without checking, you’re unlikely to ever know about the leak until it’s too late.

There are many in-browser tools to test whether your VPN has a DNS or other form of data leak, including comprehensive options such as ipleak.net, dnsleaktest.com, and browserleaks.com/dns. These sites will automatically check for a DNS leak (and, incidentally, provide a lot more information as well).

  1. Enter your chosen leak test site into your browser’s address bar.
  2. Once the web page loads, the test begins automatically and you will be shown an IP address.
  3. Check two things on the results page: the IP address shown as yours, and the list of DNS servers that answered the test. If you are connected to a VPN and the IP address is still your own (it shows your real location), or the DNS servers belong to your ISP rather than to the VPN provider, you have a DNS leak. If only the VPN’s IP address and the VPN’s DNS servers appear, the VPN is working normally.

If possible, it’s a good idea to test with multiple online checkers, as different tools may detect different types of leaks.

Figure 1 shows ipleak.net used with a badly configured VPN. It returns the user’s real IP address rather than the VPN’s. This is a DNS leak.

Figure 1 (screenshot; panel label: “Your IP address #2”)

Figure 2 shows ipleak.net used with ExpressVPN configured to use a Belgian server (ExpressVPN lets you select from a range of different countries). There is no DNS leak apparent.

Figure 2 (screenshot; panel label: “Your IP address”)

For most users, performing this check before continuing to browse other sites will be sufficient. For some users, this won’t be a perfect solution, as it requires you to connect to the internet and send DNS requests to access the checker tools.

It is possible to test for DNS leaks without using one of these websites, although it requires you to know which DNS servers your VPN provider uses and how to use the Windows command prompt. It also requires a ‘whoami’ test server: a host whose DNS answer is the address of whichever resolver looked it up. This could be a private server you run and trust, or one of the following public test servers:

  • whoami.akamai.net
  • resolver.dnscrypt.org
  • whoami.fluffcomputing.com
  • whoami.ultradns.net

To do this, open the command prompt (go to the start menu, type “cmd” and press Enter), and then enter the following text:

  • ping [server name] -n 1

Replace [server name] with the address of your chosen test server (for example “ping whoami.akamai.net -n 1”), and press Enter. The address shown in square brackets on the first line of output is not the test server itself: it is the public address of the resolver that looked the name up on your behalf. If that address belongs to your ISP, or to anyone other than your VPN provider, your DNS queries are leaving the tunnel; only the VPN’s resolver should appear. (The ping itself may time out; only the resolved address matters.)

Figure 3 shows the result with ExpressVPN running. Notice that the only IP address returned is the Belgian IP as shown in Figure 2. There is no DNS leak apparent.

Figure 3 (screenshot; the only label recoverable from the image is “FREEDOME”)
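As an added example (not part of the original article, and not code from any VPN provider), the script below automates the check above in Python, which runs from the same command prompt on Windows and from a terminal on macOS or Linux. It resolves the whoami host over whatever DNS path the operating system is using, which is exactly what the ping trick does, classifies the answering resolver against address ranges you supply, flags an IPv6 resolver outside the VPN separately, and can also pull the address out of saved ping output. The VPN and ISP ranges in it are constructed placeholders (documentation prefixes, not real allocations); substitute the resolver addresses your provider documents and the ones “ipconfig /all” shows with the VPN disconnected.

```python
"""Decide whether the resolver answering your DNS queries belongs to the VPN.

Added example for this article; not code from TheBestVPN or any VPN vendor.
A 'whoami' host answers with the public address of the recursive resolver
that contacted its authoritative server, i.e. whoever really handles your
DNS queries, so resolving it tells you where your lookups are going.
"""
import ipaddress
import re
import socket

# Constructed example ranges (documentation prefixes, not real allocations):
# replace with the resolver networks your VPN provider publishes and the
# ranges of your ISP's resolvers.
VPN_DNS_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]
ISP_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# The resolved address in 'Pinging host [1.2.3.4]' (Windows) or
# 'PING host (1.2.3.4)' (Linux/macOS).
_PING_ADDR = re.compile(r"[\[(]([0-9A-Fa-f.:]+)[\])]")


def classify_resolver(resolver_ip, vpn_networks=VPN_DNS_NETWORKS, isp_networks=ISP_NETWORKS):
    """Return 'vpn', 'isp' or 'other' for one observed resolver address."""
    ip = ipaddress.ip_address(resolver_ip)
    if any(ip in net for net in vpn_networks):
        return "vpn"
    if any(ip in net for net in isp_networks):
        return "isp"
    return "other"


def leak_verdict(resolver_ips, vpn_networks=VPN_DNS_NETWORKS, isp_networks=ISP_NETWORKS):
    """Classify every observed resolver and return (leaking, details).

    Anything that is not the VPN's resolver counts as a leak. An IPv6 resolver
    outside the VPN gets an '-ipv6' suffix because it usually means IPv6
    itself is bypassing the tunnel, not just DNS.
    """
    details = {}
    for raw in resolver_ips:
        status = classify_resolver(raw, vpn_networks, isp_networks)
        if status != "vpn" and ipaddress.ip_address(raw).version == 6:
            status += "-ipv6"
        details[raw] = status
    leaking = any(not s.startswith("vpn") for s in details.values())
    return leaking, details


def resolver_from_ping_output(text):
    """Pull the resolved address out of the first line of ping output, or None."""
    match = _PING_ADDR.search(text)
    return match.group(1) if match else None


def observed_resolvers(whoami_host="whoami.akamai.net"):
    """Live check (needs network): resolve a whoami host over the OS's DNS path.

    A (IPv4) and AAAA (IPv6) are looked up separately so that an IPv6 resolver
    shows up on its own line.
    """
    found = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(whoami_host, None, family):
                found.add(info[4][0])
        except socket.gaierror:
            pass  # no record for this address family: nothing to report
    return sorted(found)


if __name__ == "__main__":
    seen = observed_resolvers()
    leaking, details = leak_verdict(seen)
    for ip, status in details.items():
        print(f"{ip:40} {status}")
    print("DNS LEAK" if leaking else "DNS stays with the VPN (as far as whoami can tell)")
```

Run it once with the VPN disconnected to confirm your ISP’s resolver lands in the ISP ranges you configured, then again with the VPN up; a result of “other” means the answering resolver is neither, which is worth investigating rather than ignoring (a transparent proxy, a router forwarding to an unexpected upstream, or an incomplete range list).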

If you find that your VPN has a DNS leak, it’s time to stop browsing until you can find the cause and fix the problem. Some of the most likely causes of a DNS leak and their solutions are listed below.

 

DNS Leaks Problems and Solutions

The Problem #1: Improperly configured network

This is one of the most common causes of DNS leakage for users who connect to the internet through different networks; for example, someone who often switches between their home router, a coffee shop’s WiFi, and public hotspots. Before you connect to your VPN’s encrypted tunnel, your device must first connect to the local network.

Without the proper settings in place, you may be leaving yourself open to leaks. When you join a new network, DHCP (the protocol that hands your machine its IP address on that network) also hands it a DNS server to use, typically the ISP’s resolver or the router itself. If your VPN client does not replace that setting with its own resolver when the tunnel comes up, or if Windows keeps using the physical adapter’s resolver alongside it, your DNS requests go to the DHCP-assigned server outside the tunnel: a DNS leak.

The Fix:

In most cases, configuring your VPN on your computer to use the DNS server provided or preferred by your VPN will force DNS requests to go through the VPN rather than directly from the local network. Most reputable VPN providers now include built-in DNS leak protection features that automatically route all DNS traffic through their secure servers. NordVPN, ExpressVPN, and ProtonVPN are examples of providers that have robust DNS leak prevention systems in place for 2025.

If your VPN provider doesn’t have this feature, you can point your system at an independent resolver such as Cloudflare’s 1.1.1.1 or Google Public DNS, preferably over DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), which encrypt the queries so they cannot be read or rewritten in transit. Be clear about what this buys you: if the VPN does not route that resolver’s traffic through the tunnel, the queries still cross your ISP’s network (only DoH or DoT hides their contents there), and in any case the resolver’s operator sees every name you look up. Routing DNS through the VPN’s own resolver is the better fix; a third-party resolver is the fallback.

If you have to manually configure your computer to use a chosen independent DNS server, you can find step-by-step instructions in the section ‘Change your settings to a trusted, independent DNS server’ below.

The Problem #2: IPv6

Usually, when you think of an IP address, you think of a 32-bit address written as four numbers of up to three digits each, such as 123.123.123.123. This is IP version 4 (IPv4), currently the most common form of IP address. However, the pool of unused IPv4 addresses is almost exhausted, and IPv4 is (very slowly) being replaced by IPv6.

IPv6 addresses are 128 bits long and are written as eight groups of up to four hexadecimal digits separated by colons, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 (a run of all-zero groups can be abbreviated as ‘::’).

The internet is still in the transition phase between IPv4 and IPv6. This creates problems, especially for VPNs. Unless a VPN explicitly supports IPv6 (by giving you an IPv6 address inside the tunnel and routing IPv6 through it) or deliberately blocks it, any IPv6 packet your machine sends, including one carried inside an IPv6-over-IPv4 transition tunnel such as Teredo (see below), travels over your ordinary connection and completely bypasses the VPN, leaving that traffic unprotected. In short, IPv6 can bypass your VPN without you being aware of it.

Many websites have both IPv6 and IPv4 addresses, a large number are still IPv4-only, and a few are IPv6-only. A dual-stack machine normally asks the resolver for both kinds of address (an A record for IPv4 and an AAAA record for IPv6) and prefers IPv6 whenever the site offers it and your ISP and router provide an IPv6 route. Most users have no idea which of the two they are using at any given moment.

IPv6 leakage is not strictly the same as a standard DNS leak, but it has much the same effect on privacy. It is an issue that any VPN user should be aware of.

The Fix:

As of 2025, many premium VPN providers now offer full IPv6 support, a significant improvement from the situation just a few years ago. If your VPN provider doesn’t explicitly support IPv6, look for options to block IPv6 traffic in your VPN’s settings. Most modern VPN applications now include this feature to prevent IPv6 leaks.

If your VPN doesn’t offer IPv6 blocking, you can disable IPv6 on your device. On Windows, untick “Internet Protocol Version 6 (TCP/IPv6)” in the network adapter’s properties. On macOS and Linux, use the network settings or the terminal. This precaution ensures all traffic, including DNS requests, stays on IPv4, which your VPN can properly secure.

For maximum security, consider using a VPN provider that has actively addressed IPv6 compatibility issues. According to recent testing, services like NordVPN, ExpressVPN, CyberGhost, and Surfshark now handle IPv6 traffic securely, either through support or proper blocking mechanisms.
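The following added example (not from the article or any VPN client) shows how to find out, from the machine itself, whether IPv6 would bypass the tunnel. Connecting a UDP socket sends no packet; it only makes the operating system choose the route and source address it would use for that destination. If the chosen source is a globally routable IPv6 address that the VPN did not assign, IPv6 traffic, and AAAA lookups sent to an IPv6 resolver, will leave over the ordinary connection. The VPN prefix and the probe destination are assumptions (documentation prefixes); replace the VPN prefix with whatever your client assigns to its tunnel adapter.

```python
"""Would IPv6 packets leave this machine outside the VPN?

Added example for this article; not code from the article or any VPN vendor.
"""
import ipaddress
import socket

# Assumed: the IPv6 prefix your VPN client assigns on its tunnel interface
# (documentation prefix here). An empty list means the VPN does no IPv6 at all.
VPN_IPV6_NETWORKS = [ipaddress.ip_network("2001:db8:7::/64")]

# Addresses that can never reach the internet directly, so they cannot leak.
_ULA = ipaddress.ip_network("fc00::/7")


def ipv6_egress_address(probe_dest="2001:db8::1"):
    """Return the IPv6 source address the OS would use for an internet destination, or None.

    The probe address is in the documentation prefix and is never contacted;
    connect() on a UDP socket only performs route selection.
    """
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    try:
        sock.connect((probe_dest, 53))
        return sock.getsockname()[0]
    except OSError:
        return None  # no IPv6 route at all: nothing can leak over IPv6
    finally:
        sock.close()


def ipv6_would_leak(source, vpn_networks=VPN_IPV6_NETWORKS):
    """True if 'source' is a routable IPv6 address that the VPN did not assign.

    Link-local, loopback, unspecified and unique-local addresses are not
    routable on the internet, so they are not counted as a leak. (The check
    deliberately does not use ipaddress.is_global, which also excludes the
    documentation prefix used by the examples.)
    """
    if source is None:
        return False
    addr = ipaddress.ip_address(source.split("%", 1)[0])  # drop a scope id like %eth0
    if addr.version != 6:
        return False
    if addr.is_link_local or addr.is_loopback or addr.is_unspecified or addr in _ULA:
        return False
    return not any(addr in net for net in vpn_networks)


if __name__ == "__main__":
    src = ipv6_egress_address()
    print("IPv6 egress address:", src or "none")
    print("IPv6 LEAK: traffic would bypass the VPN" if ipv6_would_leak(src) else "no IPv6 bypass")
```

A “leak” result means the operating system would route IPv6 around the tunnel; a kill switch or a firewall rule may still drop those packets, so confirm with one of the leak-test sites before and after disabling IPv6. A result of “none” with IPv6 disabled on the adapter is the expected outcome.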

The Problem #3: Transparent DNS Proxies

Some ISPs intercept DNS regardless of the resolver you configure: a transparent proxy on the ISP’s network catches any traffic to UDP or TCP port 53, whatever its destination address, and answers it from the ISP’s own DNS server. This is effectively the ISP ‘forcing’ a DNS leak and disguising it, since your settings still show the third-party resolver. A transparent proxy cannot touch queries carried inside the VPN tunnel, and it cannot read DoH or DoT queries (it can only block them). Most DNS-leak detection tools will detect a transparent DNS proxy in the same way as a standard leak, because the resolver that actually answers turns out to be the ISP’s.

The Fix:

The protection against a transparent proxy is not the tunnel protocol but making sure every DNS query travels inside the tunnel, where the ISP cannot see or redirect it. If you’re using OpenVPN on Windows, make sure your configuration includes the ‘block-outside-dns’ directive, which uses the Windows Filtering Platform to block any DNS traffic (port 53) that does not go through the VPN adapter. Per the OpenVPN manual the directive is implemented only on Windows; other platforms treat it as an unknown option unless the profile also carries ‘ignore-unknown-option block-outside-dns’, so clients there must rely on the provider’s own DNS handling or a firewall rule instead.

To add this directive, locate the .conf or .ovpn file for your server connection (usually stored in C:\Program Files\OpenVPN\config on Windows), open it in a text editor like notepad, and add the line:

  • block-outside-dns

Many premium VPN providers now include built-in protection against transparent DNS proxies in their applications. Some VPNs like ProtonVPN implement custom firewall rules and platform-specific techniques to ensure all internet traffic, including DNS queries, can only pass through the VPN interface.

If your VPN offers a “kill switch” feature, make sure it’s enabled. This will block all internet traffic if the VPN connection drops, preventing your DNS queries from defaulting to your ISP’s servers.
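As an added example (not code from the article, from OpenVPN or from any provider), here is a small Python audit of an OpenVPN client profile for the directives that keep DNS and IPv6 inside the tunnel, together with a function that appends whatever is missing. The sample profile is constructed; the resolver address 10.8.0.1 is an assumption (a common server-side address for the tunnel’s resolver), and the directive semantics follow the OpenVPN 2.x manual: block-outside-dns only works on Windows, and block-ipv6 needs OpenVPN 2.5 or later.

```python
"""Audit an OpenVPN client profile for DNS and IPv6 leak protection.

Added example for this article; not code from the article, OpenVPN or any VPN
provider. The profile below is constructed.
"""

# Constructed client profile with DNS left to the operating system.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# (directive, line to add when missing, why it matters). 10.8.0.1 is an assumed
# tunnel-side resolver; use the address your provider pushes or documents.
REQUIRED = [
    ("block-outside-dns", "block-outside-dns",
     "DNS can still reach the physical adapter's resolver (Windows only directive)"),
    ("redirect-gateway", "redirect-gateway def1 ipv6",
     "default route is not forced into the tunnel unless the server pushes it"),
    ("block-ipv6", "block-ipv6",
     "IPv6 packets are not blackholed, so they can bypass the tunnel (OpenVPN 2.5+)"),
    ("dhcp-option", "dhcp-option DNS 10.8.0.1",
     "no tunnel resolver is set; whatever the adapter already had stays in use"),
]


def parse_directives(text):
    """Yield (name, args) per directive, skipping comments and <tag>...</tag> blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and not line.startswith("</"):
            in_block = True
            continue
        name, *args = line.split()
        yield name, args


def _present_names(text):
    """Names of directives present; a dhcp-option only counts if it sets DNS."""
    names = set()
    for name, args in parse_directives(text):
        if name == "dhcp-option" and args[:1] != ["DNS"]:
            continue
        names.add(name)
    return names


def audit_profile(text):
    """Return a list of findings; an empty list means every directive is present."""
    present = _present_names(text)
    return [f"{name}: {why}" for name, _, why in REQUIRED if name not in present]


def harden_profile(text):
    """Return the profile with each missing directive appended (idempotent)."""
    present = _present_names(text)
    extra = [line for name, line, _ in REQUIRED if name not in present]
    if not extra:
        return text
    return text.rstrip("\n") + "\n\n# DNS / IPv6 leak protection\n" + "\n".join(extra) + "\n"


if __name__ == "__main__":
    for finding in audit_profile(WEAK_PROFILE):
        print("MISSING", finding)
    print(harden_profile(WEAK_PROFILE))
```

The hardened profile assumes the server assigns an IPv6 address inside the tunnel; if it does not, the OpenVPN manual’s block-ipv6 example adds an ifconfig-ipv6 line so that the ‘redirect-gateway ipv6’ route has somewhere to point. Run the audit against each .ovpn file in the config directory the article names; a provider that pushes these directives from the server side will still show them as missing locally, which is why the check for a kill switch and a leak test remain necessary.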

The Problem #4: Windows 10/11’s insecure “features”

Windows operating systems from Windows 8 onward have introduced several features that, while intended to improve the user experience, can compromise VPN security. One such feature is “Smart Multi-Homed Name Resolution” (SMHNR), designed to speed up name resolution on machines with several network interfaces by sending each DNS request to the resolvers of all interfaces in parallel.

In Windows 10 and 11, Windows then uses whichever answer arrives first. With a VPN up, the physical adapter still has the ISP’s resolver, so a query goes there as well as to the VPN’s resolver, and the ISP sees it whether or not its answer wins: a DNS leak by design. It also widens the exposure to DNS spoofing, since any resolver that answers fastest, including one on a hostile local network, gets to decide what a name resolves to.

The Fix:

This remains one of the more challenging DNS leak issues to fix, as these features are integrated into the Windows operating system. For VPN users, there are several approaches:

1. Use your VPN’s built-in DNS leak protection: Most premium VPNs now include specific protections against Windows’ problematic DNS handling. Check your VPN’s settings for DNS leak prevention features.

2. Disable Smart Multi-Homed Name Resolution through Group Policy: If you’re using Windows Pro or Enterprise editions, you can disable this feature through the Local Group Policy Editor:
– Press Win+R, type “gpedit.msc” and press Enter
– Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
– Find and double-click “Turn off smart multi-homed name resolution”
– Select “Enabled” and click OK
Windows Home has no Group Policy Editor; the same policy is the DWORD value DisableSmartNameResolution set to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (create the key if it does not exist, then reboot).

3. Use OpenVPN’s own protection: before OpenVPN gained the block-outside-dns directive, the fix for Windows DNS leaks was a separate plugin published on GitHub; with a current OpenVPN client, block-outside-dns (see Problem #3) does the same job without extra software.

4. Consider the US-CERT guidelines: The US Computer Emergency Readiness Team has issued specific alerts about the security issues with Windows’ DNS handling features, which include additional mitigation strategies.

The Problem #5: Teredo

Teredo is Microsoft’s IPv6 transition technology, built into Windows. It gives a host on an IPv4-only network a public IPv6 address by wrapping IPv6 packets inside IPv4 UDP and relaying them through a Teredo server. For the transition between the two protocols it is useful; for VPN users it is a glaring hole. Because Teredo is itself a tunnel over ordinary IPv4, Windows can use it to send IPv6 traffic (including DNS queries to an IPv6 resolver) straight to the internet without going through the VPN’s tunnel, which is the IPv6 leak described above.

The Fix:

Fortunately, Teredo is easily disabled from within Windows. Open an administrator command prompt and type:

netsh interface teredo set state disabled

In 2025, many VPN providers now automatically disable Teredo when their client software is installed or running. However, it’s still good practice to verify this setting, especially if you’ve recently updated your operating system or installed new networking software.

It’s also recommended to switch off the other IPv6 transition technologies Windows supports, 6to4 and ISATAP, so that no traffic can bypass your VPN’s tunnel; from the same administrator prompt, “netsh interface 6to4 set state disabled” and “netsh interface isatap set state disabled” do this. Many routers also have settings to disable these mechanisms on the network side.

 

Preventing future leaks

Now that you’ve tested for a DNS leak and either come out clean or discovered and remedied a leak, it’s time to look into minimizing the chances of your VPN springing a leak in the future.

First of all, make sure that all the above fixes have been performed in advance; disable Teredo and Smart Multi-Homed Name Resolution, make sure your VPN either supports or blocks IPv6 traffic, etc.

1. Change settings to a trusted, independent DNS server

Your router or network adapter should have a way to change TCP/IP settings, where you can specify particular trusted DNS servers by their IP addresses. Many VPN providers will have their own DNS servers, and using the VPN will often automatically connect you to these; check your VPN’s support for more information.

If your VPN doesn’t have its own resolvers, consider a public resolver like Cloudflare (1.1.1.1) or Google Public DNS, ideally over DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) so that the queries are encrypted in transit. Remember that this moves trust rather than removing it: the resolver’s operator still sees every name you look up and, unless the queries go through the tunnel, your real IP address as well.

To change your DNS settings in Windows 10/11:

  1. Go to your control panel
  2. Click “Network and Internet”
  3. Click “Network and Sharing Center”
  4. Click “Change Adapter Settings” on the left-hand panel.
  5. Right-click on the icon for your network and select “Properties”
  6. Locate “Internet Protocol Version 4 (TCP/IPv4)” in the window that opens; click it and then click on “Properties”. If you have not disabled IPv6, repeat steps 6 and 7 afterwards for “Internet Protocol Version 6 (TCP/IPv6)”, otherwise the IPv6 resolver handed out by the network stays in use.
  7. Click “Use the following DNS server addresses”

You can now enter a preferred and alternative address for DNS servers. For Cloudflare DNS, use 1.1.1.1 as your preferred DNS server and 1.0.0.1 as your alternative. For Google Public DNS, use 8.8.8.8 and 8.8.4.4 respectively. See Figure 4 for an example using Google DNS.

Figure 4 (screenshot of the IPv4 properties dialog)

You may also wish to change the DNS settings on your router – refer to your manual or support for your specific device for further information.

2. Use a firewall or your VPN to block non-VPN traffic

Premium VPN providers now typically include a feature called a “kill switch” that automatically blocks any internet traffic not going through the VPN. This is essential for preventing DNS leaks if your VPN connection drops unexpectedly.

You should look for VPNs that offer:
– System-wide kill switches that block all internet traffic if the VPN disconnects
– App-level kill switches that allow you to choose which applications are blocked when the VPN disconnects
– Split tunneling features that let you decide which apps use the VPN and which don’t (keep in mind that excluded apps resolve names outside the tunnel, so split tunneling is a deliberate, controlled leak; keep the browser you care about inside the tunnel)

Alternatively, you can configure your firewall to only allow traffic in and out via your VPN. You can change your Windows Firewall settings:

  1. Make sure you’re already connected to your VPN.
  2. Open the Network and Sharing Center and make sure you can see both your ISP connection (which should show up as “Network”) and your VPN (which should show up as the name of the VPN). “Network” should be a Private network (called a Home network in older versions of Windows), while your VPN should be a Public network. If either of them is set to something different, click it and change the network type in the window that opens.
  3. Make sure you’re logged in as Administrator on your machine and open the Windows Firewall settings (exact steps for this vary depending on which version of Windows you’re running).
  4. Click on “Advanced Settings” (see Figure 5).
  5. Locate “Inbound Rules” on the left panel and click it.
  6. On the right-hand panel, under Actions, you should see an option for “New Rule…”. Click this.
  7. In the new window, choose “Program” and click Next.
  8. Choose “All Programs” (or select an individual program you want to block non-VPN traffic for) and click Next.
  9. Choose “Block the Connection” and click Next.
  10. Tick “Domain” and “Private” but make sure that “Public” is not ticked. Click Next.
  11. You should be back in the Advanced Settings menu for Windows Firewall; locate “Outbound Rules” and repeat steps 6 through 10.

These rules block every program on the Domain and Private profiles and leave only the Public profile (your VPN adapter) open. Be aware of the weakness: Windows assigns the profile per network, so any new Wi-Fi network that Windows classifies as Public is unblocked too, and the VPN adapter must stay Public. Check the profile after joining any new network, and prefer the VPN client’s own kill switch where one exists.

Figure 5 (screenshot: Windows Firewall “Advanced Settings”)

3. Regularly perform DNS leak tests

As of 2025, multiple comprehensive DNS leak testing tools are available online. The most reliable options include:

IPLeak.net: Offers comprehensive testing for IPv4, IPv6, WebRTC, and DNS leaks
DNSLeakTest.com: Provides both standard and extended DNS leak tests
BrowserLeaks.com/dns: Tests for DNS leaks with detailed information about the DNS servers your browser is using

It’s recommended to use multiple testing tools, as each may detect different types of leaks. Make testing a regular part of your privacy routine, especially after:
– Updating your operating system
– Installing a new VPN client or updating your existing one
– Connecting to a new or untrusted network
– Making changes to your network configuration

4. Be aware of WebRTC leaks

In addition to DNS leaks, WebRTC (Web Real-Time Communication) leaks have become a significant privacy concern. WebRTC is a browser API for direct peer-to-peer connections (voice, video, file transfer). While setting up a connection the browser gathers its candidate addresses, including your real public IP address as learned from a STUN server, and a web page can read those candidates with JavaScript, so it can expose your real IP address even while you’re using a VPN.

To prevent WebRTC leaks:
– In Firefox: Enter “about:config” in the address bar, search for “media.peerconnection.enabled”, and set it to “false”
– In Chrome: Install the WebRTC Network Limiter extension
– In Edge: Use similar extensions designed to block WebRTC leaks
– Check if your VPN provider includes WebRTC leak protection

5. Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)

Modern browsers and operating systems support encrypted DNS protocols. They do not stop a DNS leak on their own (an encrypted query that still goes to the ISP’s resolver still tells the ISP what you looked up), but they hide your queries from anyone on the path and from a transparent proxy, and they let the browser pin a resolver you chose:

– DNS-over-HTTPS (DoH): Encrypts DNS requests within HTTPS traffic, making them indistinguishable from regular web browsing
– DNS-over-TLS (DoT): Creates a dedicated encrypted channel for DNS traffic

To enable DoH in Firefox:
1. Open Settings and go to Privacy & Security
2. Scroll down to “DNS over HTTPS” (in older versions it is under General > Network Settings > Settings)
3. Choose “Increased Protection” or “Max Protection” (the latter refuses to fall back to unencrypted DNS)
4. Choose a provider (such as Cloudflare or NextDNS)

Chrome, Edge, and other Chromium-based browsers also support DoH through their settings.
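To make concrete what “DNS over HTTPS” is, the added example below (not code from the article, from any browser or from a resolver operator) builds a DNS query in the ordinary wire format, sends it as an HTTPS POST with content type application/dns-message (RFC 8484), and parses the addresses out of the answer. The resolver URL defaults to Cloudflare’s public DoH endpoint and example.com is just a name to look up; both are assumptions you can change. The response used for the offline run is constructed by hand so the parser can be exercised without a network.

```python
"""Send a DNS query as a DoH request and read the answer (RFC 8484 wire format).

Added example for this article; not code from the article, a browser or any
resolver operator. DoH is nothing more than a normal DNS message carried in
an HTTPS request, so the plaintext query never appears on port 53 where an
ISP's transparent proxy could see or rewrite it.
"""
import ipaddress
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed resolver; any DoH server works
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A):
    """Encode a single-question DNS query; ID 0 as RFC 8484 recommends for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg):
    """Return the A/AAAA addresses found in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:  # RCODE other than NOERROR (e.g. 3 = NXDOMAIN)
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)  # TYPE CLASS TTL RDLENGTH
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype in (QTYPE_A, QTYPE_AAAA):
            addrs.append(str(ipaddress.ip_address(rdata)))  # 4 or 16 packed bytes
    return addrs


def doh_lookup(name, qtype=QTYPE_A, url=DOH_URL, timeout=5):
    """Live lookup over HTTPS (needs network)."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_answers(resp.read())


# Constructed response: header with QR, RD and RA set, the echoed question,
# and one A record whose owner name is a compression pointer (0xC00C) back
# to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4)
    + ipaddress.IPv4Address("203.0.113.10").packed
)

if __name__ == "__main__":
    print("offline sample:", parse_answers(SAMPLE_RESPONSE))
    try:
        print("live via DoH:", doh_lookup("example.com"))
    except OSError as exc:
        print("no network or resolver unreachable:", exc)
```

Note what the live call does and does not change: the ISP sees an HTTPS connection to the DoH server rather than a DNS query, and with a VPN up that connection goes through the tunnel like any other HTTPS traffic, but the DoH operator still learns every name you resolve. Choosing the resolver is therefore still a trust decision, which is why the VPN’s own resolver remains the first choice.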

6. Choose a VPN with strong DNS leak protection

The landscape of VPN providers has evolved significantly since this article was first published. In 2025, leading VPN providers with robust DNS leak protection include:

– NordVPN: Offers comprehensive protection against all types of leaks, including DNS, IPv6, and WebRTC
– ExpressVPN: Uses its own private, encrypted DNS servers for all DNS requests
– ProtonVPN: Implements DNS leak protection using firewall rules and platform-specific techniques
– Surfshark: Automatically routes all DNS requests through secure servers with leak protection
– CyberGhost: Includes built-in protection against multiple types of leaks

When evaluating VPN providers, look for those that:
– Maintain their own private DNS servers
– Have demonstrated effectiveness in independent leak tests
– Offer features like kill switches and automatic leak protection
– Provide regular updates to address new vulnerabilities

By implementing these enhanced security measures and staying vigilant about testing your connection, you can ensure your VPN provides the privacy protection you expect and prevent unwanted exposure of your browsing activity through DNS leaks.