What Is a DNS Leak and How to Prevent It


A DNS leak exposes your browsing activity even when using a VPN. Learn what DNS leaks are, how to test for them, and how to seal the leak permanently.

Passwordly Team
9 min read

How DNS Works

Before understanding DNS leaks, you need to understand DNS itself. The Domain Name System (DNS) is the internet's phone book — it translates human-readable domain names like "passwordly.xyz" into machine-readable IP addresses like "104.21.32.1."

Every time you visit a website, your device makes a DNS query:

  1. You type "example.com" in your browser
  2. Your device asks a DNS resolver (usually operated by your ISP): "What's the IP address for example.com?"
  3. The DNS resolver looks up the answer (checking its cache, querying authoritative servers if needed)
  4. The resolver returns the IP address to your device
  5. Your device connects to that IP address

The critical privacy implication: your DNS queries are a complete log of every website you visit. Whoever handles your DNS queries — typically your ISP — knows every domain you've visited, when you visited it, and how often.

Under normal circumstances (before any privacy tools), your ISP can see:

  • Every domain name you look up
  • The timing and frequency of your visits
  • That you visited "bank.example.com" at 9:00 AM and "healthcare.example.com" at 9:15 AM

This is true even if the websites themselves use HTTPS — HTTPS encrypts the data exchanged with the website, but by default it does NOT encrypt the DNS query that reveals which website you're visiting.

What Is a DNS Leak

A DNS leak occurs when your DNS queries are sent outside your intended secure channel — typically when DNS queries escape your VPN tunnel and go directly to your ISP's DNS resolver instead.

When you use a VPN, the expectation is:

  • All your internet traffic is routed through the encrypted VPN tunnel
  • DNS queries are handled by the VPN provider's DNS servers
  • Your ISP sees only that you're connected to a VPN — not which websites you visit

A DNS leak breaks this expectation:

  • Your web traffic goes through the VPN tunnel (encrypted) ✓
  • But your DNS queries go directly to your ISP's resolver (unencrypted) ✗
  • Your ISP can see every domain you visit — defeating a major purpose of the VPN

It's like sending a letter in a sealed envelope (VPN) but writing the recipient's address on the outside of the envelope in plain text (DNS leak). The envelope protects the contents, but anyone handling it knows where it's going.

Types of DNS leaks:

  • IPv4 DNS leak: DNS queries sent to your ISP's DNS over IPv4 instead of through the VPN
  • IPv6 DNS leak: Even if IPv4 DNS is routed through the VPN, your device may send DNS over IPv6 to your ISP
  • WebRTC leak: Browser WebRTC features can reveal your real IP and bypass VPN routing
  • Smart Multi-Homed Name Resolution (Windows): Windows may simultaneously query multiple DNS resolvers, including your ISP's, for faster results

Why DNS Leaks Matter

DNS leaks undermine your privacy in several concrete ways:

Your ISP sees your browsing activity. ISPs in many countries are legally permitted (or required) to collect and retain DNS query logs. In the US, ISPs can sell anonymized browsing data to advertisers. In other countries, ISPs may be required to provide logs to government agencies.

Your true destination is revealed. Even if your VPN encrypts your data, a DNS leak tells your ISP exactly which websites you're visiting. This defeats one of the primary privacy benefits of using a VPN.

Censorship can still be enforced. In countries that block websites via DNS, a DNS leak means the censorship filter still applies — your VPN protects the data but the blocked site can't be resolved.

Targeted surveillance is possible. If an adversary is monitoring your ISP's DNS traffic, they can identify which websites you visit despite your VPN connection.

Legal and compliance risks. Journalists, activists, researchers, and whistleblowers who rely on VPN privacy for safety could be exposed by DNS leaks, potentially with serious consequences depending on their jurisdiction.

Common Causes of DNS Leaks

Understanding the causes helps you prevent them:

1. VPN misconfiguration. The most common cause. Some VPN clients don't properly configure the operating system to route all DNS queries through the tunnel. This is especially common with manually configured VPN connections (rather than using the VPN provider's app).

2. Windows Smart Multi-Homed Name Resolution. Starting with Windows 8, Windows sends DNS queries to all available network adapters simultaneously and uses whichever responds fastest. This feature improves speed but sends DNS queries outside the VPN tunnel.

3. IPv6 leaks. Many VPN clients only tunnel IPv4 traffic. If your ISP provides IPv6 connectivity and a website supports IPv6, your device may send DNS queries and web traffic over IPv6 — completely bypassing the VPN.

4. Split tunneling misconfiguration. Split tunneling routes only some traffic through the VPN while sending the rest directly to the internet. If DNS traffic is in the "direct" category, you have a DNS leak.

5. VPN connection drops. If your VPN connection drops temporarily, your device may fall back to your ISP's DNS until the VPN reconnects. Without a kill switch, DNS queries leak during this window.

6. Network changes. Switching from WiFi to cellular (or between WiFi networks) may cause the VPN to briefly disconnect, during which DNS queries leak.

7. Operating system DNS caching. Your OS caches DNS responses. If you connect to the VPN after visiting a website, the cached DNS entry may have been resolved via your ISP. The OS uses the cached entry rather than re-querying through the VPN.

How to Test for DNS Leaks

Testing for DNS leaks is straightforward and should be done regularly:

Step 1: Connect to your VPN.

Step 2: Visit a DNS leak test site. Several reputable sites offer free DNS leak tests:

  • dnsleaktest.com — click "Extended Test" for thorough results
  • ipleak.net — shows DNS servers, IP address, and WebRTC leaks
  • browserleaks.com/dns — detailed DNS resolver analysis

Step 3: Examine the results. The test shows which DNS servers are handling your queries:

  • No leak: All DNS servers listed belong to your VPN provider (or the third-party DNS they use, like Cloudflare or Mullvad)
  • DNS leak detected: You see DNS servers belonging to your ISP (the server names or IP addresses will include your ISP's name)

Step 4: Test multiple scenarios. Run the test:

  • Immediately after connecting the VPN
  • After switching networks (WiFi to cellular)
  • After waking your device from sleep
  • After a brief internet disconnection

Automated monitoring: Some VPN clients (Mullvad, ProtonVPN) include built-in DNS leak monitoring that continuously verifies DNS queries are routed correctly.
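As an added example (not part of the original article), the following Python script applies the same check to a packet capture instead of a test web page: it scans constructed `tcpdump -i any -n udp port 53` output and flags every query that left on the physical interface, went to a resolver other than the VPN's, or went out over IPv6. The tunnel interface name tun0, the VPN resolver 10.8.0.1 and the capture lines are assumptions for the sample; the line shape assumes tcpdump 4.99+ with `-i any`, which prints the interface and direction.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -i any -n udp port 53` output: the outgoing half of
# four lookups made while a VPN (tunnel interface tun0, resolver 10.8.0.1) was up.
SAMPLE_CAPTURE = """\
12:00:01.100 tun0  Out IP 10.8.0.2.51234 > 10.8.0.1.53: 1+ A? bank.example.com. (34)
12:00:01.250 wlan0 Out IP 192.168.1.10.51235 > 192.168.1.1.53: 2+ A? bank.example.com. (34)
12:00:01.300 wlan0 Out IP6 2001:db8:1::10.51236 > 2001:db8::53.53: 3+ AAAA? healthcare.example.com. (40)
12:00:01.400 tun0  Out IP 10.8.0.2.51237 > 10.8.0.1.53: 4+ A? passwordly.xyz. (32)
"""

# tcpdump "-i any" line shape: <time> <iface> Out IP|IP6 <src.port> > <dst.port>: <id><flags> <QTYPE>? <name>. (<len>)
QUERY_RE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+Out\s+(?P<proto>IP6?)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r".*?\s(?P<qtype>[A-Z]+)\?\s(?P<name>\S+)"
)

def classify_query(line, tunnel_iface, vpn_resolvers):
    """Return (name, reason) when a query left on an untrusted path, else None."""
    m = QUERY_RE.match(line)
    if not m:
        return None  # not an outgoing DNS query line
    host, port = m["dst"].rsplit(".", 1)  # tcpdump writes addr.port for both v4 and v6
    if int(port) != 53:
        return None
    dst_ip, name = ipaddress.ip_address(host), m["name"].rstrip(".")
    if m["proto"] == "IP6":
        # IPv6 DNS bypasses a VPN that only tunnels IPv4 (cause 3 above)
        return name, f"ipv6 query to {dst_ip} on {m['iface']}"
    if m["iface"] != tunnel_iface:
        return name, f"sent on {m['iface']} instead of {tunnel_iface}"
    if str(dst_ip) not in vpn_resolvers:
        return name, f"resolver {dst_ip} is not a VPN resolver"
    return None

def find_leaks(capture, tunnel_iface="tun0", vpn_resolvers=("10.8.0.1",)):
    """Scan a capture and list every DNS query that escaped the tunnel."""
    resolvers = set(vpn_resolvers)
    leaks = []
    for line in capture.splitlines():
        hit = classify_query(line, tunnel_iface, resolvers)
        if hit:
            leaks.append(hit)
    return leaks

for leaked_name, reason in find_leaks(SAMPLE_CAPTURE):
    print(f"LEAK {leaked_name}: {reason}")
```

Run it against a real capture taken during the scenarios in Step 4 (reconnect, network switch, wake from sleep) to see the brief windows a one-off web test misses.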

Prevention Methods

Seal DNS leaks with these methods, from easiest to most thorough:

1. Use your VPN provider's official app. VPN provider apps (as opposed to manual VPN configuration) typically handle DNS routing correctly, including setting the DNS server, configuring the firewall, and enabling a kill switch. This fixes most DNS leaks automatically.

2. Enable the VPN kill switch. A kill switch blocks all internet traffic if the VPN connection drops. This prevents DNS queries from leaking during brief disconnections. Most quality VPN apps include this feature — make sure it's enabled.

3. Disable IPv6 (if your VPN doesn't support it). If your VPN only tunnels IPv4 traffic, disable IPv6 on your device to prevent IPv6 DNS leaks:

  • Windows: Network adapter settings → IPv6 → uncheck
  • macOS: Network settings → select interface → Advanced → TCP/IP → configure IPv6 → Off
  • Linux: sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1

Better yet, choose a VPN that fully supports IPv6 tunneling.

4. Disable Windows Smart Multi-Homed Name Resolution. This prevents Windows from sending DNS queries to all available adapters:

  • Open Group Policy Editor: gpedit.msc
  • Navigate to: Computer Configuration → Administrative Templates → Network → DNS Client
  • Enable: "Turn off smart multi-homed name resolution"
  • Restart your computer

5. Set DNS servers manually. Configure your network adapter to use a trusted DNS server (like Cloudflare 1.1.1.1 or Quad9 9.9.9.9) rather than your ISP's DNS. This doesn't fix all leaks but ensures queries go to a more privacy-respecting resolver even if they escape the VPN.

6. Use encrypted DNS (DoH / DoT). This encrypts your DNS queries regardless of the network path. Even if a DNS query leaks outside the VPN, it's encrypted and your ISP can't read it. Details in the next section.

DoH, DoT, and Encrypted DNS

Encrypted DNS is the long-term solution to DNS privacy — it encrypts DNS queries so they can't be read even if they leave the VPN tunnel.

DNS over HTTPS (DoH):

  • Encrypts DNS queries inside HTTPS connections (port 443)
  • Looks like regular HTTPS traffic — difficult for network operators to block or distinguish
  • Supported by major browsers (Firefox, Chrome, Edge) and operating systems (Windows 11, macOS, iOS, Android)
  • Resolvers: Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9), Mullvad, NextDNS

DNS over TLS (DoT):

  • Encrypts DNS queries using TLS on port 853
  • Provides the same privacy as DoH but uses a dedicated port (easier to block but also easier to manage)
  • Supported by Android 9+, some routers, and DNS proxy software
  • Same resolvers as DoH

Which to choose:

  • DoH is harder to block and more widely supported in browsers — generally the better choice for end users
  • DoT is preferred in corporate environments for easier monitoring and policy enforcement
  • Either one prevents eavesdropping on your DNS queries while they are in transit

Why encrypted DNS + VPN is the gold standard:

  • VPN encrypts all traffic including DNS → prevents ISP surveillance
  • Encrypted DNS encrypts queries at the application level → protects against DNS leaks that escape the VPN
  • Together, you have defense in depth — even if one layer fails, the other provides protection
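To make the DoH bullets concrete, here is an added Python example (not from the article) that builds the wire-format query from the "How DNS Works" section for passwordly.xyz, encodes it the way RFC 8484's GET method expects (the ?dns= parameter, base64url without padding), and parses a constructed response carrying the article's example address 104.21.32.1. The resolver URL https://cloudflare-dns.com/dns-query is Cloudflare's public DoH endpoint; the response bytes are sample data, not a real reply.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 query: header (RD set, 1 question) + QNAME + QTYPE + QCLASS IN. txid 0 keeps DoH URLs cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, name: str) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire query, '=' padding stripped>."""
    wire = build_query(name)
    return resolver_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: jump, but remember where we were
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_a_records(msg: bytes):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return answers

# Constructed (sample) response to build_query("passwordly.xyz"): flags 0x8180, one answer
# whose owner name is a pointer to offset 12, A record 104.21.32.1 with TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("passwordly.xyz")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([104, 21, 32, 1])
)
```

Fetching the URL over HTTPS with an `Accept: application/dns-message` header returns the same wire format that parse_a_records reads, which is why DoH looks like any other HTTPS request on the network.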

Platform-Specific Configuration

Here's how to enable encrypted DNS on each major platform:

Windows 11:

  1. Settings → Network & Internet → Wi-Fi (or Ethernet) → Hardware properties
  2. DNS server assignment → Edit
  3. Enter DNS server (e.g., 1.1.1.1 for Cloudflare)
  4. Select "On (automatic template)" for DNS over HTTPS
  5. Repeat for IPv6 if applicable

macOS:

  1. System Settings → Network → Wi-Fi → Details → DNS
  2. Remove existing DNS servers and add: 1.1.1.1, 1.0.0.1
  3. For DoH: Use a DNS profile from your provider (Cloudflare, NextDNS offer downloadable profiles)

iOS / iPadOS:

  1. Settings → Wi-Fi → your network → Configure DNS → Manual
  2. Add: 1.1.1.1, 1.0.0.1
  3. Or install the Cloudflare 1.1.1.1 app (enables DoH system-wide)

Android:

  1. Settings → Network & Internet → Private DNS
  2. Select "Private DNS provider hostname"
  3. Enter: one.one.one.one (Cloudflare) or dns.google (Google)
  4. This enables DoT system-wide

Firefox (browser-level DoH):

  1. Settings → Privacy & Security → DNS over HTTPS → Enable with: Max Protection
  2. Select provider: Cloudflare (default) or custom

Chrome (browser-level secure DNS):

  1. Settings → Privacy and Security → Security → Use secure DNS
  2. Select: Cloudflare (1.1.1.1) or Google (Public DNS)

Test your configuration with https://1.1.1.1/help (Cloudflare's diagnostic page) to verify encrypted DNS is active.

For maximum security across all your accounts, combine DNS leak prevention with unique strong passwords — generate them with our password generator and verify their strength with our strength checker.


DNS leaks are the silent privacy gap that most VPN users never test for — your browsing history flowing to your ISP in plain text while you believe the VPN is protecting you. Testing takes 30 seconds, and fixing the problem permanently requires only encrypted DNS plus a properly configured VPN. Do both, test regularly, and your DNS traffic stays where it belongs — private.
