What Is a DNS Leak?
DNS (Domain Name System) translates domain names like google.com into IP addresses. Normally, your DNS queries are handled by your ISP's servers, which means your ISP can see every website you visit.
A DNS leak occurs when your DNS queries bypass the VPN tunnel and go directly to your ISP's DNS servers, even though you're connected to a VPN. The result:
- Your ISP can still log your browsing history
- Your VPN's privacy protection is effectively bypassed
- Your real geographic location may be inferred from your DNS server
How to Test for a DNS Leak
Use the tool.tl DNS Leak Test to check where your DNS queries are actually going:
- Go to tool.tl/dns-leak-test
- Click "Start Test"
- The tool shows which DNS servers are handling your requests
- If you see your ISP's servers instead of your VPN provider's servers, you have a leak
How to read the results: If your ISP's name or your local city appears in the results while your VPN is active, DNS queries are leaking outside the tunnel.
Common Causes of DNS Leaks
- VPN misconfiguration: The VPN client isn't forcing all DNS requests through the tunnel
- Windows Smart Multi-Homed Name Resolution: Windows 10/11 sends DNS queries to multiple servers simultaneously to speed up resolution, often leaking outside the VPN
- Browser-level DoH (DNS over HTTPS): Chrome and Firefox may use their own DNS resolvers, bypassing both system settings and the VPN
- IPv6 leak: The VPN protects IPv4 traffic but leaves IPv6 DNS requests outside the encrypted tunnel
- Router-hardcoded DNS: Some ISP routers override device DNS settings and force queries to ISP servers
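A local check that complements the online test, as an added example that is not part of the original page: it walks the DNS servers configured on each network interface and reports the ones that match the causes listed above (resolvers on a non-tunnel adapter, IPv6 resolvers, router resolvers). The interface names, addresses and VPN resolver range are constructed sample values and assumptions; substitute the ones your own system and VPN provider report.

```python
import ipaddress

# Constructed sample: DNS servers configured per network interface while a VPN
# is connected. Interface names and addresses are illustrative assumptions.
SAMPLE_INTERFACES = {
    "tun0": ["10.64.0.1"],                                       # VPN tunnel
    "wlan0": ["192.168.1.1", "fe80::1%wlan0", "203.0.113.53"],   # physical adapter
}
VPN_DNS_NETWORKS = ["10.64.0.0/16"]  # assumed range of the VPN's own resolvers

# RFC 1918 ranges: a resolver here is normally the home router, which forwards
# queries to whatever upstream it was given (often the ISP).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_dns_leak_risks(interfaces, tunnel_if, vpn_networks):
    """Return (interface, server, reason) for each resolver that can leak."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    findings = []
    for name, servers in interfaces.items():
        for raw in servers:
            addr = ipaddress.ip_address(raw.split("%")[0])  # strip IPv6 zone id
            if any(addr.version == n.version and addr in n for n in nets):
                continue  # resolver belongs to the VPN provider
            if name == tunnel_if:
                reason = "tunnel interface uses a resolver outside the VPN range"
            elif addr.version == 6:
                reason = "IPv6 resolver on a non-tunnel interface"
            elif any(addr in n for n in RFC1918):
                reason = "router resolver on a non-tunnel interface"
            else:
                reason = "ISP or public resolver on a non-tunnel interface"
            findings.append((name, raw, reason))
    return findings


if __name__ == "__main__":
    for iface, server, reason in find_dns_leak_risks(
            SAMPLE_INTERFACES, "tun0", VPN_DNS_NETWORKS):
        print(f"{iface}: {server} -> {reason}")
```

An empty result means every configured resolver belongs to the VPN; it does not cover browser-level DoH, which bypasses the system resolver settings entirely.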
How to Fix a DNS Leak
Fix 1: Use a VPN with Built-in DNS Leak Protection
Choose a VPN service that explicitly offers DNS leak protection (Mullvad, ProtonVPN, ExpressVPN). These route all DNS queries exclusively through their encrypted servers.
Fix 2: Set a Trusted DNS Server Manually
Change your DNS settings to a privacy-respecting public resolver:
- Cloudflare: 1.1.1.1 / 1.0.0.1 (fast, no logging)
- Google: 8.8.8.8 / 8.8.4.4
- Quad9 (privacy-focused): 9.9.9.9
Fix 3: Disable Windows Smart Multi-Homed Resolution
Open Group Policy Editor (gpedit.msc) → Computer Configuration → Administrative Templates → Network → DNS Client → Enable "Turn off smart multi-homed name resolution".
Fix 4: Disable Browser DoH
In Chrome: Settings → Privacy and Security → Security → uncheck "Use secure DNS". In Firefox: Settings → Network Settings → uncheck "Enable DNS over HTTPS".
DNS Leak vs. WebRTC Leak: What's the Difference?
| Leak Type | What It Exposes | Test Tool |
| --- | --- | --- |
| DNS Leak | Sites you visit, ISP identity, rough location | DNS Leak Test |
| WebRTC Leak | Your real IP address (even through VPN) | WebRTC Leak Test |
Run both tests to ensure your VPN is fully protecting your privacy.
Frequently Asked Questions
Do I need to worry about DNS leaks without a VPN?
Without a VPN, your DNS queries already go to your ISP by design; that's the default behavior. DNS leaks only matter when you're using a VPN and expecting privacy. Without a VPN, the concern is simply that your ISP sees your traffic (which is always the case).
Does a DNS leak expose my real IP address?
Not directly. DNS leaks expose which DNS servers you're using (revealing your ISP and approximate region). A WebRTC leak is what exposes your actual IP address. Use the WebRTC Leak Test to check for that separately.
Are free VPNs more likely to leak DNS?
Yes. Free VPNs often lack dedicated DNS leak protection. If privacy matters, use a reputable paid VPN with an explicit no-logs policy and verified DNS leak protection.