DNS Leak Test - Check If Your VPN Leaks DNS
Run a DNS leak test to check if your VPN exposes your DNS queries. Identify leak sources, compare resolvers, and apply step-by-step fixes to reclaim privacy.
DNS Leak Test
Test whether your VPN leaks DNS requests. Identify exposed DNS servers and protect your privacy online.
What Is a DNS Leak
DNS translates domain names into IP addresses. When DNS queries bypass your VPN or proxy tunnel, the resolver can see which sites you are trying to reach even if the page content is encrypted.
A DNS leak breaks the assumption that all network traffic follows the protected path. You may appear safe on an IP test while your DNS still exposes browsing intent.
For privacy-sensitive use cases, DNS should follow the same network path and exit location as your IP traffic. Any divergence is a leak signal.
Why DNS Leaks Happen
VPN clients may fail to override system DNS settings, or routers may enforce ISP resolvers at the network level. In those cases, DNS continues to use the local path while web traffic uses the VPN.
Browser features like DNS over HTTPS can override system DNS and send queries directly to public resolvers. Split tunneling and multi-interface devices add more paths that can leak DNS unintentionally.
How the DNS Leak Test Works
The test observes which resolver IPs handle your DNS requests and compares them to your expected privacy model. If you are on a VPN, those resolvers should belong to the VPN provider or a DNS service you explicitly chose.
The test does not need to inspect your browsing history. Resolver identity alone is enough to determine whether DNS is escaping the tunnel.
Interpreting Resolver Results
Safe results usually show resolver ownership aligned with your VPN or trusted DNS provider. If you see your ISP, router, or local network in the resolver list, DNS is leaking.
Mixed results can happen when the browser uses DoH while the system uses local DNS. In that case, you may see both the DoH provider and your ISP.
How to Fix a DNS Leak
Enable VPN DNS protection, block local DNS, and turn on kill switch features where available. These settings prevent the OS from falling back to ISP resolvers when the VPN is active.
If your router enforces DNS, update it to use your VPN provider or a trusted resolver. Retest after every change to confirm that the resolver identity has changed.
If the VPN cannot enforce DNS, consider a client that supports DNS push or a system-wide firewall rule that blocks DNS traffic outside the tunnel.
DoH and DoT Considerations
DNS over HTTPS and DNS over TLS encrypt DNS queries, but they do not automatically route through your VPN. If the DoH provider is reached directly, it can still leak your DNS outside the tunnel.
If you use DoH/DoT, make sure the traffic goes through the VPN interface, or configure the VPN to push its own secure DNS.
A good check is to compare resolver ownership with and without DoH enabled. If ownership changes to a public resolver outside your VPN, you are likely leaking.
Operational Checklist
Retest after OS updates, browser updates, or VPN changes. Many leaks appear after a client update resets DNS settings.
Test on every device and network you use. Mobile networks, captive portals, and corporate Wi-Fi can behave differently and introduce unexpected resolvers.
Document your expected resolver ranges so you can quickly spot deviations during audits or incident response.
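One way to put documented resolver ranges to work, as an added example that is not code from this page or from any leak-test tool: it classifies the resolver IPs a test reports against an expected-range list, then uses a run without and a run with browser DoH to attribute the leak as described under "Interpreting Resolver Results" and "DoH and DoT Considerations". All ranges, owner labels, and sample addresses are constructed placeholders (private and documentation ranges), and the category and verdict strings are this example's own.

```python
import ipaddress

# Constructed sample policy: private/documentation ranges, not real providers.
EXPECTED = {
    "vpn-dns": ["10.8.0.0/24", "2001:db8:53::/48"],
    "chosen-resolver": ["198.51.100.53/32"],
}
# Addresses that belong to the local network (router, LAN, loopback stub).
LOCAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
         "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10"]


def _in_any(addr, cidrs):
    # Membership is False across IP versions, so mixed v4/v6 lists are safe.
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify(ip, expected=EXPECTED):
    """Return (category, owner) for one observed resolver address."""
    addr = ipaddress.ip_address(ip)
    for owner, cidrs in expected.items():  # expected ranges win over LOCAL
        if _in_any(addr, cidrs):
            return ("expected", owner)
    if _in_any(addr, LOCAL):
        return ("local", "router/LAN")
    return ("unexpected", "ISP or public resolver")


def leaks(resolvers, expected=EXPECTED):
    """Resolvers from one test run that fall outside the expected model."""
    return sorted(ip for ip in set(resolvers)
                  if classify(ip, expected)[0] != "expected")


def compare_doh(doh_off, doh_on, expected=EXPECTED):
    """Attribute a leak using one run without and one run with browser DoH."""
    off, on = leaks(doh_off, expected), leaks(doh_on, expected)
    if not off and not on:
        verdict = "no leak"
    elif on and not off:
        verdict = "browser DoH bypasses the tunnel"
    else:
        verdict = "system or network DNS leaks"
    return {"doh_off": off, "doh_on": on, "verdict": verdict}


if __name__ == "__main__":
    # Constructed runs: 192.168.1.1 is a home router, 203.0.113.9 an outside resolver.
    print(compare_doh(["10.8.0.1"], ["10.8.0.1", "203.0.113.9"]))
    print(compare_doh(["10.8.0.1", "192.168.1.1"], ["198.51.100.53"]))
```

Replace `EXPECTED` with the ranges your VPN or chosen DNS provider actually publishes; an address that matches neither list is reported as unexpected rather than guessed at.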
Router and Enterprise Scenarios
Some routers enforce ISP DNS for all devices regardless of local settings. If you manage the router, update its DNS servers to match your VPN or trusted provider.
In corporate environments, group policies may lock DNS settings. VPN clients might be unable to override those policies without administrator changes.
Symptoms of a DNS Leak
If you see your ISP or local network in the resolver list while the IP test shows a VPN exit, you almost certainly have a leak.
Intermittent results often mean DNS is switching between resolvers. This can happen when a VPN reconnects, a network changes, or the browser toggles DoH.
A sudden spike in region-locked content or unexpected geo matches can also indicate DNS is escaping the tunnel.
Choosing a DNS Provider
A trusted DNS provider should be transparent about logging, support encrypted DNS, and operate in regions aligned with your privacy requirements.
If your VPN provides its own resolver, prefer it for consistency. Mixing VPN traffic with third-party DNS can create a mismatch that looks like a leak.
Testing Best Practices
Run the test in a fresh browser session to avoid cached DNS results. Clear the browser DNS cache if the tool keeps showing older resolvers.
Test both with and without browser DoH enabled. Comparing the two modes helps identify whether the leak originates from the browser or the network stack.
Browser, OS, and App Differences
Different browsers may use different DNS behaviors. One browser may use DoH by default while another relies on the OS resolver, which can produce inconsistent results across tools.
Mobile apps and desktop clients can also behave differently. If privacy or compliance depends on your DNS path, test the same network path in each environment you actually use.
If you manage multiple profiles, verify each profile separately. Extensions or enterprise policies can override DNS behavior without visible UI changes.
Frequently Asked Questions
What is a DNS leak and why does it matter?
A DNS leak occurs when DNS queries bypass your VPN or proxy tunnel and are sent to your ISP's or local network's DNS resolvers instead of the encrypted resolver you intended. This matters because DNS queries reveal which domains you are trying to visit, even when page content itself is encrypted. Your ISP, network operator, or anyone monitoring your traffic can see your browsing intent even without seeing the actual pages you visit.
How do I perform a DNS leak test?
To perform a DNS leak test, visit a DNS leak test tool page while connected to your VPN or proxy. The tool queries which DNS resolvers are handling your requests and displays the results. Compare the resolver ownership shown against your expected VPN or DNS provider. If you see your ISP, router, or local network in the results while your IP shows a VPN exit, you have a DNS leak. Run the test in a fresh browser session for the most accurate results.
How do I fix a DNS leak?
To fix a DNS leak: enable VPN DNS protection or a DNS leak kill switch in your VPN client; configure your system to use your VPN provider's DNS servers; disable any browser DNS-over-HTTPS (DoH) settings that override system DNS; update your router's DNS settings if it enforces ISP resolvers; and retest after each change. If the VPN client cannot enforce DNS, use a system-wide firewall rule that blocks all DNS traffic outside the VPN tunnel.
Does DNS over HTTPS prevent DNS leaks?
No. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt your DNS queries, but they do not automatically route that traffic through your VPN tunnel. If the DoH or DoT resolver is reached directly rather than through the VPN interface, your DNS queries still bypass the VPN path. Always verify that your DoH/DoT traffic goes through the VPN interface, not your default network path. Compare resolver ownership with and without DoH enabled to confirm the actual DNS path.
Related Docs
- DNS Integrity Check Explained — understand DNS proxy and resolver consistency
- Browser Fingerprint — understand how DNS leaks can correlate with fingerprint data
- What Is My IP — validate network context alongside DNS leak results