VPNRank.io

What Is a DNS Leak?

A DNS leak is a flaw where your device's DNS queries — the lookups that translate website names like example.com into IP addresses — travel outside the encrypted VPN tunnel to your ISP's DNS servers instead of the VPN's. The result: even with the VPN connected and your IP address hidden, your ISP (or anyone watching) can still see every website you request, defeating much of the VPN's privacy benefit.

Why DNS leaks happen

Every website visit starts with a DNS lookup. A properly working VPN routes these lookups through its own encrypted DNS resolvers inside the tunnel. A DNS leak occurs when, through a configuration flaw or OS behavior, those lookups instead go to the DNS server your device used before the VPN connected — usually your ISP's.

Common causes: operating systems (especially Windows, through its 'Smart Multi-Homed Name Resolution' feature) that send DNS queries to multiple resolvers at once for speed; IPv6 traffic leaking when a VPN only routes IPv4; and manually configured DNS settings that override the VPN. Transparent DNS proxying by some ISPs, where the ISP intercepts DNS queries and redirects them to its own servers, can also force leaks.

How to test for a DNS leak

Connect your VPN, then visit a DNS-leak test site (such as dnsleaktest.com or the test pages most VPN providers host). Run the extended test. If the DNS servers shown belong to your VPN provider or its DNS partner, you're protected. If any belong to your ISP or are located in your real country, you have a leak.

Test after reconnecting, after switching networks, and after waking from sleep — leaks often appear only in these transition moments rather than during a steady connection.
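
A local complement to the test sites, as an added example rather than VPNRank's own tooling: the script below scans packet-capture lines for outbound DNS queries that bypass the tunnel (IPv4 or IPv6) or that go to a resolver other than the VPN's. The interface name tun0, the resolver 10.8.0.1, and the sample lines (constructed in the style of `tcpdump -i any -n port 53` output) are assumptions.

```python
import ipaddress
import re

# Assumptions for this example: tunnel interface name and the VPN's resolver.
TUNNEL_IFACE = "tun0"
VPN_RESOLVERS = {ipaddress.ip_address("10.8.0.1")}

# Outbound DNS queries in the style of `tcpdump -i any -n port 53` output,
# which prints the interface and direction before each packet summary.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+Out\s+IP6?\s+\S+\s+>\s+"
    r"(?P<dst>[0-9A-Fa-f:.]+)\.(?P<port>\d+):\s+\d+\S*\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<name>\S+)"
)

# Constructed capture: VPN connected, then a network switch at 09:13:07.
SAMPLE = """\
09:13:01.100001 tun0  Out IP 10.8.0.2.40112 > 10.8.0.1.53: 1201+ A? example.com. (29)
09:13:01.100950 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.40112: 1201 1/0/0 A 203.0.113.10 (45)
09:13:07.220114 wlan0 Out IP 192.168.1.23.51844 > 192.168.1.1.53: 7710+ A? example.org. (29)
09:13:07.221300 wlan0 Out IP6 2001:db8:1::23.51845 > 2001:db8:1::1.53: 7711+ AAAA? example.org. (29)
09:13:09.004512 tun0  Out IP 10.8.0.2.40113 > 192.0.2.53.53: 1202+ A? example.net. (29)
""".splitlines()


def find_dns_leaks(lines, tunnel=TUNNEL_IFACE, resolvers=VPN_RESOLVERS):
    """Return (time, iface, resolver, name, reason) for each suspect query."""
    leaks = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or m["port"] != "53":
            continue  # replies, inbound packets and non-DNS lines are skipped
        dst = ipaddress.ip_address(m["dst"])
        if m["iface"] != tunnel:
            reason = "query left outside the tunnel"
        elif dst not in resolvers:
            reason = "query used a non-VPN resolver"
        else:
            continue  # through the tunnel, to the VPN's own resolver
        leaks.append((m["ts"], m["iface"], str(dst), m["name"].rstrip("."), reason))
    return leaks


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE):
        print(*leak, sep="  ")
```

Only plaintext DNS on port 53 is visible this way; encrypted DNS (DoH or DoT) does not show up as DNS queries in such a capture.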

How a good VPN prevents DNS leaks

Quality VPNs run their own DNS resolvers and force all queries through the tunnel, include full IPv6 leak protection (or block IPv6 entirely), and pair DNS protection with a kill switch so that if the tunnel drops, no queries escape. ExpressVPN, NordVPN, and Surfshark all passed our DNS, IPv6, and WebRTC leak tests across platforms.

If you find a leak: enable your VPN's built-in leak protection and kill switch, disable IPv6 at the OS level if the VPN doesn't handle it, and switch to the VPN's own DNS rather than a custom one. If leaks persist across servers, the provider's leak protection is inadequate — switch providers.

Frequently Asked Questions

Does a DNS leak reveal my browsing history?

It reveals the domains you look up — effectively the websites you visit — to whichever DNS server received the query, typically your ISP. It doesn't expose the full page contents (those are still encrypted by HTTPS), but the list of sites is exactly what most people use a VPN to hide, so a DNS leak undermines the core privacy purpose.

How do I know if my VPN has a DNS leak?

Connect the VPN and run an extended test at a DNS-leak test site. If the listed DNS servers belong to your VPN provider, you're fine; if any belong to your ISP or sit in your real country, you have a leak. Re-test after reconnecting and after switching networks, since leaks often appear only at those moments.

Which VPNs prevent DNS leaks?

Providers that run their own DNS, force queries through the tunnel, and include IPv6 leak protection plus a kill switch. ExpressVPN, NordVPN, and Surfshark all passed our DNS, IPv6, and WebRTC leak tests. Many free and low-quality VPNs fail these tests.

Can a kill switch stop DNS leaks?

A kill switch stops leaks that happen when the tunnel drops, by blocking all traffic until it reconnects. But DNS can leak even while the tunnel is up if the VPN doesn't force DNS through it — so a kill switch is necessary but not sufficient. You need both proper DNS handling and a kill switch.