What Is DNS?

Every time you type a website address into your browser, your device sends a query to a Domain Name System (DNS) server to translate that human-readable address (like example.com) into a numerical IP address your computer can connect to. Think of DNS as the internet's phone book.

By default, your DNS queries are handled by your Internet Service Provider (ISP). This means your ISP can see the domain name of every website you visit, even if the page itself is encrypted with HTTPS.

What Is a DNS Leak?

When you use a VPN, your DNS queries should be routed through the VPN tunnel to the VPN provider's DNS servers, keeping your browsing activity hidden from your ISP. A DNS leak occurs when those queries bypass the VPN tunnel entirely and go directly to your ISP's DNS servers instead.

The result? Your VPN hides your IP address, but your ISP — and anyone monitoring the DNS traffic — can still see exactly which websites you're visiting. This silently undermines the privacy a VPN is supposed to provide.

Common Causes of DNS Leaks

  • Operating system DNS resolution behavior: Windows, in particular, has a feature called "Smart Multi-Homed Name Resolution" that can send DNS queries over every available network interface to multiple servers simultaneously, including your ISP's.
  • VPN misconfiguration: A VPN that doesn't explicitly push DNS server settings may leave your OS using its default DNS.
  • IPv6 leaks: If your VPN only tunnels IPv4 traffic, IPv6 DNS queries may still leave unprotected.
  • WebRTC leaks: Browsers can use WebRTC (used for video/audio calls) to discover your real IP, sometimes bypassing VPN DNS settings.

How to Test for DNS Leaks

Testing is simple and free. While connected to your VPN:

  1. Visit a DNS leak test site (search for "DNS leak test" — several reputable free tools exist).
  2. Run the standard or extended test.
  3. Review the DNS server results. If you see your ISP's servers listed, you have a DNS leak. If only your VPN provider's servers appear, you're protected.
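
For a local check that does not rely on a third-party site, the same comparison can be made against your own outbound traffic. The Python below is an added example, not part of the original article: it scans a constructed packet log and flags unencrypted DNS queries that left through any interface other than the VPN tunnel. The interface name tun0, the log format, and the category names are assumptions made for illustration.

```python
import ipaddress

VPN_IFACE = "tun0"  # assumption: name of the VPN tunnel interface

# Constructed sample, one outbound packet per line:
# <interface> <protocol> <destination IP> <destination port> <queried name or ->
SAMPLE_FLOWS = """\
tun0 udp 10.8.0.1 53 example.com
wlan0 udp 192.168.1.1 53 example.com
wlan0 udp 2001:db8::53 53 example.org
wlan0 udp 192.168.1.1 53 example.net
wlan0 udp 198.51.100.7 1194 -
tun0 tcp 203.0.113.10 443 -
"""

def parse(flow_text):
    """Yield (line_no, iface, ip, port, name) for each well-formed line."""
    for line_no, line in enumerate(flow_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line
        iface, _proto, dst, port, name = fields
        try:
            yield line_no, iface, ipaddress.ip_address(dst), int(port), name
        except ValueError:
            continue  # unparsable address or port

def find_dns_leaks(flow_text, vpn_iface=VPN_IFACE):
    """Return [(line_no, category, detail)] for plain DNS sent outside the tunnel."""
    # Only port 53 is inspected: DoH/DoT traffic carries no readable name.
    records = [r for r in parse(flow_text) if r[3] == 53]
    tunnelled = {name for _, iface, _, _, name in records if iface == vpn_iface}
    findings = []
    for line_no, iface, ip, _port, name in records:
        if iface == vpn_iface:
            continue  # query stayed inside the tunnel
        if ip.version == 6:
            category = "ipv6-leak"  # IPv6 resolver reached outside the tunnel
        elif name in tunnelled:
            category = "parallel-query"  # same name was also sent through the tunnel
        else:
            category = "tunnel-bypass"  # query never used the tunnel at all
        findings.append((line_no, category, f"{name} -> {ip} via {iface}"))
    return findings

if __name__ == "__main__":
    for line_no, category, detail in find_dns_leaks(SAMPLE_FLOWS):
        print(f"line {line_no}: {category}: {detail}")
```

The parallel-query category is a heuristic: it matches the multi-server behavior listed under the common causes, but it does not prove which operating system feature sent the query.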

How to Fix a DNS Leak

Fix 1: Use a VPN With Built-In DNS Leak Protection

The simplest solution is to use a VPN client that automatically routes DNS queries through the VPN tunnel. Most reputable paid VPN applications include DNS leak protection as a built-in feature — check your VPN's settings to confirm it's enabled.

Fix 2: Manually Configure DNS Servers

You can manually set your DNS servers to a privacy-respecting public resolver. Do this at the operating system or router level. Because plain DNS queries remain readable in transit even when they go to a third-party resolver, look for DNS providers that offer encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) for an additional layer of protection.

Fix 3: Disable Smart Multi-Homed Name Resolution on Windows

On Windows, open the Group Policy Editor (gpedit.msc) and navigate to:

Computer Configuration → Administrative Templates → Network → DNS Client

Set "Turn off smart multi-homed name resolution" to Enabled. This prevents Windows from sending DNS queries outside the VPN tunnel.

Fix 4: Disable IPv6 If Not Needed

If your VPN doesn't support IPv6, disable IPv6 on your network adapter to prevent IPv6 DNS queries from leaking. This can be done through your network adapter settings in the operating system's control panel.

Fix 5: Use a Firewall to Block Non-VPN DNS

Advanced users can configure a local firewall to block all DNS traffic that doesn't pass through the VPN interface. This is the most robust solution but requires careful configuration to avoid breaking connectivity.

Key Takeaway

A VPN without DNS leak protection is like locking your front door but leaving your windows open. Always test for leaks after setting up a new VPN, and retest periodically — especially after system updates, which can reset network configurations. DNS leak prevention is a fundamental part of any serious privacy setup.