What Is a DNS Leak
A DNS leak happens when your device sends DNS queries to a resolver you did not intend to use. Instead of reaching the DNS server you configured, the queries end up at another resolver, typically the one run by your internet service provider. Whoever operates that resolver can log which domains you look up, when you look them up, and how often.
When you type a domain name into your browser, your device needs to convert it into an IP address. This conversion is a DNS lookup. If you have configured a privacy-focused resolver like Cloudflare 1.1.1.1 or Quad9, you expect those queries to go there. A leak means the query goes somewhere else entirely, often your ISP's DNS server, without your knowledge.
DNS leaks do not break your connection. Everything still works, which is exactly why the problem is invisible: websites load normally, downloads finish on time, and streaming does not stutter. But behind the scenes, someone else is seeing every name you look up. Each domain you resolve is a data point about your behavior, and a DNS leak hands those data points to whoever controls the resolver that actually answers the query.
This is not a theoretical problem. Research published by the Internet Society and independent security researchers has consistently found that a significant percentage of VPN users experience DNS leaks at some point. If you rely on a VPN for privacy, a DNS leak undermines the entire point of using one.
Why DNS Leaks Happen
DNS leaks occur for several reasons, and most of them are configuration issues rather than software bugs. Understanding the root cause is the first step toward fixing them.
The most common scenario is a misconfigured VPN. A VPN encrypts your internet traffic and routes it through a remote server. But if the VPN does not capture DNS queries, those queries bypass the encrypted tunnel and go directly to your ISP's resolver. You might be connected to a VPN thinking your traffic is private, while every DNS lookup is visible to your ISP.
Another frequent cause is forced DNS settings at the network level. Some ISPs and network administrators run transparent DNS proxies that redirect any DNS traffic on port 53 to their own resolvers, regardless of what you have configured on your device. Even if you set your system DNS to a third-party resolver, the ISP answers the query before it ever leaves the network. These proxies only see plaintext DNS; queries carried over DNS-over-HTTPS or DNS-over-TLS pass them untouched, which is why encrypted DNS is part of the fix below.
Operating systems can also override your DNS settings. Windows has a feature called Smart Multi-Homed Name Resolution that can send a query out through every connected network interface, in parallel, and accept the first answer, so a query can reach your ISP's resolver through one interface even though you set a different resolver on another. Android's Private DNS setting, when left on Automatic, opportunistically tries DNS-over-TLS with whatever resolver the network handed out, which is usually the ISP's; it only pins you to a resolver of your choice when you enter a hostname explicitly.
Router-level DNS settings are another common culprit. Home routers normally hand out the ISP's resolver, or their own address as a forwarder to it, through DHCP, so every device that accepts DHCP settings ends up at the ISP's resolver no matter what one laptop was configured to use. Some ISP-supplied routers go further and redirect all port-53 traffic that passes through them, and corporate networks often do the same deliberately to force use of an internal resolver.
How to Test for DNS Leaks
Testing for DNS leaks means finding out which resolver actually carries your queries, and your device cannot see that directly: it knows the address it hands queries to, not where they end up after a transparent proxy or a second interface has had its say. The place that can see it is the authoritative name server for a domain, which records the address of every recursive resolver that asks about names in that domain.
A leak test works from that vantage point. The page has your browser request unique, randomly generated hostnames under a domain the test controls. No cache has ever seen those names, so whichever resolver is really serving your browser must contact the test's authoritative server, and the source address of that contact identifies it. Our tool then compares that resolver against the one you configured. If a resolver you did not configure shows up, that indicates a leak.
Here is what to look for in the results:
Resolver identity: The test shows which DNS resolver responded to your queries. Compare this against the DNS server you have configured. If your device is set to use Cloudflare 1.1.1.1 but the test shows responses from your ISP's resolver, you have a DNS leak.
Multiple resolvers: If queries are being answered by resolvers belonging to different operators, your DNS traffic is being split across multiple paths. This happens with Smart Multi-Homed Name Resolution on Windows, or when your IPv4 and IPv6 DNS settings point to different servers. Several different addresses that all belong to the same operator are not a split: large public resolvers contact authoritative servers from many egress addresses, so judge by operator, not by individual IP.
Consistency: Run the test multiple times. A one-time mismatch could be a transient routing issue. If the same non-configured resolver answers consistently, the leak is persistent and needs to be addressed.
Location data: Some DNS leak tests show the geographic location of the resolver. A resolver that sits in your ISP's address space confirms the leak. Treat country alone as a weak signal: large public resolvers are anycast and reach authoritative servers from points of presence around the world, so a resolver showing up in an unexpected country is not by itself evidence of a leak.
For the most accurate results, disconnect from any VPN first, run the test, then connect to your VPN and run it again. The difference between the two results shows whether your VPN is properly routing DNS traffic.
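The matching step of such a test, written out as an added example (this is not the code behind our tool): the browser is handed random probe hostnames, the authoritative server for the probe zone logs which resolver addresses ask for them, and the log is turned into a verdict. The zone name leaktest.example, the resolver prefix table (a few illustrative prefixes, not the operators' full egress lists) and the sample log are assumptions constructed for the example.

```python
"""Added example: the matching step of a DNS leak test. The browser fetches random
hostnames under a zone the test controls; the zone's authoritative server logs the
source address of every recursive resolver that asks for them; this code turns
that log into a verdict."""
import ipaddress
import secrets

TEST_ZONE = "leaktest.example"   # assumption: a zone whose authoritative server we run

# Assumption: illustrative prefixes only. Public resolvers contact authoritative
# servers from many egress addresses, so a real test needs each operator's published list.
KNOWN_RESOLVERS = {
    "Cloudflare": ["1.1.1.0/24", "1.0.0.0/24", "162.158.0.0/15", "172.64.0.0/13", "2606:4700::/32"],
    "Quad9": ["9.9.9.0/24", "149.112.112.0/24", "2620:fe::/48"],
    "Google": ["8.8.8.0/24", "8.8.4.0/24", "74.125.0.0/16", "2001:4860::/32"],
}
_NETS = [(op, ipaddress.ip_network(p)) for op, prefixes in KNOWN_RESOLVERS.items() for p in prefixes]


def new_probe_name() -> str:
    """A never-before-seen hostname: no cache can answer it, so the resolver that
    serves this browser is forced to show itself at the authoritative server."""
    return f"{secrets.token_hex(8)}.{TEST_ZONE}"


def classify(source_ip: str) -> str:
    """Name the operator behind the address that queried the authoritative server."""
    addr = ipaddress.ip_address(source_ip)
    for op, net in _NETS:
        if addr.version == net.version and addr in net:
            return op
    return "unknown"        # not a known public resolver: usually the ISP


def analyse(configured: str, probes: set, observations) -> dict:
    """configured: operator the user says they set (e.g. "Cloudflare").
    probes: hostnames this browser session was told to fetch.
    observations: (hostname, resolver_source_ip) pairs from the authoritative log."""
    seen = {}                       # operator -> set of source addresses
    by_family = {4: set(), 6: set()}
    for hostname, ip in observations:
        if hostname not in probes:  # not ours: another session or background noise
            continue
        op = classify(ip)
        seen.setdefault(op, set()).add(ip)
        by_family[ipaddress.ip_address(ip).version].add(op)
    others = set(seen) - {configured}
    return {
        "resolvers": seen,
        # anyone but the configured operator carried a query
        "leak": bool(others),
        # queries spread across operators: SMHNR, v4/v6 mismatch, or a flapping VPN
        "split": len(seen) > 1,
        # v6 queries went elsewhere while v4 stayed with the configured operator
        "ipv6_leak": bool(by_family[6] - {configured}) and by_family[4] <= {configured},
    }


def report(result: dict) -> str:
    lines = [f"{op}: {', '.join(sorted(ips))}" for op, ips in result["resolvers"].items()]
    if result["ipv6_leak"]:
        lines.append("LEAK over IPv6 only")
    elif result["leak"]:
        lines.append("LEAK: an unconfigured resolver handled your queries")
    else:
        lines.append("no leak detected")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed log: two lookups reached Cloudflare, one reached an unknown (ISP) resolver.
    probes = {new_probe_name() for _ in range(3)}
    p = sorted(probes)
    log = [(p[0], "172.64.10.5"), (p[1], "172.64.10.9"), (p[2], "203.0.113.53")]
    print(report(analyse("Cloudflare", probes, log)))
```

Run the analysis twice, once with the VPN off and once with it on, and compare the two reports; the "split" flag is the one to watch on Windows and on dual-stack networks, since a single stray operator in an otherwise clean run is the usual signature of a second interface or an unconfigured IPv6 resolver.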
Common Causes of DNS Leaks
VPN Not Properly Configured
Many VPN clients have a setting called "DNS leak protection" or "kill switch for DNS" that is disabled by default. Without this setting enabled, DNS queries can bypass the VPN tunnel even when the VPN is connected. Some VPN clients do not capture DNS traffic at all, relying instead on the operating system's DNS settings. If the VPN drops briefly, DNS queries go to whatever resolver the OS has configured, which is usually the ISP.
Free and very cheap VPN services are especially prone to this problem. Many do not run their own resolver, do not support encrypted DNS, and do not include DNS leak protection. Do not assume a free VPN keeps your DNS private; test it.
ISP Forcing DNS
Some internet service providers use transparent DNS proxies that intercept DNS traffic on port 53 and redirect it to their own resolvers. This means that even if you configure your device to use a different DNS server, the ISP intercepts the query before it reaches the resolver you specified. This is common with ISPs in certain regions and is sometimes done for content filtering, parental controls, or logging purposes.
Transparent DNS proxies are hard to notice because they do not break anything: your queries still get answers, just from a server you did not choose. The telltale is that a plaintext query gets answered no matter where you send it. A query aimed at an address that is not a resolver at all should time out; if an answer comes back, something on the path is answering on that address's behalf.
Router Using ISP DNS
Most home routers are configured by default to hand out the ISP's DNS servers through DHCP, or to hand out their own address and forward queries to the ISP. Any device that takes its settings from DHCP, which is nearly all of them, therefore ends up at the ISP's resolver. A few ISP-supplied routers additionally redirect all port-53 traffic to the ISP's resolver, in which case even a device with manually configured DNS leaks.
Changing the DNS on one laptop fixes that laptop only. Every other device on the network, such as smart TVs, phones, and tablets, keeps using whatever the router advertises until you change the router or configure each device individually.
Operating System DNS Overrides
Windows has several features that can override your DNS settings. Smart Multi-Homed Name Resolution sends DNS queries out of all connected interfaces, including the one attached to your ISP, even if you have set a custom resolver on your primary interface. Windows 11 can carry system DNS over DNS over HTTPS, but only for resolvers on its built-in list and only once you turn it on; it is off by default, so a manually configured resolver is still queried in plaintext unless you enable it. The DNS Client cache can also serve stale answers, which is an annoyance rather than a leak.
On macOS, mDNSResponder keeps a resolver configuration per interface, so a query tied to a particular interface can go to that interface's resolvers rather than the ones you set, and VPN clients that add their own scoped configuration can leave some lookups on the ISP's resolver. On Android, Private DNS in Automatic mode opportunistically uses DNS-over-TLS with the network-supplied resolver and falls back to plaintext if that resolver does not support it; only the explicit hostname mode pins queries to a resolver of your choice, and in that mode Android fails the lookup rather than falling back. On iOS, manual DNS settings apply per Wi-Fi network and not to cellular, so a phone that leaves Wi-Fi goes back to the carrier's resolver.
IPv6 DNS Mismatch
If your network supports IPv6, your device may be sending DNS queries over both IPv4 and IPv6. If you have configured a custom DNS server only for IPv4, the IPv6 queries go to whatever resolver the network advertises, which is usually the ISP's DNS. This creates a partial DNS leak where some queries are private and others are not.
How to Fix DNS Leaks
Configure DNS Manually on Your Device
The most direct fix is to set your DNS resolver at the device level. On Windows, go to Network Settings, select your connection, open Properties, and set IPv4 DNS to your preferred resolver. Do the same for IPv6 if your network supports it. On macOS, go to System Settings (System Preferences on older releases), Network, select your connection, click Details (Advanced on older releases), and add DNS servers under the DNS tab. On Android, go to Settings, Network, Private DNS, and set your resolver hostname. On iOS, go to Settings, Wi-Fi, tap the info icon on your network, and configure DNS manually; this applies to that Wi-Fi network only.
Use a trusted resolver like Cloudflare 1.1.1.1, Quad9 9.9.9.9, or Google DNS 8.8.8.8. Choose based on your priorities: Cloudflare for speed, Quad9 for security, Google for broad compatibility. For detailed step-by-step instructions on every platform, see our guide to changing DNS settings.
Enable DNS over HTTPS or DNS over TLS
DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt your DNS queries, preventing interception. Most modern browsers support DoH natively. In Firefox, go to Settings, Privacy & Security, and enable DNS over HTTPS. In Chrome, go to Settings, Privacy and Security, and enable Use secure DNS. On Android 9 and later, use Private DNS with a resolver hostname that supports DoT. On iOS, the DNS field in Wi-Fi settings accepts only plain resolver addresses; to use DoH or DoT system-wide you install a configuration profile from the resolver operator, or an app that sets one up for you.
Encrypted DNS does not prevent all forms of DNS leaks, but for the queries that use it, it stops your ISP and any transparent port-53 proxy from reading or redirecting them. The caveat is fallback: if the network blocks port 853 or the DoH endpoint and your client is in an automatic or opportunistic mode, it may silently drop back to plaintext. Pick a specific resolver and, where the client offers it, a strict mode that fails rather than falls back.
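The transparent-proxy check described under "ISP Forcing DNS" and a DNS-over-HTTPS query share the same DNS wire format, so one added example (not code from this page or from any resolver operator) covers both: it builds and parses DNS messages by hand, sends one over plain UDP/53 to 192.0.2.1 (an RFC 5737 documentation address that no real resolver lives on, chosen here as the probe target), and POSTs the identical message to Cloudflare's public DoH endpoint. The probe target, the timeouts and the sample response used to check the parser are assumptions.

```python
"""Added example: raw DNS messages for two checks from this page.
transparent_proxy_present(): plaintext UDP/53 query to an address that is not a resolver.
doh_query(): the same wire-format message carried over DNS-over-HTTPS (RFC 8484)."""
import secrets
import socket
import struct
import urllib.request

# Assumption: RFC 5737 documentation address, chosen because no real resolver lives there.
NOT_A_RESOLVER = "192.0.2.1"
DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A, qid=None) -> bytes:
    """One-question DNS query in RFC 1035 wire format with the RD flag set."""
    if qid is None:
        qid = secrets.randbits(16)          # random ID so a reply can be matched to our query
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Return the message ID, RCODE and the A/AAAA addresses in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4      # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rclass == 1 and rtype == TYPE_A:
            answers.append(socket.inet_ntoa(rdata))
        elif rclass == 1 and rtype == TYPE_AAAA:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"id": qid, "rcode": flags & 0x0F, "answers": answers}


def transparent_proxy_present(name: str = "example.com", target: str = NOT_A_RESOLVER,
                              timeout: float = 2.0) -> bool:
    """Send a plaintext query to an address that cannot answer it. A reply carrying
    our message ID can only come from a device in the path that intercepts port 53."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (target, 53))
        try:
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return False
    return parse_response(reply)["id"] == struct.unpack("!H", query[:2])[0]


def doh_query(name: str, url: str = DOH_URL, qtype: int = TYPE_A) -> dict:
    """POST the identical wire-format message over HTTPS (RFC 8484). ID 0 keeps the
    request byte-identical across runs so HTTP caches can serve it."""
    body = build_query(name, qtype, qid=0)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())


if __name__ == "__main__":
    print("transparent proxy on this network:", transparent_proxy_present())
    print("example.com via DoH:", doh_query("example.com")["answers"])
```

On a clean network transparent_proxy_present() times out and returns False; an answer to a query aimed at 192.0.2.1 can only have been produced by something in the path. doh_query() carries the same bytes inside an HTTPS request, which is why a port-53 proxy never gets to see or rewrite them.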
Check Your VPN Settings
If you use a VPN, verify that it includes DNS leak protection. Most reputable VPN providers have this feature built in, but it may not be enabled by default. Check your VPN client settings for options like "DNS leak protection," "kill switch," or "block outside DNS." Enable all of them.
After enabling these settings, run our DNS leak test to confirm that your queries are going through the VPN's resolver and not leaking to your ISP.
Change Your Router DNS
Log into your router's admin panel (usually at 192.168.1.1 or 192.168.0.1) and find the DNS settings. Change them to your preferred resolver. This ensures that all devices on your network use the correct DNS by default, including devices where you cannot manually configure DNS settings like smart TVs and IoT devices.
If your ISP locks the router DNS settings, you may need to use a different approach, such as configuring DNS at the device level or using a VPN with DNS leak protection.
Disable Smart Multi-Homed Name Resolution
On Windows, you can disable Smart Multi-Homed Name Resolution through Group Policy or the registry. This prevents Windows from sending DNS queries to all network interfaces simultaneously, which is a common source of DNS leaks on Windows machines with multiple network connections.
Open the Group Policy Editor, navigate to Computer Configuration, Administrative Templates, Network, DNS Client, and enable the setting "Turn off smart multi-homed name resolution." On editions without the Group Policy Editor, the same policy is the DWORD value DisableSmartNameResolution set to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. Reboot afterwards and re-run the leak test to confirm that only one resolver shows up.
DNS Leaks and VPNs
VPNs are supposed to protect your privacy by encrypting your traffic and routing it through a remote server. But if DNS queries bypass the VPN tunnel, your privacy is compromised. This is one of the most common and misunderstood problems with VPN usage.
A properly configured VPN should handle DNS queries through its own encrypted tunnel. When you connect to a VPN, the VPN client should set your system DNS to the VPN's resolver and block any DNS queries that try to leave the tunnel. This is what "DNS leak protection" means in VPN settings.
The problem is that not all VPN clients do this correctly. Some push a default route into the tunnel but never change the system resolver, so lookups still go to the ISP's server; the local-network exception that most clients add so printers and file shares keep working then sends them around the tunnel entirely, because the DHCP-supplied resolver is usually the local router's address. Others do not set the system DNS at all, relying on the user to configure it manually. And some handle IPv4 DNS correctly but ignore IPv6, so queries to an IPv6 resolver advertised by the network bypass the tunnel, creating a partial leak.
To check whether your VPN is leaking DNS, disconnect from the VPN and run our DNS leak test. Note which resolver answers your queries. Then connect to your VPN and run the test again. If the resolver changes to the VPN's resolver, your VPN is handling DNS correctly. If the resolver remains the same, your VPN is leaking DNS queries.
This is especially important for users who rely on VPNs for censorship circumvention or political privacy. In countries where internet surveillance is widespread, a DNS leak can reveal your browsing activity even while you are connected to a VPN. Privacy-focused DNS resolvers combined with proper VPN configuration provide the strongest protection.
Some VPN providers offer their own DNS-over-HTTPS resolvers that integrate with their VPN client. These are generally the safest option because they are designed to work together. Third-party DNS resolvers may not be compatible with all VPN configurations, which can lead to conflicts or leaks.
Preventing DNS Leaks
Prevention is better than detection. Here are the proactive steps you should take to ensure your DNS queries are not being intercepted.
Start with a secure DNS resolver. Choose a resolver that supports DNS-over-HTTPS and DNS-over-TLS. Cloudflare 1.1.1.1, Quad9 9.9.9.9, and Google DNS 8.8.8.8 all support encrypted DNS. Configure this resolver on your device and, if possible, on your router.
Enable encrypted DNS in your browser. Most modern browsers support DNS-over-HTTPS. Enable it in your browser settings and pick a specific provider rather than the automatic option: in automatic mode Chrome only upgrades to DoH when your current system resolver is one it knows supports it, and Firefox's default mode falls back to the system resolver when DoH fails, so the ISP's resolver can remain in use. With a provider selected, the browser's queries go to that resolver at the application level and bypass the operating system's DNS settings, even if the OS is configured to use your ISP's DNS. Everything outside the browser still uses the OS resolver.
Configure DNS on your router. Changing DNS at the router level ensures that all devices on your network use the correct resolver. This is the most comprehensive approach because it covers devices where you cannot manually configure DNS, such as smart TVs, gaming consoles, and IoT devices.
Disable IPv6 if you do not need it. If your network does not require IPv6, disabling it eliminates the possibility of DNS leaks over IPv6. This is a blunt approach, but it is effective. If you do need IPv6, make sure to configure DNS for both IPv4 and IPv6.
Use a VPN with DNS leak protection. If you use a VPN, ensure it includes DNS leak protection and that the feature is enabled. Test it regularly with our tool. VPN configurations can change after updates, and a setting that was working correctly may stop working after a software update.
Monitor your DNS traffic. Run our DNS leak test periodically, especially after changing network settings, installing new software, or updating your operating system or VPN client. DNS leaks can appear suddenly due to configuration changes that you did not make intentionally.
Consider your threat model. The level of DNS leak protection you need depends on your situation. For most people, enabling encrypted DNS in the browser and using a reputable resolver is sufficient. If you are a journalist, activist, or someone living under authoritarian surveillance, you need more comprehensive protection including a VPN with DNS leak protection, encrypted DNS at the system level, and regular testing.
Test Your DNS Speed
Now that you know how DNS leaks work and how to prevent them, make sure you are using the fastest resolver for your location. Our DNS speed test tool compares 17+ DNS servers in real time and shows you which one performs best from your network.
A fast, private DNS resolver gives you the best of both worlds: quick page loads and protected queries. Pair a fast resolver with DNS over HTTPS and you have a solid foundation for internet privacy.
Understanding how DNS works under the hood helps you make better decisions about your network configuration. If you want to go deeper, read our guide to how DNS works and learn about the full resolution process from your browser to the root servers.
Frequently Asked Questions
Can my ISP see my DNS queries even with a VPN?
If your VPN is configured correctly with DNS leak protection, your ISP cannot see your DNS queries. The queries are encrypted and routed through the VPN tunnel to the VPN's resolver. However, if your VPN leaks DNS, the ISP can see every domain you visit. Run our DNS leak test while connected to your VPN to verify.
Does DNS over HTTPS completely prevent DNS leaks?
DNS over HTTPS encrypts DNS queries at the application level, which prevents network-level interception by your ISP or transparent DNS proxies. However, it does not prevent all forms of DNS leaks. If your browser is configured to use DoH but your operating system is sending separate DNS queries through a different resolver, those OS-level queries can still leak. For complete protection, configure encrypted DNS at both the browser and system levels.
How often should I test for DNS leaks?
Test after any significant change to your network configuration, operating system updates, VPN client updates, or browser updates. For most people, testing once a month is sufficient. If you rely on a VPN for safety, test every time you connect to a new network, such as public Wi-Fi.
Is using my ISP's DNS server always a privacy risk?
ISP resolvers commonly log queries. How long those logs are kept, and whether they may be shared with advertisers, other third parties, or government agencies, depends on the provider's policy and on local law. Using a third-party resolver with a published privacy policy gives you more control over who sees your browsing activity.
Can I fix DNS leaks without changing my DNS server?
Not really. If your current DNS server is your ISP's resolver and you are experiencing a leak, the fix involves switching to a different resolver that supports encrypted DNS. You can also enable DNS over HTTPS in your browser, which encrypts queries regardless of the underlying resolver. The key is to use a resolver you trust and ensure your queries reach it without being intercepted.