What is a DNS Leak?

A DNS leak occurs when your DNS queries are sent outside the encrypted VPN tunnel to your ISP's default DNS servers, revealing which websites you're visiting even though you're connected to a VPN.

A DNS leak is a privacy vulnerability that occurs when a VPN fails to route DNS requests through the encrypted tunnel. Even though your browsing traffic is protected, the DNS queries — which translate domain names like "example.com" into IP addresses — slip out to your ISP's DNS servers, exposing your browsing activity.

It's one of the most common and misunderstood VPN privacy failures. You may think you're fully protected, when in fact your ISP can still see every domain you visit.

What is DNS?

DNS (Domain Name System) is the internet's phone book. When you type a URL into your browser, your device sends a DNS query to a DNS server asking "what's the IP address for this domain?" Normally, this query goes to your ISP's DNS servers — which means your ISP has a full log of every website you visit.

A VPN is supposed to handle DNS queries internally, routing them through the encrypted tunnel to DNS servers operated by the VPN provider, so your ISP never sees the requests.

How DNS Leaks Happen

DNS leaks can occur when:

  • Your operating system is configured to use a DNS server outside the VPN (often the ISP default)
  • A VPN client fails to override the OS DNS settings
  • Split tunneling is misconfigured and DNS traffic escapes the tunnel
  • Your router's DNS settings override the VPN client's configuration

Testing for DNS Leaks

You can check whether your VPN is leaking DNS with free tools like dnsleaktest.com or ipleak.net. Connect to your VPN, run a standard test, and check which DNS servers appear. If you see your ISP's servers, you have a leak. If you only see servers belonging to your VPN provider, you're protected.
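A local complement to the web-based tests, as an added example that is not part of the original page: it parses resolv.conf-style text and flags every configured resolver that sits outside the VPN's address ranges, which covers the first two causes listed under How DNS Leaks Happen. The sample file contents, the tunnel ranges (10.8.0.0/24 and fd00:8::/64) and all function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample of /etc/resolv.conf after a VPN client failed to
# replace the OS resolvers. All addresses are illustrative.
SAMPLE_RESOLV_CONF = """\
# constructed sample
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver fe80::1%eth0
nameserver 127.0.0.53
options edns0
"""

# Assumed address ranges of the VPN tunnel; take the real ones from your client.
TUNNEL_NETS = ["10.8.0.0/24", "fd00:8::/64"]


def parse_nameservers(text):
    """Return the resolver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id (%eth0)
        try:
            servers.append(ipaddress.ip_address(addr))
        except ValueError:
            continue  # malformed entry, skip it
    return servers


def classify(servers, tunnel_nets=TUNNEL_NETS):
    """Map each resolver to 'tunnel', 'local-stub' or 'outside'."""
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    labels = {}
    for ip in servers:
        if ip.is_loopback:
            labels[str(ip)] = "local-stub"  # upstream servers are set elsewhere
        elif any(ip.version == n.version and ip in n for n in nets):
            labels[str(ip)] = "tunnel"
        else:
            labels[str(ip)] = "outside"  # not one of the VPN's resolvers
    return labels


def leaking_resolvers(text, tunnel_nets=TUNNEL_NETS):
    """Resolvers configured on the OS that are not inside the tunnel ranges."""
    labels = classify(parse_nameservers(text), tunnel_nets)
    return [ip for ip, label in labels.items() if label == "outside"]
```

This inspects configuration only, so the web tests still matter for seeing which servers actually answer. A "local-stub" result means the real upstream resolvers have to be checked in the stub resolver's own configuration.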

DNS Leak vs. WebRTC Leak

A DNS leak exposes which domains you visit. A WebRTC leak is a different issue specific to browsers — WebRTC can reveal your real IP address even when a VPN is active. Both should be tested separately. Browser extensions or browser settings can mitigate WebRTC leaks.

How to Fix a DNS Leak

  1. Use a VPN with built-in DNS leak protection — Most reputable providers (NordVPN, ExpressVPN, Mullvad) run their own DNS servers and force all DNS traffic through the tunnel
  2. Configure DNS manually — Set your device or router to use a privacy-focused DNS provider like Cloudflare (1.1.1.1) or Google (8.8.8.8) with DNS-over-HTTPS
  3. Enable DNS leak protection in your VPN client settings — Most clients have a dedicated toggle

A kill switch won't prevent a DNS leak — it only protects against IP exposure when the VPN drops entirely. These are separate protections and both matter.