← Blog · May 23, 2026 · dns, vpn, privacy

Is Your DNS Leaking? How to Test and Fix It

Short answer — open dnsleaktest.com (or ipleak.net), run the extended test, and look at the resolver hostnames it returns. If you see your ISP's name while connected to a VPN, your DNS is leaking. The fix is either "push DNS" in the VPN client config, or a system-level DoH/DoT setting that bypasses the local resolver entirely.

What a DNS leak actually is

When you connect to a VPN, your IP traffic tunnels through the VPN server. But DNS resolution is a separate question — your OS still needs to translate example.com into an IP before it can send the packet.

A "leak" happens when those DNS queries skip the tunnel and go directly to the resolver your OS already had configured (usually your ISP's, learned via DHCP when you joined the network). Your ISP — and anyone watching the wire between you and them — sees every domain you visit, even though the actual web request goes out via the VPN exit node.

How to test

  1. Connect to your VPN.
  2. Go to dnsleaktest.com and run the extended test (6+ queries).
  3. Look at the resolver hostnames and ASN/owner columns.

Read the result like this:

What you seeVerdict
All resolvers owned by your VPN provider (NordVPN, Mullvad, Proton, etc.)No leak. You're fine.
Cloudflare (1.1.1.1) or Google (8.8.8.8) onlyNo leak in the "ISP can see your queries" sense, but your VPN provider isn't intercepting DNS — usually intentional.
Your ISP's name (Comcast, BT, Telstra, etc.)Leak. ISP sees every domain you visit.
Mix of VPN provider + your ISPPartial leak. Still bad — one query in five going to your ISP is enough to deanonymize.

The four causes of DNS leaks (in order of frequency)

  1. VPN client doesn't push DNS settings. OpenVPN configs without dhcp-option DNS, or WireGuard configs missing the DNS = line. The tunnel comes up, but the OS keeps using whatever DNS it had.
  2. Windows split DNS / smart multi-homed name resolution. Windows 8.1+ sends DNS queries to every interface in parallel. Even with a VPN, the ISP interface still gets and answers queries. Fixed by disabling SmartMultiHomedNameResolution via group policy.
  3. IPv6 leak. The VPN tunnels IPv4 only. Your OS asks for an AAAA record over the native (non-tunneled) IPv6 connection. ISP sees the query. Fix is to either tunnel IPv6 too or disable IPv6 entirely while connected.
  4. App-level DNS bypass. Chrome and Firefox can do DNS-over-HTTPS to a hardcoded resolver, ignoring the OS settings. Usually this is betterthan ISP DNS, but some users assume "VPN handles all DNS" — it doesn't.

How to fix — by platform

OpenVPN (any OS)

Add to client config:

pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 10.8.0.1
block-outside-dns

The block-outside-dns directive prevents Windows from sending queries to any other interface.

WireGuard

Add to [Interface] block:

DNS = 10.8.0.1, fd00::1

WireGuard's DNS line sets the resolver and applies the routing rules automatically on Linux and macOS. On Windows, install the official WireGuard client which handles it.

Windows

Two registry/group-policy steps to fully prevent leaks:

macOS / iOS

Use the system-level DNS-over-HTTPS profile from 1.1.1.1 or NextDNS. Settings → General → VPN & Device Management → DNS. This forces all DNS through DoH regardless of what the VPN does.

Linux

Use systemd-resolved with DNSStubListener=yes and a per-interface DNS in your VPN's up script. Or just run a local DoH proxy like dnscrypt-proxy and point /etc/resolv.conf at 127.0.0.1.

Bonus — the WebRTC leak

Separate from DNS, browsers can leak your real IP via WebRTC's ICE candidate gathering. Test at browserleaks.com/webrtc. If your real IP shows up in the "local IP addresses" field, disable WebRTC (Firefox: media.peerconnection.enabled = false in about:config; Chrome: install a WebRTC Leak Prevent extension).

The takeaway

Test every time you change VPN provider, OS version, or DNS configuration. A clean leak test on one device doesn't guarantee a clean test on another. And a passing test today doesn't guarantee one after a Windows update next month.

Related tools

← All blog posts