DNS leaks explained: what they are, why they matter, and how to fix them
A DNS leak quietly tells your ISP everywhere you're going on the internet — even when you're using a VPN. Here's what causes them, how to test for one, and how to plug the leak.
You set up a VPN. You see the new IP at the top of showmyipaddress.io. You assume your traffic is private. Then you discover that your ISP — or whoever runs your network's DNS — still sees every website you visit, in plain English, by name.
That's a DNS leak. It's one of the most common ways VPN users accidentally reveal what they're doing despite paying for privacy. Worth understanding once and forever.
A quick refresher on DNS
When you type cloudflare.com into your browser, your computer doesn't know how to reach it directly. It first asks a DNS server to translate the name into an IP address (104.16.132.229). Only then can your traffic flow.
Every device has a DNS resolver configured. By default, that's whatever your ISP, router, or operating system set up. Common defaults:
- Your ISP's DNS server (the most common, and the most trackable).
- Public resolvers like Google (8.8.8.8), Cloudflare (1.1.1.1), or Quad9 (9.9.9.9).
- Your VPN provider's DNS (if you're connected to a VPN that handles DNS too).
The resolver sees, in order, every domain you visit. HTTPS encrypts the page content, but not the name lookup: the resolver gets the full hostname, and classic DNS on UDP/TCP port 53 travels unencrypted, so your ISP (or anyone else on the path) can read the queries off the wire even when it isn't the resolver. Only DNS over HTTPS (DoH) or DNS over TLS (DoT) hides the query in transit, and even then the resolver you chose still sees it.
What "DNS leak" means
A DNS leak is when:
- You're connected to a VPN.
- You believe your traffic is going through the VPN tunnel.
- But your DNS queries are bypassing the tunnel and going to your original DNS server (usually your ISP's).
Result: your ISP doesn't see what data you're sending, but they see exactly which sites you're connecting to. They can build a list. They can sell it. They can hand it over under subpoena. The VPN's promise of privacy quietly evaporates.
How DNS leaks happen
Several common causes:
1. Your VPN doesn't push its own DNS
Cheap or misconfigured VPNs route IP traffic through the tunnel but leave DNS queries going to whatever DNS your OS had configured. The fix is usually a setting in the VPN client labeled "Use VPN DNS" or "Block DNS outside tunnel." Reputable VPN providers (Mullvad, Proton, NordVPN, IVPN, ExpressVPN) enable this by default.
2. Windows uses "smart multi-homed name resolution"
Windows 10 and 11 ship with Smart Multi-Homed Name Resolution, which sends each DNS query to the DNS servers of every connected adapter in parallel and accepts the first answer. Even with the tunnel up, that means your queries also go to the LAN or ISP resolver on the physical adapter, so your local network's DNS still sees every name.
The fix:
- Enable a "block all DNS outside the tunnel" setting in your VPN (most clients have this).
- Or use Group Policy to disable Smart Multi-Homed Name Resolution: gpedit.msc → Computer Configuration → Administrative Templates → Network → DNS Client → "Turn off smart multi-homed name resolution" → Enabled. On editions without gpedit.msc, the same policy is the DWORD value DisableSmartNameResolution = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. With the policy on, Windows prefers the adapter with the lowest interface metric instead of racing them all, so check that the VPN adapter has the lowest metric.
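A scripted check for this cause, as an added example that is not part of the original article: it reads the Group Policy flag and every adapter's configured DNS servers from the Windows registry, then reports which adapters would also receive your queries while smart multi-homed resolution is on. The registry paths are the documented locations for the DNS Client policy and the per-interface TCP/IP settings; the VPN resolver address used in the usage section is a constructed assumption, and the decision logic is kept as pure Python so it can be exercised on any OS.

```python
"""Audit a Windows box for the smart multi-homed DNS leak path.
Added example; not code from the original article."""
import sys

# Where the "Turn off smart multi-homed name resolution" policy lands (DWORD 1 == Enabled)
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
POLICY_VALUE = "DisableSmartNameResolution"
# Per-interface TCP/IP settings; one subkey per adapter GUID
IFACE_KEY = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def read_windows_state():
    """Return (smhnr_disabled, {adapter_guid: [dns_server, ...]}) from the registry."""
    import winreg  # Windows-only module, imported lazily so assess() works anywhere
    disabled = False
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as k:
            disabled = winreg.QueryValueEx(k, POLICY_VALUE)[0] == 1
    except FileNotFoundError:
        pass  # policy never configured: Windows default, SMHNR is on
    servers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACE_KEY) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            with winreg.OpenKey(root, guid) as k:
                found = []
                # Static servers are comma-separated in NameServer; DHCP-assigned ones
                # are space-separated in DhcpNameServer. Static wins when both exist.
                for value in ("NameServer", "DhcpNameServer"):
                    try:
                        raw = winreg.QueryValueEx(k, value)[0]
                    except FileNotFoundError:
                        continue
                    found = [s for s in raw.replace(",", " ").split() if s]
                    if found:
                        break
                if found:
                    servers[guid] = found
    return disabled, servers


def assess(smhnr_disabled, servers, vpn_dns):
    """Pure decision logic: with SMHNR on, every adapter's servers are raced in
    parallel, so any server not belonging to the VPN is a path out of the tunnel."""
    outside = {g: [s for s in lst if s not in vpn_dns] for g, lst in servers.items()}
    outside = {g: lst for g, lst in outside.items() if lst}
    if not outside:
        return ["ok: every configured DNS server belongs to the VPN"]
    if smhnr_disabled:
        return ["likely ok: non-VPN resolvers exist on " + ", ".join(outside)
                + " but smart multi-homed resolution is off; confirm the VPN adapter"
                + " has the lowest interface metric"]
    return [f"LEAK PATH: adapter {g} will also be asked via {', '.join(lst)}"
            for g, lst in outside.items()]


if __name__ == "__main__":
    # Constructed assumption: your VPN client pushed this resolver on its adapter.
    VPN_DNS = {"10.8.0.1"}
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine you want to audit")
    disabled, servers = read_windows_state()
    for line in assess(disabled, servers, VPN_DNS):
        print(line)
```

The Interfaces key keeps entries for adapters that are currently down, so cross-check any flagged GUID against ipconfig /all before acting on it; reading the registry needs no elevation, but changing the policy value does.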
3. IPv6 isn't tunnelled
Older VPNs only tunnel IPv4. If your network has IPv6 enabled (most do today), IPv6 traffic — including DNS queries — bypasses the tunnel. The fix:
- Use a VPN that explicitly handles IPv6.
- Or disable IPv6 on the device while the VPN is active.
4. Browser-level DNS (and WebRTC)
Browsers can bypass the OS resolver entirely. Chrome and Edge can run their own stub resolver and prefetch names, and Chrome, Edge and Firefox can all send queries over DNS over HTTPS (DoH) to a third-party resolver such as Cloudflare, Google or NextDNS, ignoring whatever DNS the VPN configured. That isn't a leak to your ISP, but it is a leak to a resolver your VPN never vouched for. WebRTC is a separate problem: it can expose your real public and local IP addresses through ICE candidates, not your DNS queries, though most leak-test sites check both.
The fix is browser-specific. In Chrome, turn off "Use secure DNS" (Settings → Privacy and security → Security) if the VPN is supposed to handle DNS; Edge has the equivalent toggle in its Security settings, and Firefox has its own DNS over HTTPS setting under Privacy & Security that you can set to Off. Then run a WebRTC leak test separately to confirm your real address isn't exposed.
5. Your VPN has crashed silently
If the tunnel drops mid-session, your OS quietly falls back to the underlying network, and everything, DNS included, goes out in the clear until you notice. Use a VPN with a kill switch that blocks all traffic when the tunnel is down, and test it once by killing the VPN process while a leak test is running.
How to detect a DNS leak
Three quick tests:
- Compare DNS resolver IPs. Run a DNS leak test (we'll add one to the site soon). If the resolver IPs returned belong to your ISP or your home router, that's a leak. If they belong to your VPN provider, you're clean.
- Compare countries. If your VPN is set to Sweden but your DNS resolver is in your home country, something's leaking. The reverse isn't proof of safety, though: a resolver in the right country could still be one the VPN didn't put there. Check who owns the resolver's IP address, not just where it is.
- Watch in your VPN dashboard. Many VPN clients show whether DNS is being tunnelled. If it says "DNS leaks: detected," fix it before you use the VPN for anything sensitive.
We're building a dedicated DNS leak test tool — coming soon.
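The plaintext nature of port-53 DNS described in the refresher above and the resolver-IP check in the first test here are both shown by the following added example; it is not code from the original article. It builds a raw DNS query with the Python standard library, shows what a passive observer pulls out of that packet (the queried name, in the clear), and then asks whichever resolver you name for whoami.akamai.net, Akamai's long-standing service that answers with the public IP address of the recursive resolver that contacted it. If that address is your VPN exit, DNS is inside the tunnel; if it sits in your ISP's address range, it isn't. The VPN exit address and ISP prefix in the script are constructed assumptions, as is the sample response used for the offline walk-through; everything else is standard DNS wire format (RFC 1035).

```python
"""Raw DNS leak check: what an on-path observer sees on port 53, and whose
resolver actually answers for you.  Added example; not from the article."""
import ipaddress
import os
import socket
import struct
import sys


def encode_name(name):
    """'whoami.akamai.net' -> b'\\x06whoami\\x06akamai\\x03net\\x00' (DNS label format)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid=0x1234):
    """A plain DNS A query: 12-byte header (RD=1, one question) + question section."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))  # QTYPE=A, QCLASS=IN


def decode_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def observed_qname(pkt):
    """Exactly what your ISP (or anyone on the path) reads from a port-53 packet."""
    return decode_name(pkt, 12)[0]


def parse_a_records(pkt):
    """IPv4 answers in a DNS response; other record types are skipped."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question(s)
        off = decode_name(pkt, off)[1] + 4
    out = []
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out.append(str(ipaddress.IPv4Address(pkt[off:off + 4])))
        off += rdlen
    return out


def classify(resolver_egress_ip, vpn_exit_ip, isp_prefixes):
    """Did the resolver that reached the authoritative server sit inside the tunnel?"""
    ip = ipaddress.ip_address(resolver_egress_ip)
    if ip == ipaddress.ip_address(vpn_exit_ip):
        return "ok: resolver egresses from the VPN exit address"
    if any(ip in ipaddress.ip_network(p) for p in isp_prefixes):
        return "LEAK: resolver egresses from your ISP's address space"
    return "unknown: neither the VPN exit nor the ISP; check your provider's resolver ranges"


def whoami(resolver_ip, timeout=3.0):
    """Ask resolver_ip for whoami.akamai.net; the A answer is the public IP the
    recursive resolver used to reach Akamai, i.e. where your queries really leave."""
    q = build_query("whoami.akamai.net")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(resp)


def system_resolvers():
    """Resolvers the OS is configured with (POSIX /etc/resolv.conf; pass an IP on Windows)."""
    if not os.path.exists("/etc/resolv.conf"):
        return []
    with open("/etc/resolv.conf") as f:
        return [ln.split()[1] for ln in f if ln.startswith("nameserver")]


def constructed_response():
    """Constructed sample: a reply to whoami.akamai.net answering 203.0.113.7,
    with the answer's name compressed to a pointer (0xC00C) at the question."""
    q = build_query("whoami.akamai.net")
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7])
    return hdr + q[12:] + ans


if __name__ == "__main__":
    # Constructed assumptions: replace with your real VPN exit IP and ISP prefixes.
    VPN_EXIT, ISP = "198.51.100.9", ["203.0.113.0/24"]
    for r in (sys.argv[1:] or system_resolvers()):
        for egress in whoami(r):
            print(r, "->", egress, classify(egress, VPN_EXIT, ISP))
```

On a systemd-resolved machine the configured resolver is the local stub 127.0.0.53, which is fine: the answer still reveals the egress address of whatever upstream the stub forwarded to. On Windows, pass the adapter's DNS server from ipconfig /all as an argument. A big anycast resolver such as 1.1.1.1 or 8.8.8.8 will land in the "unknown" bucket, because its egress address belongs to neither your VPN nor your ISP; the interesting result is the "LEAK" case, where a query you expected to stay in the tunnel surfaced from your ISP's range. This checks IPv4 port-53 DNS only; an IPv6 resolver reachable outside the tunnel (cause 3 above) needs the same test over AAAA and IPv6.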
How to fix a DNS leak
The 95% solution
Use a reputable paid VPN with DNS leak protection enabled. That's it. Mullvad, Proton VPN, IVPN, NordVPN, and ExpressVPN all handle this correctly by default. Verify it's on in their app's settings:
- "Block DNS leaks" → on
- "Force VPN DNS" → on
- "Kill switch" → on
- IPv6: tunnelled or disabled
Manual override
If you don't fully trust your VPN's DNS handling, manually set a DNS resolver that's reachable through the tunnel:
- Cloudflare: 1.1.1.1 and 1.0.0.1
- Quad9: 9.9.9.9 (privacy-focused, blocks malware domains)
- NextDNS: 45.90.28.0 (configurable, with privacy-respecting defaults)
Set these in your OS network settings while your VPN is active. They'll be queried through the tunnel as long as the VPN carries your default route; with split tunnelling, or on Windows with smart multi-homed resolution left on, queries to a public resolver can still exit the physical interface. And remember to undo it when you disconnect: the queries keep going to that resolver, now unencrypted across your ISP's network, so your "leak" becomes permanent in a different form.
Disable IPv6
On Windows: Network properties → uncheck "Internet Protocol Version 6 (TCP/IPv6)."
On macOS: System Settings → Network → details → TCP/IP → Configure IPv6: "Off."
On Linux: depends on distro; sysctl -w net.ipv6.conf.all.disable_ipv6=1 is the universal route. Pair it with net.ipv6.conf.default.disable_ipv6=1 so interfaces created later (including the VPN's own) are covered, and put both in a file under /etc/sysctl.d/ or the change is lost on reboot.
This is heavy-handed but eliminates one whole class of leak.
Does any of this matter for normal users?
If you only use a VPN to dodge geo-blocks for streaming: not really. Your worst case is your ISP knowing you're on a streaming site, which they already suspect.
If you use a VPN for serious privacy reasons — sensitive research, evading censorship, keeping work and personal traffic separate, avoiding profile-building advertisers — then yes, DNS leaks matter a lot. The VPN you're paying for doesn't deliver much value if it leaks half your activity.
TL;DR
- A DNS leak means your DNS queries bypass your VPN tunnel and go to your ISP.
- Causes: misconfigured VPN, Windows multi-homed DNS, untunneled IPv6, browser-level DNS.
- Fix: use a quality VPN with leak protection, kill switch, and IPv6 handling. Verify with a leak test after every connection.
- For most people, picking a reputable paid VPN and enabling its default protections is enough.
The next time you connect a VPN, take ten seconds to verify there's no leak. It's a habit worth building.