DNS Leak Test

Test whether your VPN leaks DNS requests. Identify exposed DNS servers and protect your privacy online.

What Is a DNS Leak

DNS translates domain names into IP addresses. When DNS queries bypass your VPN or proxy tunnel, the resolver can see which sites you are trying to reach even if the page content is encrypted.

A DNS leak breaks the assumption that all network traffic follows the protected path. You may appear safe on an IP test while your DNS still exposes browsing intent.

For privacy-sensitive use cases, DNS should follow the same network path and exit location as your IP traffic. Any divergence is a leak signal.

Why DNS Leaks Happen

VPN clients may fail to override system DNS settings, or routers may enforce ISP resolvers at the network level. In those cases, DNS continues to use the local path while web traffic uses the VPN.

Browser features like DNS over HTTPS can override system DNS and send queries directly to public resolvers. Split tunneling and multi-interface devices add more paths that can leak DNS unintentionally.

How the DNS Leak Test Works

The test observes which resolver IPs handle your DNS requests and compares them to your expected privacy model. If you are on a VPN, those resolvers should belong to the VPN provider or a DNS service you explicitly chose.

The test does not need to inspect your browsing history. Resolver identity alone is enough to determine whether DNS is escaping the tunnel.

Interpreting Resolver Results

Safe results usually show resolver ownership aligned with your VPN or trusted DNS provider. If you see your ISP, router, or local network in the resolver list, DNS is leaking.

Mixed results can happen when the browser uses DoH while the system uses local DNS. In that case, you may see both the DoH provider and your ISP.

How to Fix a DNS Leak

Enable VPN DNS protection, block local DNS, and turn on kill switch features where available. These settings prevent the OS from falling back to ISP resolvers when the VPN is active.

If your router enforces DNS, update it to use your VPN provider or a trusted resolver. Retest after every change to confirm that the resolver identity has changed.

If the VPN cannot enforce DNS, consider a client that supports DNS push or a system-wide firewall rule that blocks DNS traffic outside the tunnel.

DoH and DoT Considerations

DNS over HTTPS and DNS over TLS encrypt DNS queries, but they do not automatically route through your VPN. If the DoH provider is reached directly rather than through the tunnel, your DNS still leaks outside the VPN even though the queries are encrypted.

If you use DoH/DoT, make sure the traffic goes through the VPN interface, or configure the VPN to push its own secure DNS.

A good check is to compare resolver ownership with and without DoH enabled. If ownership changes to a public resolver outside your VPN, you are likely leaking.

Operational Checklist

Retest after OS updates, browser updates, or VPN changes. Many leaks appear after a client update resets DNS settings.

Test on every device and network you use. Mobile networks, captive portals, and corporate Wi-Fi can behave differently and introduce unexpected resolvers.

Document your expected resolver ranges so you can quickly spot deviations during audits or incident response.
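The resolver-ownership comparison from "Interpreting Resolver Results" and the documented-ranges check above can be scripted. The following is an added example, not code from the tool this page describes; the range list, the sample resolver IPs (RFC 5737 documentation addresses) and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for real networks.
EXPECTED_RANGES = ["198.51.100.0/24"]   # assumed range of the VPN provider's resolvers
# Ranges that indicate a router or LAN resolver (RFC 1918, link-local, loopback, ULA).
LOCAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10"]
OBSERVED_ALIGNED = ["198.51.100.53"]
OBSERVED_MIXED = ["198.51.100.53", "192.168.1.1", "203.0.113.7"]


def _in_any(addr, cidrs):
    """True if addr falls inside any of the CIDR strings (same IP version only)."""
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False


def classify_resolver(ip, expected_ranges):
    """Return 'expected', 'local-network' or 'unexpected' for one resolver IP."""
    addr = ipaddress.ip_address(ip)
    if _in_any(addr, expected_ranges):
        return "expected"
    if _in_any(addr, LOCAL_RANGES):
        return "local-network"
    return "unexpected"   # e.g. an ISP or public resolver outside the documented ranges


def audit(observed, expected_ranges):
    """Group observed resolver IPs by class and derive an overall verdict."""
    groups = {"expected": [], "local-network": [], "unexpected": []}
    for ip in observed:
        groups[classify_resolver(ip, expected_ranges)].append(ip)
    deviations = groups["local-network"] + groups["unexpected"]
    if not observed:
        verdict = "no-data"        # nothing observed: the test did not run
    elif not deviations:
        verdict = "aligned"        # every resolver is in a documented range
    elif groups["expected"]:
        verdict = "mixed"          # tunnel resolver plus others, still a leak signal
    else:
        verdict = "leak"           # no resolver matches the documented ranges
    return verdict, groups


if __name__ == "__main__":
    for name, sample in [("aligned", OBSERVED_ALIGNED), ("mixed", OBSERVED_MIXED)]:
        print(name, audit(sample, EXPECTED_RANGES))
```

Feed it the resolver list from each test run; a "mixed" verdict matches the browser-DoH-plus-system-DNS case described earlier.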

Router and Enterprise Scenarios

Some routers enforce ISP DNS for all devices regardless of local settings. If you manage the router, update its DNS servers to match your VPN or trusted provider.

In corporate environments, group policies may lock DNS settings. VPN clients might be unable to override those policies without administrator changes.

Symptoms of a DNS Leak

If you see your ISP or local network in the resolver list while the IP test shows a VPN exit, you almost certainly have a leak.

Intermittent results often mean DNS is switching between resolvers. This can happen when a VPN reconnects, a network changes, or the browser toggles DoH.

A sudden spike in region-locked content or unexpected geo matches can also indicate DNS is escaping the tunnel.

Choosing a DNS Provider

A trusted DNS provider should be transparent about logging, support encrypted DNS, and operate in regions aligned with your privacy requirements.

If your VPN provides its own resolver, prefer it for consistency. Mixing VPN traffic with third-party DNS can create a mismatch that looks like a leak.

Testing Best Practices

Run the test in a fresh browser session to avoid cached DNS results. Clear the browser DNS cache if the tool keeps showing older resolvers.

Test both with and without browser DoH enabled. Comparing the two modes helps identify whether the leak originates from the browser or the network stack.

Browser, OS, and App Differences

Different browsers may use different DNS behaviors. One browser may use DoH by default while another relies on the OS resolver, which can produce inconsistent results across tools.

Mobile apps and desktop clients can also behave differently. If you have privacy or compliance requirements, test the same network path in each environment you actually use.

If you manage multiple profiles, verify each profile separately. Extensions or enterprise policies can override DNS behavior without visible UI changes.
