How to Fix a DNS Leak

Step-by-step guidance for fixing DNS leaks across devices and VPNs.


Enable VPN DNS Protection

Turn on any VPN options labeled DNS protection, block local DNS, or kill switch. These features keep DNS queries inside the tunnel and prevent fallback to ISP resolvers.

If your VPN provides its own resolver, use it. This ensures DNS requests and IP traffic share the same exit path.

After enabling protection, disconnect and reconnect the VPN to ensure the new settings take effect.

Align DoH and DoT

DNS over HTTPS and DNS over TLS encrypt DNS but can still bypass the VPN if routed directly. Align DoH/DoT with the VPN path or disable it while testing.

Browsers may enable DoH automatically after updates. Recheck settings when leak results change unexpectedly.

Fix Router and Network Overrides

Some routers force ISP DNS for all devices. If you control the router, change its DNS to your VPN provider or a trusted resolver.

Public Wi-Fi and captive portals can intercept DNS. Retest after connecting to new networks to ensure protection remains active.

If you cannot change the router, a system-wide VPN or firewall rule may be the only reliable fix.

Disable Split Tunneling for DNS

Split tunneling is a common cause of DNS leaks. If you must use it, ensure DNS queries are routed through the VPN even when other traffic is split.

For high-privacy use cases, avoid split tunneling entirely and route all traffic through the VPN.

Clear Caches and Restart

Flush DNS caches on the OS and browser to avoid stale resolver results. Restart the VPN client after changing settings.

Retest in a fresh browser session to verify that the new resolver path is active.

If results still show the ISP, reboot the device to ensure cached network settings are fully cleared.

Verify with Multiple Tests

Run the DNS leak test multiple times and compare with IP and WebRTC tests. All tools should show a consistent country and provider.

If results are inconsistent, you likely have a partial leak or multiple resolvers in use.

Hardening for Teams

Use device management or group policies to enforce DNS settings on managed endpoints.

Document the expected resolver ranges so you can quickly detect drift during audits or incident response.

Retest After Changes

Retest after OS updates, browser updates, or VPN client upgrades. Leaks often reappear after software changes reset DNS behavior.

If you travel or change networks frequently, add DNS leak testing to your regular privacy checklist.

OS-Specific Settings

On Windows, DNS settings can be overridden by network profiles or enterprise policies. Verify adapter-level DNS settings and group policies.

On macOS and Linux, check network services and resolver configuration files to ensure VPN DNS is prioritized.

Browser Settings

Browsers may enable DoH by default, which can override system DNS. Align the browser’s secure DNS settings with your VPN or disable DoH while testing.

Extensions can also modify DNS behavior. Temporarily disable extensions if results remain inconsistent.

Firewall and Kill Switch

A kill switch blocks network traffic outside the VPN, including DNS. Enable it if your threat model requires strict protection.

Advanced users can use firewall rules to block outbound DNS on all interfaces except the VPN tunnel.
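One way to express such a rule on Linux with nftables, as an added example that is not part of the original page: a small Python helper renders the ruleset so the tunnel interface name is validated before it is written out. The interface name tun0, the table name dns_lockdown and the inclusion of port 853 (DoT) are assumptions; DoH on port 443 is not covered by a port rule and still has to be aligned in the browser.

```python
import re

# Linux interface names are at most 15 characters; this character class also
# keeps quotes, braces and semicolons out of the rendered ruleset.
_IFNAME = re.compile(r"[A-Za-z0-9_.-]{1,15}")
DNS_PORTS = (53, 853)  # 53 = plain DNS, 853 = DNS over TLS (assumption: block both)


def render_dns_lockdown(tunnel_ifaces):
    """Return nftables rules that drop DNS leaving on any non-tunnel interface."""
    names = set(tunnel_ifaces)
    if not names:
        raise ValueError("at least one tunnel interface is required")
    for name in names:
        if not _IFNAME.fullmatch(name):
            raise ValueError(f"invalid interface name: {name!r}")
    # Loopback stays open so a local stub resolver keeps working.
    allowed = ", ".join(f'"{n}"' for n in sorted(names | {"lo"}))
    ports = ", ".join(str(p) for p in DNS_PORTS)
    return "\n".join([
        "table inet dns_lockdown {",
        "    chain output {",
        "        type filter hook output priority 0; policy accept;",
        "        # traffic on loopback and the VPN tunnel is left alone",
        f"        oifname {{ {allowed} }} accept",
        "        # DNS on every other interface is dropped",
        f"        udp dport {{ {ports} }} drop",
        f"        tcp dport {{ {ports} }} drop",
        "    }",
        "}",
        "",
    ])


if __name__ == "__main__":
    # "tun0" is a constructed example; use the interface your VPN client creates.
    print(render_dns_lockdown(["tun0"]), end="")
```

Save the output to a file and load it with nft -f, then rerun the leak test with the VPN connected and again with it disconnected: in the second case DNS lookups should fail rather than reach the ISP resolver.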

Validation Checklist

Confirm that resolver IPs belong to the VPN or a trusted provider you chose.

Verify that IP, DNS, and WebRTC tests all show consistent country and ISP data.

If results diverge, treat it as a partial leak and revisit DNS routing.

When to Contact Support

If leaks persist after all fixes, contact your VPN provider. Some VPNs cannot override DNS on certain networks or devices.

Provide the leak test results and resolver IPs so support can identify configuration issues faster.

Device-Specific Notes

On mobile devices, VPN apps may run in the background with limited permissions, which can cause DNS to fall back to the carrier resolver.

If your device supports per-app VPN, verify that the browser is included in the VPN scope.

Preferred Resolver Strategy

If your VPN offers a private resolver, use it for maximum consistency. If not, choose a trusted resolver with clear logging policies and support for encrypted DNS.

Avoid mixing multiple resolvers unless you understand the routing path for each one.

Consistency is more important than chasing the “fastest” resolver when privacy is the priority.

Automation and Monitoring

Teams can automate DNS leak checks in onboarding or periodic audits. This reduces the chance of silent regressions after updates.

Keep a list of expected resolver IPs and alert when test results deviate from that baseline.

Even a simple monthly check can catch issues before they impact many users.
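The baseline comparison described here, and the documented resolver ranges from Hardening for Teams and the Validation Checklist, as an added example that is not part of the original page. The ranges, host names and resolver IPs are constructed placeholders from documentation address space; feed it the resolver IPs your own leak test reports.

```python
import ipaddress

# Constructed baseline: documentation ranges standing in for the resolvers you expect.
EXPECTED_RANGES = ["198.51.100.0/28", "2001:db8:53::/64"]


def load_baseline(entries):
    """Parse documented ranges; a bare IP becomes a /32 or /128 network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def classify(observed, baseline):
    """Split resolver IPs reported by a leak test into (expected, unexpected)."""
    expected, unexpected = [], []
    for raw in observed:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            unexpected.append(raw)  # unparseable output never counts as a pass
            continue
        # Judge an IPv4-mapped IPv6 address by the IPv4 address it carries.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        bucket = expected if any(addr in net for net in baseline) else unexpected
        bucket.append(str(addr))
    return expected, unexpected


def audit(observed, baseline):
    """Return (status, unexpected); status is OK, PARTIAL_LEAK, LEAK or NO_DATA."""
    expected, unexpected = classify(observed, baseline)
    if not expected and not unexpected:
        return "NO_DATA", []  # an empty result is a failed test, not a clean one
    if not unexpected:
        return "OK", []
    return ("PARTIAL_LEAK" if expected else "LEAK"), unexpected


if __name__ == "__main__":
    baseline = load_baseline(EXPECTED_RANGES)
    # Constructed test runs: resolver IPs as a leak test would list them per device.
    runs = {
        "laptop-01": ["198.51.100.3", "2001:db8:53::1"],
        "laptop-02": ["198.51.100.3", "203.0.113.53"],
        "phone-07": ["::ffff:203.0.113.53"],
        "kiosk-02": [],
    }
    for host, ips in runs.items():
        status, bad = audit(ips, baseline)
        print(f"{host}: {status} {', '.join(bad)}".rstrip())
```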

Troubleshooting Order

Start with the VPN client settings, then verify OS DNS, then check router DNS. This order reduces confusion and isolates the layer responsible for the leak.

After each change, retest immediately. Multiple changes at once can make root-cause analysis difficult.

Keep notes for each step so you can revert safely if a change breaks connectivity.

Long-Term Prevention

Keep VPN and browser software updated, but revalidate DNS behavior after each update.

Document your preferred DNS configuration so it can be re-applied quickly if settings reset.

If possible, standardize on one VPN client across devices to reduce configuration drift.
