Donate
Donate

DNS Leak Test Guide

How to test your VPN for DNS leaks, read the results, and fix the root cause

What this guide does

A DNS leak happens when your queries go to your ISP resolver instead of your VPN resolver. Even if your visible IP changes, leaked DNS can still expose provider and location patterns. This page is a written walkthrough: it explains what a leak is, points you to the tools that run the actual checks, and shows how to interpret the result.

Run the live tests now:

What is a DNS leak in a VPN?

A DNS leak in a VPN means the website lookup part of your traffic is not following the same protected path as your public IP. The VPN may hide your IP address, but your resolver can still reveal your ISP, network region, or a third-party DNS provider you did not intend to use.

This is why a DNS leak test belongs next to an IP check. The IP result answers "what address do websites see?" The DNS result answers "who resolves the domains I visit?"

Run the full VPN checks

How to run a DNS leak test

  1. Capture baseline details on the homepage IP checker (IP, ISP, ASN).
  2. Connect your VPN and repeat the same checks.
  3. Compare ASN/provider signals with ASN Lookup and Proxy Check.
  4. Validate resolver behavior with DNS Lookup and confirm hostname consistency via Reverse DNS.

Related checks

How to fix DNS leaks

  • Enable DNS leak protection and kill switch in your VPN app.
  • Disable conflicting custom DNS settings in the OS/browser.
  • Review split tunneling rules for browser and resolver apps.
  • Keep one DNS strategy: VPN DNS or trusted encrypted DNS.

After changes, run the same before/after checks again. You want consistent VPN indicators across IP, ASN, and DNS context.

Fix guides

Why DNS leaks happen even with a VPN

Most DNS leaks fall into one of four categories. Understanding which one applies helps you fix it faster instead of guessing at settings.

  • OS-level resolver override. Windows, macOS, and Linux can send DNS queries through the system resolver before the VPN tunnel intercepts them. This is the most common cause on desktop.
  • Browser DNS-over-HTTPS (DoH).Chrome, Firefox, and Edge can use their own encrypted DNS path that bypasses the VPN tunnel entirely. Check browser settings for “Secure DNS” or “DNS over HTTPS” and disable it while using a VPN, or point it at the VPN provider’s resolver.
  • Split tunneling misconfiguration. If your VPN excludes the browser or specific apps from the tunnel, their DNS queries go through your normal ISP resolver.
  • IPv6 DNS fallback. Some networks send DNS queries over IPv6 even when IPv4 is tunneled. If your VPN does not handle IPv6, those queries leak. Run the IPv6 leak test to check.

Fix the root cause

DNS leak test results: what they actually mean

After running a before/after comparison, you will see one of these patterns. Each one tells you something different about your setup.

  • ISP resolver before, VPN resolver after: no leak. DNS queries are routed through the VPN tunnel as expected.
  • ISP resolver before AND after: DNS leak confirmed. The VPN is not capturing DNS traffic. Enable DNS leak protection in your VPN app.
  • Public resolver (Cloudflare, Google) before and after: you are using a third-party DNS provider. Not a leak in the traditional sense, but the resolver operator can still see your query pattern.
  • Mixed resolvers after connecting: partial leak. Some queries go through the VPN, others do not. Usually caused by split tunneling or browser DoH. Fix the split before trusting the connection.

Validate with these tools

DNS leak found? Use a VPN with private DNS protection

If ISP resolvers still appear after connecting your VPN, the tunnel is not capturing DNS traffic. Reconnect, disable browser DoH if needed, and use a provider with built-in DNS leak protection.

Try VPN DNS leak protectionCompare VPNs

What to do next after a DNS leak check

Continue with browser-level checks, routing verification, and a full VPN checklist.

1Next step
Browser leak

Run a WebRTC leak test

DNS and WebRTC are different leak paths. A DNS pass does not guarantee browser WebRTC is clean.

Check WebRTC leaks
2Next step
IPv6 path

Run an IPv6 leak test

A VPN can route IPv4 correctly while still exposing your normal IPv6 path. Validate both before you trust the setup.

Check IPv6 leaks
3Next step
Guided flow

Use the VPN verification wizard

Track IP, DNS, WebRTC, proxy signals, and optional ASN changes in one guided checklist.

Open wizard
4Next step
Extra signal

Compare proxy/VPN signals

Use proxy detection as another signal to interpret routing behavior and potential false positives.

Run proxy check
5Next step
Routing check

Confirm ASN/provider shift

Compare the network owner before and after connecting the VPN to verify route changes.

Check ASN

Protect your IP

Related Articles

How to Fix a VPN DNS Leak: Windows, Mac & Browser9 min readFebruary 9, 2026VPN Connected but IP Not Changing? How to Fix It8 min readFebruary 9, 2026VPN vs Proxy: Privacy, Speed, and Which to Use14 min readDecember 1, 2025What is a VPN and How Does it Work?9 min readNovember 9, 2025How to Hide My IP: VPN, Proxy, Tor, and What Actually Works10 min readMarch 4, 2026

Frequently asked questions

What is a DNS leak in a VPN?
A DNS leak happens when your device sends DNS queries through your normal ISP resolver instead of the VPN tunnel. Your public IP can look correct while your ISP still sees every domain you visit. The fix is to enable the VPN provider DNS or set a private resolver and re-test.
How do I fix a DNS leak?
Enable VPN-provided DNS or DNS leak protection in the VPN app, switch the OS DNS to a private resolver such as Cloudflare 1.1.1.1, disable IPv6 if the VPN does not tunnel it, then re-run the DNS leak test until results match the VPN exit network.
What is a DNS leak test?
A DNS leak test checks whether your resolver traffic stays inside the VPN path or leaks to ISP/public resolvers outside the tunnel.
Can I leak DNS even if my IP changes?
Yes. Your public IP can change while DNS queries still leak outside the VPN tunnel.
How often should I test for DNS leaks?
Test after VPN app updates, OS network changes, and when switching between Wi-Fi and mobile/hotspot networks.
Do browser settings affect DNS leaks?
Yes. DNS-over-HTTPS and extension routing behavior can bypass VPN DNS settings in some configurations.
What should I do after I detect a leak?
Enable leak protection features, adjust DNS/split tunneling settings, then re-run the same checks until results are consistent.