DNS Leak Explained: Testing Your VPN in 2026
DNS leaks expose your real DNS servers even when a VPN is active. How to use ipleak.net and dnsleaktest.com, IPv6 leaks, WebRTC, and how to fix them.
Your VPN is on, your IP shows you in another country, everything looks fine. But every domain you type in your browser — gmail.com, netflix.com, bankofamerica.com — may still be going to your ISP's DNS servers. This is called a DNS leak, and it's one of the most common holes in VPN protection. If your IP is hidden but the sites you visit are still being logged, your privacy is essentially fake.
What Is DNS and Why Does It Matter?
DNS (Domain Name System) works like the phone book of the internet. When you type youtube.com in your browser, your computer must first translate that domain into an IP address. DNS servers do this translation. By default, your operating system uses your ISP's DNS servers (Comcast, Verizon, BT, Deutsche Telekom, etc.).
The problem: every domain you visit gets logged on those DNS servers. Your ISP knows exactly how often you connect to pornhub.com, wikipedia.org, protonmail.com. In many jurisdictions, these logs are retained for years.
Ideally, a VPN connection routes DNS queries through the encrypted tunnel and uses the VPN provider's own DNS servers (or privacy-focused alternatives like Cloudflare or Quad9). But this doesn't always work flawlessly.
How DNS Leaks Happen
DNS leaks have several typical causes:
Misconfiguration: The VPN client establishes the tunnel but fails to override the OS's DNS routing. Traffic goes through the VPN, DNS queries go to the ISP.
IPv6 leak: Most VPNs encrypt only IPv4 traffic. On an IPv6-enabled connection, IPv6 packets escape outside the tunnel.
Transparent DNS proxying: Some ISPs intercept DNS queries and redirect them to their own servers. Even queries leaving through the VPN can be hijacked.
WebRTC leak: Browsers' real-time communication API can bypass the VPN to expose your local and public IP.
Connection drop: When the VPN tunnel drops, DNS queries revert to the system DNS. This is why a kill switch is critical.
DHCP enforcement: Some routers force all DNS traffic to their own servers. If the VPN client can't override this, leaks occur.
How to Test for DNS Leaks
The most reliable tools for testing leaks:
ipleak.net
The most comprehensive testing site. On a single page, it shows you:
- Public IPv4 address
- IPv6 address (if any)
- List of DNS servers being used and their locations
- IP detected via WebRTC
- Torrent IP detection
Open ipleak.net while the VPN is connected. The DNS servers should be IPs belonging to your VPN provider or known privacy DNS resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9). If you see your home ISP's DNS servers, you have a leak.
dnsleaktest.com
Offers two test modes: standard test (5 queries) and extended test (about 30 queries). The extended test is more reliable because some leaks only trigger on specific domains.
Run the Extended Test while the VPN is connected. All servers shown should be in your VPN provider's infrastructure. If you see DNS from multiple different ISPs, you have a partial leak.
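The rule both test sites rely on (every resolver must belong to the VPN or to a privacy resolver you chose) can also be applied locally to a resolver list, whether copied from the test page or read from a Linux resolv.conf. The sketch below is an added example, not code from either site. Assumptions: 198.51.100.0/24 is a placeholder for your VPN provider's resolver range, the sample files are constructed, and "partial leak" here means trusted and untrusted resolvers appear together.

```python
import ipaddress

# Resolvers the article names as acceptable privacy DNS (Cloudflare, Quad9).
PRIVACY = {ipaddress.ip_address(a) for a in ("1.1.1.1", "9.9.9.9")}
# Assumption: placeholder for your VPN provider's resolver range.
VPN_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Loopback stubs and LAN/router addresses hide the real upstream resolver.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7")]

def nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    found = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id (fe80::1%eth0) before parsing.
            found.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return found

def classify(addr):
    """Label one resolver as vpn, privacy, local or leak."""
    if any(addr in net for net in VPN_NETS):
        return "vpn"
    if addr in PRIVACY:
        return "privacy"
    if any(addr in net for net in LOCAL_NETS):
        return "local"
    return "leak"

def verdict(addrs):
    """Summarise a resolver list: clean, partial leak, leak or inconclusive."""
    labels = [classify(a) for a in addrs]
    trusted = any(label in ("vpn", "privacy") for label in labels)
    if "leak" in labels:
        return "partial leak" if trusted else "leak"
    if not labels or "local" in labels:
        return "inconclusive"  # e.g. 127.0.0.53: inspect the stub's upstream
    return "clean"

# Constructed samples: VPN resolver next to an ISP resolver, then a local stub.
MIXED = "nameserver 198.51.100.53\nnameserver 203.0.113.10\n"
STUB = "# managed by systemd-resolved\nnameserver 127.0.0.53\noptions edns0\n"

if __name__ == "__main__":
    for name, text in (("mixed", MIXED), ("stub", STUB)):
        print(name, verdict(nameservers(text)))
```

An "inconclusive" result means the configured address is a local stub or the router, so the config file alone cannot show where queries end up; the online tests remain the check for that case.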
browserleaks.com
Provides detailed browser-based tests. It particularly exposes browser-level risks like WebRTC, fingerprinting, and canvas leaks. A VPN alone cannot close these vectors.
IPv6 Leak: The Most Commonly Overlooked Issue
IPv6 is the successor to IPv4 and is becoming increasingly common. Most major ISPs now support IPv6.
The problem: many VPN providers don't support IPv6. When the VPN connects, only IPv4 traffic goes through the tunnel. IPv6 packets exit through the regular network adapter with your real IPv6 address.
Result: tests checking IP through IPv4 say "everything is fine," but IPv6-supporting sites see your real location.
Solutions:
- Enable your VPN provider's IPv6 support — ProtonVPN, Mullvad, AirVPN support it
- Disable IPv6 entirely — turn it off in OS network settings
- Enable the provider's "IPv6 leak protection" feature — available in modern clients
On ipleak.net, the "Your IPv6 address" field should be empty or show the VPN provider.
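On Linux the same question can be answered from the routing table: which interface would carry an IPv6 packet right now? The following is an added example, not part of the original article. It parses the output of `ip -6 route get 2001:db8::1` (which honours policy-routing rules, unlike a plain look at the default route) and `ip -6 -o addr show scope global`. The tunnel interface prefixes and the sample command output are assumptions constructed for illustration.

```python
# Assumption: interface name prefixes your VPN client uses for its tunnel.
TUNNEL_PREFIXES = ("wg", "tun", "utun")
# Route types that drop traffic instead of forwarding it.
DROP_TYPES = ("unreachable", "blackhole", "prohibit")

def egress_device(route_get_output):
    """Interface picked by `ip -6 route get 2001:db8::1`, or None if no route."""
    for line in route_get_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in DROP_TYPES:
            continue
        if "dev" in tokens[:-1]:
            return tokens[tokens.index("dev") + 1]
    return None

def global_addresses(addr_output):
    """Map interface -> addresses from `ip -6 -o addr show scope global`."""
    by_iface = {}
    for line in addr_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[2] == "inet6":
            by_iface.setdefault(tokens[1], []).append(tokens[3].split("/")[0])
    return by_iface

def ipv6_leak_check(route_get_output, addr_output):
    """Return (status, device, real addresses a remote site would see)."""
    dev = egress_device(route_get_output)
    if dev is None:
        return ("no-ipv6-route", None, [])  # IPv6 disabled or blocked
    if dev.startswith(TUNNEL_PREFIXES):
        return ("tunneled", dev, [])
    return ("leak", dev, global_addresses(addr_output).get(dev, []))

# Constructed command output (documentation prefix 2001:db8::/32).
ADDRS = (
    "3: wlan0    inet6 2001:db8:1::abcd/64 scope global dynamic \\"
    "       valid_lft 86000sec preferred_lft 14000sec\n"
    "5: wg0    inet6 fd00::2/128 scope global \\"
    "       valid_lft forever preferred_lft forever\n")
ROUTE_LEAK = ("2001:db8::1 from :: via fe80::1 dev wlan0 proto ra "
              "src 2001:db8:1::abcd metric 600 pref medium\n")
ROUTE_TUNNEL = ("2001:db8::1 from :: dev wg0 table 51820 "
                "src fd00::2 metric 1024 pref medium\n")

if __name__ == "__main__":
    print(ipv6_leak_check(ROUTE_LEAK, ADDRS))
    print(ipv6_leak_check(ROUTE_TUNNEL, ADDRS))
```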
WebRTC Leak: The Browser's Betrayal
WebRTC (Web Real-Time Communication) is an API browsers use for video calls and file sharing. The problem: WebRTC must learn both your local and public IP to establish P2P connections, and it queries the OS's network stack directly, bypassing the VPN.
Result: even with the VPN active, a webpage can learn your real IP through the WebRTC API. Ad networks have been using this method for years.
Solutions:
- Brave: Forces WebRTC to operate over the VPN by default
- Firefox: open about:config and set media.peerconnection.enabled = false
- Chrome/Edge: WebRTC Network Limiter extension
- uBlock Origin: Settings > "Prevent WebRTC from leaking local IP addresses" enabled
On browserleaks.com/webrtc, the local IP should be empty or belong to the VPN.
DNS-over-HTTPS and DNS-over-TLS
Classic DNS queries go in plaintext (port 53). This means even without a VPN, DNS traffic is visible to anyone on the network. DoH (DNS-over-HTTPS) and DoT (DNS-over-TLS) encrypt these queries.
Modern browsers (Firefox, Chrome, Edge) support DoH by default. Cloudflare 1.1.1.1, Quad9 9.9.9.9, and NextDNS are popular DoH endpoints.
Subtle point: DoH protects DNS queries from network observers but doesn't enforce going through the VPN. If your browser's DoH provider is different from your VPN's, your VPN provider sees no DNS queries — but the DoH provider does. For consistency, configure DoH at the OS level using your VPN's resolver, or rely entirely on the VPN's DNS handling.
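To make the subtle point concrete, the added example below (not from the original article) builds a standard DNS query, shows what an on-path observer can read from the port-53 payload, and then encodes the same message the way a DoH GET request carries it. The function names are illustrative; the message layout follows RFC 1035 and the encoding follows RFC 8484.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """RFC 1035 query message for `name` (qtype 1 = A), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(p)]) + p for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN

def observed_name(payload):
    """Domain an on-path observer reads from a plaintext port-53 payload."""
    pos, labels = 12, []  # the question starts after the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def doh_get_param(message):
    """RFC 8484 GET form: base64url of the same message, padding stripped."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")

def doh_resolver_view(param):
    """What the DoH resolver recovers after TLS is terminated on its side."""
    message = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    return observed_name(message)

if __name__ == "__main__":
    query = build_query("protonmail.com")
    # Port 53: the name travels as readable length-prefixed labels.
    print("network observer sees:", observed_name(query))
    # DoH: the network sees only TLS, but the resolver decodes the identical
    # message, so the choice of resolver decides who learns the name.
    print("DoH resolver sees:    ", doh_resolver_view(doh_get_param(query)))
```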
Fixing DNS Leaks
If you find a DNS leak in your test, work through these steps:
1. Update your VPN client: Older versions may have routing bugs. Upgrade to the latest version.
2. Switch protocol: WireGuard's DNS handling is generally cleaner than OpenVPN. If you're on OpenVPN, switch to WireGuard.
3. Enable DNS leak protection in the client: Most providers ship this option, but it isn't always on by default.
4. Disable IPv6 at the OS level: On Windows, use the network adapter properties; on macOS, use Network preferences.
5. Override DNS manually: Set the OS's DNS servers to Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). The VPN's own DNS adds another protection layer.
6. Block WebRTC: Use a browser extension, or use the Brave browser, which handles this by default.
7. Use a system-level kill switch: A kill switch prevents brief leak windows from appearing during connection drops.
If leaks persist after these steps, your VPN provider's DNS handling is likely faulty. Consider switching providers — modern providers like ProtonVPN, Mullvad, NordVPN have very low leak rates.
How VPN Providers Handle DNS
Quality varies dramatically across providers.
Mullvad: Operates its own DNS resolvers, blocks ad/tracker domains by default. Mature implementation against IPv6 and WebRTC leaks.
NordVPN: Uses NordVPN's own DNS, supports threat protection (ad/malware blocking). NordLynx (WireGuard variant) routes DNS cleanly.
ProtonVPN: Operates its own DNS infrastructure, NetShield feature blocks ads and malware. Has IPv6 leak protection.
ExpressVPN: Provides DNS protection on every server, has its own resolvers. Generally clean with respect to leaks.
Free VPNs: Significant leakage problems are common. Some forward DNS queries straight to the user's ISP — the free vs paid VPN difference shows up most clearly here.
When choosing a provider, look for "private DNS" or "no-logs DNS" features. The WireGuard vs OpenVPN comparison covers protocol-level DNS routing differences.
Frequently Asked Questions
How often should I run a DNS leak test? Test every time you change networks (home, work, public Wi-Fi). For sensitive uses, also after VPN updates and OS updates.
Does ipleak.net give a definitive answer? It's a strong indicator, but not 100% conclusive. Cross-test with dnsleaktest.com extended test. If both show your VPN's DNS, you're fine.
Can a leak occur without my knowledge? Yes, this is the most dangerous case. After OS updates, network changes, or VPN client crashes, leaks can start without warning. Periodic testing is the only protection.
Are there free leak tests? Yes. ipleak.net, dnsleaktest.com and browserleaks.com are all free. Avoid paid leak testing tools; they offer no advantage.
Does mobile DNS leak too? Yes, particularly on Android. iOS has tighter network controls but isn't immune. Run the same tests on mobile.
Conclusion
DNS leaks are the most underestimated risk in VPN privacy. Hiding your IP without hiding your DNS queries provides only half-protection — your ISP and trackers still see exactly which domains you're visiting. Modern VPN providers offer DNS leak protection, but the user must verify and run regular tests.
For comprehensive protection covering IPv4, IPv6, WebRTC, and DNS queries together, ensure your VPN supports all leak protections, that IPv6 is either tunneled or disabled, and that your browser's WebRTC settings are hardened. To find a leak-proof setup, the DNS leak protection scores in our VPN comparison can help you decide.
Privacy isn't just hiding your IP — which domains you resolve is data just as valuable as the IP itself.