What DNS Is and Why It Matters for Privacy
Every time you type a website address, your device sends a DNS query to translate that domain name into an IP address. Think of it as a phone book lookup that happens before every website visit. By default, these queries go to your ISP's DNS servers -- which means your ISP can see every domain you visit, even if the actual page content is encrypted with HTTPS. A VPN is supposed to route DNS queries through the encrypted VPN tunnel so your ISP cannot see them.
What a DNS Leak Is
A DNS leak occurs when DNS queries bypass the VPN tunnel and go directly to your ISP's DNS servers even though you are connected to a VPN. The result: your VPN is hiding your IP address and encrypting your web traffic, but your ISP can still see which websites you visit via the DNS queries. You get less privacy than you think you are getting. From the outside, it looks like your traffic goes to the VPN, but your browsing history is still visible to your ISP.
Why DNS Leaks Happen
Windows-specific: Windows has a 'smart multi-homed name resolution' feature that sends DNS queries to multiple servers simultaneously for speed. This can bypass the VPN's DNS. Most good VPN apps disable this when connecting. IPv6 leaks: if your ISP assigns you an IPv6 address but your VPN only tunnels IPv4 traffic, IPv6 DNS queries bypass the VPN. VPN misconfiguration: some VPN apps, especially older or poorly built ones, do not properly redirect DNS through the tunnel. Network switching: if you switch from WiFi to mobile data, DNS settings may temporarily revert during the handoff.
How to Test for DNS Leaks
Connect to your VPN. Go to dnsleaktest.com or ipleak.net. Run the standard or extended test. The results show which DNS servers your queries are going to. If you see your ISP's DNS servers (typically named something like 'dns.example-isp.com' or with your ISP's name), you have a DNS leak. You should only see DNS servers belonging to your VPN provider or a third-party resolver you configured (like Cloudflare 1.1.1.1 via the VPN).
How to Fix DNS Leaks
Use a VPN with DNS leak protection built in: ExpressVPN, NordVPN, Mullvad, and ProtonVPN all run their own DNS servers and route all DNS through the tunnel by default. On Windows: go to network adapter settings, find the VPN adapter's DNS settings, and set them manually to your VPN provider's DNS IP. Disable IPv6 on your network adapter if your VPN does not support IPv6 tunneling. Enable the kill switch in your VPN app -- this prevents any traffic (including DNS) from going outside the tunnel if the VPN connection drops.