What Is a DNS Leak?
A DNS leak occurs when your DNS queries (the requests your device makes to translate domain names like google.com into IP addresses) are sent outside the VPN tunnel, typically to your ISP's DNS servers. When this happens, your ISP can see every domain name you visit even though your browsing traffic is encrypted by the VPN. A DNS leak defeats the privacy purpose of using a VPN.
How to Test for DNS Leaks
The fastest way: visit dnsleaktest.com or ipleak.net while connected to your VPN. Run the extended test. The results show which DNS servers your device is using. If the DNS servers listed are from your ISP (you can check by looking at the organization/ISP name next to each IP), you have a DNS leak. If the DNS servers belong to your VPN provider or are from a country your VPN is routing through, you are not leaking.
Why DNS Leaks Happen
Windows Smart Multi-Homed Name Resolution: Windows sends DNS queries to multiple interfaces simultaneously for speed. This can cause DNS requests to bypass the VPN. Enabled by default in Windows 8, 10, and 11.
Teredo: a Microsoft transition technology that can route IPv6 traffic outside the VPN tunnel.
IPv6 leaks: if your VPN only tunnels IPv4 traffic but your device uses IPv6, the IPv6 DNS requests go directly to your ISP.
WebRTC leaks (similar but different): WebRTC can expose your real IP address in the browser even with a VPN active, but this is a browser issue rather than a DNS-specific leak.
How to Fix DNS Leaks
Use a VPN that includes DNS leak protection: NordVPN, ExpressVPN, and ProtonVPN all route DNS queries through their own servers and block system-level DNS bypass attempts.
Disable Teredo: open Command Prompt as administrator and run: netsh interface teredo set state disabled
Enable IPv6 leak protection: in your VPN app settings, look for an IPv6 leak prevention or IPv6 kill switch option.
Use a third-party DNS service: set it manually in your network adapter settings (e.g., 1.1.1.1 for Cloudflare or 9.9.9.9 for Quad9). This does not fix all leak causes but adds a layer.
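As an added example (not from the original article), this read-only PowerShell script audits the Windows causes listed above: Teredo state, Smart Multi-Homed Name Resolution, and DNS resolvers and IPv6 bindings on adapters other than the VPN. The adapter name ExampleVPN is an assumption, and the Group Policy registry value it reads for Smart Multi-Homed Name Resolution is not named in the article.

```powershell
# Added example: read-only audit of the Windows leak causes listed above.
# 'ExampleVPN' is an assumed adapter name; list real ones with Get-NetAdapter.
param([string]$VpnAlias = 'ExampleVPN')

$findings = @()

# Teredo: the fix above sets the state to disabled.
$teredoType = "$((Get-NetTeredoConfiguration).Type)"
if ($teredoType -ne 'Disabled') {
    $findings += "Teredo is '$teredoType', not disabled"
}

# Smart Multi-Homed Name Resolution: on unless the Group Policy value
# DisableSmartNameResolution (not named in the article) is set to 1.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy = Get-ItemProperty -Path $key -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if (-not $policy -or $policy.DisableSmartNameResolution -ne 1) {
    $findings += 'Smart Multi-Homed Name Resolution is not turned off by policy'
}

# Connected adapters other than the VPN: resolvers configured there are where
# a query lands if it leaves the tunnel, and an enabled IPv6 binding matters
# when the VPN only tunnels IPv4.
$up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
if (-not ($up | Where-Object { $_.Name -eq $VpnAlias })) {
    $findings += "No connected adapter named '$VpnAlias'; is the VPN up?"
}
foreach ($nic in ($up | Where-Object { $_.Name -ne $VpnAlias })) {
    foreach ($family in 'IPv4', 'IPv6') {
        $dns = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily $family -ErrorAction SilentlyContinue
        if ($dns.ServerAddresses) {
            $findings += "$($nic.Name) has $family resolvers: $($dns.ServerAddresses -join ', ')"
        }
    }
    $v6 = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
    if ($v6.Enabled) {
        $findings += "$($nic.Name) has IPv6 enabled; confirm the VPN's IPv6 leak protection is on"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "CHECK: $_" }
} else {
    Write-Output 'No leak-prone settings found.'
}
```

Resolvers on a physical adapter are normal (DHCP assigns them); the output shows where queries would go if they bypass the tunnel, so confirm the result with the online test described earlier.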
Kill Switch as a Related Protection
A VPN kill switch blocks all internet traffic if the VPN connection drops. This prevents DNS queries from reverting to your ISP's DNS while the VPN reconnects. Kill switches and DNS leak protection address overlapping but distinct failure modes. Enable both for maximum protection.