DNS Leak
IntermediateA privacy failure where your DNS lookups escape the VPN tunnel and go to your ISP's servers — revealing every site you visit despite the encryption.
In depth
A DNS leak happens when your device sends domain-name lookups outside your VPN tunnel — typically straight to your ISP's DNS servers. The tunnel still encrypts your traffic, but the lookups themselves announce every domain you visit to exactly the party the VPN was supposed to blind.
Why it happens
Every connection starts with a DNS query ("what's the IP for example.com?"). Operating systems are opportunistic about resolving names fast: cached resolver settings, per-interface DNS configuration, and features like Windows' smart multi-homed resolution can all route queries to the local network's resolver instead of the VPN's. The result is a tunnel that carries your traffic while your lookup history walks out the front door.
What a leak reveals
- Your browsing map: every domain you resolve, timestamped — enough to reconstruct your online life without decrypting anything.
- Your real identity context: queries arriving at your ISP's resolver are tied to your subscriber account.
- Geo-inconsistency: websites can notice your DNS resolver is in a different country than your VPN IP, a signal used to detect and block VPN users.
Prevention
Quality VPNs run their own DNS resolvers inside the tunnel and force all queries through them; many also block outside DNS at the firewall level. Test regularly with a DNS-leak test site: if any listed resolver belongs to your ISP while connected, you're leaking.
Test after every change
OS updates, new networks, and VPN app reinstalls can silently reintroduce leaks. A thirty-second leak test after such changes is the cheapest privacy insurance available.
Examples
- A VPN user runs a leak test and finds their ISP's resolvers listed — their browsing history was visible all along.
- A streaming site blocks a viewer whose VPN IP is in the US but whose DNS queries resolve in Germany.
- A Windows feature races DNS queries across all interfaces, leaking lookups past the tunnel.
Common use cases
FAQs
Connect to your VPN and run a DNS-leak test website. It lists every resolver answering your queries — all results should belong to your VPN provider. Any resolver owned by your ISP means you're leaking.
Yes — metadata is the story. Your full domain-by-domain browsing history, timestamped and tied to your ISP account, leaks even though page contents stay encrypted. For most privacy threat models, that history is exactly what needed hiding.
Enable your VPN's own DNS and leak-protection settings first — reputable apps force queries through the tunnel. If leaks persist, disable smart multi-homed resolution on Windows, remove manual DNS overrides, or set your system DNS to the VPN's resolvers.