You've connected to your VPN. Your IP address shows the correct VPN location. You feel safe. But there's a hidden problem that most VPN users never check: your DNS requests may be leaking outside the VPN tunnel entirely, quietly reporting your browsing activity to your ISP.
This is called a DNS leak, and it's more common than you'd expect — even with paid, reputable VPN services. Here's everything you need to know.
What Is DNS?
DNS stands for Domain Name System — often described as the internet's phone book.
When you type a web address like bbc.co.uk into your browser, your device doesn't automatically know where that website is located on the internet. It needs to translate the human-readable domain name into a machine-readable IP address (like 151.101.64.81). That translation is performed by a DNS server.
Every time you visit a website, your device sends a DNS query asking: "What is the IP address for this domain?" The DNS server looks it up and sends the answer back. This happens invisibly, dozens or hundreds of times per browsing session.
Normally, your DNS queries go to your ISP's DNS servers. That means your ISP receives a complete log of every domain you look up — effectively, a record of every website you visit.
What Is a DNS Leak?
A DNS leak occurs when your DNS queries bypass the VPN tunnel and go directly to your ISP's DNS servers, even though you have a VPN connected.
In theory, when you use a VPN, all your traffic — including DNS queries — should be routed through the VPN. The DNS queries should go to the VPN provider's own DNS servers, not your ISP's. If they don't, you have a DNS leak.
The result: your IP address may show the VPN server location, but your ISP can still see a full list of every domain you looked up. You get the false impression of privacy while your browsing history remains exposed.
Why DNS Leaks Matter for Privacy
DNS leaks can have real consequences:
- Your ISP logs your browsing: UK ISPs can be required under the Investigatory Powers Act 2016 to retain internet connection records for up to 12 months. A DNS leak hands them that data even when you think you're protected.
- DNS-based filtering still applies: If your router or ISP filters by DNS (parental controls, network firewalls), a leak means those filters still see, and can still block, your requests.
- Streaming services detect your region: Netflix and other services sometimes detect your real region through DNS servers even when your IP shows a VPN location.
- Advertisers can profile you: DNS queries are sometimes logged and sold by ISPs for advertising purposes in some jurisdictions.
What Causes DNS Leaks?
DNS leaks can happen for several technical reasons:
- The VPN app doesn't override system DNS: Some VPN clients don't properly redirect DNS queries through the tunnel. Your operating system then falls back to its default DNS servers — usually your ISP's.
- Manual DNS settings on your device or router: If you've manually set DNS servers on the adapter (for example Google's 8.8.8.8 or Cloudflare's 1.1.1.1), some VPN clients leave them in place rather than replacing them with the VPN's resolver. Even when such a query travels through the tunnel it goes to that third party instead of your VPN's resolver, and with a split-tunnel or per-app VPN it may not be tunnelled at all. If the device uses the router as its resolver, that LAN address is excluded from the tunnel, so the router forwards the query straight out to the ISP.
- "Smart DNS" services or antivirus tools: Some security software intercepts DNS queries independently, routing them outside the VPN tunnel.
- Browser DNS-over-HTTPS (DoH): Modern browsers like Chrome and Firefox can send encrypted DNS queries directly to their own DNS resolvers (like Cloudflare), bypassing both your ISP and your VPN's DNS entirely.
- IPv6 leaks: If your VPN only tunnels IPv4 traffic, IPv6 DNS queries may travel outside the tunnel entirely. This is a common oversight in older or budget VPN clients.
- VPN connection drops: If your VPN briefly disconnects and reconnects, there can be a window during which DNS queries go directly to your ISP.
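Most of the causes above come down to one question: for each resolver the system is configured to use, which interface will the query leave on? The following added example (not code from the original article) answers that offline. It takes a resolver list plus IPv4 and IPv6 routing tables in the format printed by `ip route show` and `ip -6 route show`, does longest-prefix matching the way the kernel does, and reports every resolver whose route does not go over the VPN interface. The routing tables, interface names and resolver addresses are constructed sample data.

```python
"""Find out which interface each configured DNS resolver is actually reached over.

Added example, not code from the original article. Routing tables, interface
names and resolver addresses below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    dev: str


def parse_routes(text: str, family: int) -> list[Route]:
    """Parse lines such as 'default via 192.168.1.1 dev wlan0' or '10.8.0.0/24 dev tun0'."""
    catch_all = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = catch_all if fields[0] == "default" else ipaddress.ip_network(fields[0], strict=False)
        routes.append(Route(prefix, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(addr: str, routes: list[Route]) -> str | None:
    """Longest-prefix match: the most specific route containing addr decides the interface."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if r.prefix.version == ip.version and ip in r.prefix]
    if not matches:
        return None  # no route at all: the query cannot be sent
    return max(matches, key=lambda r: r.prefix.prefixlen).dev


def leaking_resolvers(resolvers, routes4, routes6, vpn_dev):
    """Map each resolver that is routed outside vpn_dev to the interface it would leave on."""
    leaks = {}
    for resolver in resolvers:
        table = routes4 if ipaddress.ip_address(resolver).version == 4 else routes6
        dev = egress_interface(resolver, table)
        if dev is not None and dev != vpn_dev:
            leaks[resolver] = dev
    return leaks


# Constructed sample: a full-tunnel IPv4 VPN on tun0 (the 0.0.0.0/1 + 128.0.0.0/1 pair is
# how OpenVPN-style clients beat the existing default route without deleting it), a host
# route so the VPN server itself stays reachable over Wi-Fi, and nothing tunnelled for IPv6.
IPV4_ROUTES = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev wlan0
203.0.113.10 via 192.168.1.1 dev wlan0
"""
IPV6_ROUTES = """
default via fe80::1 dev wlan0
2001:db8:1::/64 dev wlan0
"""
RESOLVERS = [
    "10.8.0.1",        # pushed by the VPN client: reached over tun0
    "192.168.1.1",     # the home router, left over from DHCP: on the LAN, outside the tunnel
    "1.1.1.1",         # manually configured public resolver: tunnelled, so hidden from the ISP
    "2001:db8:1::53",  # IPv6 resolver learned from router advertisements: leaves over wlan0
]

if __name__ == "__main__":
    leaks = leaking_resolvers(RESOLVERS, parse_routes(IPV4_ROUTES, 4), parse_routes(IPV6_ROUTES, 6), "tun0")
    for resolver, dev in leaks.items():
        print(f"LEAK: queries to {resolver} leave over {dev}, not the VPN")
    if not leaks:
        print("all configured resolvers are reached through the VPN interface")
```

On a real Linux host, paste the output of `ip route show` and `ip -6 route show` into the two tables and take the resolver list from `/etc/resolv.conf` or `resolvectl dns`; `ip route get <resolver>` asks the kernel the same question one address at a time. The two results flagged in the sample (the router on the LAN and the IPv6 resolver) are exactly the "manual DNS on the router" and "IPv6 leak" causes from the list above.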
How to Test for a DNS Leak
Testing for a DNS leak is straightforward. Here's how to do it properly:
- Connect to your VPN and choose a server in another country.
- Visit a DNS leak test tool (GoIPScan's network scanner checks for common exposure signals).
- Look at the DNS servers listed in the results. If any of them belong to your ISP, or to a resolver you didn't expect (such as a public resolver set on your device), rather than to your VPN provider, you have a DNS leak.
- Note the server locations. If you're connected to a VPN in Germany but the DNS servers are showing UK locations, something is wrong.
It's worth running the test a few times, as DNS servers can rotate. Also test on both Wi-Fi and mobile data if you use the VPN on your phone.
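It helps to know what a leak test actually measures, because that explains both why the results can name a resolver you never configured and why one run can miss a leak. The test page has your browser resolve a unique, never-before-seen hostname under a domain whose authoritative nameserver the tester controls. Your device never contacts that server; the recursive resolver you are using does, so the server's log shows that resolver's public address. The added example below (not the article's code and not how GoIPScan is implemented) reduces that to its moving parts; every address, prefix and the stub-resolver behaviour is constructed sample data, and dnsleak.example is a placeholder domain.

```python
"""The mechanism behind a browser-based DNS leak test, reduced to its moving parts.

Added example; not from the original article. All addresses, prefixes and the
stub-resolver behaviour are constructed sample data.
"""
import ipaddress
import secrets
from collections import defaultdict

TEST_DOMAIN = "dnsleak.example"  # placeholder for a domain the tester controls

# Constructed: the public address each recursive resolver uses when it asks
# authoritative servers, i.e. what the test's nameserver gets to see.
RECURSIVE_EGRESS = {
    "10.8.0.1": "198.51.100.53",    # VPN provider's resolver, reached inside the tunnel
    "192.168.1.1": "203.0.113.77",  # home router forwarding to the ISP's resolver
}
VPN_RESOLVER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # ranges the tester knows the VPN uses


class AuthoritativeServer:
    """Records, per probe token, the source addresses of the resolvers that asked."""

    def __init__(self):
        self.seen = defaultdict(set)

    def handle_query(self, qname, source_ip):
        token = qname.split(".", 1)[0]
        self.seen[token].add(source_ip)
        return "192.0.2.1"  # the answer is irrelevant; the point is who asked


class StubResolver:
    """Models an OS stub resolver that rotates through its configured servers."""

    def __init__(self, servers, authoritative):
        self.servers = list(servers)
        self.auth = authoritative
        self.calls = 0

    def resolve(self, qname):
        server = self.servers[self.calls % len(self.servers)]  # round-robin, like glibc 'options rotate'
        self.calls += 1
        # A unique name is never cached, so the recursive resolver must ask the authoritative server.
        return self.auth.handle_query(qname, RECURSIVE_EGRESS[server])


def make_probe_name():
    token = secrets.token_hex(8)  # fresh per run: guarantees a cache miss
    return token, f"{token}.{TEST_DOMAIN}"


def run_leak_test(stub, auth, attempts):
    """Resolve `attempts` unique names and collect every resolver address the server saw."""
    seen = set()
    for _ in range(attempts):
        token, name = make_probe_name()
        stub.resolve(name)
        seen |= auth.seen[token]
    return seen


def verdict(seen_ips):
    """LEAK if any resolver the server saw is outside the VPN provider's ranges."""
    outside = sorted(ip for ip in seen_ips
                     if not any(ipaddress.ip_address(ip) in net for net in VPN_RESOLVER_NETS))
    return ("LEAK", outside) if outside else ("OK", [])


if __name__ == "__main__":
    auth = AuthoritativeServer()
    # Constructed host: the VPN resolver is first in the list, the router second.
    stub = StubResolver(["10.8.0.1", "192.168.1.1"], auth)
    print("one attempt  :", verdict(run_leak_test(stub, auth, attempts=1)))
    print("five attempts:", verdict(run_leak_test(stub, auth, attempts=5)))
```

With two resolvers configured, a single probe happens to hit the VPN's resolver and reports OK; only the repeated probes reach the router and surface 203.0.113.77. That is the reason for running the test several times, and why the result lists resolver addresses (which may belong to Google, Cloudflare or your ISP) rather than your own.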
How to Fix a DNS Leak
The fix depends on where the leak is coming from:
1. Use a VPN with Built-in DNS Leak Protection
The simplest fix is to use a VPN client that explicitly routes all DNS traffic through the tunnel. Most major providers (ExpressVPN, NordVPN, Mullvad) offer DNS leak protection as a standard feature. Check your VPN app settings to make sure it's enabled.
2. Enable the Kill Switch
A kill switch cuts your internet if the VPN drops, preventing any traffic — including DNS — from leaking outside the tunnel during a reconnection gap.
3. Configure DNS Manually
If your VPN doesn't handle DNS well, you can manually configure your device to use privacy-respecting DNS servers:
- Cloudflare DNS:
1.1.1.1and1.0.0.1(no logging of personal data) - Quad9:
9.9.9.9(blocks malicious domains)
Set these in your network adapter settings, not just in the browser.
4. Disable Browser DNS-over-HTTPS (or Point It to Your VPN's Resolver)
In Chrome: Settings → Privacy and security → Security → Use secure DNS → turn it off, or select your VPN provider's resolver as a custom provider. In Firefox: Settings → Privacy & Security → DNS over HTTPS (older releases: Settings → General → Network Settings → Enable DNS over HTTPS), where you can turn it off or enter your VPN provider's DoH resolver as a custom provider.
5. Check for IPv6 Leaks
If your VPN doesn't support IPv6 tunnelling, disable IPv6 on your network adapter to prevent IPv6 DNS queries from bypassing the tunnel. This is done in your operating system's network settings.
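Fixes 1, 3 and 5 correspond to concrete lines in a VPN client configuration, and a WireGuard config is compact enough to check mechanically. The added example below (not from the article and not part of WireGuard) lints a wg-quick style config for three things: that [Interface] sets DNS= (otherwise the system keeps whatever resolvers it already had, usually the ISP's); that AllowedIPs across all peers covers every IPv4 address; and that it also covers every IPv6 address, since anything not listed is routed outside the tunnel. The two configs are constructed samples with placeholder keys and the documentation address 203.0.113.10 as the endpoint.

```python
"""Lint a WireGuard client config for leak-prone settings.

Added example; not from the original article and not part of WireGuard.
The two configs below are constructed samples with placeholder keys.
"""
import ipaddress


def parse_wg_config(text):
    """Minimal parser: returns [{'name': section, 'keys': {key: [values...]}}, ...]."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick treats '#' as a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1].strip(), "keys": {}}
            sections.append(current)
            continue
        if current is None:
            continue  # key outside any section: ignore
        key, _, value = line.partition("=")
        # Keys such as AllowedIPs may appear more than once, so keep every value.
        current["keys"].setdefault(key.strip(), []).append(value.strip())
    return sections


def covers_all(nets, version):
    """True if the union of nets is the whole address space for that IP version."""
    same = [n for n in nets if n.version == version]
    collapsed = list(ipaddress.collapse_addresses(same))  # merges 0.0.0.0/1 + 128.0.0.0/1 into 0.0.0.0/0
    return len(collapsed) == 1 and collapsed[0].prefixlen == 0


def lint_wg_config(text):
    """Return human-readable findings; an empty list means no leak-prone settings were found."""
    findings = []
    sections = parse_wg_config(text)
    iface = next((s for s in sections if s["name"] == "Interface"), None)
    if iface is None or not any(iface["keys"].get("DNS", [])):
        findings.append("no DNS= in [Interface]: the system keeps its existing resolvers, usually the ISP's")
    allowed = []
    for s in sections:
        if s["name"] == "Peer":
            for value in s["keys"].get("AllowedIPs", []):
                allowed += [ipaddress.ip_network(x.strip(), strict=False) for x in value.split(",") if x.strip()]
    if not covers_all(allowed, 4):
        findings.append("AllowedIPs does not cover 0.0.0.0/0: split tunnel, IPv4 DNS can bypass the VPN")
    if not covers_all(allowed, 6):
        findings.append("AllowedIPs does not cover ::/0: IPv6 traffic, including IPv6 DNS, stays outside the tunnel")
    return findings


# Constructed sample: tunnels IPv4 only and never tells the system which resolver to use.
LEAKY_CONFIG = """
[Interface]
PrivateKey = <client-private-key>   # placeholder
Address = 10.8.0.2/24

[Peer]
PublicKey = <server-public-key>     # placeholder
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""

# Constructed sample with the fixes applied: VPN resolver pushed, both address families tunnelled.
FIXED_CONFIG = """
[Interface]
PrivateKey = <client-private-key>   # placeholder
Address = 10.8.0.2/24, fd00:8::2/64
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>     # placeholder
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
"""

if __name__ == "__main__":
    for label, cfg in (("leaky", LEAKY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_wg_config(cfg) or ["no findings"])
```

Adding ::/0 to AllowedIPs is the tunnel-everything answer to the IPv6 problem; if the VPN server does not carry IPv6, the alternative is the one above, disabling IPv6 on the adapter, and the lint's third finding is then the reminder to do so. Accepting 0.0.0.0/1 plus 128.0.0.0/1 (or ::/1 plus 8000::/1) as full coverage matters because some clients write the split pair rather than the single /0.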
The Difference Between a DNS Leak and a WebRTC Leak
These are related but different privacy problems:
- DNS leak: Your domain lookup requests go to the wrong server (usually your ISP's), revealing which websites you visit.
- WebRTC leak: Your browser's real IP address is exposed through the WebRTC browser API, even when a VPN is active. This can reveal your home IP to websites directly.
Both can occur simultaneously, and fixing one doesn't necessarily fix the other. Use GoIPScan's VPN Leak Test to check for WebRTC leaks specifically.
Frequently Asked Questions
Does using HTTPS protect me from DNS leaks?
No. HTTPS encrypts the content of your requests, but the DNS lookup that determines which server to connect to still happens before the HTTPS connection is established. DNS leaks happen at the DNS layer, not the HTTP layer. (Separately, the hostname also appears in plain text in the TLS handshake's Server Name Indication unless Encrypted Client Hello is in use, so HTTPS alone does not hide which sites you visit even when DNS is perfectly tunnelled.)
My VPN shows a green tick — does that mean no DNS leak?
Not necessarily. Some VPN apps show a connected status without verifying whether DNS is correctly routed. Always test with an independent tool rather than relying on the VPN app's own status indicator.
Can my router cause DNS leaks?
Yes. Some routers intercept plain-text DNS on port 53 and redirect it to the ISP's servers. That cannot touch queries travelling inside the tunnel, but it catches any that leave it, for example when the device still uses the router as its resolver. This is common with certain ISP-provided routers. If you suspect this, test from your mobile data connection to compare results.
Is DNS-over-HTTPS (DoH) enough to prevent leaks?
DoH encrypts your DNS queries so they can't be read in transit, but they still go to a specific DNS resolver. If that resolver isn't your VPN's, you're still effectively bypassing the VPN's DNS. DoH is useful but not a complete substitute for proper VPN DNS leak protection.
