What is a DNS leak, and how do you check for one?
A DNS leak is when your domain-name lookups escape the VPN tunnel and go to your ISP's resolver — so even though your traffic is encrypted, your ISP still sees the name of every site you visit. The tunnel is working, the padlock is real, and yet the single most revealing metadata stream — which domains you look up, and when — flows exactly where it did before you paid for a VPN. This guide explains how that happens, how to check for it honestly, and how to fix it.
Maintained by the ipconfig.io team · Reviewed 1 July 2026
What DNS reveals about you
Before your device can connect to any site, it asks a DNS resolver to turn the domain name into an IP address. Whoever runs that resolver gets a complete, timestamped feed of every domain you visit — not the pages, not the content, but the domains and the pattern. On a normal connection that resolver usually belongs to your ISP.
A VPN is supposed to move that trust: your lookups should travel inside the encrypted tunnel to the VPN's own resolver. When they don't — when they slip out to the ISP's resolver on the regular interface — that's the leak. Nothing looks broken. Sites load normally. The only symptom is invisible: the wrong party is answering your lookups.
How do I check for a DNS leak?
Start with what your system thinks it's using:
```bash
# Linux (systemd-resolved)
resolvectl status | grep -A2 'DNS Servers'
```

```bash
# macOS
scutil --dns | grep 'nameserver\[0\]'
```

```powershell
# Windows
ipconfig /all | findstr "DNS Servers"
```

Connected to a VPN, the resolver shown should be an address inside the tunnel (often a private 10.x address) — not your ISP's resolver and not a public one you set years ago and forgot.
Configuration only tells you intent, though. The authoritative test is observing which resolvers actually make queries on your behalf: use a dedicated DNS leak test page (BrowserLeaks and similar tools work by having your browser resolve unique subdomains and recording which resolver asks). While the VPN is connected, every resolver detected should belong to the VPN provider. If your ISP's name shows up, you have a leak.
Then confirm the tunnel itself is doing its job at the IP layer:
```bash
curl ipconfig.io/asn-org
```

Off VPN this names your ISP; on VPN it must name the VPN's network. If the IP side checks out but the leak test still shows your ISP's resolvers, the problem is specifically DNS — the fixes below are aimed at exactly that.
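As an added example (it is not part of this guide or of the ipconfig.io tooling), the script below makes the first check repeatable on a systemd-resolved host. It parses `resolvectl status` output link by link, treats the tunnel interface (assumed here to be `tun0`; pass `wg0` or whatever your client creates) as the only legitimate place for a resolver, and flags any resolver configured on another link as a leak path, for IPv4 and IPv6 alike. The sample output is constructed and uses documentation-only addresses (192.0.2.x, 2001:db8::) as the stand-in for an ISP resolver.

```shell
#!/usr/bin/env bash
# Added example, not code from the ipconfig.io guide: audit the resolvers
# systemd-resolved reports, per link, against an assumed tunnel interface.
# Input is in the format of `resolvectl status`; the samples below are
# constructed and use documentation-only addresses for the ISP resolver.

# address_scope ADDR -> "private" for RFC 1918 IPv4 or IPv6 ULA (fc00::/7), else "public"
address_scope() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
    [fF][cCdD]*) echo private ;;
    *) echo public ;;
  esac
}

# audit_resolvers TUNNEL_IFACE < resolvectl-output
# Prints "<link> <address> <verdict>" for every configured resolver. Verdicts:
#   tunnel  private address on the tunnel link (what you expect on VPN)
#   check   public address on the tunnel link: queries ride the tunnel, but
#           confirm it is the VPN's resolver and not one set long ago
#   leak    any resolver on a link other than the tunnel; the OS can query it
#           directly over the physical interface
# Returns 1 if at least one resolver got the "leak" verdict, else 0.
audit_resolvers() {
  local tun="$1" link="" leak=0 line addr verdict
  while IFS= read -r line; do
    case "$line" in
      Global) link="Global" ;;
      Link\ *\(*\))
        link="${line#*\(}"; link="${link%%\)*}" ;;
      *"DNS Servers:"*)
        # word-splitting the address list is intended
        for addr in ${line#*DNS Servers:}; do
          if [ "$link" != "$tun" ]; then
            verdict=leak; leak=1
          elif [ "$(address_scope "$addr")" = private ]; then
            verdict=tunnel
          else
            verdict=check
          fi
          printf '%s %s %s\n' "$link" "$addr" "$verdict"
        done ;;
    esac
  done
  return "$leak"
}

# Constructed sample: a VPN tun0 with a 10.x resolver, while the Wi-Fi link
# still carries the ISP-assigned resolvers (the "OS keeps the old resolver" case).
SAMPLE_LEAKING='Link 3 (tun0)
    Current Scopes: DNS
       DNS Servers: 10.8.0.1
Link 2 (wlan0)
    Current Scopes: DNS
       DNS Servers: 192.0.2.53 2001:db8::53'

# Constructed sample of the same host after the client removed DNS from the physical link.
SAMPLE_CLEAN='Link 3 (tun0)
       DNS Servers: 10.8.0.1
Link 2 (wlan0)
    Current Scopes: none'

if printf '%s\n' "$SAMPLE_LEAKING" | audit_resolvers tun0; then
  echo "no resolver outside tun0"
else
  echo "DNS leak path present"
fi
```

Against a live host, run `resolvectl status | audit_resolvers tun0`. The verdict keys on the link rather than the address on purpose: a home router at 192.168.1.1 is a private address too, and it forwards straight to the ISP. Configuration still only shows intent, so the browser-based leak test above remains the authoritative check.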
What causes a DNS leak?
| Cause | What's happening |
|---|---|
| OS keeps the old resolver | The VPN connects, but the system still sends lookups to the ISP resolver on the physical interface |
| Manually-set DNS | A hardcoded resolver (on the device or the router) bypasses the tunnel's DNS entirely |
| IPv6 escapes an IPv4-only VPN | Lookups (and traffic) ride IPv6 outside a tunnel that only captured IPv4 — see the VPN leak guide |
| Windows smart multi-homed resolution | Older Windows versions query every interface in parallel and take the fastest answer — including the leaky one |
How do I fix a DNS leak?
The durable fix is structural, not a settings tweak: use a VPN client that runs its own resolver inside the tunnel and refuses DNS on every other path, with a kill switch so nothing falls back to the ISP when the tunnel drops. Proton VPN does all three by default — in-tunnel DNS, leak protection, kill switch — and is independently audited and no-logs. (Affiliate link; it helps keep ipconfig.io free. Any client with in-tunnel DNS and a kill switch meets the bar.)
Whatever client you use, verify after reconnecting: the leak test should show only VPN-owned resolvers, and `curl ipconfig.io/asn-org` should name the VPN, not your ISP. If you have IPv6, test both families — a tunnel that only moves IPv4 leaves the other half of your traffic at home.
Frequently asked questions
What is a DNS leak? Your domain lookups traveling outside the VPN tunnel to your ISP's resolver. Traffic stays encrypted, but the ISP still sees every domain you visit.
How do I check for a DNS leak? Check the configured resolver (`resolvectl status`, `scutil --dns`, or `ipconfig /all`), then run a dedicated DNS leak test while on VPN. Every detected resolver should belong to the VPN provider.
What causes a DNS leak? The OS keeping the ISP resolver active, a hardcoded DNS server bypassing the tunnel, IPv6 escaping an IPv4-only VPN, or Windows querying all interfaces at once.
How do I fix a DNS leak? A VPN client with its own in-tunnel DNS, leak blocking, and a kill switch — then re-test to confirm only the VPN's resolvers answer for you.
Next steps
- Check if your VPN is leaking your real IP — the IP-layer half of this test, on IPv4 and IPv6.
- What is a WebRTC leak? — the browser-side channel that can expose your address even with DNS handled.
- Find your ISP from your IP — read the `asn_org` field this guide uses to verify the tunnel.