What Is a DNS Leak and How to Prevent It
A DNS leak happens when your device sends domain lookups to a resolver outside your intended private route — for example, to your ISP’s DNS instead of the VPN’s or your chosen encrypted resolver. This exposes the websites you visit to networks and third parties, even if your IP is hidden. Below we explain what DNS leaks are, how to test for them, and how to prevent leaks on VPNs, browsers, and operating systems.
What is DNS and why leaks matter
DNS translates human-readable names (like example.com) into IP addresses. If DNS queries bypass your VPN tunnel or encrypted resolver, observers can infer your browsing activity. Leaks reduce privacy, break region settings, and can trigger streaming or corporate restrictions.
Common causes of DNS leaks
- OS resolver overrides: System or adapter DNS points to ISP resolvers and ignores the VPN’s DNS.
- Split tunneling or policy routing: Some apps bypass the VPN, sending DNS outside the tunnel.
- IPv6 path differences: IPv6 lookups can exit via different resolvers if not handled by the VPN.
- Smart DNS / captive portals: “Helpful” network services rewrite DNS to local resolvers.
- Browser settings or extensions: Per-app DoH with fallback to system DNS can create mixed paths.
How to test for DNS leaks (2 minutes)
- Connect your VPN (or configure your resolver) and open What is My IP to confirm a changed public IP.
- Run DNS Lookup and note the resolver IPs / ASNs / country reported.
- Disable the VPN and repeat the test, then compare the two resolver lists. If the resolvers reported while connected are the same ones reported with the VPN off (typically your ISP’s), your DNS queries are leaving the tunnel and you have a leak.
- If you use IPv6, ensure the test shows IPv6 resolvers consistent with your setup.
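The on/off comparison and the IPv6 step above can be scripted. The following is an added example, not a tool from this page: it parses a constructed resolv.conf-style resolver list, flags resolvers the VPN did not push (and IPv6 resolvers when the VPN does not carry IPv6), and applies the page’s with-VPN vs without-VPN comparison. The VPN resolver address and the sample entries are assumptions using documentation address ranges.

```python
import ipaddress

# Constructed sample (not real data): resolver list on a Linux host with the
# VPN up, but the ISP resolver and an IPv6 resolver still present.
SAMPLE_RESOLV_CONF = """\
# generated by VPN client (constructed sample)
nameserver 10.8.0.1          ; pushed by the VPN (assumed VPN DNS)
nameserver 203.0.113.53      # ISP resolver left behind (TEST-NET-3 range)
nameserver 2001:db8::53      # IPv6 resolver (documentation range)
search lan
"""

# Assumption: the resolver(s) your VPN client is expected to push.
VPN_RESOLVERS = {"10.8.0.1"}


def parse_nameservers(text):
    """Return 'nameserver' entries from resolv.conf-style text, ignoring comments."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers, vpn_resolvers, vpn_handles_ipv6=False):
    """Map each configured resolver to a verdict. Anything the VPN did not push
    is a path outside the tunnel; IPv6 resolvers are flagged separately when
    the VPN does not carry IPv6 (the page's 'handle IPv6' step)."""
    wanted = {ipaddress.ip_address(v) for v in vpn_resolvers}
    verdicts = {}
    for s in servers:
        addr = ipaddress.ip_address(s)
        if addr in wanted:
            verdicts[s] = "ok: VPN DNS"
        elif addr.version == 6 and not vpn_handles_ipv6:
            verdicts[s] = "leak: IPv6 resolver outside tunnel"
        else:
            verdicts[s] = "leak: resolver not pushed by VPN"
    return verdicts


def compare_lookups(resolvers_with_vpn, resolvers_without_vpn):
    """The page's on/off test: a resolver seen both with and without the VPN
    is answering outside the tunnel."""
    return sorted(set(resolvers_with_vpn) & set(resolvers_without_vpn))


if __name__ == "__main__":
    for server, verdict in classify_resolvers(
            parse_nameservers(SAMPLE_RESOLV_CONF), VPN_RESOLVERS).items():
        print(f"{server:<16} {verdict}")
    # Constructed lookup results: resolvers reported with the VPN on vs off.
    print("leaking:", compare_lookups(["10.8.0.1", "203.0.113.53"], ["203.0.113.53"]))
```

On a real host, replace the sample text with the contents of your resolver configuration and the placeholder with the DNS address your VPN client actually pushes.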
Fixing DNS leaks: proven methods
- Use VPN-provided DNS: enable the option “Use VPN DNS” or “Block outside DNS” in your app. Turn on the kill switch.
- Force encrypted DNS: set DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to a trusted resolver (system-wide or browser), but keep it consistent with your VPN route.
- Handle IPv6: enable IPv6 in the VPN client or disable IPv6 on the adapter if your VPN doesn’t support it.
- Avoid split tunneling for browsers and sensitive apps, or include DNS in the tunnel explicitly.
- Set adapter priority: ensure the VPN virtual adapter has higher priority than the physical adapter (on Windows, a lower interface metric) so that its DNS servers are the ones the system uses.
- Router-level DNS (optional): if you control the router, set encrypted DNS there and disable ISP overrides.
DoH, DoT, VPN DNS — what’s the difference?
| Option | Encrypts DNS? | Hides from ISP? | Consistent with VPN? | Best use |
|---|---|---|---|---|
| DoH (DNS-over-HTTPS) | ✅ Yes | ✅ Yes | ⚠️ Sometimes | Browser-level privacy; per-app control |
| DoT (DNS-over-TLS) | ✅ Yes | ✅ Yes | ⚠️ Sometimes | System-wide on mobile/routers |
| VPN DNS | ✅ Via tunnel | ✅ Yes | ✅ Yes | Best with VPN; avoids route mismatch |
Tip: Mixing per-app DoH with a VPN can still leak if the browser falls back to system DNS or routes outside the tunnel.
Checklist: secure setup in 5 steps
- Enable VPN DNS + kill switch in your VPN app.
- Pick a single DNS strategy (VPN DNS or DoH/DoT) and stick to it across apps.
- Handle IPv6: enable in VPN or disable system IPv6 temporarily.
- Re-test on DNS Lookup; resolvers should match your chosen strategy.
- Harden the browser (block third-party cookies, limit extensions, consider anti-fingerprinting).
Test now: Check your current IP on What is My IP, then verify resolvers via DNS Lookup and browser IP via WebRTC Leak Test.