MyIPScan
Resolver-signal check

DNS Leak Test: Check VPN DNS Leaks and Resolver Mismatch

Run a focused DNS leak test, compare resolver owner before and after VPN changes, and understand whether a mismatch is a real review item or normal resolver routing.

This is a limited resolver-signal diagnostic. It queries public DNS-over-HTTPS resolver-signal endpoints and a MyIPScan DNS Lookup API control. It is not authoritative DNS capture, and a low-review result does not prove every DNS route was checked.

DNS privacy check

Current Result

Not checked yet
Ready to check. Run the DNS check to gather browser-visible resolver signals. The result is limited and should be compared with your VPN, browser secure-DNS, and operating-system DNS settings.
Browser signal
Cloudflare and Google public DoH resolver-signal responses.
Server control
MyIPScan DNS Lookup API checks example.com through a free DoH resolver as a control.
Not covered
Authoritative DNS observations, every app route, router DNS, and OS-level DNS behavior.
Privacy
Before/after comparison is stored only in this browser until cleared.
Verdict first Compare later Details below

Short answer

A DNS leak is about resolver ownership, not country labels alone

If your VPN is connected and DNS still goes to your ISP, router, or an unexpected browser Secure DNS provider, that is worth reviewing. If only the country label differs, it may be anycast, resolver routing, or database mismatch rather than a leak.

Run DNS Check Windows DNS guide DNS country mismatch Safe Copy
ResultLikely meaningNext step
Resolver is VPN providerUsually expected when the VPN controls DNS.Run VPN, WebRTC, and IPv6 checks before calling the setup clean.
Resolver is ISP/routerPossible DNS leak while VPN is connected.Review VPN DNS leak protection, Windows adapter DNS, and split tunneling.
Resolver is public DNS you choseMay be intentional browser Secure DNS or system DNS.Document it in the receipt and check whether it matches your goal.
Country differs onlyNot automatically a leak; anycast and geolocation can differ.Focus on resolver owner and route intent.

DNS leak test checklist

How to run a DNS leak test before and after VPN changes

Use the first run as a baseline, then reconnect the VPN or change Secure DNS and run the DNS leak test again. The useful comparison is whether resolver ownership moved from your ISP, router, or browser Secure DNS provider to the route you expected.

  • Check resolver owner first; country labels can differ because of anycast or geolocation databases.
  • Compare DNS with WebRTC and IPv6 before judging a VPN setup.
  • Use Safe Copy when you need to save the outcome without raw resolver details.

When to investigate

DNS leak results that deserve a closer look

Review the setup when the resolver still belongs to your ISP or router while the VPN is connected, when browser Secure DNS bypasses the route you expected, or when the result changes between normal and private browser profiles.

Then check VPN DNS leak protection, split tunneling, operating-system DNS settings, browser Secure DNS, and router DNS in that order.

Exposure estimate and receipt limits

A DNS review flag means the visible resolver signal may not match what you expected. It is not automatic proof of harm. Receipt exports use safe categories and remove raw resolver IPs and other sensitive diagnostic identifiers. Read the methodology.

See what Safe Copy includes before sharing or saving a result.

Want the full picture? Run the Privacy Exposure Report.

Combine IP, WebRTC, IPv6, DNS leak, fingerprint, user-agent, and related privacy signals in one report.

Run report

What this DNS check can show

DNS turns a domain name into the IP address your browser needs to connect. This page can show resolver signals returned by public browser-accessible DoH endpoints and whether the MyIPScan server-side DNS control is reachable.

Unknown, IPv6, or inconsistent resolver signals may be worth checking against your expected VPN or secure-DNS route. They are not automatic proof of a problem.

What this check cannot show

This page cannot see every DNS request made by your operating system, router, VPN app, browser secure-DNS setting, or other apps. It also cannot observe authoritative DNS query logs for randomized test domains.

Use the result as a practical signal, then compare it with your VPN app settings and a second network or browser when the signal looks inconsistent.

How this resolver-signal check works

The browser queries public DNS-over-HTTPS resolver-signal endpoints. The page labels known public resolver patterns, unknown signals, IPv6 resolver signals, and endpoint failures with conservative statuses.

The page also calls the existing MyIPScan DNS Lookup API for a harmless control lookup. That API uses a free public DoH resolver and helps separate "DNS lookup API is reachable" from "browser resolver signal is visible."

Status meanings

  • No obvious mismatch: the limited signals did not show an unexpected resolver pattern.
  • Possible mismatch: one or more signals should be compared with expected VPN or browser DNS settings.
  • Limited signal: the test ran but cannot cover every DNS route.
  • Unable to check: public resolver-signal endpoints were blocked, timed out, or returned no usable data.

Before / after VPN

How to compare DNS behavior

Run the check before changing VPN or secure-DNS settings, save the result, then reconnect your VPN and run the check again. The comparison stays in memory for this page session only.

  1. Run the DNS check on your current connection.
  2. Use Save as Before VPN after results appear.
  3. Enable or reconnect your VPN, or change secure-DNS settings.
  4. Run the check again and review changed resolver signals.
  5. Clear the local comparison when you are done.

Fixes

What to check when DNS looks inconsistent

These steps can help when DNS signals do not match the route you expected.

  1. Enable DNS leak protection in your VPN app if the setting exists.
  2. Use your VPN provider's DNS servers or one trusted secure-DNS resolver intentionally.
  3. Review browser secure-DNS settings because they can differ from system DNS settings.
  4. Reconnect the VPN after changing DNS settings.
  5. Run the VPN Leak Test, WebRTC Leak Test, and IPv6 Leak Test for neighboring exposure signals.

Related tools

Continue the privacy check

DNS Records LookupLook up A, AAAA, MX, TXT, NS, and CNAME records with the server-side DNS tool. VPN Leak TestCombine DNS, WebRTC, IPv6, IP, and browser signals. Windows DNS Leak TestUse the desktop troubleshooting flow for VPN DNS settings, secure DNS, and resolver mismatch. WebRTC Leak TestCheck whether browser ICE candidates expose IP details. IPv6 Leak TestLook for IPv6 exposure while using a VPN. MethodologyRead how each MyIPScan diagnostic works and where it is limited.

Related guides

Learn the signals

What Is a DNS Leak and How to Prevent ItUnderstand DNS leaks and practical prevention steps. DNS Leak Topic HubFollow the DNS leak cluster for VPN resolver mismatch, secure DNS, and troubleshooting paths. Windows DNS Leak Test GuideFollow the Windows-specific path after this tool reports a resolver route worth reviewing. What Is a WebRTC Leak?See how browser networking can reveal IP candidates. What Is a VPN and How Does It Hide My IP?Learn what VPNs route and what they do not hide. How to Hide Your IP AddressCompare VPNs, Tor, proxies, and safer browser habits. VPN for Crypto AccountsUse DNS and IP checks as possible signals before sensitive account sessions. VPN Kill Switch ExplainedUnderstand why kill switches and DNS behavior still need separate checks. Guides HomeOpen the MyIPScan blog for newer privacy guides.

Before / after privacy flow

Compare one browser or VPN change at a time

This page is focused on browser-visible resolver signals and resolver-owner mismatch. Run the focused DNS check first, then use Public Exposure Report when IP, WebRTC, IPv6, and fingerprint context also matters. Results are visible browser/session signals, not a certification.

1. BaselineRun the focused check before changing VPN, DNS, browser, profile, or network settings.
2. Change one thingConnect or switch VPN, change Secure DNS, adjust WebRTC/fingerprint settings, or move networks.
3. RetestRun the same check again in the same browser/session when possible.
4. CompareReview changed and unchanged IP route, DNS, WebRTC, IPv6, fingerprint, and User-Agent signals.
5. Safe receiptUse Safe Copy or the Safe Privacy Receipt instead of sharing raw identifiers.

Status language

Use conservative result labels

These labels keep the result understandable without implying a VPN, browser, device, or account is safe.

Visible

A browser/session signal was visible and should be compared with what you expected.

Expected

The observed signal appears consistent with the stated route or browser behavior.

Review

The signal may need closer review before relying on this setup for the current session.

Limited

The check ran, but this page cannot cover every app, device route, server, or future connection.

Not detected

The tested signal was not observed in this browser/session.

Not checked

The signal has not run yet or the browser did not provide enough data.

Fix checklist

Where to review settings after a signal needs attention

Settings names change. Treat this as a route to verify, then rerun the focused check and the Public Exposure Report.

ChromeReview Secure DNS, WebRTC policy/extensions, profile state, and site permissions.
EdgeReview Chromium privacy settings, managed policies, Secure DNS, and VPN split tunneling.
FirefoxReview Enhanced Tracking Protection, DNS over HTTPS, and advanced WebRTC preferences when appropriate.
BraveReview Shields, fingerprinting protections, and WebRTC IP handling policy.
SafariReview website permissions, iCloud Private Relay context, and operating-system privacy settings.
iOSRetest after VPN profile, relay, mobile data, or Wi-Fi changes. Browser controls may be limited.
AndroidReview per-app VPN, Private DNS, browser permissions, and Wi-Fi versus mobile data behavior.
WindowsReview VPN adapter DNS, split tunneling, IPv6, browser Secure DNS, and firewall/proxy rules.
macOSReview VPN profile order, DNS settings, iCloud Private Relay context, and browser-specific privacy controls.
Public Exposure ReportDefault next step for a combined route map and Safe Privacy Receipt. Is My VPN Working?Before/after VPN workflow for visible browser/session signals. What Websites Can See About MePlain-language map of signals websites may read from this browser/session. Check My Browser PrivacyFocused path for fingerprint, WebRTC, IPv6, User-Agent, and browser settings.

Check DNS

What this checks

Visible DNS resolver signals, including resolver owner, route expectations, browser Secure DNS behavior, and mismatches between DNS and the visible IP route.

Limits

What this cannot check

It cannot see every DNS request from every app, inspect router or ISP logs, or prove that all browsing destinations are private.

Read results

How to interpret results

A good result means the resolver owner matches the route you expected, or the result explains a known provider or anycast mismatch without an ISP/router resolver appearing unexpectedly.

Warnings

What a warning means

A warning means DNS may still be routed through an ISP, router, browser Secure DNS provider, or resolver path you did not expect while testing.

Fix path

What to do next

Review VPN DNS settings, browser Secure DNS, router DNS, and split-tunnel rules. Country labels alone can be misleading because DNS uses anycast and shared infrastructure.

Retest

When to retest

Retest after reconnecting the VPN, changing Secure DNS, changing router DNS, switching browser profiles, or moving to another network.

Related tools

Continue with the closest checks

Public Exposure ReportFull browser-session report with Safe Copy, issues, fixes, and clear limits. VPN Leak TestCompare visible IP, DNS, WebRTC, IPv6, and browser signals. WebRTC Leak TestBrowser ICE candidate behavior and WebRTC exposure signals. IPv6 Leak TestIPv6 visibility alongside IPv4 in the current session. MethodologyReview how MyIPScan labels signals, limitations, and Safe Copy output.