What Is a DNS Leak?
When you use a VPN, all your internet traffic — including DNS queries — should travel through the encrypted VPN tunnel. A DNS leak occurs when your DNS queries bypass the VPN tunnel and are sent directly to your ISP's DNS servers instead. This means your ISP can see which websites you are visiting, even though you are using a VPN.
DNS (Domain Name System) is the internet's phone book: when you type a domain name like example.com, your device queries a DNS server to get the corresponding IP address. If this query leaks outside the VPN tunnel, it reveals your browsing destinations to whoever operates the DNS server — typically your ISP.
Why DNS Leaks Happen
Misconfigured VPN: The VPN client fails to route all traffic, including DNS, through the tunnel. OS-level DNS settings: Windows, macOS, and mobile operating systems may have their own DNS resolution mechanisms that bypass the VPN. WebRTC: Browser WebRTC functionality can leak your real IP and DNS even when a VPN is active. Smart Multi-Homed Name Resolution (Windows): Windows 10/11 sends DNS queries to all available interfaces simultaneously for speed, potentially causing leaks.
How to Test for DNS Leaks
Visit these test sites while connected to your VPN:
- dnsleaktest.com
- ipleak.net
- browserleaks.com/dns
Run the Standard test. Results should show only DNS servers belonging to your VPN provider. If you see your ISP's DNS servers in the results, you have a DNS leak.
How to Fix DNS Leaks
Choose a VPN with built-in DNS leak protection
Quality VPN providers (Mullvad, ProtonVPN, ExpressVPN) include DNS leak protection by default. Enable this setting explicitly if it is available in your VPN client settings.
Set custom DNS servers:
Configure your operating system to use a privacy-respecting DNS provider instead of your ISP's servers:
- Cloudflare: 1.1.1.1 and 1.0.0.1
- Google: 8.8.8.8 and 8.8.4.4 (less private — still Google)
- NextDNS or AdGuard DNS for filtering
Windows-specific: Disable Smart Multi-Homed Name Resolution through Group Policy if you are a Windows pro/enterprise user.
Disable WebRTC in your browser
Firefox: about:config > media.peerconnection.enabled > set to false Chrome: Requires an extension like WebRTC Network Limiter Brave: Built-in WebRTC protection in privacy settings
Use a VPN with a kill switch
A kill switch blocks all internet traffic if the VPN connection drops, preventing fallback to your regular connection during the gap.
DNS Leaks and Email Privacy
DNS leaks affect privacy at the network level — revealing which sites you visit but not the content of your communications (HTTPS protects content). Email privacy through Temp90 addresses a different layer — identity protection at the registration level — and is complementary to fixing DNS leaks rather than overlapping.
Frequently Asked Questions
Does a DNS leak mean my VPN is not working?
The VPN tunnel itself may be intact and encrypting traffic, but if DNS queries leak outside the tunnel, your browsing destinations are visible to your ISP. This is a specific failure mode rather than a complete VPN failure.
Can HTTPS protect me from DNS leak exposure?
HTTPS encrypts the content of communications but not DNS queries. DNS-over-HTTPS (DoH) encrypts DNS queries specifically. Use both HTTPS and DoH for comprehensive protection.
Is DNS-over-HTTPS the same as a VPN?
No. DoH encrypts only your DNS queries. A VPN encrypts all traffic. DoH prevents your ISP from seeing your domain lookups; a VPN prevents them from seeing any of your traffic. They are complementary tools.
Conclusion
DNS leaks are a specific VPN failure mode that can undermine network privacy even when the VPN connection itself is active. Testing for leaks, using a VPN with built-in DNS protection, and configuring privacy-respecting DNS servers eliminate this vulnerability. Combined with browser WebRTC protection, these measures ensure your VPN provides the network privacy it promises.