What Is a DNS Leak and How Do You Fix It?
A Domain Name System (DNS) leak is when your Virtual Private Network (VPN) encrypts your browsing traffic but leaves your DNS lookups outside the tunnel, sending them directly to your Internet Service Provider's (ISP's) resolver instead of through the VPN. Your ISP still sees the name of every site you look up, even though you are paying for a VPN specifically to prevent that.
What Is DNS, in Plain English?
Before your browser can load any website, it needs to translate the site's human-readable name (like example.com) into a numerical IP address that servers actually use. This translation service is called the Domain Name System (DNS) — often described as the internet's phonebook.
When you type bbc.com into your browser, your device sends a DNS query to a DNS server asking: "What is the IP address of bbc.com?" The DNS server responds with the answer, and your browser connects to that IP address to load the page. The entire process takes milliseconds and happens invisibly.
By default, your device uses the DNS servers provided by your ISP. The original DNS specification is documented in RFC 1034 and RFC 1035 published by the Internet Engineering Task Force (IETF). These foundational documents define a system that was designed for reliability, not privacy — DNS queries were sent in plaintext with no encryption and no authentication.
Cloudflare's Learning Center on DNS explains how DNS resolution works end-to-end in accessible language.
Why Do DNS Leaks Happen?
A DNS leak is not typically a deliberate failure — it is usually a configuration problem in the VPN software or operating system.
When you connect to a VPN, the intended behavior is that all your internet traffic — including DNS queries — travels through the encrypted VPN tunnel. The VPN provider's DNS servers handle your lookups, not your ISP's. Websites see the VPN server's IP address, and your ISP sees only that you are connected to a VPN.
The actual behavior, in many cases, is different. Several common causes of DNS leaks:
Operating system fallback behavior. Modern operating systems, including Windows, macOS, and Linux, are designed to be resilient. If the first configured DNS server does not respond quickly, the OS retries against the next one. When a VPN is active, the VPN's resolver is usually listed first, but the resolver learned from DHCP on the physical network (your home router, or the ISP's server directly) often remains in the list as a fallback. If the VPN resolver is slow or momentarily unavailable, the OS falls back to that server and the query leaves the tunnel in plaintext. Windows goes further: its multi-homed name resolution can send a query to the resolvers of several network adapters at once, so the leak does not even require the VPN resolver to fail.
VPN apps that do not force DNS routing. Some VPN applications establish the encrypted tunnel for browsing traffic but do not explicitly redirect DNS queries through that tunnel. DNS requests then continue to flow to the default system resolver — your ISP.
Dual-stack network configurations. If your connection has both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) active, a VPN that only tunnels IPv4 may leave IPv6 traffic, including queries to an IPv6 resolver learned from the local router, on the native connection. The ISP receives that DNS traffic directly.
WebRTC. Browsers can reveal your real IP address through WebRTC's STUN/ICE candidate gathering even when a VPN is active. Strictly this is an IP leak rather than a DNS leak, and it is a browser behavior rather than a tunnel problem, but it is usually tested alongside DNS leaks because it defeats the same goal.
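The causes above (a fallback resolver outside the tunnel, a client that never re-pointed DNS, and untunneled IPv6) can all be read off two things a practitioner can inspect on any Linux box: the resolver list and the routing table. The Python below is an added example, not code from this page or from any VPN client. It longest-prefix-matches each configured resolver against a routing table to see which interface the query would leave on, then simulates what happens when the tunnel resolver stops answering. The addresses, interface names and resolv.conf contents are constructed samples; the "fixed" variants show the state the fix section below aims for.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed /etc/resolv.conf as a leaky VPN client often leaves it: the tunnel
# resolver was prepended, but the LAN router (which forwards to the ISP) and an
# IPv6 resolver learned from router advertisements were left in as fallbacks.
LEAKY_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::1
options timeout:1 attempts:1
"""

# Corrected version: only the tunnel resolver, so there is nothing to fall back to.
FIXED_RESOLV_CONF = "nameserver 10.8.0.1\n"

# Constructed routing table as (prefix, interface). The two IPv4 /1 routes are the
# classic OpenVPN "redirect-gateway" trick: they beat the ISP default route by being
# more specific, without deleting it. Note that no IPv6 route points at the tunnel.
LEAKY_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("10.8.0.0/24", "tun0"),
    ("192.168.1.0/24", "wlan0"),
    ("0.0.0.0/0", "wlan0"),
    ("::/0", "wlan0"),
]

# Corrected table: two /1 routes covering all of IPv6 also point at the tunnel
# (the alternative fix is to disable IPv6 on the physical interface).
FIXED_ROUTES: List[Tuple[str, str]] = LEAKY_ROUTES + [("::/1", "tun0"), ("8000::/1", "tun0")]


def parse_resolv_conf(text: str) -> List[str]:
    """Nameserver addresses in file order, which is the order the stub resolver tries them."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def route_lookup(routes: List[Tuple[str, str]], address: str) -> Optional[str]:
    """Longest-prefix match: the interface the kernel would use to reach `address`."""
    ip = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != ip.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_iface = net, iface
    return best_iface


def classify_resolvers(resolv_text: str, routes: List[Tuple[str, str]], vpn_iface: str) -> Dict[str, str]:
    """Map each configured resolver to 'tunnel', 'leak via <iface>' or 'unroutable'."""
    verdicts: Dict[str, str] = {}
    for server in parse_resolv_conf(resolv_text):
        iface = route_lookup(routes, server)
        if iface is None:
            verdicts[server] = "unroutable"
        elif iface == vpn_iface:
            verdicts[server] = "tunnel"
        else:
            verdicts[server] = f"leak via {iface}"
    return verdicts


def fallback_path(resolv_text: str, routes: List[Tuple[str, str]], vpn_iface: str,
                  unreachable: Set[str]) -> Tuple[Optional[str], str]:
    """Simulate OS fallback: skip resolvers in `unreachable` (e.g. a stalled tunnel DNS)
    and report which resolver gets the query and where it goes."""
    verdicts = classify_resolvers(resolv_text, routes, vpn_iface)
    for server in parse_resolv_conf(resolv_text):
        if server in unreachable:
            continue
        return server, verdicts[server]
    return None, "no resolver reachable (queries fail closed)"


if __name__ == "__main__":
    for label, conf, routes in (("leaky", LEAKY_RESOLV_CONF, LEAKY_ROUTES),
                                ("fixed", FIXED_RESOLV_CONF, FIXED_ROUTES)):
        print(label, classify_resolvers(conf, routes, "tun0"))
        print("  if 10.8.0.1 stalls:", fallback_path(conf, routes, "tun0", {"10.8.0.1"}))
```

The LAN router case is the one people miss: even with the /1 routes sending all general traffic through tun0, the more specific 192.168.1.0/24 route still wins for 192.168.1.1, so a query that falls back to the router leaves on wlan0 and is forwarded to the ISP. In the fixed configuration a stalled tunnel resolver makes lookups fail rather than leak, which is the behavior you want.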
How Do You Know If Your VPN Is Leaking DNS?
The most revealing signal is the ISP name your connection reports. Check what your connection actually reveals — we show your apparent ISP based on your current IP address. If your VPN is working correctly, the ISP name should reflect your VPN provider's network, not your real broadband provider. If you see your home ISP's name while your VPN claims to be active, something is leaking — either your real IP address, your DNS, or both.
A few important caveats: this tool shows ISP classification based on the IP address we observe. It is not a dedicated DNS leak test — it does not independently test your DNS resolver. If the IP address appears correct (showing your VPN provider) but you still suspect DNS leaks, use a dedicated DNS leak test tool in addition to checking your apparent ISP here.
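The dedicated DNS leak tests mentioned above work by handing the browser a unique hostname under a domain the test service controls and watching, on that domain's authoritative nameserver, which resolver asks for it. The resolver that shows up is whatever your operating system actually used, regardless of what the VPN app claims. The Python below is an added example of the server-side half of that check, not code from this page or from any leak-test service; the zone name leaktest.example, the resolver addresses and the BIND-style query log lines are all constructed for the example.

```python
import ipaddress
import re
import secrets
from typing import Dict, List, Set

# Hypothetical zone owned by the leak-test service. Its authoritative nameserver
# logs every query, so it sees the source address of whichever recursive resolver
# asked for each probe name.
TEST_ZONE = "leaktest.example"

# Egress addresses of the VPN provider's own resolvers (assumed; documentation range).
TRUSTED_RESOLVERS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed BIND-style query log from the authoritative server (192.0.2.53).
# Probe 1 was asked only by the VPN resolver; probe 2 by the VPN resolver and an
# ISP resolver (parallel queries); probe 3 by the ISP resolver alone. The last line
# belongs to a different user's test and must not influence ours.
AUTH_QUERY_LOG = """\
client @0x7f3a1c0 203.0.113.53#41523 (a1b2c3d4e5f60718.leaktest.example): query: a1b2c3d4e5f60718.leaktest.example IN A +E(0)K (192.0.2.53)
client @0x7f3a1c0 203.0.113.53#41524 (99887766aabbccdd.leaktest.example): query: 99887766aabbccdd.leaktest.example IN A +E(0)K (192.0.2.53)
client @0x7f3a1d8 198.51.100.7#53011 (99887766aabbccdd.leaktest.example): query: 99887766aabbccdd.leaktest.example IN A + (192.0.2.53)
client @0x7f3a1d8 198.51.100.7#53012 (0000111122223333.leaktest.example): query: 0000111122223333.leaktest.example IN A + (192.0.2.53)
client @0x7f3a1f0 192.0.2.66#60001 (someone-elses-probe.leaktest.example): query: someone-elses-probe.leaktest.example IN A + (192.0.2.53)
"""

# Matches the source address and queried name at the start of a BIND query-log line.
LOG_RE = re.compile(r"^client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\):")


def new_probe_name() -> str:
    """Unique, unguessable label: no cache can already hold it and nobody else's
    queries can be confused with this test's."""
    return f"{secrets.token_hex(8)}.{TEST_ZONE}"


def resolvers_for_probe(log_text: str, probe_name: str) -> Set[str]:
    """Source addresses of every recursive resolver that asked for probe_name."""
    want = probe_name.lower().rstrip(".")
    seen: Set[str] = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("qname").lower().rstrip(".") == want:
            seen.add(m.group("src"))
    return seen


def verdict(resolvers: Set[str], trusted: List[ipaddress._BaseNetwork]) -> Dict[str, object]:
    """'ok' if every resolver that asked belongs to the VPN provider, else 'leak'."""
    untrusted = sorted(
        ip for ip in resolvers
        if not any(ipaddress.ip_address(ip) in net for net in trusted)
    )
    if not resolvers:
        status = "no query seen"
    elif untrusted:
        status = "leak"
    else:
        status = "ok"
    return {"status": status, "resolvers": sorted(resolvers), "untrusted": untrusted}


def run_leak_test(log_text: str, probe_name: str,
                  trusted: List[ipaddress._BaseNetwork] = TRUSTED_RESOLVERS) -> Dict[str, object]:
    """Server-side evaluation of one probe: who resolved it, and were they all trusted?"""
    return verdict(resolvers_for_probe(log_text, probe_name), trusted)


if __name__ == "__main__":
    for probe in ("a1b2c3d4e5f60718", "99887766aabbccdd", "0000111122223333"):
        print(probe, run_leak_test(AUTH_QUERY_LOG, f"{probe}.{TEST_ZONE}"))
    print("fresh probe:", run_leak_test(AUTH_QUERY_LOG, new_probe_name()))
```

On the client side the only action needed is to resolve the probe name (for instance with socket.getaddrinfo(name, 443)), which is why no network call appears in the block; a real test zone's authoritative server would see the query within a second or two. A single probe name answered by two different resolvers, as in the second probe above, is the signature of a system that queries several resolvers in parallel rather than one that fell back after a timeout.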
How to Fix a DNS Leak
The fix depends on what is causing the leak, but there are three reliable approaches.
Choose a VPN with built-in DNS leak protection. Reputable VPN providers explicitly address DNS routing in their software. Look for a VPN that runs its own DNS servers and routes all DNS queries through the encrypted tunnel — and that documents this behavior clearly. Most trustworthy providers will also have a DNS leak protection toggle in their settings.
Configure encrypted DNS at the operating system level. DNS over HTTPS (DoH) and DNS over TLS (DoT) are encrypted transports for DNS that prevent your ISP from reading your queries. Mozilla's developer documentation covers how to enable DoH in Firefox. Windows 11 exposes DoH in its network settings, Apple platforms (macOS 11 Big Sur and iOS 14 onward) support DoH and DoT through configuration profiles or apps rather than a settings toggle, and many Linux distributions support DoT through systemd-resolved.
Enabling encrypted DNS at the OS level adds a layer of protection even when your VPN is not active — your ISP cannot read your DNS queries regardless of your VPN status. However, it does not guarantee that DNS traffic goes through the VPN tunnel when the VPN is connected; that depends on the VPN application's configuration.
Test after every major network change. DNS leak behavior can change when you switch networks, update your VPN client, or install OS updates. Establish a habit of checking your apparent ISP after connecting to a new network or updating your software.
So What Does This Mean for You?
If you use a VPN specifically to keep your browsing private — from your ISP, from employers on a corporate network, or from the websites you visit — a DNS leak means your privacy protection has a gap that undermines the whole purpose.
The scenario is worth making concrete: you pay for a VPN service, connect to a server in another country, and believe your browsing is private. Meanwhile, your ISP receives a plaintext log of every domain you look up. They see that you visited a health information site, a news outlet associated with a particular political viewpoint, a financial services provider, and a legal research database — all in the same evening. The VPN's encryption protected the content of those visits, but the fact that you made them, and when, is completely visible.
DNS leaks are fixable, and fixing them is not technically difficult. The barrier is awareness: most people do not know to check.
Frequently Asked Questions
Does my VPN leak DNS?
Most reputable VPN applications include DNS leak protection by default, but "reputable" is doing a lot of work in that sentence. Check your VPN provider's documentation for explicit confirmation that DNS queries are routed through the tunnel. Then verify it: connect to your VPN and check your apparent ISP — if it shows your real broadband provider instead of your VPN provider, something is leaking. Run this check after every major OS update or network configuration change, because DNS routing can silently break when software changes.
Can I have a DNS leak without using a VPN?
Technically no. The term "DNS leak" is defined relative to a VPN tunnel — it describes DNS traffic that escapes a tunnel it should travel through. Without a VPN, there is no tunnel for DNS to leak out of. Your ISP sees all your DNS queries by default, and that is simply how the unprotected internet works rather than a "leak." If you want DNS privacy without a VPN, encrypted DNS (DNS over HTTPS or DNS over TLS) prevents your ISP from reading your queries, though it does not hide which IP addresses you connect to.
Does encrypted DNS (DoH) prevent DNS leaks?
Partly. DNS over HTTPS (DoH) encrypts your DNS queries so your ISP cannot read them, which is meaningful privacy protection in its own right. However, if you are using a VPN, DoH does not guarantee that your DNS queries travel through the VPN tunnel; a browser's built-in DoH client might send them directly to the DoH provider's servers, bypassing the VPN entirely. Whether this matters depends on your threat model: your ISP cannot read the queries (because they are encrypted), though it can still see that you are talking to that DoH provider; your VPN provider cannot see the queries either; and the DoH provider sees all of them. Configuration matters more than any single technology.
Sources
- RFC 1035 — Domain Names: Implementation and Specification: The foundational DNS protocol specification from the IETF
- Cloudflare Learning: What Is DNS?: Plain-English explanation of how DNS resolution works
- Mozilla Developer Network: DNS over HTTPS: How to enable encrypted DNS in Firefox and what it protects