What is a DNS leak? How to check, fix, and prevent it

If you care about online privacy, it’s worth knowing about DNS leaks. Even with a VPN, they can reveal what you’re up to online.

But don’t worry. It’s easy to understand, check for, and fix. In this guide, we’ll break down exactly what a DNS leak is, how it happens, and simple steps you can take to prevent it.

What does DNS mean?

DNS stands for Domain Name System. It’s like the internet’s phonebook. Instead of making you remember long strings of numbers (IP addresses) for every website you visit, DNS lets you type in a name like “example.com” and automatically finds the right address for you.

This system makes the web easy to use. Without DNS, you'd have to memorize numeric IP addresses for every site, which would make browsing a lot more complicated.

Learn more: If you're curious, you can read more details about DNS, including how to find and check your DNS server.

What does a DNS leak do?

A DNS leak can expose the websites you visit, even if the rest of your traffic is encrypted. This undermines your privacy by allowing ISPs, companies, or even government agencies to see your browsing history. It can also leave you vulnerable to tracking or interception through methods like man-in-the-middle attacks.

What causes DNS leaks

A DNS leak doesn’t usually have one single cause. It can happen for a few different reasons, so fixing it may take a little trial and error.

VPN doesn’t encrypt DNS requests

When you use a VPN, your internet traffic is meant to be encrypted and routed through a secure tunnel that hides your activity from your ISP or local network. But sometimes, DNS requests (the “phonebook lookups” for website addresses) can bypass that tunnel and get handled by your ISP instead. That’s known as a DNS leak.That’s why it’s important to choose a VPN that properly prevents DNS leaks.

VPN lacks IPv6 support

One often-overlooked cause of DNS leaks is IPv6 traffic. Most VPN services are still primarily designed around IPv4, the older internet addressing system. However, IPv6 adoption is steadily growing worldwide. Many operating systems will prefer IPv6 connections if they’re available.

If your VPN doesn’t support or properly block IPv6 traffic, your device may send DNS queries over IPv6 directly to your ISP, even while your IPv4 traffic is safely inside the VPN tunnel. This happens because your operating system simply chooses the available IPv6 path, bypassing the VPN’s protection altogether.

VPN disconnects unexpectedly

If your VPN drops for even a moment, most systems will instantly fall back to using your ISP’s DNS servers. That means your DNS requests can leak, even if your VPN usually encrypts them.

This can also happen when you switch network interfaces, for example, going from Wi-Fi to Ethernet. Some VPNs might not detect the change, and your DNS queries could quietly bypass the encrypted tunnel.

That’s why top-notch VPNs offer a kill switch. This feature automatically disconnects you from the internet if your VPN drops its connection momentarily. That way, your DNS requests can’t be resubmitted to your ISP.

Misconfigured network settings or firewalls

Sometimes, custom network setups, like smart DNS, proxy tools, or manual router DNS entries, override your VPN. A firewall might also block VPN DNS traffic but allow normal DNS through, causing leaks. If you’re using a good VPN that routes DNS requests, has leak protection, and includes a kill switch but still are having a leak, it’s most likely a misconfigured setting.

How to test for DNS leaks

Testing for DNS leaks is a simple way to make sure your VPN is really keeping your browsing private. Even if your VPN claims to offer leak protection, it's smart to check occasionally, just to be safe. Here’s how to do it step-by-step:

Step 1. Disconnect your VPN

First, turn off your VPN to see what your normal, unprotected DNS traffic looks like. This gives you a baseline to compare against later. Just open your VPN app and click the disconnect button.

Step 2. Open a DNS leak test site

With your VPN still off, go to ExpressVPN’s DNS leak test page. You’ll see a list of DNS servers your device is using. These will usually be your ISP’s servers along with their locations.

Step 3. Connect to your VPN

Turn your VPN back on and connect to the server location you want (for example, London or New York).

Step 4. Run the test again

Return to the test site and repeat the process. This time, the DNS servers shown should belong to your VPN provider and match the VPN server location you picked. If you see only your VPN’s DNS servers, you're good: your traffic is private. If any of your ISP’s DNS servers or unexpected locations appear, it means you have a DNS leak.For more advanced testing options, check out ExpressVPN’s leak testing tools page, which includes additional resources for privacy-conscious users.

How to fix and prevent a DNS leak

An open DNS leak is a massive risk to your privacy. Here’s how to fix existing leaks and prevent them in the future.

Use VPN with DNS leak protection

The easiest method is to use a reputable VPN that offers built-in DNS leak protection. This ensures your DNS requests stay inside the secure tunnel, preventing your ISP or others from seeing your browsing activity. Look for VPNs that run their own encrypted DNS servers and have passed independent leak tests.

It’s also best to choose a VPN that supports IPv6 traffic or one that automatically blocks IPv6 connections to prevent leaks, ensuring all DNS queries go through their encrypted IPv4-only tunnels.

Configure private DNS

You can also use secure DNS protocols and manually configure them. These encrypt your DNS queries, similarly to a VPN. It’s possible to set one up on a Windows or Android device and many routers. You technically can use one alongside a VPN, but this requires exact configurations. I’d recommend beginners stick to a VPN instead, for simplicity.

Use a firewall to block external DNS traffic

A specially configured firewall can block DNS requests that attempt to bypass your VPN tunnel. This forces all DNS queries through your VPN’s secure channel. Some advanced firewalls can even whitelist your VPN’s DNS servers, blocking everything else. This will typically require some technical expertise on your end to avoid improper configurations.

Use custom DNS settings if needed

If you're not using a VPN, you can still take a small step to improve your privacy by manually setting your device or router to use a trusted DNS provider like Cloudflare (1.1.1.1) or Google DNS (8.8.8.8). This won’t encrypt your DNS requests, but it does let you choose who handles them, rather than leaving that to your internet provider.

Need help setting it up? Look for a Windows tutorial or macOS tutorial to guide you through the steps.

Just keep in mind: using a custom DNS is more about trusting the company behind it. You’re basically saying, “I’d rather let this company handle my DNS than my ISP.” So it’s worth checking their privacy policies first. For instance, if you’re not comfortable with how Google uses data, you might prefer Cloudflare instead.

How to stop DNS leak on iPhone

iPhones don’t let you manually set up an encrypted DNS the way other devices might. But don’t worry, you still have a couple of easy options:

• Use a DNS app from the App Store: These apps let you route your DNS traffic through a trusted provider like Cloudflare.
• Use a VPN with built-in DNS leak protection, like ExpressVPN: This is usually the easier and more secure option, since the VPN encrypts all your traffic, including DNS requests, automatically.

Which VPN has no DNS leaks

ExpressVPN stands out for its strong DNS protection. It runs its own private, encrypted DNS on every VPN server, so your DNS requests are never exposed to third parties like ISPs, Wi-Fi operators, or advertisers.

ExpressVPN also routes all your DNS queries through its encrypted tunnel automatically, so there’s no extra setup needed. This helps prevent DNS hijacking, blocking, filtering, or manipulation by censors.

It doesn’t keep any activity or connection logs, so your DNS requests can’t be recorded or sold to anyone. Plus, its network is optimized for fast, reliable DNS lookups while using the same strong 256-bit AES encryption that protects all of your internet traffic.

Common DNS leak myths and misconceptions

It’s easy enough to misunderstand a DNS leak and associate it with other cybersecurity issues. Just remember that a DNS leak doesn’t mean that your VPN is broken; it means your DNS queries aren’t staying inside the secure tunnel.

Are DNS leaks the same as IP leaks?

No, they’re two different things, even though both can compromise your privacy.

• An IP leak happens when your real IP address is exposed, revealing your approximate location and potentially identifying you online.
• A DNS leak doesn’t reveal your IP, but it does show which websites you’re trying to visit. It exposes your browsing history by sending those DNS lookups to your ISP instead of through your VPN’s secure servers.

Does Incognito mode prevent DNS leaks?

Not at all. Incognito mode is often misunderstood. It only stops your browser from saving local data like history, cookies, and form entries on your device.

It does not encrypt your internet traffic or reroute your DNS queries in any way. Your ISP, network administrator, or anyone monitoring the connection can still see the DNS requests your device sends.