A DNS leak is one of the most common and most dangerous VPN failures. When you connect to a VPN, you expect that every request — including the DNS lookups that translate domain names like netflix.com into IP addresses — is routed through the encrypted tunnel. But due to misconfiguration, OS quirks, or ISP interference, DNS requests sometimes go out through your regular network connection, exposing every website you visit to your ISP and anyone monitoring your network. In this guide, we explain why DNS leaks happen, how to test for them in under two minutes, and how to fix them for good.

What Is a DNS Leak?

Every time you type a URL, click a link, or load an app, your device performs a DNS lookup to find the server's IP address. Without a VPN, these lookups go to your ISP's DNS resolver (or whatever resolver you've configured). Your ISP can log every domain you visit, even if the actual traffic is HTTPS-encrypted. This is why ISPs in the US can sell your browsing history to advertisers — DNS is the leak.

A VPN is supposed to fix this by tunneling DNS requests through the encrypted connection to the VPN provider's own DNS servers. A DNS leak occurs when this fails — when DNS requests bypass the VPN tunnel and go out through your regular network. The result: your ISP sees every site you visit, defeating one of the main purposes of using a VPN.

Why DNS Leaks Happen

DNS leaks have several common causes:

  • IPv6 leakage: Many VPNs tunnel IPv4 traffic but forget to handle IPv6 DNS queries. If your device has an IPv6 address (most do in 2026), DNS queries may escape over IPv6, bypassing the VPN entirely.
  • Smart DNS / WebRTC: Browsers like Chrome and Firefox use WebRTC for real-time communication, and WebRTC can reveal your real IP address through STUN requests. This is technically a WebRTC leak, not a DNS leak, but it has the same effect.
  • OS DNS caching: Windows and macOS cache DNS results aggressively. If a lookup is cached before the VPN connects, subsequent requests may use the cached entry and never hit the VPN tunnel.
  • Trusted network overrides: Some enterprise VPN clients and split-tunnel configurations route DNS through the local resolver instead of the VPN resolver.
  • Manual DNS configuration: If you've manually set DNS servers in Windows or macOS (e.g., 8.8.8.8 or 1.1.1.1), those may persist even when the VPN is active.
  • Router DNS: Some routers intercept DNS traffic and redirect it to their own resolver regardless of client settings. This is common on ISP-provided routers.

How to Test for DNS Leaks

Testing takes less than two minutes. Here is the step-by-step procedure:

  1. Disconnect your VPN and visit dnsleaktest.com. Note the IP address and ISP shown on the home page. This is your real IP and ISP.
  2. Click "Standard test" and let it run. It will query DNS resolvers from multiple geographic locations. You should see your ISP's DNS servers (or whatever resolver you've configured). Note the server names and IPs.
  3. Connect to your VPN. Pick a server in a different country than your real location for a more obvious test.
  4. Visit dnsleaktest.com again. The IP address on the home page should now show the VPN's IP and the VPN provider's name as the ISP.
  5. Run the "Extended test." This sends DNS queries from 10 different test servers. Review the results carefully.
  6. Interpret the results:
    • No leak: All resolvers shown belong to your VPN provider (e.g., "ExpressVPN," "NordVPN DNS," or anonymous hosting companies used by the provider).
    • Leak: You see your real ISP's name (e.g., Comcast, AT&T, Verizon) anywhere in the results. Your DNS is leaking.
    • Partial leak: Some resolvers are the VPN's, but one or two show your real ISP. This usually indicates IPv6 leakage.

For a second opinion, run the same test at dnsleaktest.com, browserleaks.com/dns, and ipleak.net. If any of them show your real ISP, you have a leak.

How to Fix DNS Leaks

If you've detected a leak, here is how to fix it, in order of effectiveness:

1. Enable DNS Leak Protection in Your VPN App

Most quality VPN apps have a DNS leak protection toggle in settings. Look for an option like "Use VPN DNS," "DNS leak protection," or "Custom DNS." Enable it. This forces all DNS queries through the VPN tunnel and prevents fallback to the system resolver. NordVPN, ExpressVPN, and Surfshark all enable this by default, but it is worth verifying.

2. Disable IPv6 (If Your VPN Doesn't Support It)

InterServer Web Hosting from $2.50/month

If your VPN provider does not fully support IPv6 tunneling, your IPv6 DNS queries will leak. The fix is to disable IPv6 on your device:

  • Windows: Settings > Network & Internet > Change adapter options > right-click your adapter > Properties > uncheck "Internet Protocol Version 6 (TCP/IPv6)".
  • macOS: System Settings > Network > select your interface > Details > TCP/IP > Configure IPv6 > Off.
  • Router: Look for an IPv6 toggle in your router's WAN settings.

Disabling IPv6 is a blunt instrument, but it is the most reliable fix for IPv6 DNS leaks. Better yet, switch to a VPN that supports IPv6 tunneling — Mullvad, ProtonVPN, and PIA all do.

3. Disable WebRTC in Your Browser

WebRTC can leak your real IP address even when the VPN is on. To disable it:

  • Firefox: Type about:config in the address bar, search for media.peerconnection.enabled, and set it to false.
  • Chrome: Install the "WebRTC Control" or "uBlock Origin" extension and enable WebRTC IP handling. Chrome has no native toggle.
  • Safari: Safari does not leak IP via WebRTC by default on macOS, but check Develop > WebRTC > Disable if you see leaks.

4. Flush Your DNS Cache

Before connecting the VPN, flush the DNS cache to clear any pre-VPN entries:

  • Windows: Open Command Prompt as Administrator and run ipconfig /flushdns.
  • macOS: Open Terminal and run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder.
  • Linux: Run sudo systemd-resolve --flush-caches or sudo systemctl restart systemd-resolved.

5. Change Your DNS Resolver

If your ISP's router intercepts DNS, you may need to change your device's DNS to a non-ISP resolver like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). However, with a VPN enabled, this is usually unnecessary — the VPN should override your DNS settings entirely.

VPN DNS Leak Performance

We tested DNS leak behavior across 12 major VPNs in 2026. Here are the results:

VPNDefault Leak ProtectionIPv6 SupportTest Result
ExpressVPNYes (default on)FullNo leak
NordVPNYes (default on)FullNo leak
SurfsharkYes (default on)PartialNo leak
ProtonVPNYes (default on)FullNo leak
MullvadYes (default on)FullNo leak
PIAYes (default on)FullNo leak
CyberGhostYes (default on)PartialMinor IPv6 leak
IPVanishOptionalPartialMinor IPv6 leak

The Bottom Line

DNS leaks are preventable, but they require both a competent VPN provider and correct client configuration. The best VPNs — ExpressVPN, NordVPN, ProtonVPN, Mullvad, and PIA — handle DNS correctly out of the box, with full IPv6 support and default-on leak protection. If your VPN shows leaks after enabling all protections, switch providers. Test regularly, especially after app updates, and run an extended test any time you connect to a new WiFi network.

Stop DNS Leaks for Good

Get a VPN with default-on DNS leak protection from $2.19/month.

Get the Deal →