DNS Leak Test and Fix Guide

Discover what DNS leaks are, how to test for them, and exactly how to fix them on Windows, Linux, macOS, and VPN clients.

What Is a DNS Leak?

Every time you visit a website, your device sends a DNS query to translate the domain name (like example.com) into an IP address. If you are using a VPN, those queries should travel through the VPN tunnel to a private DNS resolver — your ISP should never see them.

A DNS leak happens when DNS queries bypass the VPN tunnel and go directly to your ISP’s resolver (or another unintended resolver) in plaintext. Your VPN hides your traffic content, but your DNS queries reveal every domain you visit to your ISP, making the VPN substantially less useful for privacy.

DNS leaks are surprisingly common and are caused by operating system DNS fallback behavior, WebRTC, misconfigured VPN clients, IPv6 exposure, and split-tunneling settings.

How to Test for DNS Leaks

Method 1: dnsleaktest.com

The fastest test. Visit dnsleaktest.com and click “Extended test.” The site makes DNS queries from your browser and reports which resolvers answered them. If you see your ISP’s DNS servers listed instead of your VPN provider’s, you have a leak.

Method 2: ipleak.net

IPLeak tests DNS, WebRTC local IP, IPv6, and geolocation simultaneously. It is the most comprehensive single-page leak test available.

Method 3: browserleaks.com/dns

BrowserLeaks provides a more detailed DNS test including EDNS client subnet data, which can expose your approximate geographic location even when DNS queries reach the correct resolver.

Method 4: Command Line (Linux/macOS)

# Check which resolver is answering your queries: whoami.akamai.net returns
# the public (egress) IP of the recursive resolver that reached Akamai's servers
dig +short whoami.akamai.net
# Check your public IP as seen by OpenDNS (should be the VPN exit IP, not an ISP address)
dig +short myip.opendns.com @resolver1.opendns.com

# On Linux, show the resolver systemd-resolved is currently using per interface
resolvectl status
# and what libc-based programs read (127.0.0.53 means the resolved stub is in use)
cat /etc/resolv.conf

If the resolver IP returned by these commands belongs to your ISP rather than your VPN provider, you have a leak.

Common Causes and Fixes

Windows DNS Leak (Smart Multi-Homed Name Resolution)

Windows 10 and 11 use a feature called Smart Multi-Homed Name Resolution (SMHNR) that sends DNS queries to all available network interfaces simultaneously and uses the first response. This is a major leak source for VPN users.

Fix via Group Policy (Windows Pro/Enterprise):

  1. Open gpedit.msc
  2. Navigate to: Computer Configuration → Administrative Templates → Network → DNS Client
  3. Set “Turn off smart multi-homed name resolution” to Enabled

Fix via Registry (Windows Home):

# Run as Administrator in PowerShell. The policy key does not exist until a policy
# has been applied, so create it first (New-Item -Force is harmless if it already exists)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name "DisableSmartNameResolution" -Value 1 -Type DWord

Restart after applying either fix.

Windows DNS via PowerShell (All Adapters)

Pin each network adapter to specific DNS servers so Windows cannot fall back to the adapter's DHCP-assigned resolvers:

# List all adapters
Get-DnsClientServerAddress

# Set DNS for one adapter (replace "Wi-Fi" with an adapter name from the list above);
# repeat for every adapter that can reach the internet
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("10.8.0.1","10.8.0.2")

Linux: systemd-resolved Leak

On Ubuntu, Fedora, and most modern Linux distros, systemd-resolved manages DNS. When a VPN connects, it may not correctly override the system resolver.

Check current DNS:

resolvectl status

Force VPN DNS via systemd-resolved:

Edit /etc/systemd/resolved.conf:

[Resolve]
DNS=10.8.0.1
FallbackDNS=
DNSStubListener=yes

Then restart: sudo systemctl restart systemd-resolved

For NetworkManager users, set DNS to VPN-provided servers in the connection profile and set DNS priority to a negative value (e.g., -100) to ensure the VPN DNS takes precedence.

macOS DNS Leak

macOS can leak DNS when a VPN does not properly register DNS servers with the system resolver. Check with:

scutil --dns | grep nameserver

Fix by manually setting DNS in System Settings → Network → [Your VPN interface] → DNS to your VPN’s DNS servers (e.g., Mullvad uses 10.64.0.1).

IPv6 DNS Leak

If your VPN only tunnels IPv4, IPv6 DNS queries go unencrypted over your ISP’s network. This is extremely common.

Fix on Linux:

# Disable IPv6 at runtime (lost on reboot): "all" covers existing interfaces,
# "default" covers interfaces created later
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Make the change permanent by adding net.ipv6.conf.all.disable_ipv6=1 and net.ipv6.conf.default.disable_ipv6=1 to /etc/sysctl.conf.

Fix on Windows:

# Disable IPv6 on all adapters
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

Most quality VPN clients (Mullvad, ProtonVPN) now include full IPv6 leak protection by default — check your client settings to confirm it is enabled.

WebRTC Leak

WebRTC is a browser API used for video/audio calls. It can bypass your VPN and expose your real IP address directly via STUN requests, even if all DNS is properly routed.

Fix in Firefox:

Set media.peerconnection.enabled = false in about:config.

Fix in Chrome/Brave:

Install the WebRTC Leak Prevent extension, or in Brave go to Settings → Privacy and security → WebRTC IP handling policy and set it to “Disable non-proxied UDP.”

VPN Client-Specific Fixes

Mullvad VPN

Mullvad’s client includes a DNS leak protection toggle under Settings → Advanced. Enable it. Also enable the kill switch to prevent any traffic outside the tunnel.

ProtonVPN

In the ProtonVPN Linux app: go to Settings → Connection and enable “DNS leak prevention.” On Linux CLI, ProtonVPN uses its own systemd-resolved integration — run protonvpn-cli s to check connection status.

OpenVPN (Manual Configs)

Add these lines to your .ovpn config to force DNS through the tunnel:

dhcp-option DNS 10.8.0.1
block-outside-dns

The block-outside-dns directive is Windows-specific but critical — it blocks all DNS not routed through the VPN adapter.

WireGuard

In your WireGuard config file, set the DNS field in the [Interface] section:

[Interface]
DNS = 10.64.0.1

When the tunnel is brought up with wg-quick, this resolver is installed as the system resolver for all DNS queries while the tunnel is active.

Verification After Fixing

After applying your fixes:

  1. Disconnect from the VPN completely
  2. Run a baseline test at dnsleaktest.com (note your real ISP resolvers)
  3. Connect to the VPN
  4. Run the extended test again
  5. Confirm only VPN-affiliated resolvers appear (no ISP resolvers)
  6. Check ipleak.net for WebRTC and IPv6 leaks

A clean result shows only your VPN provider’s DNS servers with no ISP resolvers, no WebRTC local IP exposure, and no IPv6 addresses.
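As an added example (not part of the original guide), this Python script automates the two checks described above: the resolver inspection of Method 4 and the baseline-versus-connected comparison of the six verification steps. It assumes constructed sample inputs (a resolv.conf listing, a WireGuard DNS line, and resolver egress IPs as an extended test would report them); the function names are my own.

```python
import ipaddress
import re

# Constructed sample inputs (hypothetical values): resolv.conf/scutil output, a WireGuard
# DNS line, and resolver egress IPs from the extended test with the VPN off (step 2) and on (step 4).
RESOLV_CONF = "nameserver 10.64.0.1\nnameserver 192.168.1.1\n"
WIREGUARD_CONF = "[Interface]\nDNS = 10.64.0.1\n"
BASELINE = ["203.0.113.53", "203.0.113.54"]
CONNECTED = ["198.51.100.7", "203.0.113.53", "2001:db8::53"]

def expected_resolvers(config_text):
    """Collect resolver addresses from WireGuard 'DNS =' or OpenVPN 'dhcp-option DNS' lines."""
    found = set()
    for line in config_text.splitlines():
        m = re.match(r"\s*(?:DNS\s*=|dhcp-option\s+DNS)\s*(.+)", line)
        if m:
            found.update(ipaddress.ip_address(a) for a in re.split(r"[,\s]+", m.group(1)) if a)
    return found

def configured_resolvers(output):
    """Parse 'nameserver 10.64.0.1' (resolv.conf) or 'nameserver[0] : 10.64.0.1' (scutil) lines."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"nameserver(?:\[\d+\])?\s*:?\s*([0-9a-fA-F.:]+)", output)]

def check_local(output, config_text):
    """Flag configured resolvers the VPN did not provide: a fallback path the OS can still use."""
    expected = expected_resolvers(config_text)
    findings = {}
    for ip in configured_resolvers(output):
        if ip.is_loopback:
            findings[str(ip)] = "local stub resolver; check the upstream with resolvectl status"
        elif ip not in expected:
            findings[str(ip)] = "not a VPN-provided resolver (LAN router or ISP fallback path)"
    return findings

def check_observed(connected, baseline):
    """Compare extended-test resolvers seen with the VPN up against the disconnected baseline."""
    base = {ipaddress.ip_address(a) for a in baseline}
    findings = {}
    for raw in connected:
        ip = ipaddress.ip_address(raw)
        if ip in base:
            findings[raw] = "ISP resolver answered with the VPN up: DNS leak"
        elif ip.version == 6:
            findings[raw] = "IPv6 resolver answered: IPv6 DNS is bypassing the tunnel"
    return findings

if __name__ == "__main__":
    print(check_local(RESOLV_CONF, WIREGUARD_CONF))
    print(check_observed(CONNECTED, BASELINE))
```

An empty dict from both checks corresponds to the clean result described above; each key in a non-empty dict is a resolver that needs one of the fixes in the sections before.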

Summary

DNS leaks silently undermine VPN privacy by exposing your browsing history to your ISP. The most common causes are Windows SMHNR, IPv6 exposure, WebRTC, and misconfigured VPN clients. Test at dnsleaktest.com and ipleak.net regularly, apply the OS-level fixes above, and enable your VPN client’s built-in DNS protection to ensure your queries stay inside the tunnel.