

A DNS leak is when your DNS queries travel outside the VPN tunnel. Your connection appears to be working (the VPN shows as connected, your IP has changed, your traffic is encrypted), but the DNS lookups that reveal which domains you are visiting are still going to your ISP's resolver rather than the VPN's.
The result is that your ISP can still see every domain you visit, even though you are using a VPN. Everything else the VPN was supposed to protect is working. Just not DNS.
This matters because DNS queries are one of the most revealing pieces of data your ISP can collect. If you have not read the DNS and privacy article, it covers why DNS visibility is such a significant issue in the first place.
There are several common causes.
VPN not intercepting DNS: Some VPN clients establish an encrypted tunnel for regular traffic but do not redirect DNS queries through it. The queries continue going to the system resolver, which is typically your ISP.
OS-level DNS fallback: Operating systems have fallback behaviour for when DNS resolution fails or is slow. If the VPN's DNS resolver does not respond quickly enough, the OS may retry via the default system resolver, which bypasses the tunnel.
Split tunneling misconfiguration: If a VPN is configured to only route some traffic through the tunnel, DNS queries for non-tunneled traffic may go outside. If the VPN app does not handle this carefully, all DNS can leak.
Third-party DNS configured on the system: If a system-level DNS setting points to a resolver outside the VPN's control, and the VPN does not override it, those queries will go to the external resolver rather than through the tunnel.
Windows has a feature called Smart Multi-Homed Name Resolution (SMHNR). When enabled, Windows sends DNS queries to all available network interfaces simultaneously and uses the first response it gets, regardless of which interface it came from. The intent is faster resolution. The side effect is that DNS queries can leave through your regular network interface rather than the VPN tunnel, even when you are connected to a VPN.
A related issue is Link-Local Multicast Name Resolution (LLMNR) [1]. LLMNR is a protocol that allows devices on a local network to resolve names without a DNS server. It operates separately from standard DNS and ignores VPN tunnels entirely. VPN clients that do not explicitly disable LLMNR may leak local name resolution queries to the network.
Well-maintained VPN clients on Windows handle both of these automatically. If you are using an older or less reliable client, or configuring a VPN manually, you may need to disable SMHNR and LLMNR in the Windows registry yourself.
Most VPNs were built when IPv4 was the only protocol that mattered. IPv6 was added as an afterthought, or not at all. If your ISP has assigned you an IPv6 address and your VPN does not tunnel IPv6 traffic, your device will make IPv6 connections directly over your regular network interface, bypassing the VPN entirely.
DNS queries for IPv6-enabled sites may go out over the IPv6 interface to your ISP's IPv6 DNS resolver. This is an IPv6 DNS leak and it is distinct from an IPv4 DNS leak, though both expose the same information.
The fix is either to use a VPN that handles IPv6 traffic natively, or to disable IPv6 on your system while using the VPN. Disabling IPv6 entirely is a blunt solution but effective if you cannot confirm your VPN handles it correctly.
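As an added example (not code from the original article), here is a Python check that mimics how the operating system picks an egress interface for each configured resolver: it parses a constructed resolv.conf, does a longest-prefix match against a constructed routing table, and flags resolvers whose queries would leave outside the tunnel interface, covering both the "third-party DNS configured on the system" case and the IPv6 case where the VPN pushes no IPv6 route. Interface names, addresses and routes are assumed sample values.

```python
import ipaddress

# Constructed sample state of a host with a VPN up (hypothetical values): the VPN
# pushed its own resolver (10.8.0.1) and two /1 routes that together cover all of
# IPv4, but the home router and an IPv6 resolver are still configured, and there is
# no IPv6 route through the tunnel.
TUNNEL_IFACE = "tun0"
RESOLV_CONF = """\
# constructed /etc/resolv.conf
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
"""
ROUTES = [  # (destination, egress interface); longest prefix wins
    ("0.0.0.0/0", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("192.168.1.0/24", "eth0"),
    ("::/0", "eth0"),
]


def parse_resolv_conf(text):
    """Return the resolver addresses from resolv.conf-style text."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def egress_interface(addr, routes):
    """Longest-prefix match, as the kernel routing table does; None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dest, iface in routes:
        net = ipaddress.ip_network(dest)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def leaking_resolvers(resolvers, routes, tunnel_iface):
    """List (resolver, interface, 'ipv4'|'ipv6') for resolvers reached outside the tunnel."""
    leaks = []
    for r in resolvers:
        iface = egress_interface(r, routes)
        if iface != tunnel_iface:
            kind = "ipv6" if ipaddress.ip_address(r).version == 6 else "ipv4"
            leaks.append((r, iface, kind))
    return leaks
```

On a real host you would feed it the live resolver list and routing table; any entry it reports is a resolver your VPN client failed to override or route.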
Testing is straightforward. Connect to your VPN, then visit a DNS leak test tool [2]. The tool will show you which DNS servers are resolving your queries. If the resolvers listed belong to your ISP or a third-party resolver you did not configure, you have a leak. If they belong to your VPN provider, you are clean.
Tools like ipleak.net [3] test for DNS leaks, IPv6 leaks, and WebRTC leaks together, which is useful because these issues tend to appear in combination.
Run the test on a few different networks if you can: your home connection, a mobile hotspot, a public network. DNS leak behaviour sometimes depends on the network configuration, so a VPN that behaves correctly on your home router may leak on a network with different DNS settings.
If you find a leak, the options depend on why it is happening.
Use a VPN with built-in DNS leak protection: The simplest fix. A VPN that handles this correctly at the application level does not require manual configuration. BuycatVPN routes all DNS through the tunnel automatically.
Enable the kill switch: A kill switch blocks all internet traffic if the VPN connection drops. Some kill switch implementations also block DNS queries that would otherwise go outside the tunnel. Check your VPN app's settings.
Disable IPv6 if your VPN doesn't support it: On Windows: Settings > Network > your adapter > IPv6 > uncheck. On macOS: System Settings > Network > your adapter > Details > TCP/IP > Configure IPv6 > Off.
Disable LLMNR and SMHNR on Windows: Both can be disabled via Group Policy or directly in the registry. This is only necessary if your VPN client does not handle it, which well-maintained clients should.
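As an added example (not code from the article), a Python helper that audits and, on request, sets the Group Policy-backed registry values that turn off LLMNR and SMHNR. The key path and value names are the standard DNSClient policy values, assumed here from general Windows administration knowledge rather than taken from the article; reading and writing them needs Windows, and writing needs an elevated prompt.

```python
# Group Policy-backed registry values under HKLM that turn off the two behaviours.
# Assumed from general Windows administration knowledge, not from the article.
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
REQUIRED = {
    "EnableMulticast": 0,             # 0 = turn off LLMNR
    "DisableSmartNameResolution": 1,  # 1 = turn off Smart Multi-Homed Name Resolution
}


def assess(current):
    """Given {value_name: current DWORD or None if absent}, list protections not in effect."""
    findings = []
    for name, wanted in REQUIRED.items():
        have = current.get(name)
        if have != wanted:
            findings.append("%s: found %r, want %d" % (name, have, wanted))
    return findings


def read_current():
    """Read the current policy values (Windows only; reading does not need elevation)."""
    import winreg
    current = {name: None for name in REQUIRED}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            for name in REQUIRED:
                try:
                    current[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not set
    except FileNotFoundError:
        pass  # policy key absent: nothing is configured
    return current


def apply_policy():
    """Create the key if needed and set both values (Windows, elevated prompt)."""
    import winreg
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        for name, value in REQUIRED.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, value)


if __name__ == "__main__":
    missing = assess(read_current())
    print("\n".join(missing) if missing else "LLMNR and SMHNR policies are in place")
```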
After making any change, run the leak test again to confirm the fix took effect. It is worth running periodically whenever you update your VPN client or change your network setup.
[1] B. Aboba et al., "Link-Local Multicast Name Resolution (LLMNR)", RFC 4795, IETF, January 2007. Defines the protocol Windows uses for local name resolution that can cause DNS to bypass VPN tunnels.
[2] A tool for testing whether DNS queries are leaving your VPN tunnel.
[3] ipleak.net. Tests for DNS, IPv6, and WebRTC leaks simultaneously.
[4] F. Gont et al., "Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6", RFC 8981, IETF, February 2021. Relevant to understanding IPv6 address assignment behaviour.