DNS Leak: Why It Matters and How to Test

DNS queries reveal which domains you are trying to reach. Even if the actual connection to the website is encrypted (HTTPS), the DNS query happens first and is often unencrypted (though DNS over HTTPS and DNS over TLS are changing that). Your ISP can see: you requested example.com, bank.com, health-site.com. That is a detailed log of your browsing activity.

A VPN that does not handle DNS correctly is incomplete. The VPN encrypts your traffic and routes it through their server — but if DNS goes elsewhere, the encryption and routing are partially defeated. A proper VPN forces all DNS queries through the tunnel to the VPN's DNS servers. The VPN provider can then resolve domains without your ISP seeing the queries.

When you visit a site, your device sends a DNS query to resolve the domain. With a VPN, that query should go through the VPN tunnel to the VPN provider's DNS servers. Your ISP never sees it. The VPN server resolves the domain and returns the IP; your traffic then goes to that IP through the tunnel.

A leak occurs when the DNS query goes outside the tunnel — to your ISP's DNS, Google's 8.8.8.8, or another third-party resolver. The query may be sent before the VPN is fully established, or the VPN client may fail to override the system DNS. Either way, your ISP or the third-party sees which domains you requested.

Some VPN clients do not properly route DNS through the tunnel. They may leave the system's default DNS in place, or they may fail to override DNS settings on certain platforms. This is a VPN provider issue — a well-designed client forces DNS through the tunnel.

Many networks now use IPv6. If your VPN tunnels only IPv4 traffic, IPv6 traffic — including IPv6 DNS queries — may go outside the tunnel. That is an IPv6 leak, which can include DNS. A good VPN either blocks IPv6 or tunnels it.

If you use split tunneling and exclude certain apps, those apps may use the system DNS instead of the VPN's DNS. Their DNS queries go to your ISP. This is expected behavior for excluded apps — but it means you should not exclude sensitive apps, or you should understand that their DNS is exposed.

Some operating systems have multiple network interfaces and complex routing. On Windows, for example, certain features (like "smart multi-homed name resolution") can send DNS queries to multiple servers, including ones outside the VPN. A VPN client must account for these behaviors.

Some networks push DNS settings via DHCP or other mechanisms. If the VPN does not override these, the device may use the network's DNS. This is common on corporate or university networks where the network administrator controls DNS.

In many countries, ISPs are permitted to collect and log DNS queries. They can build a profile of your browsing habits, sell that data to advertisers, or share it with law enforcement. A VPN is supposed to prevent that. A DNS leak means it does not.

DNS queries are tied to your connection. Even if the VPN masks your IP for the actual website connection, a leaked DNS query can be correlated with your real IP by your ISP. In some cases, this can reveal your identity or location.

On public WiFi, DNS queries may go to the network's DNS server or be visible to other users. A leak means the WiFi operator — or an attacker on the network — can see which sites you visit. That is a significant privacy and security risk.

Visit a DNS leak test site (such as dnsleaktest.com or the KloudVPN DNS leak test tool) while connected to your VPN. The test makes DNS requests and reports which servers responded. All responding servers should be operated by your VPN provider. If you see servers from your ISP, Google, Cloudflare (unless your VPN uses them), or other third parties, you have a leak.

The test will list DNS server IPs and sometimes their hostnames or organizations. Your VPN provider's DNS servers should be the only ones that appear. If the test shows servers in your actual location (your country, your ISP) when you are connected to a VPN server in another country, that is a strong indicator of a leak.

Some tests run multiple queries to simulate real browsing. Run an extended test to increase confidence. DNS leaks can be intermittent — a single test might miss them. Test periodically, especially after OS updates, VPN app updates, or network changes.

The primary fix is to use a VPN that properly handles DNS. A good VPN client forces all DNS through the tunnel and uses the VPN provider's DNS servers. If your current VPN leaks, consider switching to one with a proven no-leak design. KloudVPN routes all DNS through the VPN.

Some VPN apps have a "DNS leak protection" or "Block DNS outside VPN" option. Enable it. This setting forces the system to use only the VPN's DNS when the VPN is connected.

If the leak is caused by IPv6, disabling IPv6 on your device can stop it. This is a workaround, not a fix — a proper VPN should handle IPv6. But if your VPN does not, disabling IPv6 prevents IPv6 DNS from leaking.

If you use split tunneling, excluded apps will use the system DNS. That is expected. If you want full DNS protection, use a full tunnel — do not exclude apps that do DNS lookups.

On some platforms, you can manually set your DNS to the VPN provider's DNS servers when the VPN is connected. This is fragile — the VPN app should handle it automatically. Use manual configuration only if the VPN app does not fix the leak and you cannot switch providers.

Windows has "smart multi-homed name resolution" which can send DNS to multiple servers. A good VPN client overrides this and forces DNS through the tunnel. Test on Windows — leaks are common if the VPN does not fully integrate with Windows networking.

Apple devices use system-level DNS resolution. VPN apps that use the Network Extension framework can intercept DNS. Test after each iOS or macOS update — Apple sometimes changes networking behavior.

Android and Linux allow per-interface DNS. VPN clients that create a virtual interface should route DNS through it. Some custom ROMs or network managers can override VPN DNS — test on your specific setup.

When you use a VPN to access region-locked content, the streaming service checks your IP and sometimes your DNS. If DNS leaks to your ISP, the service may detect a mismatch — your IP says you are in the US, but your DNS says you are elsewhere. That can trigger blocks or limit content. A leak-free VPN ensures consistent geo-access.

Some banks and payment processors use IP and DNS to detect fraud. A DNS leak can create inconsistent signals — your connection appears from one location, your DNS from another. That may trigger security checks or block transactions. For banking, a leak-free VPN is essential.

A VPN that handles DNS sends your queries through the encrypted tunnel to the VPN's DNS servers. That protects you from your ISP. DoH encrypts DNS to a third-party provider — but that provider then sees your queries. For VPN users, VPN DNS is the right choice.

VPN browser extensions protect only browser traffic. They may use different DNS than your system VPN. If you use both a system VPN and a browser extension, ensure they do not conflict. Prefer a full system VPN for complete DNS protection.

Some ad blockers or privacy extensions route DNS through their own resolvers. That can bypass your VPN's DNS. Check extension settings — disable "use our DNS" or similar if you want all DNS to go through the VPN.

Extensions that enable DNS over HTTPS (DoH) may send DNS to Cloudflare, Google, or another provider instead of your VPN. For VPN users, let the VPN handle DNS. Disable DoH extensions when the VPN is active, or use a VPN that integrates DoH within the tunnel.

Test when you first set up your VPN, after any VPN or OS update, when you change networks (e.g. switch from WiFi to Ethernet, or join a new WiFi), and periodically (e.g. monthly) as a routine check.

Connect to VPN servers in different countries and run the test each time. Some leaks may be server-specific or routing-specific. If you use split tunneling, test with it enabled and with your typical configuration.

If you find a leak, note the conditions: which server, which network, which OS version. That helps when reporting to your VPN provider or troubleshooting. Keep a log if leaks recur — patterns help identify root causes.