What Is a DNS Leak and Why It Ruins Your VPN

You turned on the VPN. The little lock icon appeared. You think you're private. But there's a specific, common failure mode where your DNS queries — every domain name your device looks up — leak outside the VPN tunnel to your ISP's resolver. Your ISP still knows exactly which sites you're visiting. The VPN lied to you, or at least didn't deliver what you thought you bought.

Why DNS Leaks Happen

A DNS leak happens when your operating system sends DNS queries through the regular network stack instead of routing them through the VPN tunnel. This can happen because the VPN client didn't properly override the system's DNS settings, because Windows' Smart Multi-Homed Name Resolution feature sends queries to multiple resolvers simultaneously and uses whichever responds first, or because certain applications bypass the system resolver entirely.

On Windows, this is a chronic problem. The OS was built to be helpful with DNS resolution, and 'helpful' in this context means 'sends queries wherever it thinks is fastest.' VPN software has to actively fight this tendency. Not all of it does a good job.

What a DNS Leak Actually Exposes

When your DNS queries leak to your ISP's resolver, your ISP gets a timestamped list of every domain you've looked up. Not the full URLs — just the domains. But that's enough to know you visited a medical information site, a job board, a political news outlet, or an adult site. The domain alone tells a story.

Wait — this matters. The IP address on your traffic is hidden by the VPN. But DNS leaks mean your browsing profile is fully visible anyway, just through a different channel. You've encrypted your front door and left the back window open.

How to Test for a DNS Leak

Running a DNS leak test is simple — tools like ours send queries to test servers and check which resolver answers. If the resolver belongs to your ISP or a company in your country when you're connected to a VPN in a different country, you have a leak. The test takes about 15 seconds and gives you a clear yes or no.

Fixing It

Most quality VPN clients have a DNS leak protection setting — enable it. Manually set your DNS servers to ones operated by or associated with your VPN provider. On Windows, you can disable Smart Multi-Homed Name Resolution through Group Policy. On Linux, using systemd-resolved with the VPN's DNS pushed correctly usually handles it cleanly. Test again after each change — don't assume it worked.