Leak Tests
DNS Leak Test
Check whether your DNS queries are leaking to your ISP — even when your VPN is connected. See exactly which DNS resolvers your browser is using, their ISP attribution, and their location. If you spot your ISP's name, your VPN is leaking.
Your DNS servers will appear here after running the test
Standard test complete. Run an extended test for more thorough detection using additional DNS query methods.
Scored using our published, open-source methodology. View methodology
What this test checks
DNS resolver identification
The test identifies every DNS server handling your domain lookups — IP address, hostname, country, and ISP — so you can see immediately whether they belong to your VPN provider or your ISP.
Geolocation of each resolver
Each DNS server is geolocated so you can verify the resolver is in the country your VPN server is located in. An ISP resolver appearing in your home country is the clearest sign of a DNS leak.
ISP / organisation attribution
We show the ASN and organisation name behind each resolver. If you see your ISP's name (BT, Comcast, Vodafone, etc.) here while your VPN is connected, you have a confirmed DNS leak.
Leak verdict per resolver
Each resolver row gets an individual verdict — VPN resolver (safe), ISP resolver (leaked), or third-party resolver (warning). The overall verdict summarises all detected servers.
How a DNS leak bypasses your VPN
Normal VPN path vs leaked path
Your device
Visit example.com
VPN tunnel
Encrypted traffic
VPN DNS server
Safe — ISP blind
or if leaking
ISP resolver
Leaked — ISP sees all
When a DNS leak occurs, DNS traffic skips the VPN tunnel entirely (the red branch above).
Your web traffic stays encrypted but your ISP's DNS logs reveal every domain you visit,
when you visit it, and how often.
What causes DNS leaks
VPN misconfiguration
The VPN client routes your web traffic through the tunnel but fails to redirect DNS queries. DNS runs on UDP port 53 and some VPN implementations only intercept TCP connections, leaving DNS exposed.
Windows Smart Multi-Homed DNS
Windows 8, 10, and 11 send DNS queries to all available network interfaces simultaneously and use the fastest response. Your VPN adapter may respond first, but Windows also accepts the ISP response.
IPv6 DNS not tunnelled
Many VPNs only tunnel IPv4 traffic. If your ISP provides IPv6, DNS queries over IPv6 travel completely outside the VPN tunnel — invisible to the VPN application and unencrypted to your ISP.
VPN reconnection gap
When a VPN connection drops and reconnects, there is a brief window where DNS queries revert to the system default — typically your ISP's resolver. This is why a kill switch is essential.
Browser DNS-over-HTTPS override
Chrome and Firefox have built-in DNS-over-HTTPS (DoH) settings that can override the system DNS. If configured incorrectly, the browser may query a specific DoH provider that bypasses the VPN's DNS.
Router-level DNS override
Some routers are configured to intercept and redirect all DNS queries to the ISP regardless of what the device requests. This is common on ISP-provided routers and transparent DNS proxies.
How to fix a DNS leak
Step-by-step fix guide
1
Switch to a VPN with DNS leak protection built in
The most reliable fix. Mullvad, ProtonVPN, and ExpressVPN all operate their own DNS resolvers and route all DNS queries through the encrypted tunnel by default — no configuration required. Mullvad's resolver blocks ads and trackers as a bonus.
Best fix — zero configuration
2
Enable DNS leak protection in your VPN settings
Most modern VPN clients have a "DNS leak protection" toggle. In NordVPN: Settings → DNS → enable custom DNS. In ExpressVPN: Options → DNS → Use ExpressVPN DNS servers. In Mullvad: this is enabled automatically and cannot be disabled.
Configuration fix
3
Disable Windows Smart Multi-Homed DNS via Group Policy
Open Group Policy Editor (
Windows 8 / 10 / 11
gpedit.msc), navigate to Computer Configuration → Administrative Templates → Network → DNS Client → "Turn off smart multi-homed name resolution" and set it to Enabled. Restart required.4
Set a manual privacy-respecting DNS server
Even if your VPN leaks, setting your OS-level DNS to Cloudflare (
Fallback mitigation
1.1.1.1), Quad9 (9.9.9.9), or NextDNS prevents your ISP's resolver from being used as a fallback. This doesn't fix the leak source but limits its impact.5
Enable the VPN kill switch
A kill switch blocks all internet traffic if the VPN connection drops, preventing DNS queries from reverting to your ISP resolver during reconnection gaps. This is the most underused safety feature in VPN apps — enable it in advanced settings.
Prevents reconnection leaks
Frequently asked questions