Understanding VPN, IP, DNS and WebRTC Leaks

Why do privacy leaks happen even when a VPN is enabled?

Many people believe that enabling a VPN automatically guarantees complete anonymity. In reality, a VPN is only one layer of protection. A VPN encrypts your internet traffic and routes it through a remote server before it reaches the public internet, masking your real IP address in the process.

However, modern operating systems and browsers use multiple networking features simultaneously. If any one of those features bypasses the encrypted VPN tunnel, your device may still reveal information about your real network connection. These situations are known as privacy leaks.

Common causes of leaks include:

A VPN protects your traffic — but only if every request from your system actually travels through the VPN tunnel.

What exactly is a DNS leak?

DNS stands for Domain Name System. It acts like the phonebook of the internet. When you type a website name such as privacyinternational.org, your computer must first discover the numerical IP address of that website before it can connect.

To obtain that address, your device sends a request to a DNS server. Normally, your internet service provider assigns your device a DNS server that it controls. This means that your ISP can see every domain name your device attempts to resolve.

When you connect to a VPN, your DNS queries should ideally be sent through the VPN provider's DNS servers instead. If your device continues to send those queries to your ISP while connected to a VPN, this creates what is known as a DNS leak.

Even if the rest of your traffic is encrypted, a DNS leak allows your ISP — or any entity monitoring your network — to see which websites you are trying to access.

You can verify your connection using our DNS Leak Test tool.

DNS leak explanation diagram
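
As an added example (not part of the original page), this JavaScript (Node.js) check reads the contents of a Linux resolv.conf and reports any configured resolver that is not one of the VPN's, which is the condition described above as a DNS leak. The function names, the VPN resolver range 10.8.0.0/24 and the sample file are constructed assumptions.

```javascript
// Added example, not the site's code. The resolv.conf contents, addresses and
// the VPN resolver range are constructed assumptions.

function ipv4ToInt(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function parseNameservers(text) {
  return text.split('\n')
    .map(l => l.replace(/[#;].*$/, '').trim().split(/\s+/))
    .filter(f => f[0] === 'nameserver' && f[1])
    .map(f => f[1]);
}

// vpnResolvers: IPv4 CIDRs, or exact addresses (the only form matched for IPv6).
function auditResolvers(text, vpnResolvers) {
  return parseNameservers(text).map(ns => {
    // A loopback entry is a local forwarder; its upstreams decide where queries go.
    if (ns.startsWith('127.') || ns === '::1') return { ns, verdict: 'local-stub' };
    const viaVpn = vpnResolvers.some(r => r === ns || inCidr(ns, r));
    return { ns, verdict: viaVpn ? 'vpn' : 'not-vpn-resolver' };
  });
}

const sampleResolvConf = [ // constructed sample
  '# written by the VPN client, with one entry left over from DHCP',
  'nameserver 10.8.0.1',
  'nameserver 192.0.2.53',
  'nameserver 127.0.0.53',
  'options edns0',
].join('\n');
console.log(auditResolvers(sampleResolvConf, ['10.8.0.0/24']));
```

A `local-stub` entry (such as systemd-resolved's 127.0.0.53) only forwards queries, so its upstream servers need the same check.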

Why DNS leaks are a serious privacy issue

Many users underestimate the amount of information DNS queries reveal. Even if your encrypted traffic hides the content of your communication, DNS queries expose the domains you visit.

For example, DNS requests can reveal visits to websites such as:

Because DNS queries are usually sent before encrypted communication begins, they act as a form of metadata that can still reveal a detailed browsing profile.

What is a transparent DNS proxy?

Some internet service providers implement a system called a transparent DNS proxy. Instead of allowing your device to send DNS queries to a server of your choice, the ISP intercepts all DNS traffic and silently redirects it to their own DNS infrastructure.

Even if you configure your device to use public DNS services like Google DNS or OpenDNS, a transparent DNS proxy may override those settings.

This technique allows ISPs to:

If your VPN connection does not properly tunnel DNS traffic, these proxies may still capture your DNS requests.

What is an IP leak?

An IP leak occurs when your real public IP address becomes visible to websites or external servers despite being connected to a VPN or anonymity network.

Your IP address can reveal several important pieces of information about you, including:

When a VPN is functioning correctly, websites should only see the IP address of the VPN server instead of your real address.

You can check whether your real IP is exposed by running the IP Leak Test.

IP leak diagram

What is a WebRTC leak?

WebRTC (Web Real-Time Communication) is a browser technology that allows web applications to create direct peer-to-peer connections for video calls, voice chats, and file transfers.

While this technology is useful for real-time communication platforms, it also introduces a potential privacy risk. During the process of establishing connections, WebRTC may reveal your device's real IP address to websites.

This exposure can occur even if a VPN is active because WebRTC sometimes bypasses the encrypted tunnel and communicates directly with external servers.

You can test whether your browser exposes your IP using the WebRTC Leak Test.

WebRTC leak diagram
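
The following added example (not code from this site) shows how a leak test can interpret the ICE candidates that WebRTC gathers while establishing a connection: it parses each candidate line, classifies the address, and flags any public address that is not the VPN's exit address, covering IPv6 candidates as well. The function names, the sample candidates and the VPN exit address 198.51.100.7 are constructed assumptions.

```javascript
// Added example, not the site's test code. In a browser, collect lines with:
//   pc.onicecandidate = e => e.candidate && lines.push(e.candidate.candidate);
// All addresses below are constructed (documentation ranges).

function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

function addressScope(addr) {
  if (addr.endsWith('.local')) return 'mdns';                 // mDNS hostname hides the IP
  if (addr.includes(':')) {                                   // IPv6
    if (addr === '::1') return 'loopback';
    if (/^fe[89ab][0-9a-f]:/.test(addr)) return 'link-local'; // fe80::/10
    if (/^f[cd][0-9a-f]{2}:/.test(addr)) return 'private';    // fc00::/7 (unique local)
    return 'public';
  }
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return 'unknown';
  if (o[0] === 127) return 'loopback';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  if (o[0] === 10 || (o[0] === 192 && o[1] === 168) ||
      (o[0] === 172 && o[1] >= 16 && o[1] <= 31)) return 'private';
  return 'public';
}

// vpnExitIps: addresses the VPN is expected to present (assumed known to the tester).
function findLeaks(lines, vpnExitIps) {
  const allowed = new Set(vpnExitIps.map(s => s.toLowerCase()));
  return lines.map(parseCandidate).filter(Boolean).map(c => {
    const scope = addressScope(c.address);
    let verdict = 'ok';
    if (scope === 'public' && !allowed.has(c.address)) verdict = 'public-ip-exposed';
    else if (scope === 'private' || scope === 'link-local') verdict = 'local-ip-disclosed';
    return { ...c, scope, verdict };
  });
}

const sampleCandidates = [ // constructed
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 b2c7f1a0-3d4e-4f5a-9b6c-7d8e9f0a1b2c.local 54322 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.7 40001 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1686052351 203.0.113.45 40002 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:5 1 udp 2122129151 2001:db8:1::5 54323 typ host',
];
console.log(findLeaks(sampleCandidates, ['198.51.100.7']));
```

IPv6 addresses are compared as text, so list the VPN's IPv6 exit address in the same compressed form the browser emits.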

What is IPv6 exposure and why does it matter?

The internet currently uses two addressing systems: IPv4 and IPv6. While many VPN services protect IPv4 traffic, not all of them properly handle IPv6 connections.

If IPv6 traffic bypasses the VPN tunnel, your real IPv6 address may be exposed directly to websites.

Because IPv6 adoption continues to grow worldwide, this type of leak is becoming increasingly important for privacy-conscious users.

How can you prevent DNS and IP leaks?

Preventing leaks usually involves a combination of proper VPN configuration and browser settings. Some of the most effective steps include:

Testing your connection periodically confirms that your VPN configuration still protects your identity after browser updates or network changes.

Privacy protection is not a single setting — it is a process that requires testing and verification.

How often should you test for privacy leaks?

It is a good idea to test your connection whenever you:

Even small configuration changes can alter how your system routes traffic.

You can run a complete set of tests using the tools available in the PrivacyTestLab tools directory.