Short answer: A DNS leak happens when domain lookups go to a resolver outside the route you expected. If you are asking what is a DNS leak and how to prevent it, start with the resolver path: choose the DNS path you want, make the VPN, browser, operating system, router, and IPv6 settings follow it, and retest after important network changes.
DNS leaks matter because DNS can expose domain-level patterns even when HTTPS protects page contents. They do not reveal passwords, full encrypted page contents, or every action online. They can still show that a device looked up a bank, workplace portal, messaging service, health site, crypto exchange, or streaming service.
This page is the prevention and fix guide. If you need the basic meaning first, start with the brief definition below, then align VPN DNS, browser DNS, system DNS, router behavior, split tunneling, and IPv6 handling.
Quick answer
- DNS translates domains into addresses. Before a browser connects, it usually asks a resolver where the domain lives.
- A DNS leak is a route mismatch. DNS goes to an ISP, router, workplace, browser DoH provider, or other resolver when you expected VPN DNS or another chosen route.
- Prevention is alignment. VPN DNS, browser DNS, system DNS, router DNS, IPv6, and split tunneling need to agree with your intended setup.
- Tests are snapshots. A clean DNS leak result is useful, but it is not proof of permanent privacy or every app on the device.
Brief definition: what is a DNS leak?
DNS is the naming system that maps readable domains to IP addresses. RFC 8499 defines DNS terminology, while RFC 1034 and RFC 1035 describe core DNS concepts and protocol behavior.
In practical privacy troubleshooting, a DNS leak means the lookup path does not match the route you intended. A common example is a VPN session where the visible public IP belongs to the VPN, but DNS lookups still go to the ISP, router, local network, browser DNS provider, or workplace resolver.
For the query what is a DNS leak and how to prevent it, the important distinction is route intent. DNS itself is necessary. The leak is the mismatch between the resolver you meant to use and the resolver that actually receives the lookup.
What DNS leaks can reveal and what they cannot prove
A DNS resolver can see domain lookups, resolver timing, and the network path used for those lookups. That can be sensitive because domain names can imply services, interests, employers, medical portals, financial platforms, or apps. DNS can be revealing even without full page contents.
DNS usually does not reveal the full URL after the domain, passwords, payment details, page text, or encrypted message contents protected by HTTPS. DNS data alone also does not prove who personally used a device. Accounts, cookies, browser fingerprints, payment records, device identifiers, and provider records can add more context than DNS by itself.
This is why prevention should be precise rather than alarmist. The goal is not to become invisible. The goal is to keep resolver-path signals consistent with the privacy route you actually chose.
Why DNS leaks happen
- VPN DNS is not enforced: the VPN changes the visible IP but the operating system keeps using ISP or router DNS.
- Split tunneling: some apps or domains bypass the VPN and may also bypass VPN DNS.
- Browser DNS over HTTPS: a browser can send DNS to its own encrypted resolver instead of using system or VPN DNS.
- Router or captive portal rules: hotel, workplace, school, ISP, or public Wi-Fi networks can redirect DNS during connection setup.
- IPv6 mismatch: IPv6 traffic or IPv6 DNS can follow a different route if the VPN handles only IPv4 or blocks IPv6 poorly.
- Manual adapter settings: old DNS entries on Windows, macOS, Linux, Android, iOS, or router profiles can override expectations.
- Fallback behavior: if one resolver fails, the OS, browser, or VPN app may try another resolver.
How to prevent DNS leaks: 7 practical fixes
- Choose one intended DNS strategy. Decide whether the session should use VPN DNS, browser DoH, system encrypted DNS, router DNS, or a managed workplace resolver.
- Enable VPN DNS and leak protection. Use the VPN provider's DNS handling, kill switch, and block-outside-DNS options where available.
- Check browser DNS over HTTPS. Browser-level DoH can be useful, but it can also bypass VPN DNS expectations if enabled separately.
- Review split tunneling. Make sure the browsers and apps that matter are inside the VPN route if you expect their DNS to use the VPN.
- Handle IPv6 deliberately. Prefer correct IPv6 support, or use the VPN provider's documented IPv6 blocking mode. Do not make permanent IPv6 shutdown the default answer.
- Remove stale manual DNS settings. Check adapter, router, mobile profile, and browser settings that may have been left over from older troubleshooting.
- Retest after changes. Run IP, DNS, WebRTC, and IPv6 checks after reconnecting, changing Wi-Fi/cellular networks, changing VPN servers, or updating browser settings.
Prevention checklist by layer
| Layer | What to align | Why it matters |
|---|---|---|
| VPN app | DNS handling, kill switch, reconnect behavior, and split-tunnel rules | The VPN can change the visible IP while DNS still follows a different route if DNS is not controlled. |
| Browser | DoH settings, profiles, extensions, and WebRTC behavior | A browser can use DNS and network candidates that differ from the operating system or VPN app. |
| Operating system | Adapter DNS, mobile profiles, private DNS settings, and fallback resolvers | Old manual settings can survive VPN changes and keep sending lookups to an unexpected resolver. |
| Router or local network | DHCP DNS, captive portal behavior, IPv6 settings, and local policy | Hotels, workplaces, schools, and home routers can influence DNS before the browser even opens. |
| IPv6 route | Provider-supported IPv6, documented blocking mode, and leak-test results | IPv6 can be correct, blocked, or mismatched depending on the VPN and router configuration. |
This layer-by-layer view prevents a common mistake: changing one setting and assuming the whole device is fixed. For most users, what is a DNS leak and how to prevent it comes down to checking the exact browser, app, network, and VPN route used for the session that matters.
How to test whether prevention worked
Start with a baseline. Open What Is My IP without the VPN or privacy route, then connect the route you want to verify. Next, run DNS Leak Test and compare the resolver owner, ASN, country, and provider with your intended DNS strategy.
Then check related signals. Use WebRTC Leak Test because browser candidates can differ from DNS. Use IPv6 Leak Test because IPv6 may follow a different route from IPv4. Use VPN Leak Test when you want the combined view.
Only test networks and devices you own or are authorized to manage. These checks are passive browser-session checks, not permission to investigate other networks.
How to interpret common DNS leak results
| Result | Usually means | What to check next |
|---|---|---|
| ISP resolver appears while VPN is connected | Likely DNS route mismatch or VPN DNS not enforced | Enable VPN DNS protection, reconnect, and retest |
| VPN provider resolver appears | Often expected for VPN-managed DNS | Still check IPv6, WebRTC, and reconnect behavior |
| Browser DoH resolver appears | Browser DNS may override system or VPN DNS | Decide whether browser DoH or VPN DNS is intended |
| Resolver differs by browser or app | Profile settings, per-app DNS, or split tunneling may differ | Test the specific browser or app you use for sensitive activity |
| Resolver country differs from VPN exit country | Could be anycast, provider routing, or a mismatch | Compare ASN and provider, not only country labels |
| IPv6 appears outside expected route | VPN may not tunnel or block IPv6 as expected | Use provider-documented IPv6 handling and retest |
DoH, DoT, VPN DNS, and Smart DNS compared
| Option | What it does | Privacy limit | Best use |
|---|---|---|---|
| DNS over HTTPS | Encrypts DNS over HTTPS to a chosen resolver; standardized in RFC 8484 | May bypass VPN DNS if browser-managed | Intentional browser or OS encrypted DNS |
| DNS over TLS | Encrypts DNS over TLS; described in RFC 7858 | Needs clear resolver choice and OS/router support | System or router-level encrypted DNS |
| VPN DNS | Routes DNS through the VPN tunnel or provider resolver | Depends on VPN app, kill switch, reconnect behavior, and IPv6 handling | Most VPN privacy workflows |
| Smart DNS | Changes DNS-based routing for device or streaming compatibility | Usually not a privacy tool and usually does not encrypt DNS | Specific compatibility cases, not privacy-sensitive browsing |
DNS leaks, VPNs, IPv6, and WebRTC
A VPN can show the expected exit IP while DNS uses another path. That does not automatically prove the VPN is unsafe, but it does mean the configuration needs review. DNS, IP, IPv6, and WebRTC are related signals, not the same signal.
IPv6 is a common source of confusion. Some VPNs support IPv6, some block it, and some route only IPv4. WebRTC is browser-specific and can expose candidate signals in some setups. A clean DNS result is useful, but prevention is stronger when IP, DNS, WebRTC, and IPv6 all match the route you intended.
When DNS leak prevention matters most
- Public Wi-Fi: local network DNS can be more exposed or controlled by captive portals.
- Work or school networks: managed DNS may be required, so use approved settings rather than trying to bypass policy.
- Travel: resolver country and VPN exit country mismatches can trigger confusing login or location behavior.
- Split tunneling: apps outside the VPN can create DNS results that do not match the browser you tested.
- Sensitive accounts: account providers may evaluate IP, DNS, device, region, and behavior signals together.
- VPN troubleshooting: DNS results help explain why location, access, or leak-test results appear inconsistent.
What not to do
- Do not treat a VPN as anonymity. A VPN changes a network route and shifts trust; it does not remove identity, accounts, cookies, or device signals.
- Do not treat one DNS leak test as a full privacy audit. It is one snapshot from one browser, network, and moment.
- Do not make IPv6 shutdown the default fix. Prefer correct VPN/router behavior or provider-documented IPv6 handling.
- Do not assume random DNS resolvers are safer. Resolver trust, logging, jurisdiction, uptime, and performance all matter.
- Do not ignore browser and account tracking. DNS leak prevention cannot remove logins, cookies, browser fingerprints, payment records, or device identifiers.
What to do next
If your resolver matches the intended route, keep the setup simple and retest after major changes. If it does not match, decide which DNS strategy you want first: VPN DNS, browser DoH, system encrypted DNS, or router DNS. Then align VPN, browser, OS, router, IPv6, and split-tunnel settings around that choice.
The practical answer to what is a DNS leak and how to prevent it is straightforward: find the resolver path you actually use, compare it with the route you intended, fix mismatches carefully, and verify IP, DNS, WebRTC, and IPv6 together.
Frequently asked questions
What is a DNS leak?
A DNS leak happens when domain lookups use a resolver outside the route you intended, such as ISP DNS while a VPN is connected. It can reveal domain-level browsing patterns to a resolver or network path you did not expect.
How do I prevent DNS leaks with a VPN?
Use the VPN provider's DNS handling, enable leak protection if available, avoid conflicting browser or adapter DNS settings, check IPv6 behavior, and retest after reconnecting or changing networks.
Is DNS over HTTPS enough to prevent DNS leaks?
Not by itself. DNS over HTTPS encrypts DNS to a chosen resolver, but it may bypass VPN DNS expectations if it is controlled by the browser. Use it intentionally and verify the route.
Can IPv6 or WebRTC cause DNS leak confusion?
Yes. IPv6, WebRTC, browser DNS, and VPN routing are separate signals. A visible IP can look correct while DNS, IPv6, or WebRTC results still need review.
Does a clean DNS leak test prove full privacy?
No. A clean result is a useful snapshot for the current browser and network state. It does not prove every app uses the same route or remove account, cookie, device, or browser tracking.
Sources and methodology
MyIPScan tools and examples show observable browser and network signals. IP and geolocation results can be approximate, and VPN, DNS, WebRTC, IPv6, ASN, reputation, and browser checks are snapshots. A single result does not prove complete privacy or security. See the MyIPScan methodology and editorial policy.
This FAQ was updated using MyIPScan editorial guardrails: clear DNS privacy explanations, no anonymity guarantees, no one-test privacy proof, no provider rankings, no unsafe bypass advice, and careful distinction between DNS, VPN routing, WebRTC, IPv6, and browser behavior.