MyIPScan
How-To Guide

How to Fix a DNS Leak

Enable VPN DNS protection, disable Windows SMHNR, switch to full-tunnel mode, and verify with the DNS Leak Test. Takes around 15 minutes.

By: Katia Belokon · Updated June 2026

Before you start: Connect your VPN, then confirm the leak by opening the DNS Leak Test. If you see your ISP's DNS servers listed, this guide is for you.

Step 1 — Confirm the DNS leak

With your VPN connected, open the MyIPScan DNS Leak Test. The test shows which DNS resolvers are handling your queries. If the servers listed belong to your ISP rather than your VPN provider, DNS queries are bypassing the VPN tunnel.

A clean result shows DNS servers from your VPN provider's network, not from your home ISP or mobile carrier.

Step 2 — Enable VPN DNS leak protection

Most VPN clients include a DNS leak protection setting. This is the first thing to try:

  1. Open your VPN client's Settings or Preferences.
  2. Look for any of these options: DNS leak protection, Prevent DNS leaks, Use VPN DNS, Block DNS outside VPN tunnel.
  3. Enable the setting.
  4. Disconnect and reconnect the VPN.
  5. Re-run the DNS Leak Test.

If the leak is resolved, you are done. If not, continue to Step 3.

Step 3 — Switch to full-tunnel mode

Split-tunnel VPN mode routes only some applications or destinations through the VPN, leaving the rest — including potentially DNS — on the regular internet connection. Full-tunnel mode routes all traffic through the VPN.

  1. In your VPN client settings, check for a split-tunnel or app exclusion setting.
  2. If enabled, disable it (or remove all app exclusions) to restore full-tunnel operation.
  3. Reconnect the VPN and re-run the DNS leak test.

Step 4 — Disable Windows SMHNR (Windows only)

Windows 8.1 through Windows 11 include Smart Multi-Homed Name Resolution (SMHNR), which sends DNS queries to all available network resolvers simultaneously and uses the fastest response. When a VPN is active, this means queries go to both the VPN's DNS and your ISP's DNS in parallel — causing a DNS leak that VPN client settings alone may not prevent.

Via Group Policy (Windows Pro / Enterprise)

  1. Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to: Computer Configuration > Administrative Templates > Network > DNS Client.
  3. Double-click "Turn off smart multi-homed name resolution".
  4. Set it to Enabled and click OK.
  5. Restart your computer, reconnect the VPN, and re-test.

Via Registry (Windows Home)

  1. Press Win + R, type regedit, and press Enter.
  2. Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  3. If the DNSClient key does not exist, right-click Windows NT > New > Key and name it DNSClient.
  4. Inside DNSClient, right-click > New > DWORD (32-bit) Value.
  5. Name it DisableSmartNameResolution and set its value to 1.
  6. Restart your computer, reconnect the VPN, and re-test.

Step 5 — Optional: enable encrypted DNS

As a secondary layer of protection, configure DNS over HTTPS (DoH) in your browser. This encrypts DNS queries at the browser level, so even if a query reaches your ISP's resolver it is encrypted.

  • Firefox: Settings > Privacy & Security > DNS over HTTPS > Enable (choose a provider)
  • Chrome/Edge: Settings > Privacy and security > Security > Use secure DNS > select provider

Recommended DNS providers: Cloudflare 1.1.1.1, Quad9 9.9.9.9, or your VPN provider's own DoH endpoint if available.

Step 6 — Verify the fix

Run the DNS Leak Test one more time with your VPN connected. The result should show DNS servers from your VPN provider's network. If your ISP's DNS still appears, repeat Step 4 (Windows SMHNR) and confirm your VPN is in full-tunnel mode.

Related guides and tools

Frequently asked questions

What causes a DNS leak with a VPN?

The most common causes are: Windows Smart Multi-Homed Name Resolution sending DNS queries to all available resolvers at once; split-tunnel mode routing DNS outside the VPN tunnel; the VPN client not overriding the system DNS configured by DHCP; or the VPN app failing to set up its DNS correctly after reconnecting.

Does a DNS leak reveal the websites I visit?

Yes, to your ISP's DNS resolver. When your browser looks up a domain name, that query is visible to whichever DNS resolver handles it. A DNS leak means your ISP sees the domain names you resolve, even if the connection itself goes through the VPN and your IP is the VPN's exit IP.

Will setting my DNS to 1.1.1.1 or 8.8.8.8 fix a DNS leak?

Not on its own. If Windows SMHNR or split-tunnel configuration is routing DNS outside the VPN, your queries reach multiple resolvers regardless of which DNS address you set. The underlying routing issue must be fixed first. After fixing the routing, you can use any privacy-focused DNS server you prefer.

What is Windows Smart Multi-Homed Name Resolution?

SMHNR is a Windows feature (enabled by default since Windows 8.1) that sends DNS queries to all available network resolvers in parallel and uses the fastest response. When a VPN is active, it sends queries to both the VPN's DNS and the ISP's DNS simultaneously. Even if the ISP result is discarded, the query was still sent and visible to the ISP's resolver.

My VPN claims to have DNS leak protection. Why am I still leaking?

"DNS leak protection" implementations vary. Some VPN clients override the system DNS server but do not handle SMHNR on Windows. Others only work in full-tunnel mode. Check that your VPN is in full-tunnel mode, that SMHNR is disabled on Windows, and that the DNS Leak Test confirms your VPN's resolver is the only one responding.