
What Is a DNS Leak? Causes, Risks, and How to Fix It

A DNS leak lets your ISP see every domain name you visit even when you are connected to a VPN. Understanding what causes DNS leaks helps you prevent them and verify your VPN is working as expected.

By: Katia Belokon · Updated June 2026

What is DNS?

DNS (Domain Name System) is the internet's address book. When you type "google.com" into your browser, your device sends a DNS query to a DNS resolver — typically one operated by your ISP — asking for the IP address associated with that domain. The resolver looks up the answer and returns the IP so your browser can connect to the correct server.

DNS queries are sent in plaintext by default, which means your ISP can see every domain name your device requests, along with the time of each request, both at its own resolver and on the network path to it. This is how your ISP builds a picture of your browsing habits even when the content itself is encrypted by HTTPS.

What is a DNS leak?

A DNS leak occurs when your DNS queries are sent to your ISP's DNS resolver — or another resolver outside your VPN — instead of the VPN provider's encrypted resolver, even while you are connected to the VPN. Your browsing traffic may be encrypted inside the VPN tunnel, but the DNS queries travel outside it.

The result: your ISP can see every domain name you visit, even though your intent was to prevent exactly that by using a VPN.

What causes DNS leaks?

  • Windows DNS fallback: Windows has a feature called Smart Multi-Homed Name Resolution that sends DNS queries to multiple resolvers simultaneously and uses whichever responds fastest. If the VPN's DNS is slower, Windows may accept the ISP's DNS response. This is one of the most common causes of DNS leaks on Windows.
  • Split tunneling: When split tunneling is configured to route only certain apps or traffic through the VPN, DNS queries from excluded apps may go directly to the system DNS resolver.
  • Router-level DNS: If your router is configured to use your ISP's DNS resolver, and the VPN client does not fully override DNS at the OS level, DNS queries may bypass the VPN.
  • VPN reconnection: When a VPN drops and reconnects, there is a brief period where the VPN's DNS override is not active and queries go to the default system DNS.
  • VPN clients that do not override DNS: Some VPN clients — particularly older or manual OpenVPN configurations — do not automatically override the system DNS with the VPN's resolver.

How to test for a DNS leak

  1. Disconnect your VPN. Run MyIPScan's DNS Leak Test and note which DNS resolver responds. This will be your ISP's DNS server.
  2. Connect your VPN.
  3. Run the DNS Leak Test again in the same browser.
  4. The resolver shown should now be your VPN provider's DNS server. If it is still your ISP's server (or another unexpected resolver), you have a DNS leak.

Common DNS resolvers and what they mean: if the test shows Cloudflare (AS13335) or Google (AS15169), it means DNS is going through those public resolvers — not necessarily a leak if your VPN deliberately uses those. If it shows your ISP's ASN (e.g., Comcast, BT, Deutsche Telekom), that is a DNS leak.
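The comparison in steps 1 to 4, combined with the ASN reading above, written out as an added example (not MyIPScan's code). The resolver records, documentation-range IPs and ASNs 64500/64510 are constructed, and `vpn_asns` is an assumed list of the ASNs your VPN is known to use for DNS.

```python
from dataclasses import dataclass

# ASNs the guide names for public resolvers.
PUBLIC_RESOLVER_ASNS = {13335: "Cloudflare", 15169: "Google"}

@dataclass(frozen=True)
class Resolver:
    ip: str
    asn: int
    org: str

def classify(resolver, baseline, vpn_asns):
    """Label one resolver seen with the VPN up: 'ok', 'review' or 'leak'."""
    in_baseline = (resolver.ip in {r.ip for r in baseline}
                   or resolver.asn in {r.asn for r in baseline})
    if resolver.asn in vpn_asns:
        # Baseline in the same ASN: the test cannot tell the two apart.
        return "review" if in_baseline else "ok"
    if in_baseline:
        return "leak"      # still the resolver seen without the VPN
    if resolver.asn in PUBLIC_RESOLVER_ASNS:
        return "review"    # public resolver the VPN is not known to use
    return "leak"          # any other unexpected resolver

def verdict(baseline, with_vpn, vpn_asns):
    """Return (overall, per-resolver labels); one leaking resolver is enough."""
    if not with_vpn:
        return "review", []    # the second test returned nothing to compare
    results = [(r, classify(r, baseline, vpn_asns)) for r in with_vpn]
    labels = {label for _, label in results}
    overall = "leak" if "leak" in labels else "review" if "review" in labels else "ok"
    return overall, results

# Constructed sample data: documentation IP ranges and reserved ASNs.
BASELINE = [Resolver("203.0.113.53", 64500, "Example ISP")]
VPN_ASNS = {64510}
CLEAN = [Resolver("198.51.100.10", 64510, "Example VPN")]
# Both resolvers answer, as with Smart Multi-Homed Name Resolution.
MIXED = CLEAN + [Resolver("203.0.113.54", 64500, "Example ISP")]
PUBLIC = [Resolver("192.0.2.1", 13335, "Cloudflare")]

if __name__ == "__main__":
    for name, run in (("clean", CLEAN), ("mixed", MIXED), ("public", PUBLIC)):
        overall, results = verdict(BASELINE, run, VPN_ASNS)
        print(name, overall, [(r.org, label) for r, label in results])
```

A "review" result means the ASN alone cannot settle the question: confirm with your VPN provider which resolver it uses before treating the run as clean.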

How to fix a DNS leak

  • Use a VPN client with built-in DNS leak protection — Mullvad and IVPN provide this by default. ProtonVPN does too when the kill switch is enabled.
  • On Windows: Disable Smart Multi-Homed Name Resolution via Group Policy (gpedit.msc → Administrative Templates → Network → DNS Client → Turn off smart multi-homed name resolution) and ensure your VPN client sets DNS at the adapter level.
  • On macOS/Linux: Configure your network adapter's DNS settings to use the VPN's DNS while connected, or, on Linux, use a local DNS resolver like systemd-resolved with strict forwarding.
  • Router-level fix: Configure your router to use a privacy-friendly DNS such as Quad9 (9.9.9.9) or the VPN's DNS, rather than your ISP's DNS.
  • Enable DNS over HTTPS (DoH) or DNS over TLS (DoT) in your browser to encrypt DNS queries independently of your VPN configuration.

Frequently asked questions

What is a DNS leak?

A DNS leak is when your DNS queries are sent to your ISP's resolver instead of the VPN's resolver, even while connected to a VPN. This lets your ISP see every domain name you visit despite your VPN being active.

What causes a DNS leak with a VPN?

Common causes include the Windows Smart Multi-Homed Name Resolution fallback, split tunneling configurations, router-level DNS settings that override the VPN, VPN reconnection gaps, and VPN clients that do not fully override system DNS.

How do I test for a DNS leak?

Connect your VPN, then run MyIPScan's DNS Leak Test. If the resolver shown is your ISP's DNS server instead of the VPN's resolver, you have a DNS leak. Compare with a baseline test run without the VPN connected.

Is a DNS leak dangerous?

A DNS leak means your ISP can log every domain name you visit even when you believe the VPN is protecting you. If your threat model involves preventing ISP monitoring of your browsing habits, a DNS leak is a significant privacy failure.

How do I fix a DNS leak?

Use a VPN with built-in DNS leak protection (such as Mullvad or IVPN). On Windows, disable Smart Multi-Homed Name Resolution. Configure your router to use a privacy-friendly DNS. Enable DNS over HTTPS in your browser as an additional layer.