What is a DNS leak? Everything you need to know to find and fix DNS leaks


If you're interested in staying safe online, it pays to understand the security risk that DNS leaks pose. But what are they, exactly, and how can you protect yourself?

Every time you visit a new website your system sends a DNS (Domain Name System) request to find the address of the site's server. Unless you have set up encrypted DNS (DNS over HTTPS or DNS over TLS), these requests travel in plain text, which means your ISP, Wi-Fi hotspot owners and even snoopers hanging around your favorite coffee shop may be able to log your browsing history.

Installing one of the best VPNs encrypts your connection, reducing the chance that anyone on the network can watch what you're doing. However, not all providers guard against DNS leaks, particularly free VPNs. So it's important to check that you're safe: simple DNS leak tests highlight problems in seconds, and this guide explains how and where you're at risk, how to run those tests, and what to do if your setup turns out to be vulnerable.

What is DNS?

Accessing a website looks easy - just enter its domain name in your browser. However, there's a lot of work going on underneath the hood.

In particular, for your browser to find a website's server, the domain name has to be translated into the server's IP address. That happens via the Domain Name System (DNS). Your device's resolver sends a request to a DNS server, asking it to look up techradar.com (or whatever other site you're trying to visit), and the server sends back the IP address.

It's a clever scheme, but has some privacy problems. For instance, devices normally use your ISP's DNS server, which means it's possible for the company to see and log where you're going online. 

Connect to public Wi-Fi and it gets worse. Even if you're accessing an encrypted (HTTPS) website, your DNS request is usually sent in plain text, so other hotspot users may be able to see which sites you're visiting (the page contents stay encrypted, but the hostnames you look up do not). 

And if that's not worrying enough, a malicious hotspot could force you to use its own DNS server, log your internet activities, maybe even redirect you to phishing or other fake sites to harvest your passwords and other personal information.  

What is a DNS leak?

Installing VPN software routes your device's DNS requests (and all its other internet traffic) through an encrypted tunnel to the VPN server. That hides your web activity from your ISP, hotspot operators and anyone else on the local network, including hotspot hackers.

At least, that's the theory. In reality, it's not always that simple. A 'DNS leak' happens when a VPN doesn't protect you properly and some or all of your DNS queries travel outside the tunnel, exposing your browsing history (and possibly your real IP address) to your ISP, the network operator or anyone else watching the traffic.

The bad news is you'll probably have no idea any of this is happening. In fact, as you've installed a VPN, you'll probably think you're entirely safe. The good news is that testing for a DNS leak is easy, and you can check your system within a few seconds.

How do I know if I have a DNS leak?

There are plenty of free DNS leak testing websites around, and the best do a great job of pointing out any privacy problems.

With your VPN disconnected, go to dnsleaktest.com and tap Extended Test. (This test simply sends more DNS queries than the 'Standard Test', so it maps all of the DNS servers your system is using rather than just the first to answer.) Make a note of the DNS server IP addresses listed in the test report. The test also displays the name of the ISP it thinks you're using, which should match the one you're currently subscribed to. 

Next, connect to the VPN on the device you'll use most often and run the test again. If the only DNS servers listed now belong to your VPN provider (typically located in the same country as the VPN server you chose), your DNS traffic is going through the tunnel. But if you still see some or all of your ISP's DNS servers, or servers that the VPN provider doesn't run, you probably have a DNS leak.

To confirm this, check the same device at a couple of other testing sites. First go to BrowserLeaks. Scroll down to the button marked 'DNS Leak Test' and click it. Again, if you see your ISP's DNS servers then you're vulnerable to a DNS leak.

Next try IPLeak and IPX. In both cases, scroll down to the 'DNS' section and check that your ISP's servers aren't listed.

When you’re using the above pages you may notice a category labeled 'WebRTC'. WebRTC leaks are another way in which your public IP address can be revealed, even if you’re using 

It's worth running tests on all devices. Passing (or failing) a test on an iPhone doesn't mean you'll see the same result on a Windows laptop or an Android phone, so we'd also recommend repeating the same leak test on every device you'll connect to the network, whether that's via an Android VPN, iPhone VPN, or your preferred mobile VPN app. 
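To make the procedure above concrete, here is an added example, written for this article rather than taken from dnsleaktest.com, BrowserLeaks or any other test site, that models in Python how such a test works and automates the before/after comparison you otherwise do by eye. The zone name leaktest.example, the resolver addresses and the log lines are all constructed; the real sites use their own zones and infrastructure.

```python
"""Added example: how a DNS leak test works and how to read its result.

Illustrative code written for this article, not the tooling behind any
real leak-test site. Zone name, addresses and log lines are constructed
(RFC 5737 / RFC 3849 documentation ranges).
"""
import ipaddress
import secrets

# Hypothetical zone owned by the leak-test site (assumption).
TEST_ZONE = "leaktest.example"


def make_probe_hostnames(session_id, count=6):
    """Return `count` never-before-seen hostnames for one test session.

    The test page loads tiny resources from names like these. No resolver
    can have them cached, so every one forces a query to the zone's
    authoritative server, which records the IP of the resolver that asked.
    The 'Extended Test' just uses more probes, so resolvers that handle
    only a share of your queries still get a chance to show up.
    """
    return [f"{secrets.token_hex(4)}.{session_id}.{TEST_ZONE}"
            for _ in range(count)]


def resolvers_seen(auth_log, session_id):
    """Extract the resolver IPs for one session from constructed
    authoritative-server log lines of the form '<resolver-ip> <qname>'."""
    suffix = f".{session_id}.{TEST_ZONE}"
    seen = set()
    for line in auth_log:
        parts = line.split()
        if len(parts) == 2 and parts[1].endswith(suffix):
            seen.add(parts[0])
    return seen


def classify(baseline, with_vpn, vpn_resolvers):
    """Compare resolvers seen without the VPN (baseline) to those seen
    with it: the same comparison the manual procedure asks you to make.

    isp_resolvers : baseline resolvers still answering -> classic DNS leak
    unexpected    : resolvers that are neither the ISP's nor the VPN's
    ipv6_resolvers: leaking resolvers reached over IPv6, a common cause
                    when a VPN client only tunnels IPv4
    """
    isp = with_vpn & baseline
    unexpected = with_vpn - baseline - vpn_resolvers
    leaking = isp | unexpected
    ipv6 = {ip for ip in leaking if ipaddress.ip_address(ip).version == 6}
    return {
        "leak": bool(leaking),
        "isp_resolvers": sorted(isp),
        "unexpected": sorted(unexpected),
        "ipv6_resolvers": sorted(ipv6),
    }


# --- Constructed demo data -------------------------------------------------
ISP_RESOLVERS = {"203.0.113.53", "203.0.113.54"}   # constructed ISP resolvers
VPN_RESOLVERS = {"198.51.100.10"}                  # constructed VPN resolver

# What the authoritative server logged for two sessions: 'off' with the
# VPN disconnected, 'on' with it connected but leaking DNS over IPv6.
DEMO_LOG = [
    "203.0.113.53 1a2b3c4d.off.leaktest.example",
    "203.0.113.54 5e6f7a8b.off.leaktest.example",
    "198.51.100.10 9c0d1e2f.on.leaktest.example",
    "2001:db8::53 3a4b5c6d.on.leaktest.example",
]


def demo():
    """Run the before/after comparison over the constructed log."""
    baseline = resolvers_seen(DEMO_LOG, "off")
    return classify(baseline, resolvers_seen(DEMO_LOG, "on"), VPN_RESOLVERS)


if __name__ == "__main__":
    print(make_probe_hostnames("on"))
    print(demo())
```

The constructed "on" session shows why IPv6 deserves its own check: the VPN's resolver is answering, yet an IPv6 resolver the provider doesn't run is also seeing the probe names, which is exactly the pattern a web test reports when the client tunnels only IPv4.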

How can I fix a DNS leak?

It's hard to believe, but although most VPNs have some form of DNS leak protection, they don't always enable it by default. Open your app's Settings panel, look for an option like 'DNS leak protection' and make sure it's turned on. 

Enable 'IPv6 Leak Protection', too, if it's available, and look for and turn on any setting which forces the use of the VPN's own DNS servers. Many VPN clients only tunnel IPv4, so if your ISP or hotspot hands out IPv6 addresses, DNS queries and other traffic sent over IPv6 can slip past the VPN entirely; that is why some privacy experts recommend disabling IPv6 altogether. NordVPN has a guide on how to do this on various platforms, but bear in mind its warning that most OS developers don't recommend it. 

Windows users may also want to disable Teredo, a transition technology that tunnels IPv6 traffic over IPv4 and so can carry IPv6 traffic around the VPN. Open an elevated Command Prompt (run as administrator) and type:

///CODE///
netsh interface teredo set state disabled
///CODE///

You can also search the VPN's support site for useful information on how to further protect yourself.

As a last resort, you could try changing your VPN protocols - this is the method the VPN uses to connect to its servers. Some protocols have their own versions of DNS leak protection, so if one fails, another might work. Go back to your app Settings panel and try a different protocol, if you have the option.

Flipping every possible app switch probably isn't a good idea, of course, so only make tweaks when they look promising. And whenever you change something, make a note, so you can restore the original setting if it doesn't work, or you notice other problems. (Changing protocol might fix a DNS leak but also slow you down, for instance.)

If none of this helps, maybe it's time to switch to a VPN which doesn't have a DNS leak. NordVPN and ExpressVPN always deliver leak-free results in our tests, although in the case of NordVPN using the browser extension alone without the VPN 'client' app may reveal an ISP's DNS servers. Make sure to connect via the NordVPN client app so that all of your device's traffic, not just the browser's, goes through the VPN. 

If you use the OpenVPN client on Windows to connect to your provider, then as of OpenVPN version 2.3.9 there's a very simple fix. Open the .ovpn configuration file you downloaded from the provider's website and add the line:

///CODE///
block-outside-dns
///CODE///

This option uses the Windows Filtering Platform to block any DNS traffic that doesn't go to the VPN's resolvers while the tunnel is up, which is why it only exists on Windows. On Mac and Linux the OpenVPN client has to be told to apply the DNS servers the VPN pushes to the system resolver instead, typically through an up/down script supplied with the client or the distribution's OpenVPN package.
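The following is an added example of the DNS-related lines in an OpenVPN client profile; it is not from the article or from any VPN provider. The server name vpn.example.net, the port, the certificate file names and the resolver address 198.51.100.10 are placeholders, and the Linux lines assume the update-resolv-conf helper shipped with the Debian/Ubuntu openvpn package (which in turn needs the resolvconf package).

```conf
# Added example, not a provider's profile. Placeholders: vpn.example.net,
# ca.crt, client.crt, client.key, 198.51.100.10.
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 3

# --- DNS leak protection -------------------------------------------------

# Windows only (OpenVPN 2.3.9 or later): block DNS traffic that would go
# anywhere other than the VPN's resolvers while the tunnel is up. Leave it
# out of profiles used on other platforms.
block-outside-dns

# Linux (Debian/Ubuntu openvpn package): apply the DNS servers the VPN
# pushes via dhcp-option to the system resolver for the session and
# restore the previous ones on disconnect. Uncomment these three lines
# on Linux instead of using block-outside-dns.
;script-security 2
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf

# If the provider does not push its DNS servers, pin them here so the
# protection above has something to enforce (placeholder address).
;dhcp-option DNS 198.51.100.10
```

After editing, reconnect and repeat the dnsleaktest.com check: with the Windows option in place, a query that tries to reach the ISP's resolver is dropped rather than answered, so the ISP's servers should disappear from the report.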

Windows users have it much easier, as the team behind dnsleaktest.com has developed a program named 'dnsfixsetup'. Once installed, each time you connect to the VPN it assigns your network adapters static DNS settings that force your machine to use your VPN provider's DNS servers, and it resets your network settings to how they were before once you disconnect.

No matter what platform you use, you should also consider setting a static DNS server address on your network adapter. This way your DNS queries always go to the resolver you chose, rather than to whichever servers your router or hotspot hands out via DHCP (Dynamic Host Configuration Protocol), which are usually the ISP's.

You can also take this opportunity to change the DNS servers you use when connecting to the internet without the VPN to a public DNS service. For instance, Cloudflare has a strict 'no logs' policy for its resolver, and Google says it only keeps IP addresses in its temporary logs for 24-48 hours, strictly for troubleshooting purposes. Bear in mind that this moves trust from your ISP to the resolver operator rather than removing it; while the VPN is connected, its own DNS servers should still be the ones in use. 

What to do if there’s still a DNS leak 

If after following these steps you still find that you’re suffering from DNS leak, first save your work then restart all your devices. You also may have to do the same with your router to make sure changes have taken effect.

If the issue still persists, you may also need to flush your DNS cache. This clears out answers cached before you made the changes, so your machine starts fresh using only the DNS servers it gets from the VPN connection. 

In Windows, just open the command prompt and type:

///CODE///
ipconfig /flushdns
///CODE///

You’ll see a message saying the operation was successful. This works on all versions of Windows from XP onwards. 

If you’re using a Mac, open Terminal and type the following:

///CODE///
sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder
///CODE///

You'll be asked for your password because of sudo. Unlike on Windows you won't see a confirmation message; the Terminal will just move to a new line if the command works.

Linux users can also flush the DNS cache from the Terminal, but the command depends on which resolver your distro runs (systemd-resolved, dnsmasq, nscd and so on). Check the documentation for your particular distribution if you need help.

Most web browsers also contain their own DNS cache, which you should also flush. If you’re using a Chromium based browser like Google Chrome or Opera, just click the address bar and type [your browser name]://net-internals/#dns e.g.

///CODE///
chrome://net-internals/#dns
///CODE///

From here you can click the button marked 'Clear host cache'.

Edge is Chromium-based too, so the same net-internals page works with the edge:// prefix. Alternatively, Edge users can follow the steps on the Microsoft Support site to clear their entire cache and cookies.

If you use Firefox or one of its derivatives, type about:networking#dns in the address bar, then click the button marked 'Clear DNS Cache'.

What happens after fixing a DNS leak? 

Even after plugging a DNS leak, remember there are other ways you can be identified while using a VPN, such as browser fingerprinting and the WebRTC leaks mentioned above.

Make sure to check your VPN provider's support pages regularly to confirm you're following its recommended privacy settings. You should also apply updates to your operating system and internet applications as soon as they become available, to fix security vulnerabilities.

If you're keen to do more to protect your privacy, consider also installing the Tor Browser. Connections are encrypted and routed through a series of relays. This not only conceals your IP address, but also lets you access Tor 'hidden services', which use the .onion suffix, e.g. BBC News' address is https://www.bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh7745uqd.onion/

Tor authenticates hidden services with public key cryptography: a .onion address is derived from the service's own public key (hence the long jumble of letters and numbers), so reaching one involves no DNS lookup at all. It's virtually impossible for one .onion site to impersonate another without holding its private key. Browser fingerprinting is also much harder, because everyone using the standardized Tor Browser presents a deliberately uniform fingerprint. 

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.
