What is a DNS leak when using a VPN?

A DNS leak happens when domain lookups (DNS queries) are sent outside the VPN tunnel — often to your ISP or a network’s DNS — even while the VPN appears connected. That can expose the sites you’re visiting as metadata.

Why do DNS leaks happen most often on Windows?

Windows can prioritise multiple network adapters, cached DNS, and fallback resolvers. After updates, sleep/wake, or network changes (Wi-Fi to hotspot), DNS can briefly route outside the tunnel unless the VPN enforces DNS protection and a proper kill switch.

Is IPv6 a common cause of leaks?

Yes. If your VPN protects IPv4 but doesn’t properly handle IPv6, some traffic (including DNS-related requests) may bypass the tunnel. Either use a VPN with solid IPv6 handling or disable IPv6 on that device/network.

Does a VPN make you anonymous?

Not fully. A VPN helps protect the network layer (IP/DNS leaks), but logins, cookies, fingerprinting and app identifiers can still link activity to you. Treat a VPN as one strong privacy layer, not total anonymity.

DNS Leak with a VPN: Detection & Fixes (2026)

Quick answer: A DNS leak means your DNS lookups (the domains you visit) escape the VPN tunnel. In this guide you’ll test DNS/IPv6/WebRTC in minutes and apply fixes on Windows, macOS, Android, iOS and routers — with realistic privacy limits.

If you want a clean baseline first, read What is a VPN?. If you just want “find & fix”, jump to Leak tests.

Written by Denys Shchur Updated: 2026-01-06 · 12–18 min read

Try NordVPN — DNS protection + kill switch Try Surfshark — RAM-only servers Try Proton VPN — privacy-first

On this page: Quick checklist · Why leaks happen · How to test · Fixes by device · FAQ

Clear definitions (what matters, what doesn’t)
Repeatable DNS/IPv6/WebRTC test routine
Device fixes + practical “edge cases”

Illustration for DNS leak detection and fixes (2026)

DNS leaks are one of the most common ways a “connected” VPN setup can still reveal sensitive metadata. A leak doesn’t necessarily expose the content of what you read — but it can expose which domains you visit and when, which is often enough for profiling, filtering, or correlation.

The good news: you can catch most leaks quickly with a simple routine and fix them with a small set of settings. The key is to test at the moments leaks usually happen: after updates, after sleep/wake, and after network changes.

Quick checklist (60 seconds)

Connect VPN → run DNS test → confirm you don’t see ISP/hotspot DNS.
Run IPv6 test → confirm IPv6 is protected or intentionally disabled.
Run WebRTC test in your main browser → confirm it doesn’t expose a real public IP.
Enable a proper kill switch → repeat after sleep/wake.
Repeat after switching Wi-Fi ↔ hotspot or after a VPN/OS update.

Key takeaway: “VPN connected” isn’t proof. A clean DNS/IPv6/WebRTC test is the proof.

VPN IP looks changed But DNS still shows ISP/hotspot That’s a leak signal

Diagram 1: A DNS leak happens when DNS lookups bypass the encrypted VPN tunnel.

Why DNS leaks happen (and when they’re most likely)

In real life, leaks are rarely “always on”. They often show up at transition points: after an OS/VPN update, after sleep/wake, or when changing networks. Windows is the most common culprit due to adapter priority, caching and fallback behaviour.

Common causes and what to check first
Cause	Why it leaks	Fast check
No proper kill switch	During brief disconnects DNS falls back to default resolvers.	Enable kill switch + retest after sleep/wake.
Split tunnelling	Some traffic (or DNS) intentionally bypasses the tunnel.	Turn split tunnelling off → compare results.
IPv6 handling	VPN protects IPv4 but IPv6 escapes outside the tunnel.	Run an IPv6 leak test; if leaking, use IPv6-safe VPN or disable IPv6.
DoH / browser DNS	The browser resolves DNS via its own channel.	Check browser DoH settings → retest.
Public Wi-Fi DNS enforcement	Hotspots push DNS/redirect rules (captive portals).	Login first → reconnect VPN → retest.

If you frequently use cafés, hotels or trains, combine this with VPN on public Wi-Fi and the Wi-Fi security checklist.

How to test DNS, IPv6 and WebRTC (a repeatable routine)

Do it like a mini lab: baseline without VPN, then with VPN, then after a reboot. This catches intermittent leaks that otherwise stay hidden for weeks.

Diagram 2: A simple decision flow that turns a test result into the next action.

What “good” vs “leak” looks like
Test	Good (with VPN)	Leak signal
DNS	Resolvers belong to the VPN or your intended secure configuration	ISP/hotspot DNS appears
IPv6	IPv6 protected (VPN IPv6) or intentionally disabled	Real IPv6 is visible
WebRTC	No real public IP exposed	Real public IP appears in WebRTC results

If you’re optimising your setup generally, see optimal VPN settings and VPN protocols. Some speed tweaks (like split tunnelling) can also make leaks more likely.

Fixes by device: Windows, macOS, Android, iOS and routers

The goal isn’t “more settings”. The goal is less randomness. Start with kill switch + DNS protection, then handle IPv6 and browser features.

Windows (most common leak point)

Enable DNS leak protection inside the VPN client (if offered).
Enable a proper kill switch and retest after sleep/wake.
After changes, flush DNS: ipconfig /flushdns
If your VPN doesn’t securely handle IPv6, disable IPv6 or use an IPv6-safe VPN configuration.

macOS

Enable DNS protection + auto-reconnect/always-on mode if available.
Check DNS state: scutil --dns
If leaks appear after sleep, reconnect VPN and retest.

Android

Enable “Always-on VPN” and “Block connections without VPN” (when available).
Be careful with split tunnelling: keep it off unless you really need it.
Retest after switching between Wi-Fi and mobile networks.

iOS

Prefer reputable official VPN apps and keep them updated.
After long idle periods, retest — leaks can happen around reconnect moments.
If profiles get messy, reinstall the VPN profile (see iPhone VPN setup).

Routers

VPN on the router is great for Smart TVs and consoles (see router VPN setup).
Set router/DHCP DNS to prevent devices falling back to ISP DNS.
If you don’t need IPv6, disabling it on the router can eliminate common leak paths.

Diagram 3: Three layers that prevent most real-world DNS leaks.

Repeatable troubleshooting checklist

Connect VPN → run DNS/IPv6/WebRTC tests.
Enable kill switch → retest after sleep/wake.
Disable split tunnelling (for testing) → compare results.
Handle IPv6 + browser DoH/WebRTC → retest.
Restart router/device → retest (catches intermittent leaks).

A “leak day” plan (so you don’t forget)
When	What you do	Time
After OS/VPN updates	Run quick DNS/IPv6/WebRTC tests + reconnect once	3–5 min
After network change	Retest (Wi-Fi ↔ hotspot)	2–4 min
Before streaming / travel	Check split tunnelling + DNS results	3–6 min
Monthly	10-minute hygiene check + quick notes	10 min

FAQ

How often should I test for leaks?: After initial setup, after OS/VPN updates, after sleep/wake issues, and whenever you change networks (home, work, public Wi-Fi).
Are free VPNs more likely to leak?: Often, yes — they may lack robust DNS enforcement and kill switch behaviour. If you’re comparing, see free vs paid VPN.
Is public DNS (1.1.1.1 / 9.9.9.9) enough?: It’s usually better than ISP DNS, but the ideal is DNS fully inside the VPN tunnel to reduce correlation risk.
What’s the fastest “first fix”?: Enable kill switch + DNS protection in your VPN app, then retest after sleep/wake.

Conclusion

DNS leaks are manageable if you treat testing as a habit, not a one-time task. A solid setup is: DNS protection + kill switch + clean handling of IPv6 and browser features. Retest on the days leaks actually happen — update day, network change day, and sleep/wake day.

Short video: VPN privacy explained in plain English

Key takeaway: the main job of a VPN is to separate who you are (your IP, ISP) from what you do (sites you access). DNS leaks rebuild that bridge — so we test.

If the player doesn’t load, watch on YouTube: https://www.youtube.com/watch?v=rzcAKFaZvhE.

About the author

Denys Shchur is the creator of VPN World, focusing on practical, test-driven guides about VPNs, online privacy and secure remote work. He spends far too much time checking for leaks so you don’t have to.

Recommended VPNs

Affiliate links (nofollow/sponsored).