Before your browser can connect to any website, it needs to resolve the domain name to an IP address. That resolution request goes to a DNS resolver — typically one operated by your ISP unless you've explicitly changed it. The request is a plaintext query: "what's the IP address for example.com?" Your ISP's resolver logs it, answers it, and in many jurisdictions is legally required to retain those logs.
When you connect to a VPN, the expectation is that your traffic — including DNS — routes through the VPN tunnel to the VPN provider's resolver, not your ISP's. In theory, your ISP sees only encrypted VPN traffic and knows nothing about what sites you're visiting. In practice, many VPN setups fail to capture DNS traffic inside the tunnel, and queries continue reaching your ISP's resolver. This is a DNS leak.
Why DNS Leaks Happen
DNS leaks aren't usually the result of broken VPN software. They're often caused by OS-level behavior that predates widespread VPN use and was never designed with privacy in mind.
Windows Smart Multi-Homed Name Resolution
Windows 8 introduced a feature called Smart Multi-Homed Name Resolution. Rather than querying DNS resolvers sequentially, Windows sends queries to all configured resolvers simultaneously and uses the fastest response. The intent was to improve resolution speed on networks with multiple interfaces. The effect is that even when a VPN is active and has configured its own resolver, Windows may also send the same queries to your ISP's resolver — and whichever answers first "wins." The VPN may log nothing abnormal while the ISP receives every query.
IPv6 Traffic Bypassing the Tunnel
Most consumer VPNs were built to tunnel IPv4 traffic. IPv6 — now supported by most major ISPs and many sites — often bypasses the VPN entirely. If your device makes a DNS query using IPv6 transport and your VPN doesn't route IPv6 through the tunnel, that query goes directly to your ISP. You may not notice because the site resolves and loads normally.
DHCP-Pushed DNS Servers
When you connect to a network, your router typically pushes a DNS server address via DHCP. Some VPN clients fail to override this with the VPN provider's resolver. Your device uses the network-assigned resolver — your ISP or the local router's upstream — even while your traffic is tunneled.
Split Tunneling Configuration
Split tunneling allows some traffic to bypass the VPN (useful for local network access or streaming services that block VPN IPs). If DNS queries are not explicitly included in the tunneled set, they may route outside the VPN depending on implementation.
DNS queries expose your browsing history to your ISP even when your connection is otherwise encrypted. They also expose it to any network operator on your path — relevant on public WiFi, corporate networks, and in countries where internet infrastructure is operated or monitored by state entities.
DNS over HTTPS Doesn't Solve the Leak Problem
DNS over HTTPS (DoH) encrypts DNS queries so they're indistinguishable from regular HTTPS traffic to network observers. This prevents passive eavesdropping on DNS traffic — your ISP can no longer see query contents even without a VPN.
But DoH doesn't prevent DNS leaks in the VPN context. If your DoH-encrypted queries are going to a resolver outside the VPN tunnel, the VPN provider's resolver still sees nothing — and the resolver you're using (possibly a major public resolver that logs queries) still sees everything. DoH and VPN-enforced DNS routing are complementary protections that address different threat models.
How to Test for a DNS Leak
Testing is straightforward. With your VPN connected, search for "DNS leak test" and use one of the dedicated testing services. These services return the IP address and organization of the DNS resolver that handled the lookup. If the result shows your ISP's resolver (rather than your VPN provider's resolver or a neutral resolver), you have a leak.
Run the test with the extended or full option if available — this performs multiple queries and can catch intermittent leaks caused by the multi-homed resolution behavior described above, where some queries go to the VPN resolver and others go to your ISP.
How to Fix a DNS Leak
| Platform | Common Cause | Fix |
|---|---|---|
| Windows | Smart Multi-Homed Name Resolution | Disable via Group Policy: Computer Config → Admin Templates → DNS Client → Turn off smart multi-homed name resolution. Or use a VPN client with DNS leak protection built in. |
| macOS | Network interface priority, DHCP-pushed DNS | VPN client should override DNS. Verify via Network Preferences → DNS after connecting. Some clients require "prevent DNS leaks" option explicitly enabled. |
| Linux | systemd-resolved, NetworkManager not handing off to VPN resolver | Configure NetworkManager with dns=none and manage /etc/resolv.conf manually, or use a VPN client that integrates with systemd-resolved via resolvectl. |
| All platforms | IPv6 not tunneled | Disable IPv6 on the physical interface while VPN is active, or use a VPN that explicitly tunnels IPv6. WireGuard-based VPNs typically handle this better than OpenVPN. |
The most reliable fix is a VPN client that explicitly routes all DNS through the tunnel and enforces this at the OS level — overriding DHCP-pushed resolvers, disabling multi-homed resolution, and blocking DNS traffic on non-VPN interfaces (sometimes called a "DNS firewall" or "kill switch for DNS"). Most reputable consumer VPN providers offer this as an option, but it may not be enabled by default.
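The leak test described above and the Linux row of the fix table, as an added example that is not the article's own code: a local check that each configured resolver actually egresses through the VPN interface, plus the systemd-resolved pinning the table mentions. It assumes the VPN interface is named wg0 (overridable via VPN_IF), iproute2's ip, and resolvectl for the pinning function.

```shell
#!/bin/sh
# Added example, not from the article: a local Linux check that each
# configured resolver is reached through the VPN interface, plus the
# systemd-resolved pinning from the fix table. Assumptions: the VPN
# interface name is in VPN_IF (wg0 here) and iproute2 is installed.
VPN_IF="${VPN_IF:-wg0}"

# Print nameserver IPs from resolv.conf-style text on stdin.
parse_nameservers() {
  awk '$1 == "nameserver" { print $2 }'
}

# From `ip route get <ip>` output on stdin, print the egress interface.
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# "ok" if the egress interface is the VPN, otherwise "LEAK". IPv6 resolvers
# are covered too: `ip route get` accepts v6 addresses, so a v6 resolver
# routed out the physical interface (the bypass case above) is flagged.
verdict() {
  [ "$1" = "$VPN_IF" ] && echo ok || echo LEAK
}

# Check every resolver listed in a resolv.conf-style file; returns 1 on leak.
check_resolvers() {
  file="$1"; rc=0
  for ns in $(parse_nameservers < "$file"); do
    case "$ns" in
      127.*|::1) echo "$ns is a local stub; inspect 'resolvectl status' for per-link servers"
                 continue ;;
    esac
    dev=$(ip route get "$ns" 2>/dev/null | route_dev)
    v=$(verdict "${dev:-unknown}")
    echo "$ns egresses via ${dev:-unknown}: $v"
    [ "$v" = ok ] || rc=1
  done
  return "$rc"
}

# The fix from the table for systemd-resolved: bind the VPN resolver to the
# VPN link and make it the default route for all lookups ('~.').
pin_dns_to_vpn() {
  resolvectl dns "$VPN_IF" "$1" && resolvectl domain "$VPN_IF" '~.'
}

# Live check when run on a host with /etc/resolv.conf and iproute2.
if [ -r /etc/resolv.conf ] && command -v ip >/dev/null 2>&1; then
  check_resolvers /etc/resolv.conf || echo "resolver(s) outside $VPN_IF"
fi
```

Re-run the check after every VPN connect and after system or client updates, since those can reset the resolver configuration.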
The Relationship Between DNS Privacy and VPN Privacy
A VPN that leaks DNS provides a weaker privacy guarantee than it appears to. Your ISP cannot see your traffic contents or connection metadata — but they can build a detailed picture of your online activity from DNS logs alone. The domains you query, at what times, how often, and from what location constitute a near-complete browsing profile.
This matters differently depending on your threat model. For users primarily concerned with commercial tracking and ad targeting, a DNS leak to your ISP may be tolerable — most ad networks use JavaScript trackers rather than DNS correlation. For users with higher-stakes privacy concerns — including those in countries where ISP logs can be accessed by government agencies — a DNS leak effectively nullifies a significant part of what the VPN was supposed to provide.
The comparison between Tor and VPNs is also relevant here: Tor routes all traffic — including DNS — through the Tor network by design, making DNS leaks architecturally impossible. The trade-off is performance and the limitations of the exit node model.
Quick Checklist
- Enable "DNS leak protection" in your VPN client settings if available
- On Windows: disable Smart Multi-Homed Name Resolution via Group Policy
- Disable IPv6 on your physical interface if your VPN doesn't tunnel IPv6
- After connecting, verify via a DNS leak test that queries route to your VPN's resolver
- Consider DNS over HTTPS as an additional layer — it protects DNS even when the VPN is disconnected
- Re-test after system updates or VPN client updates, which can reset settings
A VPN with a DNS leak is not useless — it still encrypts your traffic content and masks your IP from destination servers. But it's materially weaker than a VPN without one, and the fix is usually a single setting change once you know where to look.