A DNS leak occurs when your device sends Domain Name System requests outside the encrypted tunnel created by your VPN or proxy service. Instead of routing through your VPN provider's secure servers, these requests go directly to your ISP's DNS servers or public DNS services, revealing your browsing activity.
Here's why it matters: when you type a website address into your browser, your device must translate that human-readable domain name into an IP address. This translation request (a DNS query) exposes your intended destination unless it is deliberately routed through your VPN. Your ISP, network administrator, or eavesdroppers can see exactly which websites you're trying to visit, even if the actual traffic is encrypted.
Common causes include:
- IPv6 DNS requests that bypass IPv4 VPN tunnels
- WebRTC leaks in browsers that expose your real IP address
- Incorrect VPN configuration that leaves DNS settings unchanged
- Operating system or application-level DNS requests outside the VPN
To check for DNS leaks, use online tools like DNS Leak Test or ipleak.net while connected to your VPN. These services show which DNS servers are actually handling your requests. With a properly configured VPN, the results should list only the VPN provider's DNS servers, not your ISP's.
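As a local complement to the online tests, the following added example (not from the original page) audits a resolv.conf-style resolver configuration and flags any nameserver outside the VPN's DNS range, including IPv6 resolvers when the tunnel only covers IPv4. The sample configuration is constructed, and the `VPN_DNS_NETWORKS` range is a placeholder assumption to replace with your provider's resolver addresses.

```python
import ipaddress

# Constructed sample: resolver config captured while the VPN is connected.
SAMPLE_RESOLV_CONF = """\
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8:53::1
nameserver fe80::1%eth0
nameserver 127.0.0.53
options edns0
"""

# Assumption: ranges the VPN provider's resolvers live in (placeholder value).
VPN_DNS_NETWORKS = ["10.8.0.0/24"]


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id ("%eth0") before parsing the address.
            try:
                servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
            except ValueError:
                continue  # malformed entry: skip it
    return servers


def classify(addr, vpn_networks):
    """Label one resolver: 'vpn', 'stub' (local forwarder), or a leak reason."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    if any(addr.version == n.version and addr in n for n in nets):
        return "vpn"
    if addr.is_loopback:
        return "stub"  # real upstream servers sit behind the local forwarder
    if addr.version == 6 and not any(n.version == 6 for n in nets):
        return "leak-ipv6"  # IPv6 resolver while the tunnel only covers IPv4
    return "leak"


def audit(text, vpn_networks):
    """Map each configured resolver to its classification."""
    return {str(a): classify(a, vpn_networks) for a in parse_nameservers(text)}


if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF, VPN_DNS_NETWORKS))
```

A `stub` result means a local forwarder answers first, so its upstream servers need checking separately; applications that do their own DNS resolution are not covered by this configuration check.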
To prevent leaks: ensure your VPN provider uses its own DNS servers, manually configure DNS settings to use your VPN's servers, enable protocol support for both IPv4 and IPv6, and choose a VPN client that actively blocks WebRTC leaks. Some VPN applications include built-in leak protection features that automatically detect and prevent this vulnerability.
