Loading...
Skip to content
Security Advisor Hub Community Logo
Say Hello
Security Tool • Updated for 2026

DNS Leak Test Explained (2026)

What DNS leaks actually are, why they matter, and how to read DNS leak test results without panic.
Purpose: interpret Time: 2–3 minutes Watch: false alarms
Run a DNS check ↓ Methodology Affiliate Disclosure

A DNS leak happens when your device asks a DNS resolver (often your ISP) to look up websites outside your VPN tunnel — even though your web traffic is going through the VPN. In practice, that can reveal what domains you’re trying to visit to the wrong party. The good news: most DNS “fails” are either fixable settings issues or a misread test result. This page explains both.

What a DNS leak test checks (and what it doesn’t)

A DNS leak test can suggest
  • Which DNS resolvers appear to be answering your DNS queries.
  • Whether those resolvers look like your ISP (possible leak) or your VPN (good sign).
  • Whether your setup is consistent across networks (home vs travel Wi-Fi).
A DNS leak test cannot prove
  • Anonymity: DNS is one signal; tracking often persists via accounts/cookies/fingerprints.
  • No-logs claims: DNS tests don’t validate provider policies or internal handling.
  • All apps are protected: some apps may bypass system DNS (DoH/DoT/app-level).

Reality anchor: Passing one test ≠ total security. DNS tests reduce uncertainty — they don’t eliminate risk.

DNS check (guidance-first)

Not run yet

DNS “leak tests” usually require a server-backed resolver check. This panel helps you do a fast sanity check and interpret what’s typical vs suspicious.

Public IP (context)
If this is your ISP IP, your VPN may not be active for this browser.
Network label (best-effort)
Used to interpret results (not stored).
What to do next
Follow the interpretation blocks below.
Best next test
Server-backed DNS leak test
This page explains how to interpret results and fix issues.

Related tools: VPN Leak Test (IP, DNS, WebRTC) What is my IP address?

DNS in plain English: what’s happening

DNS is the internet’s “address book.” When you type a site like example.com, your device asks a DNS resolver: “What IP address should I connect to?” That lookup can be observed by whoever runs the resolver.

When a VPN is working as expected, DNS requests are typically routed through the VPN tunnel (or handled by DNS servers chosen by the VPN), so your ISP isn’t the default resolver seeing your lookups.

Simple boundary: A DNS leak is when your DNS lookups go to a resolver you didn’t intend (often your ISP) while you assume the VPN is protecting that traffic.

What DNS leak tests are good for (and not good for)

  • Good for: spotting obvious “VPN on but ISP DNS is used” misconfigurations.
  • Good for: confirming your setup after switching networks (hotel Wi-Fi, campus, work).
  • Not good for: proving a VPN provider is trustworthy.
  • Not good for: proving anonymity or stopping tracking.

If your main fear is tracking by websites, DNS is only part of the story — cookies, logins, and fingerprinting matter more.

How to read DNS leak test results

Result A: DNS resolvers look like your VPN (or a neutral resolver)

This is usually a good sign for everyday VPN use. It suggests your DNS path isn’t obviously leaking to your ISP. It still doesn’t guarantee anonymity — but it reduces a common exposure path.

Result B: DNS resolvers look like your ISP while VPN is ON

This could be a DNS leak — but it can also be a false alarm depending on how the VPN handles DNS, your browser settings, or your device’s “secure DNS” configuration. Treat it as a prompt to verify and adjust, not as instant proof your VPN is broken.

Result C: DNS results are mixed (multiple providers)

Mixed results are common. You may see a combination of VPN DNS, ISP DNS, and third-party resolvers when: you have browser DoH enabled, multiple network adapters, split tunneling, or OS-level secure DNS settings.

Common false alarms (don’t panic yet)

  1. Browser “Secure DNS” / DoH is enabled. Your browser may use a resolver like Cloudflare/Google regardless of VPN settings. That’s not necessarily a “leak” — it’s a different DNS path.
  2. Your VPN uses “smart DNS” or hybrid routing. Some VPNs route DNS differently for performance or compatibility. The question is whether the resolver is one you trust.
  3. Cached DNS results. DNS answers can be cached. Re-test after reconnecting the VPN, switching servers, or flushing DNS (advanced).
  4. Multiple network adapters. Ethernet + Wi-Fi + virtual adapters can create confusing results, especially on Windows.

What to do if you suspect a DNS leak

  • Step 1: Confirm the VPN is connected (disconnect/reconnect), then re-run the test.
  • Step 2: Check for split tunneling (make sure your browser is inside the tunnel).
  • Step 3: Review browser “Secure DNS” settings (Decide: keep it on intentionally, or align it with your VPN setup).
  • Step 4: Enable kill switch (prevents traffic escaping during brief drops).
  • Step 5: If available, set DNS to “VPN default” inside the VPN app (avoid custom DNS unless you understand the trade-off).

Related guides: How to test your VPN (DNS/IP/WebRTC) VPN not working? fixes that solve most problems

Recommended next steps

Limitations (important)

  • DNS testing often needs server support: many “DNS leak tests” rely on server-side logging of resolver IPs to be definitive.
  • DoH/DoT can override expectations: browser or OS secure DNS can change what you see.
  • Results vary by network: public Wi-Fi, captive portals, and corporate networks can behave differently.
  • Passing ≠ anonymity: DNS is one signal; identity often comes from logins/cookies/fingerprints.

FAQ

  • Is a DNS leak dangerous? It can be, because it may reveal what domains you’re visiting to the wrong resolver (often your ISP). Risk depends on your threat model.
  • Why do I see Cloudflare/Google in DNS tests? Many browsers/OSes use secure DNS (DoH) by default. That’s not automatically a leak — it’s a separate DNS path.
  • Does a DNS leak mean my VPN is useless? No. It usually means a configuration mismatch. Fixing DNS handling can restore expected behavior.
  • Should I disable secure DNS (DoH)? Not necessarily. The goal is consistency: understand whether DNS should go through your VPN or your chosen secure DNS resolver.
  • What’s the simplest “safe default”? For most users: keep VPN DNS set to default, avoid custom DNS unless needed, enable kill switch, and re-test after network changes.

Trust & disclosure

This page is educational and diagnostic. Results vary by provider, configuration, device, browser, and network. Learn more: Methodology Affiliate disclosure.