Routers Network

How to Perform a DNS Leak Test

By Daniel Roul

A DNS leak is one of those problems that stays invisible until you test for it. You can be connected to a VPN, see a foreign IP address, and still be quietly handing the list of websites you visit to your internet provider. This guide explains what a DNS leak is, how to run a test in a couple of minutes, how to read the result, and how to fix a leak if you find one.

What a DNS Leak Is

DNS, the Domain Name System, is the internet’s address book. Every time you open a website, your device asks a DNS server to translate the name, like example.com, into the numeric IP address computers actually use. Normally your internet provider runs that lookup, which means your provider sees every site you request.

When you connect to a VPN, those DNS lookups are supposed to travel through the encrypted tunnel to the VPN’s own DNS servers, so nobody outside can see them. A DNS leak happens when the lookups slip outside the tunnel and go to your provider’s servers instead. The result is that your browsing content looks protected, but the record of which sites you visited leaks anyway.

The tricky part is that this can happen even when everything looks fine. Your public IP address can appear hidden and changed while your DNS requests still leak, because the two travel on separate paths. That is exactly why you test rather than assume.

How to Perform a DNS Leak Test

The test takes about two minutes and uses a free testing website.

  1. First, get a baseline. With your VPN turned off, open a DNS leak test site such as dnsleaktest.com in your browser and run the standard test. Note the DNS servers and the provider name it shows, since this is your real internet provider’s DNS.
  2. Now connect your VPN and wait for it to confirm it is connected.
  3. Run the same test again on the same site. Many tools offer a standard test, which runs a handful of queries and is enough for a quick check, and an extended test, which runs many more for thoroughness.
  4. Compare the two results.

How to Read the Results

The comparison tells you everything.

  • If the second test, with the VPN on, shows DNS servers that belong to your VPN provider or a location matching your VPN, your DNS is staying inside the tunnel and you are fine.
  • If the second test still shows your real internet provider’s name, your home city, or the same DNS servers as your baseline, your DNS is leaking. The VPN is hiding your IP but not your lookups, which means your provider can still see the sites you visit.

While you are testing, it is worth checking two related leaks that expose information the same way. An IPv6 leak happens when your VPN only protects IPv4 traffic and your IPv6 requests escape. A WebRTC leak happens when WebRTC, a browser feature, reveals your real IP address to websites even through a VPN. Many leak-test sites check all three at once.

What Causes DNS Leaks

In most cases a leak is a side effect of how systems decide which network path to use, not a dramatic hack. The common causes in current setups are:

  • A browser’s own secure DNS feature, which can route lookups to a third party outside the VPN tunnel.
  • An operating system update that quietly reset your network settings.
  • A public hotspot that forces its own DNS rules on connected devices.
  • A manually configured VPN connection, which is more leak-prone than the provider’s official app.
  • IPv6 traffic that the VPN does not route through the tunnel.
  • Split tunneling, where you deliberately excluded some apps, and those apps then use the normal DNS path.
  • Leftover static DNS entries set on your network adapter.

How to Fix a DNS Leak

Work through these in order, retesting after each change so you know what fixed it.

  1. Turn on DNS leak protection and the kill switch in your VPN app. Most reputable VPNs include both. Using the provider’s official app rather than a manual setup eliminates many leaks on its own.
  2. Disable secure DNS in your browser. In Chrome, go to Settings, then Privacy and security, then Security, and turn off Use secure DNS. Edge and Firefox have the same setting under their security or privacy menus. This stops the browser from doing its own lookups outside the tunnel.
  3. Flush your DNS cache. On Windows, open Command Prompt and run ipconfig /flushdns. This clears stale entries that can point lookups the wrong way.
  4. Remove custom or static DNS entries on your Wi-Fi or Ethernet adapter, so the VPN’s DNS is the only one in use while connected.
  5. Address IPv6. If your VPN does not support IPv6, either disable IPv6 on your connection or switch to a VPN that handles it, so IPv6 lookups cannot escape.
  6. Switch VPN server or protocol, then retest. Sometimes a single server or protocol misbehaves, and changing it resolves the leak.

If leaks persist despite all this, the VPN itself may be the weak point. Free VPNs in particular often lack proper DNS leak protection, so a reputable paid service with audited leak protection is worth considering.

Make Testing a Habit

Leaks are not a one-time event. They come back as conditions change: a new internet provider, a move, a public network, a router firmware update, or a system update that resets your settings. A quick check of your IP, DNS, IPv6, and WebRTC after any major update takes under ten minutes and saves you from silently leaking for weeks.

Conclusion

A DNS leak test is a simple, two-minute check that tells you whether your VPN is actually protecting the record of where you go online, not just your IP address. Test with the VPN off for a baseline, then on, and compare. If your real provider still shows up, work through the fixes one at a time, starting with your VPN’s leak protection and your browser’s secure DNS setting. Then make a habit of retesting after big updates, because leaks have a way of quietly returning.

This touches on online privacy, which matters most when you are relying on a VPN for a specific reason. If that is your situation, testing regularly is the only way to be sure the protection is working.

Frequently asked questions

What is a DNS leak in simple terms?

It is when your device's website lookups escape your VPN tunnel and go to your internet provider's servers instead of the VPN's. Your traffic looks protected and your IP can appear hidden, but your provider can still see which sites you visit.

How do I know if my VPN is leaking DNS?

Run the test on a DNS leak test site with the VPN off to see your provider's DNS, then run it again with the VPN on. If the second result still shows your real provider or location, your DNS is leaking. If it shows the VPN's DNS, you are protected.

Can my IP look hidden while my DNS still leaks?

Yes. Your public IP address and your DNS requests travel on separate paths, so the VPN can mask your IP while your lookups still escape. That is why a DNS leak test is necessary even when your IP appears changed.

What is the difference between a DNS leak, an IPv6 leak, and a WebRTC leak?

A DNS leak exposes your website lookups. An IPv6 leak exposes IPv6 traffic the VPN did not tunnel. A WebRTC leak happens when WebRTC, a browser feature, reveals your real IP to websites. All three expose information a VPN is meant to hide, and many test sites check all of them.

How do I fix a DNS leak?

Enable DNS leak protection and the kill switch in your VPN app, disable secure DNS in your browser, flush your DNS cache, remove static DNS entries, handle IPv6, and switch server or protocol if needed. Retest after each change to confirm the fix.

Do free VPNs cause DNS leaks?

They are more likely to. Free VPNs often invest less in security infrastructure and may lack effective DNS leak protection, so leaks are more common. A reputable paid VPN with audited leak protection is more reliable.
