DNS leaks: what are they, should you be concerned and how to stop them
Prevent DNS leaks from jeopardizing your privacy
When shopping around for the best VPN you’ll no doubt have seen claims promising to prevent DNS leaks, which should be a relief if you value robust privacy online – provided you know what a DNS leak actually is.
The 'DNS' part refers to Domain Name System, and you use it every time you visit a website. Yet this process can be prone to misconfiguration, causing personal details to bypass your secure VPN tunnel and be exposed to your ISP instead.
DNS leaks may sound worrisome, but they’re easy to prevent. We’ll explain what they are below and how you can stop them from happening.
What is DNS?
Think of DNS as the internet’s digital address book.
Each web resource has its own easy-to-recall URL (e.g. www.techradar.com), and punching it into your browser prompts a request to a DNS server to retrieve its corresponding IP address – a machine-friendly string of numbers required to take you to your digital destination.
Multiple servers can be involved. Recursive DNS servers are the first point of contact. If the recursive server hasn't cached the address, it will contact the root nameserver, TLD nameserver, and lastly, the authoritative server, which holds an up-to-date record of its domains.
That process may sound exhaustive, but it all takes place in milliseconds. Want to know more? Our dedicated guide to DNS dives deep into its ins-and-outs.
While many internet users won't care who sees their DNS requests (it's a perfectly normal way for the web to operate), those who are particularly privacy-conscious or don't like the idea of being tracked online may prefer to hide them.
This has become a key reason for the rise in popularity of VPNs, with their encrypted tunnels able to shield DNS requests – in theory, at least...
What is a DNS leak?
A VPN connection should secure all web traffic between your device and the internet, allowing you to keep your online identity and activity on a 'need-to-know' only basis.
A DNS leak, however, means that your data has breached the VPN tunnel. Yes, even though your VPN was active, and even if it operates its own DNS servers, your DNS query can be wrenched out of your VPN tunnel and routed to a third-party server.
Typically this belongs to your ISP, who’ll then be able to see your IP address, location, and any web domains you’ve visited. It’s even possible that bad actors monitoring your network could spy these details, too – and that’s exactly what a VPN is designed to prevent.
These leaks are the outcome of various factors; outdated software and misconfigured settings among them. For instance, adding a custom DNS provider may seem like a good idea, but it can interfere with the security protocols your VPN has already put in place.
You’ll find that certain operating systems (e.g. Windows 11) override your VPN settings too, leading to DNS requests being routed out of your secure tunnel for resolution on one of the operating system’s own preferred servers.
WebRTC applications can cause similar issues, and limited VPN support for IPv6 connections might see your DNS query abandon ship, deferring to your ISP’s server, given that it takes a dual-stack approach that manages both IPv4 and IPv6 traffic.
Some VPNs, meanwhile, simply lack their own DNS servers.
You can quickly test for free online whether your data is being leaked (https://www.dnsleaktest.com), and that’s worth doing to be sure that your privacy isn’t unwittingly being undermined.
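To check locally rather than through a website, the added example below (not part of the original article) scans DNS queries in a packet capture and reports any that leave outside the VPN tunnel, including the IPv6 case described above, or that travel through the tunnel to a resolver other than the VPN's own. The capture lines are constructed, modelled on `tcpdump -i any -n port 53` output, and the names tun0, eth0 and the resolver address 10.8.0.1 are assumptions.

```python
import ipaddress
import re

# Constructed capture lines in the style of `tcpdump -i any -n port 53` (not real traffic).
# Assumed names: tun0 = VPN tunnel, eth0 = physical NIC, 10.8.0.1 = the VPN's own resolver.
SAMPLE_CAPTURE = """\
12:00:01.100000 tun0  Out IP 10.8.0.2.51000 > 10.8.0.1.53: 4660+ A? www.techradar.com. (35)
12:00:01.200000 eth0  Out IP 192.168.1.10.51001 > 192.168.1.1.53: 4661+ A? www.techradar.com. (35)
12:00:01.300000 eth0  Out IP6 2001:db8::10.51002 > 2001:db8::53.53: 4662+ AAAA? www.techradar.com. (35)
12:00:01.400000 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.51000: 4660 1/0/0 A 203.0.113.7 (51)
12:00:01.500000 tun0  Out IP 10.8.0.2.51003 > 1.1.1.1.53: 4663+ A? example.org. (29)
"""

# Matches outbound query lines only: responses carry no "TYPE?" token and inbound lines are "In".
QUERY = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+Out\s+IP6?\s+\S+\s+>\s+(?P<dst>\S+):\s+\d+\+?\s+"
    r"[A-Z]+\?\s+(?P<name>\S+)"
)


def find_dns_leaks(capture, tunnel_iface, vpn_resolvers):
    """Return (iface, resolver, qname, reason) for each outbound query that escapes the VPN."""
    allowed = {ipaddress.ip_address(r) for r in vpn_resolvers}
    findings = []
    for line in capture.splitlines():
        m = QUERY.match(line)
        if not m:
            continue  # responses, inbound packets, anything that is not a query
        host, _, port = m["dst"].rpartition(".")  # the last dot separates address and port
        if port != "53":
            continue
        resolver = ipaddress.ip_address(host)
        if m["iface"] != tunnel_iface:
            reason = "outside-tunnel"  # visible to the local network and the ISP
        elif resolver not in allowed:
            reason = "non-vpn-resolver"  # inside the tunnel, but not the VPN's own DNS
        else:
            continue
        findings.append((m["iface"], str(resolver), m["name"].rstrip("."), reason))
    return findings


if __name__ == "__main__":
    for finding in find_dns_leaks(SAMPLE_CAPTURE, "tun0", ["10.8.0.1"]):
        print(finding)
```

Only cleartext DNS on port 53 is covered here; lookups sent over DNS over HTTPS or DNS over TLS would not appear under this capture filter.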
How worried should I be about DNS leaks?
At the least, DNS leaks can be seriously annoying: eroding trust in the anonymity claims of a VPN and transmitting your browsing history to your ISP and other onlookers.
For those who use their VPN for casual browsing or geo-unblocking content, the occasional leak shouldn’t cause too much alarm. Yet it’s undeniable that, in bypassing your VPN’s encrypted tunnel, the likelihood of being tracked by third parties increases.
A company with your IP address can profile your activity and inundate you with targeted ads. It’s also all the ammunition a hacker needs to carry out disruptive Denial-of-Service (DoS) and Man-in-the-Middle (MitM) attacks.
Those living under totalitarian governments, however, have the most cause for concern, as leaked evidence of prohibited web activity can lead to legal action.
It’s particularly prudent for journalists to be protected against DNS leaks. For example, China and Russia are two countries that implement strict internet surveillance, and issue fines for using unauthorised VPNs to access banned sites like Facebook.
How to prevent DNS leaks
Any VPN provider worth its salt will have DNS leak protection safeguards. How wide-ranging these are varies, but one of the most vital components is a VPN that operates its own DNS servers.
Proton VPN is pretty comprehensive in this regard. As one of the most secure VPNs, it runs its own DNS servers and gives users a suite of solutions to counteract privacy threats like leaks. There's a kill switch to keep your web traffic from being transmitted outside of your VPN tunnel, for example, and procedures to mitigate IPv6 and WebRTC-related vulnerabilities.
On top of that, some VPNs offer DNS filtering tools (e.g. NetShield) that can block malware capable of changing your network’s DNS so you’re rerouted to fraudulent websites.
You can tinker with your own DNS settings, which might include adopting a custom DNS resolver like Cloudflare (1.1.1.1), and manually changing your own settings across multiple systems. If you have the technical know-how, why not?
For novices, though, there’s a high possibility of misconfiguration that can hinder your VPN’s own leak prevention measures and cause DNS leaks to keep on happening.
Using a reputable VPN with DNS leak protection is often the easiest option – especially as many of them offer comprehensive privacy safeguards you can activate at the touch of a button.

Daniel Pateman is a freelance writer, producing articles across the cultural spectrum for magazines like Aesthetica, Photomonitor, The Brooklyn Rail and This is Tomorrow. He also provides text-writing services to individual curators and artists worldwide, and has had work published internationally. His favourite film genre is horror (bring on Scream 5!) and he never tires of listening to Absolute 80s on the radio.

