What is a DNS leak? Where to find them, how to fix and more explained


If you're interested in staying safe online then you've probably heard that DNS leaks are a real security risk. But what are they, exactly, and how can you protect yourself?

Every time you access a new website your system sends a DNS (Domain Name System) request to find the site's server. These requests aren't encrypted, which means your ISP, Wi-Fi hotspot owners, even snoopers hanging around your favorite coffeeshop might be able to log your browsing history.

Installing a VPN encrypts your connection, reducing the chance that hackers can watch what you're doing, but not all providers keep you DNS-leak-free. It's important to check that you're safe.

In this article we'll explain some DNS basics, and how and where you're at risk. We'll talk about simple DNS leak tests which can highlight security holes in seconds, and if it turns out you're vulnerable, give you some useful ideas on what to do next.

What is DNS?

Accessing techradar.com looks easy, just enter its domain name in your browser - but there's a lot going on underneath.

In particular, for your browser to find TechRadar's server, it has to translate the techradar.com domain into the server's IP address.

The magic happens via the Domain Name System (DNS). Your browser sends a request to a DNS server, asking it to look up techradar.com (or whatever other site you're trying to visit) and the server sends back the IP address.

It's a clever scheme, but has some privacy problems. For instance, devices normally use your ISP's DNS server, which means it's possible for the company to see and log where you're going online. 

Connect to public Wi-Fi and it gets worse. Even if you're accessing an encrypted https website, your DNS request is usually plain text, so other hotspot users might be able to spy on the sites you're visiting. And if that's not worrying enough, a malicious hotspot could force you to use its own DNS server, log your internet activities, maybe even redirect you to phishing or other fake sites. 


What is a DNS leak?

Installing the best VPN allows your device to route its DNS requests (and all its other internet traffic) through a secure connection. Banking-grade encryption hides your web activities from your ISP, hotspot operators and others, as well as shielding you from pesky hotspot hackers.

Well, that's the theory. In reality, it's not always that simple. A 'DNS leak' happens when a VPN doesn't properly protect you, and your DNS queries, browsing history and maybe your device IP address are exposed to attackers.

The bad news is you'll probably have no idea any of this is happening. In fact, as you've installed a VPN, you'll probably think you're entirely safe.

The good news is testing for a DNS leak is easy, and you can check your system within a few seconds.

How do I know if I have a DNS leak?

There are plenty of free DNS leak testing websites around, and the best do a great job of pointing out any privacy problems.

With your VPN disconnected, go to dnsleaktest.com and tap Extended Test. Make a note of the DNS server IP addresses listed in the test report.

Connect to the VPN on the device you'll use most often and run the test again. If you see new DNS servers which don't belong to your ISP, the connection is secure. But if you still see some or all of your ISP DNS servers, you probably have a DNS leak.

To confirm this, check the same device at a couple of other testing sites. BrowserLeaks, IPLeak and ipx are fast and deliver a stack of extra privacy details.

(Passing (or failing) a test on an iPhone doesn't mean you'll see the same result on a Windows laptop or an Android phone, so we'd also recommend repeating the same leak test on every device you'll connect to the network - whether that's via an Android VPN, iPhone VPN or something else.)
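
The before-and-after comparison described above can be done by hand, but here is an added sketch (not from the original article) that does it for you: give it the resolver addresses noted with the VPN off and those seen with the VPN on, and it reports any that still point at your ISP. The function names are hypothetical, the sample addresses are constructed from documentation ranges, and treating a resolver in the same /24 (IPv4) or /48 (IPv6) as the baseline as a probable leak is an assumption, a hint to investigate rather than proof.

```python
import ipaddress

def _network(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to its surrounding network (assumed ISP block size)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def find_dns_leaks(baseline, with_vpn):
    """Return resolvers seen with the VPN on that match the VPN-off baseline.

    Each result is (ip, reason): 'exact' if the same address appeared in the
    baseline, 'same-network' if it only shares the baseline's /24 or /48.
    """
    base_addrs = {ipaddress.ip_address(ip) for ip in baseline}
    base_nets = {_network(ip) for ip in baseline}
    leaks = []
    for ip in with_vpn:
        addr = ipaddress.ip_address(ip)   # normalises IPv6 spelling variants
        if addr in base_addrs:
            leaks.append((str(addr), "exact"))
        elif _network(ip) in base_nets:
            leaks.append((str(addr), "same-network"))
    return leaks

# Constructed sample data (documentation address ranges, not real resolvers)
BASELINE = ["198.51.100.10", "198.51.100.11", "2001:db8:1::53"]   # VPN off
VPN_OK = ["203.0.113.5"]                                          # VPN on, clean
VPN_LEAK = ["203.0.113.5", "198.51.100.10", "198.51.100.77",
            "2001:db8:1:0:0:0:0:99"]                              # VPN on, leaking

if __name__ == "__main__":
    for label, seen in (("clean run", VPN_OK), ("leaky run", VPN_LEAK)):
        leaks = find_dns_leaks(BASELINE, seen)
        print(label, "->", leaks if leaks else "no ISP resolvers seen")
```

Run it once per device, since each device needs its own baseline and its own VPN-on result.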


How can I fix a DNS leak?

It's hard to believe, but although most VPNs have some form of DNS leak protection, they don't always enable it by default. Open your app's Settings panel, look for an option like 'DNS leak protection' and make sure it's turned on. 

Enable 'IPv6 Leak Protection', too, if it's available, and look for and turn on any setting which forces the use of the VPN's own DNS servers. Search the VPN's support site for useful information.

As a last resort, you could try changing your VPN app's protocol (this is the method the VPN uses to connect to its servers). Some protocols have their own versions of DNS leak protection, so if one fails, another might work. Go back to your app Settings panel and try a different protocol, if you have the option.

Flipping every possible app switch probably isn't a good idea, of course, so only make tweaks when they look promising. And whenever you change something, make a note, so you can restore the original setting if it doesn't work, or you notice other problems. (Changing protocol might fix a DNS leak but also slow you down, for instance.)

If none of this helps, maybe it's time to switch to a VPN which doesn't have a DNS leak. NordVPN and ExpressVPN always deliver leak-free results in our tests.

Our #1 top rated VPN is ExpressVPN
Of the 200+ VPNs that we've tested, it's ExpressVPN that tops the lot - it's speedy, secure, simple to use and superb for streaming! And if you're still not sure whether VPNs are for you, you can try ExpressVPN 100% risk free by taking advantage of its 30-day money back guarantee.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.