What Is a DNS Leak and How to Prevent It
Learn what DNS leaks are, why they expose your browsing activity even when using a VPN, and practical steps to detect and prevent them.
What Is DNS and Why Does It Matter?
Every time you visit a website, your device performs a DNS (Domain Name System) lookup. DNS is often called the “phone book of the internet” — it translates human-readable domain names like example.com into the IP addresses that computers use to communicate. Without DNS, you would need to memorize strings of numbers to visit any website.
Here is the problem: DNS queries are, by default, sent in plain text. Your internet service provider (ISP), network administrator, or anyone monitoring your connection can see every domain you look up. Even if the website itself uses HTTPS encryption, the DNS query that initiated the connection is fully visible. This means your entire browsing history is exposed at the DNS level.
How DNS Leaks Happen with a VPN
When you connect to a VPN, all your internet traffic should be routed through an encrypted tunnel to the VPN server. That includes DNS queries. The VPN server should handle DNS resolution on your behalf, so your ISP never sees which domains you are visiting.
A DNS leak occurs when some or all of your DNS queries bypass the VPN tunnel and are sent directly to your ISP’s DNS servers — or another third-party resolver — instead of through the VPN. This can happen for several reasons:
- Misconfigured VPN client — The VPN software fails to override your operating system’s default DNS settings.
- OS-level fallback behavior — Windows, in particular, has a feature called “Smart Multi-Homed Name Resolution” that sends DNS queries over all available network interfaces simultaneously, including ones outside the VPN tunnel.
- IPv6 leaks — If the VPN only tunnels IPv4 traffic, DNS queries sent over IPv6 can leak to your ISP.
- Manual DNS configuration — If you have manually set a DNS server (like Google’s 8.8.8.8), your system may continue using it even after the VPN connects.
- Network changes — Switching from Wi-Fi to mobile data (or vice versa) can reset DNS settings and cause leaks until the VPN reconnects.
Why DNS Leaks Are a Serious Privacy Risk
A DNS leak effectively defeats one of the primary purposes of using a VPN. Even though your actual web traffic remains encrypted, the DNS queries reveal exactly which websites and services you are accessing. This information can be used for:
- ISP surveillance — Your provider can log every site you visit and sell that data to advertisers or hand it over to authorities.
- Targeted advertising — DNS data is valuable for building browsing profiles and serving targeted ads.
- Censorship enforcement — In countries with internet censorship, leaked DNS queries can trigger blocks or draw attention from authorities.
- Network-level attacks — An attacker on your local network can intercept leaked DNS queries and redirect you to malicious sites.
The worst part is that DNS leaks are silent. You will not receive any warning or error message. Your VPN will appear to be working normally while your browsing history is quietly being exposed.
How to Test for DNS Leaks
Testing for DNS leaks is straightforward. You can use our free DNS Leak Test tool to check whether your VPN is properly handling your DNS queries.
Here is how to run the test:
- Connect to your VPN and make sure the connection is active.
- Visit the OxidVPN DNS Leak Test page.
- Run the test and review the results.
If the test shows DNS servers belonging to your ISP (or any server other than your VPN provider’s DNS), you have a DNS leak. You should see only your VPN provider’s DNS servers in the results.
It is a good idea to run this test periodically — especially after updating your VPN software, changing networks, or modifying your system’s network settings.
How to Prevent DNS Leaks
There are several steps you can take to protect yourself:
Use a VPN with built-in DNS leak protection
The most effective solution is to use a VPN client that handles DNS correctly by default. Look for a VPN that operates its own DNS servers and forces all queries through the tunnel.
Disable Smart Multi-Homed Name Resolution on Windows
On Windows 10 and 11, open the Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Network > DNS Client. Enable the “Turn off smart multi-homed name resolution” policy. This prevents Windows from sending DNS queries outside the VPN tunnel.
Block DNS traffic outside the tunnel
Configure your firewall to block all DNS traffic (port 53, as well as DNS-over-HTTPS on port 443 to known DoH providers) on all interfaces except the VPN tunnel interface.
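As an added example (not OxidVPN's own code or anything from the article), here is a small POSIX shell script that generates an nftables ruleset implementing the rule above; it assumes Linux with nftables and a tunnel interface named tun0 unless VPN_IF is set, and the doh_resolvers set is a placeholder you fill with the resolver addresses you want blocked.

```shell
#!/bin/sh
# Added example (not OxidVPN's code): build an nftables ruleset that lets DNS
# out only through the VPN tunnel interface and drops it everywhere else.
# Assumptions: Linux with nftables; the tunnel interface is tun0 unless
# VPN_IF is set; the "inet" family so one table covers IPv4 and IPv6.

VPN_IF="${VPN_IF:-tun0}"

# Print the ruleset for the given tunnel interface.
# Plain DNS (53) and DNS-over-TLS/QUIC (853) are dropped on every other
# interface. DNS-over-HTTPS shares port 443 with normal web traffic, so it is
# blocked per resolver address via the doh_resolvers set (8.8.8.8, mentioned
# in the article, is used as the sample entry; add IPv6 entries separately).
dns_leak_ruleset() {
  iface="$1"
  cat <<EOF
table inet dnsleak {
  set doh_resolvers {
    type ipv4_addr
    elements = { 8.8.8.8 }
  }
  chain output {
    type filter hook output priority 0; policy accept;
    # Anything leaving via the tunnel is allowed.
    oifname "$iface" accept
    # Plain DNS and DNS-over-TLS/QUIC on any other interface: dropped.
    udp dport { 53, 853 } counter drop
    tcp dport { 53, 853 } counter drop
    # DNS-over-HTTPS to listed resolvers on any other interface: dropped.
    ip daddr @doh_resolvers tcp dport 443 counter drop
  }
}
EOF
}

# Sanity check: number of drop rules guarding non-tunnel interfaces.
count_drop_rules() {
  dns_leak_ruleset "$1" | grep -c 'counter drop'
}

# Load the ruleset with nft when invoked as "apply" (needs root).
if [ "${1:-}" = "apply" ]; then
  dns_leak_ruleset "$VPN_IF" | nft -f -
fi
```

Run it without arguments to print the ruleset for review, or with `apply` as root to load it; the counters let you see with `nft list table inet dnsleak` whether anything is still trying to resolve names outside the tunnel.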
Disable IPv6 if your VPN does not support it
If your VPN provider does not tunnel IPv6 traffic, disable IPv6 on your network adapter to prevent DNS queries from leaking over IPv6.
Avoid manually setting DNS servers
Let your VPN client manage DNS settings automatically. Manually configured DNS servers can persist across VPN connections and cause leaks.
How OxidVPN Prevents DNS Leaks
OxidVPN takes a defense-in-depth approach to DNS leak prevention. Our client applications are designed to eliminate DNS leaks at multiple levels:
- Private DNS servers — Every OxidVPN server runs its own DNS resolver. Your queries never leave our encrypted infrastructure.
- Automatic DNS configuration — When you connect, our client overrides your system’s DNS settings and restores them when you disconnect. No manual configuration is needed.
- Kill switch with DNS protection — Our kill switch blocks all DNS traffic outside the VPN tunnel, even during brief reconnections.
- Full IPv6 support — OxidVPN tunnels both IPv4 and IPv6 traffic, eliminating IPv6-based DNS leaks entirely.
- Open-source protocol — Because our GhostWire protocol is open source, you can verify exactly how we handle DNS. No black boxes, no trust required.
Stay in Control of Your Privacy
DNS leaks are one of the most common — and most overlooked — threats to VPN users’ privacy. The good news is that they are entirely preventable with the right tools and configuration.
Start by running a DNS leak test to check your current setup. If you are looking for a VPN that handles DNS security correctly from the start, OxidVPN is built to keep your queries private by default — no extra configuration needed.