A DNS leak happens when your device sends DNS requests — the lookups that turn website names into numbers — outside your VPN's encrypted tunnel. Your browsing activity becomes visible to your internet service provider even while you think the VPN is protecting it. To test: connect to your VPN, then visit a DNS leak test site like dnsleaktest.com. If the test shows only your VPN provider's DNS servers, you're safe. If it shows your ISP's servers, you have a leak. To prevent it for good: use a reputable VPN that handles DNS inside the encrypted tunnel by default, with an always-on kill switch. StandVPN does this automatically on every connection.
- What DNS actually does
- What a DNS leak is
- Why DNS leaks matter
- What causes DNS leaks
- How to test for a DNS leak
- How to read the test results
- How to fix a DNS leak
- How to prevent leaks for good
- DNS leak protection vs the kill switch
- A note on IPv6 leaks
- Your privacy checklist
- How StandVPN handles DNS
- Frequently asked questions
Most privacy stories on the internet are dramatic. A DNS leak is the opposite. It is the quiet, easy-to-miss way that a VPN you trust can still hand your browsing history to your internet provider — not because the VPN is malicious, but because of how the request for "where is this website" travels through your computer.
The good news: a DNS leak is one of the easiest privacy problems to test for, and one of the easiest to fix. This guide walks you through both, in plain English, the way we'd explain it over coffee.
What DNS actually does, in one paragraph
Every website on the internet has a numeric address — something like 104.21.74.182. Humans don't memorize numbers, so we type names: standvpn.com, nytimes.com, your-bank.com. DNS — the Domain Name System — is the lookup service that turns the name you typed into the number your computer actually uses to connect.
Think of it as a phonebook for the internet. You ask, "Where is standvpn.com?" The DNS server answers with a number. Your computer then makes the connection to that number.
By default, your computer asks your internet service provider's DNS server for every lookup. Your provider sees the question — and therefore sees the list of websites you visit — even if it can't see the content of the pages once you load them. That's where the privacy problem starts.
What a DNS leak is, in plain English
When you connect to a VPN, the expectation is straightforward: everything your device sends should go through the encrypted tunnel. Your internet provider sees that you're using a VPN, but it can't see what you do inside it.
A DNS leak is when that expectation breaks. Your VPN tunnel handles most of your traffic correctly, but your DNS lookups slip out through a side door — they get sent to your internet provider instead of to your VPN's servers. To your provider, the list of websites you visited still looks the same as it did before you turned the VPN on.
It's a small leak. But for the same reason a small drip ruins a basement, a DNS leak quietly undoes much of what a VPN is supposed to do.
Why DNS leaks matter (and when they don't)
Let's be honest about scale. For a casual user reading the news from a coffee-shop Wi-Fi, a DNS leak is a privacy concern but rarely a crisis. Your internet provider seeing that you visited the BBC website is not the same as your internet provider reading your email.
Where DNS leaks matter more:
- If your country restricts internet access, the list of sites you visited can have real consequences. A VPN that leaks DNS is not actually protecting you.
- If you're a journalist or activist communicating with sources, the metadata — who you talked to, what sites you accessed — often matters more than the content of the conversations.
- If you're a business traveler on a hotel or airport Wi-Fi, you probably don't want every site you visited on the trip stored by an opaque third-party network operator.
- If you're at home and you simply value privacy, you don't want your internet provider building a profile of your habits to sell to advertising networks.
The best way to think about it: a DNS leak doesn't undo your VPN — but it dramatically narrows what your VPN is protecting.
What causes DNS leaks
DNS leaks have a handful of common root causes. Most of them are unintentional — bugs in older VPN clients, oversights in operating-system networking, side effects of recent network changes.
The VPN doesn't run its own DNS
Some VPNs route the rest of your traffic through the tunnel but leave DNS lookups to your operating system, which routes them to your internet provider's resolver. Reputable VPNs run their own DNS infrastructure to prevent this.
IPv6 traffic bypasses an IPv4 tunnel
Many VPNs tunnel only IPv4 traffic. If your network has IPv6 enabled, those lookups can travel outside the tunnel without anything stopping them. The fix is a VPN that handles IPv6 (or one that disables it inside the tunnel by default).
The VPN disconnects unexpectedly
If your VPN drops for even a few seconds without a kill switch, your device falls back to your provider's network, including its DNS — and your in-progress browsing leaks. An always-on kill switch prevents this.
Operating-system misconfiguration
Windows in particular has historically had quirks around DNS resolution that can cause leaks even when the VPN itself is set up correctly. Modern VPN apps work around these quirks; older or simpler clients sometimes don't.
Custom DNS settings
If you've set a custom DNS server (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1) at the operating-system level, some VPNs will respect that setting and route your DNS lookups to it instead of the VPN's own resolver. Whether this counts as a "leak" depends on how you feel about that third party seeing your lookups.
Transparent DNS hijacking
A small number of internet providers intercept DNS requests at the network level and force them through their own resolvers, regardless of what the device asked for. A well-built VPN can route around this.
How to test for a DNS leak — the five-minute method
You don't need any technical knowledge to test for a DNS leak. Five minutes and a browser.
- Disconnect from your VPN. Make sure the VPN app shows you're not connected. Open a browser and visit a DNS leak test site such as dnsleaktest.com or browserleaks.com/dns. Note the DNS servers shown — they belong to your internet provider and represent your baseline.
- Connect to your VPN. Open your VPN app and connect to any server. Wait a few seconds for the connection to fully establish.
- Run the test again. Reload the leak-test page or run the test fresh. The DNS servers shown should now be different — they should belong to your VPN provider, not your internet provider.
- Run the extended test. Most leak-test sites offer a "standard" test and an "extended" test. The extended test makes more lookups and catches edge cases the standard test can miss. Run it.
- Interpret the result. If the only DNS servers shown belong to your VPN provider, you have no DNS leak. If the test shows any of your internet provider's servers — alongside the VPN's or instead of them — you have a leak that needs fixing.
That's it. The whole test takes under five minutes and costs nothing. We recommend doing it once when you first install a VPN, and again any time you make a significant change to your network or operating system.
How to read the test results
A DNS leak test result usually shows a short table: IP address, hostname, ISP, and country. What you want to see depends on the VPN you're using, but the pattern is consistent.
- The ISP column should match the company that operates your VPN, not your home or office internet provider. If it says "Comcast" or "BT" or "Airtel" while your VPN is on, that's a leak.
- The country column should usually match the VPN server location you chose, not your real location. If you connected to a server in Germany but the DNS shows your real country, that's a leak.
- The hostname column should contain something that visibly belongs to your VPN provider. If you see hostnames from your internet provider, that's a leak.
A clean test result looks consistent across all rows. A leaky one looks like a mix.
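The three column checks above can be written as a small classifier. This is an added example, not StandVPN's code or any test site's API; the operator name, hostname suffix, ISP name and rows are constructed, and treating a country-only mismatch as "review" rather than "leak" is an assumption drawn from the word "usually" above.

```python
from dataclasses import dataclass

@dataclass
class Row:
    ip: str
    hostname: str   # may be empty when the test site shows none
    isp: str
    country: str

def assess(rows, vpn_operator, vpn_host_suffix, server_country):
    """Return (verdict, findings); verdict is clean, review, leak or inconclusive."""
    if not rows:
        return "inconclusive", ["no resolvers listed; rerun the test"]
    suffix = vpn_host_suffix.lower().strip(".")
    verdict, findings = "clean", []
    for r in rows:
        host = r.hostname.lower().rstrip(".")
        foreign_isp = vpn_operator.lower() not in r.isp.lower()
        # Match on a label boundary so "fakeexamplevpn.test" does not pass.
        foreign_host = bool(host) and not (host == suffix or host.endswith("." + suffix))
        if foreign_isp or foreign_host:
            verdict = "leak"
            findings.append(f"{r.ip}: resolver run by '{r.isp}' ({host or 'no hostname'})")
        elif r.country != server_country:
            if verdict == "clean":
                verdict = "review"
            findings.append(f"{r.ip}: VPN resolver in {r.country}, expected {server_country}")
    return verdict, findings

# Constructed rows (documentation address ranges, made-up operators).
CLEAN = [
    Row("198.51.100.10", "dns1.fra.examplevpn.test", "ExampleVPN GmbH", "Germany"),
    Row("198.51.100.11", "", "ExampleVPN GmbH", "Germany"),
]
MIXED = CLEAN + [
    Row("203.0.113.5", "resolver.examplebroadband.test", "Example Broadband", "United Kingdom"),
]
ELSEWHERE = [Row("198.51.100.20", "dns1.ams.examplevpn.test", "ExampleVPN GmbH", "Netherlands")]
LOOKALIKE = [Row("203.0.113.9", "dns1.fakeexamplevpn.test", "ExampleVPN GmbH", "Germany")]

if __name__ == "__main__":
    for name, rows in [("clean", CLEAN), ("mixed", MIXED), ("elsewhere", ELSEWHERE)]:
        print(name, assess(rows, "ExampleVPN", "examplevpn.test", "Germany"))
```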
How to fix a DNS leak
If your test showed a leak, the fix depends on the cause. In order of how likely they are to resolve the problem:
- Update your VPN app to the latest version. Many DNS-handling bugs have been fixed in newer releases. Open the VPN app and check for updates.
- Enable your VPN's DNS leak protection setting. Most reputable VPN apps have this turned on by default, but some let you disable it. Make sure it's on.
- Enable the kill switch. If a leak only appears during a disconnect, the kill switch will stop it. On most VPN apps this is in the main settings.
- Disable IPv6 on your device if your VPN doesn't tunnel it. Windows, macOS, and Linux all let you do this in network settings. This is a workaround, not a permanent solution — choose a VPN that handles IPv6 instead.
- Restart your network adapter after connecting the VPN. Sometimes Windows in particular gets confused about which DNS to use until the adapter is reset.
- Switch to a VPN that handles DNS securely by default. If your current VPN persistently leaks despite the above, the problem is in the product. The simplest fix is changing products.
How to prevent DNS leaks for good
The honest truth is that you shouldn't have to think about DNS leaks at all. A well-built modern VPN handles DNS correctly out of the box, and you should be able to install it, connect, and move on with your life.
What to look for in a VPN if you want to set it and forget it:
- The VPN runs its own DNS resolver inside the encrypted tunnel. Not "uses a third-party public resolver." Not "lets you configure your own." Runs its own.
- The kill switch is always on by default and ideally cannot be disabled. Privacy is not a setting you should be able to accidentally turn off.
- IPv6 is handled inside the tunnel or disabled in the tunnel by default. Either is fine; what's not fine is letting IPv6 traffic slip out.
- The VPN updates its app regularly. Networking edge cases get found and fixed over time. An app that hasn't updated in two years is more likely to leak than one that updates monthly.
- The VPN passes its own DNS leak test. Test it yourself once, just to confirm. Then let it run.
DNS leak protection vs the kill switch — they're not the same thing
One of the most common pieces of bad advice on the internet is "you just need a kill switch to prevent DNS leaks." That's only half right.
A kill switch stops all traffic when the VPN connection drops. If your VPN disconnects unexpectedly, the kill switch holds the door closed until the tunnel is back. That prevents leaks during disconnect events.
But a kill switch can't help with leaks that happen while the VPN is connected — which is when most DNS leaks actually occur. If your VPN routes the rest of your traffic correctly but sends DNS lookups to your internet provider, the kill switch sees nothing wrong because the tunnel is up. The leak happens anyway.
What you want is both: built-in DNS leak protection inside the tunnel, plus an always-on kill switch around the tunnel. They work together. They protect against different things.
A note on IPv6 leaks
IPv6 deserves its own mention because it's the source of more "I thought I was protected" VPN incidents than any other single cause.
Most VPNs were originally built for IPv4 — the older addressing system the internet has used for decades. When IPv6 — the newer system — became available on residential networks, many VPNs simply ignored it. The result: IPv4 traffic went through the tunnel, IPv6 traffic went around it. If your home network uses both, you had what's effectively a permanent partial leak.
Modern reputable VPNs handle IPv6 either by routing it through the tunnel or by disabling it inside the tunnel by default. Either is a valid approach. What's not valid is letting it leak.
When you run a DNS leak test, also check whether the site offers an IPv6 leak test — many do. Run both.
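A local check complements the browser test for both points above: leaks that occur while the tunnel is up, and IPv6 lookups that go around it. The following added example (not from StandVPN) scans packet-capture text for outbound port-53 queries on any interface other than the tunnel. The capture lines are constructed, the line layout is assumed to be that of `tcpdump -i any -nn port 53` on Linux, and the tunnel name `tun0` is an assumption.

```python
import re

# Constructed sample; assumed layout: time, interface, direction, family,
# source > destination: summary.
CAPTURE = """\
14:02:11.120001 lo    In  IP 127.0.0.1.40112 > 127.0.0.53.53: 511+ A? example.org. (29)
14:02:11.120900 tun0  Out IP 10.8.0.2.51514 > 10.8.0.1.53: 4242+ A? example.org. (29)
14:02:11.151377 tun0  In  IP 10.8.0.1.53 > 10.8.0.2.51514: 4242 1/0/0 A 192.0.2.80 (45)
14:02:11.300112 wlan0 Out IP6 2001:db8:1::25.40022 > 2001:db8:ffff::53.53: 9001+ AAAA? example.org. (29)
14:02:12.004410 wlan0 Out IP 192.168.1.23.38110 > 192.168.1.1.53: 7310+ A? intranet.example. (34)
"""

LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+(?P<family>IP6?)\s+"
    r"\S+ > (?P<dst>\S+): (?P<summary>.*)$"
)
QUERY = re.compile(r"\b[A-Z0-9]+\? (\S+)")  # e.g. "AAAA? example.org."

def find_dns_leaks(capture, tunnel_iface="tun0"):
    """Return outbound port-53 queries seen on any interface except the
    tunnel and loopback, as (iface, family, resolver, qname) tuples."""
    leaks = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["dir"] != "Out":
            continue
        # tcpdump prints address.port; the port follows the last dot,
        # which also holds for IPv6 addresses.
        resolver, _, port = m["dst"].rpartition(".")
        if port != "53" or m["iface"] in (tunnel_iface, "lo"):
            continue
        q = QUERY.search(m["summary"])
        qname = q.group(1).rstrip(".") if q else "?"
        leaks.append((m["iface"], m["family"], resolver, qname))
    return leaks

if __name__ == "__main__":
    for leak in find_dns_leaks(CAPTURE):
        print("DNS outside tunnel:", leak)
```

This only sees plain-text DNS on port 53; lookups sent over DNS over HTTPS or DNS over TLS to a third-party resolver will not appear in such a capture.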
Your privacy checklist
The five-minute "no-leak" sanity check, once a year
- Run a DNS leak test while connected to your VPN. Standard and extended.
- Run an IPv6 leak test at the same time.
- Run a WebRTC leak test from a browser. (Browsers sometimes leak real IPs through WebRTC even when the VPN is up.)
- Verify the kill switch is enabled in your VPN app's settings.
- Update your VPN app to the latest version.
- Check that your operating system is up to date — Windows, macOS, and Linux release networking fixes regularly.
If all six come back clean, you can stop worrying about leaks for the rest of the year.
How StandVPN handles DNS — by default, without configuration
We built StandVPN to be the answer to the question "what should a modern privacy VPN do automatically?" When it comes to DNS, the answer is simple:
- DNS requests stay inside the encrypted tunnel. Every lookup goes through StandVPN's own infrastructure. Your internet provider never sees the names of the sites you visit while connected.
- The kill switch is always on. You can't accidentally disable it. If the tunnel ever drops, traffic stops until the tunnel is back.
- IPv6 is handled by default. No partial leaks, no manual configuration.
- No third-party DNS resolver in the loop. We don't hand your lookups to a public resolver and call it private. They go through us, inside the tunnel.
- Post-quantum cryptography ready from day one. The same encryption that protects your traffic today is built to remain secure against future quantum computers — the "harvest now, decrypt later" concern explained in our comparison guide.
The result: if you run a DNS leak test while connected to StandVPN, the test should show only StandVPN's resolver. Every connection. Every time. There's nothing for you to configure.
You can try the free plan right now — no email, no card. Then run a DNS leak test and see for yourself.
Frequently asked questions
What is a DNS leak in simple terms?
A DNS leak happens when your device sends DNS requests — the lookups that turn "standvpn.com" into a numeric address — outside the encrypted VPN tunnel. Even though the rest of your traffic is private, the leaked DNS requests reveal which websites you're visiting to your internet service provider or another third party.
How do I check if my VPN is leaking DNS?
Connect to your VPN, then visit a DNS leak test site such as dnsleaktest.com or browserleaks.com/dns. Run the extended test. If the only DNS servers shown belong to your VPN provider, there is no leak. If the test shows your internet provider's servers, your VPN is leaking DNS.
Are DNS leaks dangerous?
DNS leaks don't expose the content of your traffic, but they do reveal which websites you're visiting. For most people that's a privacy concern rather than a security emergency. For journalists, activists, business travelers, and anyone in a restrictive network environment, the exposure can be significant.
What causes a DNS leak?
Common causes include a VPN that doesn't route DNS through its own servers, IPv6 traffic bypassing the IPv4 tunnel, an unexpected VPN disconnect (no kill switch), Windows or macOS misconfigurations, and using a public DNS resolver while connected to a VPN. The simplest fix is choosing a VPN that handles DNS securely by default.
Does a kill switch prevent DNS leaks?
A kill switch prevents leaks that happen during a VPN disconnect by blocking all traffic until the tunnel is back. It doesn't prevent leaks caused by a VPN that mishandles DNS in the first place. You want both: built-in DNS leak protection AND an always-on kill switch.
Do free VPNs leak DNS?
Some do, some don't. Many free VPNs use third-party DNS resolvers or fail to handle IPv6 traffic, which causes leaks. Reputable free options — including StandVPN's lifetime free plan — route DNS through their own infrastructure inside the tunnel by default.
Can I prevent DNS leaks without a VPN?
Partially. You can switch your device to use an encrypted DNS resolver (DNS over HTTPS or DNS over TLS) such as Cloudflare's 1.1.1.1 or Quad9, which prevents your ISP from seeing your DNS lookups. This doesn't encrypt the rest of your traffic; for that you still need a VPN.
Is a DNS leak the same as an IP leak?
No. A DNS leak exposes which websites you visit. An IP leak exposes your real IP address. They're different issues with different causes, and a good VPN protects against both. Many test sites check for both at the same time.
How often should I test for DNS leaks?
Once when you first install a VPN, once after any major operating-system update, and once whenever you change network settings or switch between Wi-Fi and Ethernet on a new network. A reputable VPN handles DNS correctly out of the box, so frequent testing isn't usually necessary.
Does StandVPN protect against DNS leaks?
Yes. StandVPN routes all DNS requests inside the encrypted tunnel by default — there is nothing to configure. The kill switch is always on. The result: when you're connected to StandVPN, the DNS leak test should show only StandVPN's resolver, every time. Download free to try it.