DEV Community

ricco020

Posted on • Originally published at anonymflow.com

Test a DNS Leak in 2 Minutes: Complete Methodology + Per-OS Fixes (2026)

TL;DR

Testing for a DNS leak takes 2 minutes: connect your VPN, open dnsleaktest.com and run the Extended Test, then check whether the DNS servers detected are your VPN's (not your ISP's). If the resolved DNS belongs to BT, Comcast, Verizon, Movistar — or whichever ISP you'd normally use without a VPN — that's a confirmed leak.

Three main causes: (1) VPN without "DNS Leak Protection" enabled, (2) Windows Smart Multi-Homed DNS bypassing the tunnel, (3) Browser with DoH enabled separately.

The fix takes 5 minutes depending on the case — detailed below by OS and browser. NordVPN, ExpressVPN, and Surfshark enable DNS Leak Protection by default since 2023 and pass leak tests in 99% of our audit sessions.


Why DNS leaks exist — 4 documented technical causes

A VPN encapsulates your traffic in an encrypted tunnel between your device and the remote VPN server. In theory, all requests — including DNS — go through this tunnel. In practice, several system configurations bypass the tunnel specifically for DNS requests. Understanding the four main causes lets you identify which one affects you and apply the right fix.

Cause #1 — Windows and Smart Multi-Homed DNS. Since Windows 8, Microsoft has implemented Smart Multi-Homed Name Resolution (SMHNR) which sends DNS queries to all active network adapters in parallel, keeping the first answer that arrives. When a VPN is connected, Windows sends the request both to the VPN DNS AND to the ISP DNS via the underlying Wi-Fi/Ethernet interface. If the ISP response arrives first (often the case on LAN), it's used — and the ISP has logged the request.

Cause #2 — Browsers with DoH enabled separately. Firefox enables DNS-over-HTTPS to Cloudflare 1.1.1.1 by default since 2020. Chrome offers the same. These DoH resolvers completely bypass the system DNS — including the VPN's — unless the browser specifically detects an active VPN.

Cause #3 — VPN without native DNS management. Some low-end VPNs don't declare their own DNS servers in the system configuration when the tunnel activates. The OS then continues using whatever DNS servers were set previously — typically the ones pushed by ISP DHCP.

Cause #4 — Unencrypted IPv6. Many VPNs only tunnel IPv4 traffic. IPv6, which is active by default on modern ISPs and on all current routers, then exits directly outside the VPN.


How to test for a DNS leak — 3-tool method

The classic method involves visiting a service that tells you which DNS server actually resolved its query. These services work by generating a unique random subdomain (abc123xyz.dnsleaktest.com), triggering its resolution from your browser, and reading server-side which IP did the resolution. Three trusted third-party tools let you cross-verify results.

Tool #1 — DNSLeakTest.com. The reference test since 2008. Procedure: connect the VPN, open the URL, click "Extended Test" (not "Standard", which is insufficient), wait 10-20 seconds. The tool lists the DNS servers that responded — typically 2 to 6 different resolvers, since modern DNS services use load-balanced architectures.

Tool #2 — BrowserLeaks DNS. Complementary test that cross-checks standard DNS, DNS-over-HTTPS, and resolvers detected via WebRTC. Particularly useful for identifying whether the leak comes from the browser (DoH enabled) rather than the system.

Tool #3 — AnonymFlow integrated tool. For WebRTC testing specifically (the most frequent leak cause browser-side in 2026), our in-house tool probes WebRTC ICE candidates from your browser and reveals your real IP if a leak exists at that level.

For all three, the verdict is binary: either the DNS servers detected match a trusted resolver (Cloudflare 1.1.1.1, Quad9 9.9.9.9, NordVPN AS136787, ExpressVPN's internal range...) — or they match your ISP's range, which means a leak.
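The server side of the test described above, together with the verdict rule from the previous paragraph, as an added example. This is not code from the article, nor from dnsleaktest.com, BrowserLeaks or AnonymFlow; the zone name, the hypothetical VPN resolver range, the ISP prefixes and the query log are constructed sample data (documentation ranges), and the Cloudflare and Quad9 prefixes are their real anycast ranges. It goes slightly beyond the paragraph in that it also classifies IPv6 resolver addresses, so an ISP resolver reaching the test server over IPv6 is reported as the IPv6 leak of cause #4.

```python
"""Server-side half of a DNS leak test plus the ISP-vs-trusted verdict.

Added example: not code from the article, dnsleaktest.com, BrowserLeaks or
AnonymFlow. The zone, the VPN/ISP prefixes and the query log are constructed.
"""
import ipaddress
import secrets
from dataclasses import dataclass

TEST_ZONE = "example.test"  # constructed stand-in for the test service's zone

# Resolver ranges accepted as "not a leak": Cloudflare and Quad9 (real anycast
# prefixes) plus a hypothetical VPN resolver range drawn from TEST-NET-3.
TRUSTED_RESOLVERS = [ipaddress.ip_network(p) for p in (
    "1.1.1.0/24", "1.0.0.0/24", "2606:4700:4700::/48",      # Cloudflare
    "9.9.9.0/24", "149.112.112.0/24", "2620:fe::/48",       # Quad9
    "203.0.113.0/24",                                       # hypothetical VPN DNS
)]

# The tester's own ISP prefixes (constructed from documentation ranges; a real
# test would use the prefixes the ISP announces, both v4 and v6).
ISP_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8::/32")]


@dataclass
class Verdict:
    leak: bool               # at least one resolver sits in an ISP prefix
    ipv6_leak: bool          # such a resolver reached us over IPv6 (cause #4)
    isp_resolvers: list      # addresses that prove the leak
    unknown_resolvers: list  # in neither list: review by hand (ASN lookup)


def make_probe_name():
    """Client side: a random label no cache can answer, forcing an upstream lookup."""
    return f"{secrets.token_hex(8)}.{TEST_ZONE}"


def resolvers_for_probe(query_log, probe_name):
    """Server side: source addresses that asked the authoritative server for the probe.

    query_log is an iterable of (qname, source_ip) pairs as an authoritative
    name server would log them. Matching is case-insensitive because DNS names
    are, and some resolvers randomise label case (0x20 encoding).
    """
    seen = []
    for qname, src in query_log:
        if qname.lower() == probe_name.lower() and src not in seen:
            seen.append(src)
    return seen


def classify(resolver_ips):
    """Apply the article's rule: trusted resolver -> fine, ISP range -> leak."""
    isp, unknown, ipv6_leak = [], [], False
    for s in resolver_ips:
        ip = ipaddress.ip_address(s)
        if any(ip in net for net in TRUSTED_RESOLVERS):
            continue
        if any(ip in net for net in ISP_PREFIXES):
            isp.append(s)
            ipv6_leak = ipv6_leak or ip.version == 6
        else:
            unknown.append(s)
    return Verdict(bool(isp), ipv6_leak, isp, unknown)


def run_leak_test(query_log, probe_name):
    """Both halves together: who fetched the probe, and what that means."""
    return classify(resolvers_for_probe(query_log, probe_name))


if __name__ == "__main__":
    probe = make_probe_name()
    # Constructed log: the VPN resolver and an ISP resolver both fetched the probe,
    # which is the SMHNR race from cause #1; the unrelated query must be ignored.
    log = [
        (probe, "203.0.113.53"),
        ("unrelated.example.test", "198.51.100.9"),
        (probe.upper(), "198.51.100.53"),
    ]
    verdict = run_leak_test(log, probe)
    print("probe:", probe)
    print("leak:", verdict.leak, "via", verdict.isp_resolvers)
```

The article's verdict is binary; the code keeps a third "unknown" bucket because no trusted or ISP prefix list is ever complete, and an address in neither list is exactly the one worth looking up by ASN before calling the test clean.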


How to fix depending on the detected cause

Case 1 — VPN with dormant "DNS Leak Protection" option

The most common and simplest case. On NordVPN, Surfshark, ExpressVPN, ProtonVPN and Mullvad, the anti-leak DNS protection option exists but may be disabled by default on older installations.

NordVPN procedure: Settings → Connection → Custom DNS Protection → enable "Auto DNS" or "NordVPN DNS".
Surfshark: Settings → Connection → Custom DNS → disable (let Surfshark manage).
ExpressVPN: Preferences → Advanced → DNS Network Lock → verify enabled.

After activation, restart the VPN (disconnect/reconnect), then re-run the DNSLeakTest. In 95% of cases, the leak disappears at this stage.

Case 2 — Windows Smart Multi-Homed DNS

If enabling VPN DNS Protection doesn't suffice and you're on Windows 10/11, the culprit is likely SMHNR. Manual disabling via PowerShell as administrator:

# The DnsClient cmdlets expose no SMHNR switch; the setting lives in the policy
# value that the "Turn off smart multi-homed name resolution" Group Policy writes.
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Force | Out-Null
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name DisableSmartNameResolution -Value 1 -Type DWord

These commands completely disable SMHNR behaviour. To re-enable later:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -Name DisableSmartNameResolution -Value 0 -Type DWord

After disabling, reboot the computer. SMHNR won't reactivate until a major Windows update (check after each Windows feature update).

Case 3 — Browser DoH

On Firefox: about:config → network.trr.mode = 5 (disable TRR) OR set TRR resolver to your VPN's DoH endpoint.
On Chrome: Settings → Privacy and Security → Security → Use Secure DNS → choose "With" → enter your VPN's DoH endpoint OR turn off entirely.

Case 4 — IPv6 leak

The cleanest fix: enable the "Block IPv6 traffic" option in your VPN's settings. NordVPN supports IPv6 tunneling since 2024. If your VPN doesn't tunnel IPv6, blocking it entirely is the safest move.


Legal implications — what an ISP log actually contains

A DNS leak isn't a "your computer got hacked" event — it's a slow privacy leak: your ISP keeps the list of domains you visit (DNS resolution logs), which it can be compelled to share via legal process. In France, that means Hadopi 2.0 provisions and GDPR Article 4 obligations. In the US, the equivalent framework lives under DMCA Section 512 and various subpoena provisions. In Spain it's the LSSI and ePrivacy.

If you're using a VPN specifically for privacy protection, this matters: your domain history stays logged at the ISP despite the encrypted tunnel. No immediate hacking risk, but a long-term profiling leak.


What about WebRTC leaks (the related cousin)

WebRTC leaks deserve their own write-up — and we wrote one alongside this DNS leak guide. The methodology is similar: trigger a peer connection, parse the ICE candidates that come back, and check whether your real IP is being advertised to remote peers. We also published a single-HTML-file open source detector on GitHub (zero dependencies, runs in any browser, 200 lines auditable in 10 minutes).
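The second step of that methodology, parsing the ICE candidates and checking which addresses a remote peer would actually learn, as an added example. It is not the article's code and not the single-file detector from the AnonymFlow GitHub repository; the candidate strings are constructed in the standard a=candidate grammar (in a browser they arrive through RTCPeerConnection's onicecandidate events, which is why a real detector is JavaScript), VPN_EXIT_IP is a placeholder for the address the VPN test page reports, and the list of local-only scopes is this example's own.

```python
"""Parse captured ICE candidate lines and flag addresses a remote peer would learn.

Added example, not code from the article or from the AnonymFlow detector. The
sample candidates are constructed; VPN_EXIT_IP is a placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# a=candidate:<foundation> <component> <transport> <priority> <address> <port>
#   typ <host|srflx|prflx|relay> [raddr <addr> rport <port>] [extensions...]
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

# Scopes that never identify the host to an outside peer. Documentation ranges
# (TEST-NET, 2001:db8::/32) are deliberately left out so the constructed sample
# behaves like public space; a production check would use ip.is_global instead.
LOCAL_SCOPES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # v6 loopback, link-local, ULA
)]


@dataclass
class Candidate:
    address: str
    port: int
    cand_type: str           # host, srflx, prflx or relay
    raddr: Optional[str]     # related address, e.g. the host behind an srflx/relay


def parse_candidate(line):
    """Return a Candidate for a well-formed line, None for anything else."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    return Candidate(m["address"], int(m["port"]), m["type"], m["raddr"])


def is_exposed(addr):
    """True if addr is a routable address rather than an mDNS name or a local scope."""
    if addr.endswith(".local"):   # mDNS obfuscation that current browsers use for host candidates
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_SCOPES)


def find_leaked_addresses(lines, vpn_exit_ip):
    """Every routable address in the candidates that is not the VPN exit address."""
    leaked = []
    for line in lines:
        c = parse_candidate(line)
        if c is None:
            continue
        # A relay candidate's address belongs to the TURN server; only its raddr
        # (the reflexive address the server saw) says anything about us.
        addrs = (c.raddr,) if c.cand_type == "relay" else (c.address, c.raddr)
        for addr in addrs:
            if addr and is_exposed(addr) and addr != vpn_exit_ip and addr not in leaked:
                leaked.append(addr)
    return leaked


VPN_EXIT_IP = "203.0.113.77"   # placeholder: the exit address the VPN's own test page shows

# Constructed candidates: LAN host, mDNS host, ISP-side reflexive address learned
# via STUN, the VPN exit, a TURN relay, and an IPv6 host address outside the tunnel.
SAMPLE = [
    "candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host",
    "candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-000000000001.local 54322 typ host",
    "candidate:3 1 udp 1686052607 198.51.100.23 54321 typ srflx raddr 192.168.1.20 rport 54321",
    "candidate:4 1 udp 1686052351 203.0.113.77 40000 typ srflx raddr 192.168.1.20 rport 54321",
    "candidate:5 1 udp 41885439 192.0.2.200 3478 typ relay raddr 198.51.100.23 rport 54321",
    "candidate:6 1 udp 2122260223 2001:db8:1::abcd 54323 typ host generation 0",
]

if __name__ == "__main__":
    print("leaked:", find_leaked_addresses(SAMPLE, VPN_EXIT_IP))
```

Two things the sample makes visible: a STUN-learned srflx address from the ISP side is the classic WebRTC leak even when every host candidate is mDNS-obfuscated, and an IPv6 host candidate slips through whenever the VPN tunnels IPv4 only, which ties this check back to cause #4 above.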

For the deeper VPN security audit covering 9 different test vectors — kill switch, DNS leak, WebRTC, IPv6, audit history, jurisdiction, no-log enforcement — see our complete VPN security audit guide.


Companion tools

We've published two CLI tools on GitHub that automate the detection logic from this article:

Both are MIT licensed and runnable on a cron job for ongoing monitoring.


Originally published on AnonymFlow — independent VPN/privacy tooling and research. Read our full methodology and the 95-session VPN streaming study.
