Skip to main content
Limp Secure VPN
Try it
All posts

DNS leak test and fix in 2026

DNS leak test and fix in 2026

TL;DR: A DNS leak is when your DNS queries (the list of sites you open) escape the VPN tunnel and go straight to your ISP, even though your IP address is hidden. To fix it you need a VPN that forces all DNS through the tunnel, blocks IPv6 and WebRTC leaks, and runs a kill switch. You can run a DNS leak test in under a minute on sites like dnsleaktest.com and browserleaks.com.

What DNS is and what a DNS leak is

DNS (Domain Name System) is the phonebook of the internet. When you type limpvpn.com, your device first asks a DNS resolver, 'what is the IP address of this domain?' and only then connects. The catch is that this query usually travels in plain text, and whoever handles it sees every domain you open.

A DNS leak happens when you are connected to a VPN but your DNS queries still go to your ISP's resolver instead of through the encrypted tunnel. The result: your IP address is hidden, but your browsing history of visited domains is not.

  • Resolver — the server that turns a domain name into an IP address; it is the one that sees your list of sites.
  • DNS query — a request to the resolver before each new connection to a domain.
  • ISP — by default your DNS resolver belongs to your ISP, so a leak points straight at them.
  • VPN tunnel — the encrypted channel; when configured correctly, DNS queries should travel only inside it.
  • The core problem — a hidden IP does not help if the domains still leak out.

Why DNS leaks even with a VPN on

Many people assume 'VPN on equals fully protected.' In reality there are several places where DNS traffic slips around the tunnel, especially with a sloppy client.

  • OS resolver — Windows can send parallel DNS queries across every network adapter at once (smart multi-homed name resolution), and some of them bypass the VPN.
  • IPv6 — if the VPN only tunnels IPv4 while your ISP has IPv6 enabled, IPv6 DNS and traffic leak out directly.
  • WebRTC — a browser technology for calls and video reveals your real local and public IP around the VPN, even without a separate DNS query.
  • Transparent DNS proxy — some ISPs intercept all DNS traffic on port 53 and substitute their own resolver no matter what you set.
  • A weak VPN client — a poor app fails to enforce its own DNS servers and leaves the system ones inherited from your ISP.

Basic diagnostics help you confirm whether the whole tunnel is doing its job — covered in detail in how to test that your VPN is working.

Why a DNS leak is dangerous for privacy

It may seem harmless that 'the ISP just sees domains.' But the list of domains is the most revealing part of your digital profile.

  • Browsing history — your ISP builds an interest profile: which services, forums, medical or financial sites you visit.
  • Logging and retention — in many countries operators are required to retain metadata, and DNS logs are part of that volume.
  • Timing and frequency — even without content, it is visible when and how often you reach specific resources.
  • Data sales — supposedly anonymized DNS logs sometimes become a product for advertising brokers.
  • Defeating the point of a VPN — you pay for privacy, but a leak reduces it to zero at the metadata level.

How exactly your ISP gathers this data and why you should shut it out is covered in how a VPN protects you from ISP tracking.

How to test for a DNS, IP and WebRTC leak

The check takes a couple of minutes and needs no software — it all happens in the browser. The key is to run it with your VPN on, otherwise you will simply see your ISP's data.

  • IP test — open a service like whatismyipaddress.com and confirm it shows the VPN server's IP and country, not your real ones.
  • DNS test — on dnsleaktest.com run the Extended test and look at which resolvers respond.
  • WebRTC test — on browserleaks.com/webrtc confirm that the Public IP fields do not contain your real address.
  • Owner check — in the DNS results, the organization (ISP) name should match your VPN provider, not your carrier.
  • Repeat without VPN — for contrast, run the same tests with the VPN off to see what a leaked result looks like.
  • IPv6 test — on test-ipv6.com check that your real IPv6 address does not answer around the tunnel.

How to fix a DNS leak

Good news: almost every leak is cured by correct VPN configuration and a couple of system toggles. Below, in order from most important to the details.

  • A VPN with its own DNS — the client must force all DNS queries through the tunnel to its own resolvers, not your ISP's.
  • Kill switch — this feature blocks all traffic if the tunnel drops, so queries cannot slip out directly during the gap.
  • Disable IPv6 — if the VPN does not tunnel IPv6, turn it off in your network settings so traffic does not escape.
  • Disable WebRTC — in the browser an extension or flag helps (for example media.peerconnection.enabled=false in Firefox).
  • WireGuard protocol — a modern protocol with clean DNS routing reduces leak risk compared with older implementations.
  • Restart and retest — after any change, always rerun the test to confirm the result.

Why DNS queries leak under a VPN — where to look

If tests still show a leak after configuration, the cause is almost always one of four places. Check them one at a time rather than changing everything at once.

  • Browser — DNS-over-HTTPS built into Chrome or Firefox may use its own resolver around the VPN; disable it temporarily for a clean test.
  • Operating system — on Windows the usual culprit is multi-homed resolution and leftover system DNS on the physical adapter.
  • Network adapter — statically configured DNS servers (such as 8.8.8.8) can override the VPN's settings.
  • Antivirus and firewall — some 'security' modules replace DNS with their own filtering resolver.
  • The VPN client itself — if the app has not been updated in a while, an update often closes known leaks.

DNS leaks on Windows vs router: what is the difference

Where you set up the VPN strongly affects where DNS can leak. The two most common scenarios — a VPN client on Windows and a VPN on the router — behave differently.

  • Windows client — here the main enemy is smart multi-homed name resolution: the OS queries several resolvers in parallel. A good client disables this itself.
  • VPN on the router — the tunnel runs at the network level, so DNS for every home device goes through the VPN; but if the router has the ISP's DNS set, the leak hits the whole network at once.
  • Mixed scenario — a VPN on the device on top of a router without VPN is usually safer than the reverse, thanks to tighter DNS control on the client.
  • IPv6 on the router — many home routers hand out IPv6 that the tunnel may not cover; it is worth disabling IPv6 on the router itself.
  • Transparent DNS at the ISP — at the router level it is especially nasty, and only encrypting DNS inside the tunnel gets around it.

If the tunnel stops coming up at all after your DNS tweaks, see the dedicated guide VPN not connecting: troubleshooting guide.

Why a good VPN prevents DNS leaks

A quality VPN service closes every gap listed above at the client level, so you do not have to hand-edit system settings.

  • Forced DNS in the tunnel — all queries go only to the VPN's DNS servers; ISP ones are ignored.
  • IPv6 leak protection — the client either tunnels IPv6 or cleanly blocks it for the session.
  • Kill switch by default — when the tunnel drops, traffic and DNS queries are blocked instead of escaping directly.
  • Strict no-logs policy — the service does not even store its own DNS queries, so there is no metadata to leak.
  • Modern protocol — WireGuard with proper routing minimizes the number of places a query can slip out.

FAQ

What is a DNS leak in simple terms?

It is when your IP address is hidden by the VPN, but your DNS queries (the list of domains you open) still go to your ISP's resolver. As a result your ISP sees which sites you visit, even though you think you are protected.

How do I run a DNS leak test for free?

Turn on your VPN and open dnsleaktest.com, then run the Extended test. If the results list your internet provider instead of the VPN service, you have a leak. Also check your IP and WebRTC on browserleaks.com.

Can DNS leak through WebRTC?

WebRTC leaks not so much DNS as your real IP address: the browser exposes it for calls and video around the VPN. It is a separate leak, and you should check it alongside DNS on browserleaks.com/webrtc.

Do I need to disable IPv6 to avoid a leak?

If your VPN does not tunnel IPv6, then yes — otherwise IPv6 traffic and DNS escape the tunnel straight to your ISP. Good clients do this automatically, but with a manual setup you should turn IPv6 off.

Why does DNS leak specifically on Windows?

The culprit is smart multi-homed name resolution: Windows queries DNS servers across all adapters in parallel, and some requests bypass the VPN. A quality VPN client disables this feature for the session.

Does a kill switch help against DNS leaks?

Yes, indirectly. A kill switch blocks all traffic the moment the tunnel drops, preventing queries from slipping to your ISP. But against a constant leak while the tunnel is up, it is forced DNS inside the VPN that saves you.

Why try Limp Secure VPN

Limp Secure VPN is built on the WireGuard protocol and by default routes all DNS traffic only through the encrypted tunnel to its own resolvers, leaving not a single query for your ISP. A built-in kill switch blocks traffic if the connection drops, and IPv6 leak protection is on from the start — with no manual editing of system settings.

  • Own DNS in the tunnel — your ISP sees none of the domains you open.
  • Kill switch — when the tunnel drops, DNS queries do not leak out.
  • Strict no-logs — the service does not store your DNS queries or connection history.
  • iOS, Android, Windows, Mac — one layer of protection across all devices for 100 ₽ a month.
  • WireGuard — a fast, modern protocol with clean DNS routing.

Conclusion

A DNS leak is an insidious problem: your IP is hidden, the VPN indicator is green, yet your ISP still sees the list of your sites. Fortunately it takes a minute to test and is fixed by the right VPN with forced DNS, a kill switch, and IPv6 and WebRTC protection. Run a DNS leak test right now on dnsleaktest.com and browserleaks.com and make sure the privacy you pay for actually works. Limp Secure VPN closes all of these gaps by default, so you never have to think about the settings.

All posts