DNS leak test
A DNS leak lets your internet provider see which sites you visit even when your traffic is going through a VPN. Here is what a leak looks like, how to test for one, and how to fix it.
Run the test in 4 steps
Connect to your VPN
If you are testing whether your VPN is leaking, make sure it is actually connected and pointing at the country you expect. If you are not on a VPN, skip to step 2 — the test will simply show your internet provider's resolvers.
Open a known-good DNS-leak test
Use dnsleaktest.com and choose the "extended test". The site fires lookups for many random subdomains it controls, then reports which DNS resolvers handled them.
Read the resolver list
If every resolver in the list belongs to your VPN provider (or to a privacy-focused resolver you intentionally configured, like Cloudflare 1.1.1.1), there is no leak. If you see your internet provider's name or your home country's ISPs while connected to a VPN in another country, your DNS is leaking.
Fix any leak you found
The reliable fix is to use a VPN that ships its own DNS and enforces routing in the app. Cheap or free VPNs are the most common cause. NordVPN, our recommended provider, includes a kill switch and DNS-leak protection in every app. See the FAQ below for manual fixes if you can't change provider.
More tools
Frequently asked questions
What is a DNS leak?
A DNS leak happens when your computer sends DNS queries — the lookups that turn "example.com" into an IP address — outside the encrypted tunnel of your VPN. Even if your traffic is encrypted, your internet provider (or whoever runs the DNS resolver you accidentally use) can still see the names of every site you visit. The fix is to ensure all DNS queries go through your VPN provider's own DNS servers.
How do I tell if my DNS is leaking?
Connect to your VPN and visit a DNS-leak test site. The tool issues lookups for many random subdomains; the resolvers that handle those lookups identify themselves to the test server. If any of the resolvers belong to your internet provider — or are not the ones your VPN claims to use — you have a leak. Step-by-step instructions are above.
Why do DNS leaks happen even with a VPN?
Three common reasons: 1) Your operating system is configured to use a specific DNS resolver and ignores the VPN's settings, 2) the VPN client does not enforce DNS routing through the tunnel, or 3) IPv6 traffic is leaking around an IPv4-only VPN. Modern VPN apps from reputable providers usually fix all three; older or free VPNs frequently leak.
Does a DNS leak reveal my real IP address?
Not directly — a DNS leak reveals the names of the sites you visit, plus the IP address of whichever resolver handled the query. That resolver is usually your internet provider, who knows who you are. So while your visible IP on the destination site may still be the VPN, the identity behind your browsing history is exposed to the resolver operator.
How do I fix a DNS leak?
The reliable fix is to use a VPN that ships its own DNS resolvers and enforces DNS routing in the app. NordVPN, for example, provides "Threat Protection" and a kill switch that block any traffic — including DNS — that does not go through the tunnel. If you cannot change VPNs, manually configuring a privacy-focused public resolver (Cloudflare 1.1.1.1, Quad9 9.9.9.9) reduces the exposure but does not fully close it.
Are DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) the same as VPN DNS?
No. DoH and DoT encrypt your DNS queries between you and the resolver, which prevents your internet provider from logging or tampering with them. They do not change the resolver itself — if you are using your provider's DoH endpoint, your provider still sees every query. A VPN routes all queries to its own resolvers, which is a stronger guarantee against your provider seeing your browsing.