spyderproxy

What Is a DNS Leak? How to Test (2026 Guide)

Alex R. | Published date: 2026-04-21

A DNS leak means your browser is sending "what website am I about to visit?" queries to your ISP even though the rest of your traffic goes through a VPN or proxy. Your ISP (and anyone with subpoena power over your ISP's logs) sees your full browsing list. The VPN hides the data on the pipe; the DNS leak leaks the destination.

This guide explains what's actually happening, how to test in 60 seconds, and how to plug the leak on every major operating system.

What DNS Actually Does

DNS (Domain Name System) is the internet's phone book. When you type example.com, your device first asks a DNS server "what IP address is example.com?" Only after getting the answer does it open a connection. Every website, app, and background service does this — typically hundreds of DNS queries per hour per device.

The question is which server you're asking. By default it's your ISP's. Comcast's DNS sees every site Comcast customers visit. T-Mobile's sees every site T-Mobile customers visit. This log is retained for months to years in many countries.

How a DNS Leak Happens (Even on a VPN)

A VPN encrypts your network traffic and routes it through a VPN server. If the VPN is configured correctly, your DNS queries also go through the tunnel — to the VPN provider's DNS server or a privacy-focused one like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9).

A leak occurs when the DNS query bypasses the tunnel and goes to your ISP anyway. Common causes:

  • The OS has a hard-coded DNS server — Windows 10/11 in particular sometimes sends queries to the adapter-configured DNS even on an active VPN. This is called "smart multi-homed name resolution" and it's on by default.
  • IPv6 leak — The VPN tunnels IPv4 but not IPv6. Your device prefers IPv6 where available, so DNS (and the actual connections) go out over IPv6 directly to your ISP. Modern home internet is IPv6-enabled; this leak is common.
  • WebRTC leak in the browser — Browsers can bypass system DNS using WebRTC's own STUN-based resolution. Your VPN can be perfect and the browser still leaks.
  • Split tunneling misconfigured — "Only route this app through the VPN" configurations often leave DNS on the host OS's default server.
  • Proxy without DNS routing — SOCKS5 proxies by default only forward TCP/UDP traffic; DNS resolution happens locally on your device before the connection. Unless you configure remote DNS (--socks5-hostname in curl, or network.proxy.socks_remote_dns in Firefox), your ISP still sees every hostname.
  • Wi-Fi / LAN captive portal override — Hotel and airport networks inject their own DNS server via DHCP, and some VPN clients don't overwrite it.

Test Your Setup in 60 Seconds

The fastest check is a DNS leak test site. The best ones in 2026:

  • SpyderProxy DNS Leak Test — checks IPv4 + IPv6, returns resolver ASN, labels it ISP/VPN/Cloudflare/Quad9
  • dnsleaktest.com — the classic; run the "Extended test"
  • browserleaks.com/dns — includes WebRTC leak testing

How to read the result:

  • You should see one DNS server
  • The ASN should match your VPN provider, Cloudflare, Google, or another privacy DNS — not your ISP
  • If you see multiple servers and at least one is your ISP, you have a leak
  • If the IPv6 result shows your ISP while IPv4 shows your VPN, you have an IPv6 leak

How to Fix a DNS Leak by Platform

Windows 11

  1. Open Settings → Network & Internet → Advanced network settings → Hardware and connection properties
  2. For your active adapter, set DNS server assignment to Manual
  3. Enter IPv4 1.1.1.1 and 1.0.0.1 (Cloudflare) or 9.9.9.9 (Quad9)
  4. Enable DNS over HTTPS ("Encrypted only")
  5. Disable IPv6 on the adapter, or configure IPv6 DNS (2606:4700:4700::1111) to match
  6. In PowerShell as admin: Set-NetDnsClientNrptRule -Namespace . -DnsSecEnable $false to suppress multi-homed DNS

macOS

  1. System Settings → Network → select your interface → Details → DNS
  2. Remove all entries, add 1.1.1.1 and 2606:4700:4700::1111
  3. For VPN: ensure the VPN config has Send all traffic over VPN connection enabled

iOS 17+

  1. Settings → General → VPN & Device Management → DNS
  2. Install a DNS-over-HTTPS profile from Cloudflare or NextDNS
  3. In the VPN app, enable "Block LAN traffic" if available

Android 9+

  1. Settings → Network & internet → Private DNS
  2. Select "Private DNS provider hostname" and enter 1dot1dot1dot1.cloudflare-dns.com or dns.quad9.net

Router / Whole-Home

Change your router's DNS to Cloudflare, Quad9, or NextDNS. This propagates to every device on the LAN and survives OS updates. Most home routers have the setting under WAN or Internet → Manual DNS.

Browser (Chrome/Edge)

  1. chrome://settings/security
  2. Enable Use secure DNS and pick a provider
  3. For proxy users, add --proxy-server="socks5://proxy:port" with --proxy-bypass-list="<-loopback>" and ensure DNS uses the proxy (Chrome does this by default for SOCKS5 with the h suffix)

Browser (Firefox)

  1. about:preferences#privacy → Enable DNS over HTTPS → Max Protection
  2. For proxy: about:config → set network.proxy.socks_remote_dns to true

Special Case: SOCKS5 Proxies and Remote DNS

If you're using a SOCKS5 proxy (common with SpyderProxy, curl, and most scraping setups), DNS resolution is local by default. Every hostname you resolve goes to your ISP before the connection even opens. The fix is application-level:

  • curl: use --socks5-hostname instead of --socks5
  • Python requests + PySocks: proxies={"http": "socks5h://user:pass@proxy:port", "https": "socks5h://user:pass@proxy:port"} — the h suffix forces remote resolution
  • Firefox: network.proxy.socks_remote_dns = true
  • Chrome: use --proxy-server="socks5://..." with a SOCKS5 URL (Chrome remote-resolves by default)

IPv6 — The Easy-to-Miss Leak

Most consumer internet connections now carry IPv6 alongside IPv4. Apps prefer IPv6 when both are available. If your VPN only carries IPv4, every IPv6-capable service (Google, Facebook, Cloudflare-fronted sites) leaks over IPv6 directly.

Three fixes, best to worst:

  1. Use a VPN or proxy that carries IPv6 as well as IPv4
  2. Disable IPv6 on the adapter when connected to the VPN
  3. Block IPv6 egress via firewall rules — last-resort but effective

Test the IPv6-specific leak at SpyderProxy IPv6 Checker.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT)

Classic DNS is unencrypted plaintext — even if you point it at 1.1.1.1 instead of your ISP, your ISP can still see the queries in flight (just not modify them). DNS-over-HTTPS and DNS-over-TLS encrypt the queries themselves, hiding them from the ISP entirely.

In 2026, every major OS and browser supports DoH. Enable it. It's the single biggest privacy upgrade that takes zero technical expertise.

DNS Leak vs WebRTC Leak vs IP Leak

Three distinct leaks often confused:

  • IP leak — the target site sees your real public IP. Fix with VPN/proxy.
  • DNS leak — your ISP sees a list of domains you visited, even through a VPN. Fix with encrypted DNS routed through the tunnel.
  • WebRTC leak — the browser bypasses the VPN via a STUN-based side channel to reveal your real IP. Fix with a WebRTC-blocking extension or about:config disable.

A complete privacy posture needs all three plugged.

FAQs

What is a DNS leak in simple terms?

It's when your device secretly asks your ISP "what IP is example.com?" even though you're on a VPN. The VPN hides the traffic but the DNS question is already answered by your ISP — giving them a list of every site you visit.

How do I test for a DNS leak?

Run any DNS leak test site while connected to your VPN. If the server shown matches your ISP (Comcast, Verizon, etc.), you have a leak. If it matches your VPN provider, Cloudflare, or Quad9, you're fine.

Can a DNS leak reveal my identity?

Directly, no — DNS leaks reveal domains visited, not names. Combined with your ISP's customer records, it reveals your full browsing history tied to your real identity.

Does a VPN always prevent DNS leaks?

No. Many free and mid-tier VPNs don't push DNS through the tunnel, especially for IPv6. Test after connecting to confirm.

What's the best DNS server for privacy?

Cloudflare (1.1.1.1) has the best no-logging audit record. Quad9 (9.9.9.9) adds malware blocking. NextDNS lets you configure filters yourself. Avoid Google DNS (8.8.8.8) if privacy is the goal.

Do SOCKS5 proxies leak DNS?

By default, yes. SOCKS5 forwards the connection but local DNS resolution happens on your device first. Use socks5h:// URLs (the h means remote DNS) or set your app to resolve through the proxy.

Does my browser override my OS DNS?

Often, yes — modern browsers have their own DNS-over-HTTPS that can bypass OS settings. Check both your OS DNS config and your browser's secure-DNS setting.

Is a DNS leak more serious than an IP leak?

They reveal different things. IP leak = target site knows you. DNS leak = ISP knows all the sites you visit. Both are worth fixing.

Bottom Line

DNS leaks are the most common privacy gap on otherwise well-configured systems. Test once a month using SpyderProxy's DNS Leak Test, and keep DNS-over-HTTPS enabled on every device. If you're scraping or privacy-browsing through a SOCKS5 proxy, use the socks5h:// URL scheme so hostnames resolve remotely instead of through your ISP.
