
DNS Leak Test

Find out if your DNS queries are sneaking out of your VPN tunnel and being seen by your ISP.

DNS leaks: the silent way VPNs fail

Quick version: HTTPS hides what's inside a website connection. DNS reveals which website you opened in the first place. If your DNS leaks, your ISP knows every site you visited - even if the actual page traffic was encrypted through a VPN.

What DNS does and why it matters

DNS - the Domain Name System - is the phone book of the internet. Every time you type nytimes.com, your computer asks a DNS server "what IP address goes with this name?" and the server replies with something like 151.101.193.164. Your browser then opens an HTTPS connection to that IP. The page contents are encrypted; your ISP can't read them.

But your ISP CAN see the original DNS question - "what's the IP for nytimes.com?" - because by default DNS is unencrypted UDP traffic on port 53. So even with HTTPS everywhere, your ISP can build a complete log of every site you visited just by watching DNS.

A VPN is supposed to fix this by routing DNS through the encrypted tunnel and answering the queries with the VPN provider's own DNS server. The ISP only sees encrypted traffic to the VPN's IP - no more domain logs.

Where DNS leaks come from

Multi-homed name resolution (Windows)

Windows tries to be clever. When you have multiple network interfaces (your Wi-Fi and your VPN's virtual adapter), Windows sends DNS queries out both simultaneously and uses whichever responds first. This is documented as "smart multi-homed name resolution". The VPN tunnel sees the query - good - but so does your ISP - bad.

The fix is a registry entry or Group Policy setting that disables this behavior. Reputable VPN clients do this for you on install. Free or sketchy VPNs often don't.

IPv6 fallback

If your VPN only routes IPv4 and your ISP supports IPv6, DNS-over-IPv6 queries go around the tunnel entirely. We test for this directly in the IPv6 leak row.

Hard-coded DNS in apps

Some apps - notably anti-virus, cloud-storage clients, and a few smart-home integrations - hard-code a DNS server (often 8.8.8.8) into the app rather than asking the OS. These queries can bypass the VPN tunnel even with everything else configured correctly. There's no clean fix short of blocking the app at the firewall.

Captive portal hijacks

Coffee-shop and hotel Wi-Fi often runs a "captive portal" that intercepts all DNS until you log in. If your VPN connects after the portal authenticates, fine. If something goes wrong and the captive portal's DNS handler stays active in the OS, you'll keep leaking until you reboot the network.
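
The leak paths in this section can be spotted by checking which interface each DNS packet leaves on. The following is an added example, not code from this site: the record layout, the interface names (tun0, wlan0), the addresses and the 0.5 s matching window are assumptions, and the cause labels are heuristics.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: one record per DNS packet seen leaving the host.
# Field layout and interface names ("wlan0", "tun0") are assumptions.
Pkt = namedtuple("Pkt", "ts iface dst dport qname")
CAPTURE = [
    Pkt(10.00, "tun0", "10.8.0.1", 53, "nytimes.com"),
    Pkt(10.01, "wlan0", "192.168.1.1", 53, "nytimes.com"),      # same name, both interfaces
    Pkt(11.20, "wlan0", "2001:db8::53", 53, "example.org"),     # IPv6 resolver, off-tunnel
    Pkt(12.70, "wlan0", "8.8.8.8", 53, "updates.example.net"),  # resolver picked by an app
    Pkt(13.00, "tun0", "10.8.0.1", 53, "example.com"),
]

def find_leaks(capture, tunnel_iface="tun0", window=0.5):
    """Return (qname, dst, likely_cause) for each port-53 packet outside the tunnel."""
    tunneled = [(p.ts, p.qname) for p in capture if p.iface == tunnel_iface]
    leaks = []
    for p in capture:
        if p.iface == tunnel_iface or p.dport != 53:
            continue  # inside the tunnel, or not plaintext DNS
        if ipaddress.ip_address(p.dst).version == 6:
            cause = "ipv6-fallback"
        elif any(q == p.qname and abs(ts - p.ts) <= window for ts, q in tunneled):
            # The same name went through the tunnel at almost the same moment.
            cause = "multi-homed-parallel-query"
        else:
            cause = "resolver-chosen-outside-os"  # e.g. hard-coded in an app
        leaks.append((p.qname, p.dst, cause))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(CAPTURE):
        print(leak)
```

With a correctly tunneled setup the physical interface carries only encrypted traffic to the VPN server, so any port-53 record on it is worth investigating.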

How DNS leak tests actually work

A real, strict DNS leak test - the kind dnsleaktest.com runs - does this:

  1. Generates a unique random subdomain (something like x7k3p9.dnsleaktest.com)
  2. Tells the browser to fetch that subdomain
  3. The browser asks the OS to resolve it; the OS asks DNS
  4. Whatever DNS server resolved it must contact the authoritative DNS server for dnsleaktest.com
  5. The authoritative server logs the IP that asked - that's the resolver your OS actually used
  6. The page polls back, finds the resolver IP, and tells you whether it belongs to your VPN or your ISP

This requires a controlled DNS server with logging - which, as a static site, we don't yet run. So our DNS row is informational rather than authoritative. For the strictest check, use dnsleaktest.com's "extended" test alongside our other signals.

Reading the results

Once you do run a strict DNS test, here's how to read it:

  • Multiple DNS servers from your VPN provider - safe, you're tunneling correctly
  • Cloudflare/Google DNS only - probably safe; many VPNs use these as upstream resolvers
  • One ISP-named server (Comcast, Verizon, etc.) - leaking, full stop
  • Mix of VPN and ISP servers - intermittent leak, often Windows multi-homed resolution
  • Servers in your home country when your VPN says you're abroad - DNS leak, even if the names don't match your ISP
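
The six-step test above and the VPN / ISP / mixed reading rules, as an added example (not code from this site or from dnsleaktest.com). The zone name, the log line format and the address ranges are assumptions built for the example; resolvers such as Cloudflare or Google fall into the "undetermined" branch and need the owner and country check from the list.

```python
import ipaddress
import secrets

ZONE = "leaktest.example"  # hypothetical test zone (assumption), not a real service

# Constructed authoritative-server query log: "<epoch> <source-ip> <qname> <qtype>"
AUTH_LOG = [
    "1700000000 198.51.100.10 x7k3p9.leaktest.example. A",
    "1700000000 203.0.113.53 x7k3p9.leaktest.example. A",
    "1700000001 198.51.100.10 q2m8w1.leaktest.example. A",     # another visitor
    "1700000001 198.51.100.11 X7K3p9.LeakTest.example. AAAA",  # resolver randomized case
]

def new_probe(zone=ZONE):
    """Step 1: a unique random name that no resolver cache can already hold."""
    return f"{secrets.token_hex(6)}.{zone}"

def resolvers_for(probe, auth_log):
    """Steps 4-5: source IPs that asked the authoritative server for this probe."""
    seen = []
    for line in auth_log:
        _, src, qname, _ = line.split()
        # DNS names are case-insensitive and logged here with a trailing dot.
        if qname.rstrip(".").lower() == probe.lower() and src not in seen:
            seen.append(src)
    return seen

def verdict(resolver_ips, vpn_nets, isp_nets):
    """Step 6 and the reading rules: VPN only, ISP only, or a mix of both."""
    def inside(ip, nets):
        return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
    vpn = [ip for ip in resolver_ips if inside(ip, vpn_nets)]
    isp = [ip for ip in resolver_ips if inside(ip, isp_nets)]
    if vpn and isp:
        return "intermittent leak: VPN and ISP resolvers"
    if isp:
        return "leaking: ISP resolver"
    if vpn and len(vpn) == len(resolver_ips):
        return "tunneled: VPN resolvers only"
    return "undetermined: check resolver owner and country"

if __name__ == "__main__":
    ips = resolvers_for("x7k3p9.leaktest.example", AUTH_LOG)
    # Constructed ranges: 198.51.100.0/24 stands in for the VPN, 203.0.113.0/24 for the ISP.
    print(ips, "->", verdict(ips, ["198.51.100.0/24"], ["203.0.113.0/24"]))
```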

Bottom line

DNS leaks are sneaky because everything looks fine from the user's perspective - the VPN is connected, websites think you're in the right country, HTTPS is green. But your ISP is still building a list of every domain you visit. Use a reputable VPN that handles DNS internally, run a strict test once on each new device, and you're done.

FAQ
What exactly leaks during a DNS leak?

Every time you visit a website, your computer first asks a DNS server 'what's the IP address for this domain?'. If your VPN is configured properly, that question travels through the encrypted tunnel and is answered by the VPN's DNS server. If something goes wrong, the question goes to your ISP's DNS server unencrypted. Your ISP doesn't see the page contents (HTTPS protects that), but it sees every domain you visit - and that's enough to build a profile of your browsing.

Why does Windows leak DNS more than other systems?

Windows has a 'feature' called smart multi-homed name resolution that sends DNS queries simultaneously out every active network interface, supposedly for speed. Your VPN tunnel gets the question, but so does your ISP. Killing this requires either registry edits, a Group Policy change, or - cleanest - a VPN client that disables it for you. NordVPN, ExpressVPN, ProtonVPN and Mullvad all handle this on Windows.

How do I run a DNS leak test manually?

The classic approach is to visit dnsleaktest.com or our tool, run the standard test, and check whether the listed DNS servers belong to your VPN provider or your ISP. If you see Comcast, Verizon, AT&T, Deutsche Telekom or any consumer ISP name in the DNS results - you're leaking. If you see Cloudflare, Google, or a name like 'NordVPN DNS' - you're fine. The 'extended' test on dnsleaktest.com hammers many DNS servers in parallel and can catch leaks that a single query misses.

What's a 'transparent DNS proxy' leak?

Some ISPs (especially in restrictive countries or budget mobile networks) intercept all outbound port-53 DNS traffic and redirect it to their own server, even if you specified a different DNS in your settings. Your VPN tunnel can mask this if it's configured to use port 53 only inside the tunnel - but if any query escapes the tunnel, the ISP grabs it. Solution: VPN with built-in DNS over the encrypted channel (any reputable provider) and DoH/DoT enabled in the browser as backup.

Is DoH (DNS over HTTPS) the same as VPN DNS?

No. DoH encrypts your DNS queries between your browser and the DNS resolver (typically Cloudflare 1.1.1.1 or Google 8.8.8.8). That's good - your ISP can't see the queries. But DoH does NOT hide your IP from websites, and the DoH provider sees every domain you query. A VPN hides both your IP and your DNS lookups (assuming the VPN is configured to handle DNS internally). DoH is a partial solution; a VPN with built-in DNS is a full one.

What does 'safe' actually mean in this DNS test?

Honestly: in our static-only browser-based version, the DNS test is a placeholder. A real DNS leak test requires a server we control that issues a unique subdomain per visitor and logs every DNS query to it - because the leak happens at the OS DNS resolution layer, not in JavaScript. We're shipping that as the next iteration. For now, treat the DNS row as 'no obvious leak detected' rather than a guarantee. The WebRTC and IPv6 tests are the strict checks.