eastbaycyber

What is DNS leaking and how do I stop it?

FAQs 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

A DNS leak means your device is sending DNS requests to the wrong resolver. This can expose the domains you visit and bypass the secure path you expected. The usual fixes are to force DNS through the intended resolver, review browser and operating system settings, and validate that your VPN handles DNS correctly.

A DNS leak happens when your device sends DNS queries to a resolver you did not intend to use, often outside your VPN or secure network path. If you are asking what is DNS leaking, the short version is that your browsing lookups may still be visible to your ISP, local network, or another DNS provider even when you think your traffic is protected. To stop DNS leaks, you need to verify VPN DNS behavior, OS resolver settings, browser DNS features, and split tunneling rules.

What DNS leaking means

DNS, or the Domain Name System, translates names like example.com into IP addresses. Before your browser connects to a site, it often performs a DNS lookup first.

A DNS leak occurs when that lookup goes somewhere unexpected, such as:

  • your ISP’s DNS servers
  • the local network’s resolver
  • a manually configured public DNS provider
  • a browser-level encrypted DNS service that bypasses system settings

That matters because DNS requests reveal a lot about what your device is trying to reach. Even if a website uses HTTPS, the DNS query may still expose the domain name.

If you need a primer first, see what is dns and how does it work.

Why DNS leaks matter

DNS leaks are often framed as a privacy problem, but they also affect security and operations.

Potential impacts include:

  • loss of privacy because your ISP or hotspot provider can still see domain lookups
  • policy bypass when enterprise DNS filtering or logging is skipped
  • misrouting if names resolve differently than expected
  • exposure of internal behavior when internal resource requests hit the wrong resolver
  • false security assumptions when users think all traffic is protected by the VPN

For home users, the main concern is usually DNS privacy. For businesses, DNS leaks can also break filtering policies, monitoring expectations, split-horizon DNS behavior, and internal access design.

Common causes of DNS leaks

Most DNS leaks happen because of configuration issues, not because DNS itself suddenly “fails.”

VPN does not force DNS through the tunnel

Some VPNs send general traffic through the tunnel but still let DNS use the local network or ISP resolver. In that case, the traffic path and the DNS path are not aligned.

This is one of the most common forms of a VPN DNS leak.

Split tunneling

With split tunneling, only some traffic goes through the VPN. If DNS is not designed carefully, queries may use the non-VPN path even when the destination traffic uses the tunnel.

That can create inconsistent behavior and reveal domains outside the protected route.

For more on that design issue, see what is split tunneling.

Operating system resolver behavior

Modern operating systems may choose DNS servers based on:

  • interface priority
  • fallback logic
  • active connection state
  • multiple network adapters

If Wi-Fi, Ethernet, virtual adapters, or security software are all present, the system may not always use the resolver you expected.

Browser secure DNS settings

Some browsers support DNS over HTTPS and may send queries to a browser-selected provider instead of the system resolver. That can improve privacy in some situations, but it can also create a DNS leak relative to your intended architecture.

The issue is not always that encrypted DNS is bad. The issue is whether the browser is bypassing the resolver path you actually meant to use.

IPv6 handling mismatches

If your VPN handles IPv4 well but not IPv6, DNS or related traffic may bypass the expected route. This is a common source of confusing leak behavior.

Manual DNS settings

Devices configured with static public DNS servers may continue using them even after joining a VPN or corporate network. That can override the DNS path your secure connection is trying to establish.

How to stop DNS leaks

The goal is simple: make sure DNS requests use the resolver and route you intended.

Use a VPN that enforces DNS settings

A well-designed VPN should:

  • push DNS settings when connected
  • route DNS through the tunnel
  • prevent fallback to local resolvers where appropriate
  • handle reconnects and interface changes cleanly

If you are choosing a consumer VPN for travel or public-network use, look for one with clear DNS leak protections and kill-switch behavior. Readers often compare NordVPN and Surfshark for this reason, but you should still test the endpoint rather than assume any provider is configured correctly by default.

Review or disable split tunneling

If split tunneling is enabled, confirm whether DNS should go:

  • fully through the VPN
  • only through the VPN for certain domains
  • directly for some apps and through the tunnel for others

Poor split tunneling design is a leading cause of DNS leaks.

Check operating system DNS settings

Review whether the device uses:

  • automatic DNS from the active interface
  • manually assigned DNS servers
  • enterprise-managed resolver settings
  • multiple network adapters with conflicting priority

Old settings, security tools, and virtual adapters can all interfere with expected behavior.

Review browser DNS behavior

Check whether your browser is using:

  • the system DNS resolver
  • a built-in DNS over HTTPS provider
  • an enterprise-approved encrypted DNS service

If the browser uses its own provider, that may bypass your VPN or corporate resolver design.

Handle IPv6 correctly

Do not ignore IPv6. Either:

  • ensure the VPN and network support it correctly, or
  • disable it if that matches your environment and policy

Partial IPv6 support often causes traffic to escape the intended secure path.

Test after making changes

Never assume a DNS fix worked without validation. After changing VPN, browser, or OS settings, confirm:

  • which resolver is actually answering queries
  • whether DNS stays inside the tunnel
  • whether browser behavior matches system behavior
  • whether internal and external names resolve as intended

Extra security practices that help

Stopping DNS leaks is only one part of protecting traffic on untrusted networks.

Useful supporting steps include:

  • keeping your OS and browser updated
  • using MFA on important accounts
  • avoiding sensitive admin work on public Wi-Fi
  • reducing unnecessary browser extensions
  • using a password manager to avoid credential reuse

If you are improving overall account hygiene alongside safer remote browsing, 1Password is one option readers may consider for managing unique passwords across devices.

Common misconceptions

“If I use HTTPS, DNS leaks do not matter”

False. HTTPS protects the web session content, but DNS queries can still reveal which domains you are accessing.

“A VPN automatically prevents all DNS leaks”

Not always. A VPN can reduce the risk only if DNS is pushed, routed, and enforced correctly.

“DNS leaks are only a privacy issue”

No. They can also affect enterprise filtering, monitoring, access to internal resources, and expected traffic routing.

“Public DNS is always safer than local DNS”

Not necessarily. Public DNS may be reliable, but it can still bypass your intended controls or conflict with internal architecture.

“Browser secure DNS always fixes DNS leaks”

It depends. Browser-level encrypted DNS may improve privacy on some networks, but it can also send DNS requests outside the resolver path your VPN or organization expects.

Final takeaway

If you are asking how to stop DNS leaks, the key is to verify where your DNS queries actually go, not just where you assume they go. A DNS leak means your name-resolution path does not match your privacy or security expectations. Fixing it usually requires aligning your VPN, operating system, browser, and network design so they all follow the same plan.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.