What Is a DNS Leak? Why It Happens Even With a VPN
2026-06-17
Your VPN is on, so you assume your browsing history is encrypted and hidden. But if a DNS leak occurs, the domains you visit can still be plainly visible to your network operator.
What DNS is
Every time you visit a site, the browser first translates the domain (e.g. example.com) into an IP address, a step handled by a DNS resolver. The catch: who performs that lookup, and whether it goes through an encrypted tunnel, determines whether the list of domains you visit leaks.
How the leak happens
Ideally, with a VPN on, DNS queries also travel through the tunnel and are resolved by the VPN's resolver. But due to system configuration, network switching, or apps that bypass the tunnel, queries may still go to your local ISP's resolver. The result: your traffic content is encrypted, but the list of domains you looked up leaks to the ISP or a public DNS resolver.
Why it matters
DNS query logs are effectively a "visit log" of your activity: which sites and services you used can be inferred. For people relying on a VPN for privacy, this is a commonly overlooked gap.
How to detect it
A proper DNS-leak test makes your browser resolve a batch of unique random subdomains, while an authoritative DNS server records which resolver did the lookup. If the resolver that appears is your local ISP rather than the VPN's, a leak occurred. (This is a planned phase-two feature on our site.)
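The server-side half of the test described above, as an added example (not this site's code): it generates the unique probe names, reads the authoritative server's query log, and flags any resolver outside the VPN's ranges. The zone `leaktest.example`, the three-field log format, the session IDs and all addresses are constructed assumptions.

```python
import ipaddress
import secrets

TEST_ZONE = "leaktest.example"  # assumption: zone delegated to the test's authoritative server

# Constructed authoritative-server query log: "<timestamp> <resolver source IP> <qname>"
SAMPLE_LOG = [
    "2026-06-17T10:00:01Z 198.51.100.10 3f9c2e.a1b2c3.leaktest.example.",
    "2026-06-17T10:00:01Z 203.0.113.53 7Ad1B0.A1B2C3.LeakTest.Example.",  # 0x20 mixed case
    "2026-06-17T10:00:02Z 192.0.2.77 aaaa00.ffffff.leaktest.example.",    # another session
    "malformed line",
]

def new_probe_names(session_id, count=5):
    """Random labels are never cached, so each lookup must reach the authoritative server."""
    return [f"{secrets.token_hex(8)}.{session_id}.{TEST_ZONE}" for _ in range(count)]

def resolvers_for_session(log_lines, session_id):
    """Return the source IPs of resolvers that queried this session's probe names."""
    suffix = f".{session_id}.{TEST_ZONE}".lower()
    seen = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        _ts, src, qname = parts
        # Resolvers may randomise case and send a trailing dot; normalise before matching.
        if qname.rstrip(".").lower().endswith(suffix):
            seen.add(src)
    return seen

def classify(resolver_ips, vpn_networks):
    """Flag a leak if any observed resolver is outside the VPN provider's resolver ranges."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    unexpected = sorted(
        ip for ip in resolver_ips
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    )
    return {"leak": bool(unexpected), "unexpected_resolvers": unexpected}

if __name__ == "__main__":
    seen = resolvers_for_session(SAMPLE_LOG, "a1b2c3")
    print(classify(seen, ["198.51.100.0/24"]))
```

The address logged is the recursive resolver's egress IP, so the VPN ranges passed to `classify` must list the provider's resolver egress addresses.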
How to protect yourself
- Use a VPN that forces DNS through the tunnel (enable its "DNS leak protection").
- Enable encrypted DNS (DoH/DoT) so the queries themselves are encrypted.
- Re-check after switching networks to confirm DNS still uses the tunnel.