Your VPN is on. You feel safe. Meanwhile your ISP is watching every domain you visit like they're reading your diary over your shoulder.
That's a DNS leak. And it's shockingly common.
First, What Even Is DNS
DNS stands for Domain Name System. It's the thing that turns "google.com" into an actual IP address your computer can connect to, because computers talk to each other using numbers, not names.
Think of it like a phone book. Except this phone book gets consulted millions of times per second, it's distributed across servers all over the world, and your computer hits it every single time you visit literally any website, send an email, load an app, or do basically anything on the internet.
When you type "reddit.com" into your browser, here's what actually happens. Your computer sends a query to a DNS server asking "hey, what's the IP address for reddit.com?" That DNS server either knows the answer or goes and finds it, then sends back something like 151.101.1.140. Your browser then connects to that IP address. The whole thing happens in milliseconds and you never think about it.
Normal operation. Nothing weird.
But here's what your ISP sees during that process: every single domain you look up. Not the content of the pages, necessarily, but the domains themselves. Which tells them you visited Reddit at 11pm on a Tuesday. Which tells them you searched for something on a medical site. Which tells them which news sites you read. The domain names alone are a pretty detailed map of your life.
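To make "every single domain you look up" concrete, here is an added example (not code from the article) that hand-builds a DNS query in RFC 1035 wire format and parses a constructed answer. The domain reddit.com and the address 151.101.1.140 come from the article; the response bytes are constructed to stand in for a resolver, so nothing touches the network, and the function names are this example's own. The point it demonstrates: the queried name sits in the packet as readable labels, which is exactly what an untunneled query hands to whoever is on the path.

```python
import struct

# Added example: hand-built DNS packets (RFC 1035 wire format) showing that the
# queried domain travels as readable labels. Function names are this example's own.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query for the A record of `name`."""
    # Header: ID, flags (only RD = recursion desired), QDCOUNT=1, AN/NS/AR = 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: each label is a length byte followed by its ASCII text, ending in 0x00
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def read_name(packet: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers. Returns (name, end)."""
    labels = []
    end = None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def question_name(packet: bytes) -> str:
    """What an on-path observer (your ISP, for an untunneled query) reads: the QNAME."""
    return read_name(packet, 12)[0]


def parse_response(packet: bytes):
    """Return (question name, list of A-record IPs) from a DNS response."""
    _txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    qname, offset = read_name(packet, 12)
    offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four address bytes
            ips.append(".".join(str(b) for b in rdata))
    return qname, ips


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed stand-in for a resolver's answer to `query` (no network involved)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    # Flags 0x8180: QR (response), RD, RA. One question, one answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer name is a pointer (0xC00C) back to the QNAME at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("reddit.com")
    print("query bytes:", q.hex())
    print("readable in the clear:", question_name(q))
    r = build_response(q, "151.101.1.140")  # address from the article, answer constructed
    print("resolved:", parse_response(r))
```

Run it and look at the hex dump: the bytes `06 72 65 64 64 69 74 03 63 6f 6d` spell out `reddit` and `com` with their length prefixes. A plain UDP query carries no encryption at all, so tunnelling it through the VPN (or using an encrypted DNS transport) is the only thing standing between that string and the ISP's logs.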
What a DNS Leak Is Specifically
When you use a VPN, your DNS queries are supposed to go through the VPN's encrypted tunnel and reach the VPN provider's DNS servers. The whole point is that your ISP only sees encrypted traffic going to the VPN server and nothing else.
But sometimes that doesn't happen. Sometimes your computer sends DNS queries directly to your ISP's DNS servers, bypassing the VPN completely. The VPN is running, the tunnel is up, your browsing traffic is encrypted, and yet your DNS lookups are going out in the clear through your ISP.
Your ISP sees every domain you visit. As if the VPN wasn't even there.
That's the leak.
It can happen for a bunch of reasons. Windows has a feature called "Smart Multi-Homed Name Resolution" that can cause DNS queries to go to multiple resolvers simultaneously, including your ISP's. Your router might have its own DNS settings that override the VPN. Your operating system might fall back to default DNS servers if the VPN's DNS doesn't respond fast enough. Some VPN clients are just poorly implemented and don't handle DNS routing correctly.
Why Your ISP Actually Cares About Your DNS
Here's a slightly uncomfortable truth. ISPs in many countries are legally required to log DNS data or at least retain the ability to hand it over to authorities on request. In the US, ISPs can sell anonymized browsing data to advertisers. In the UK, ISPs have to retain browsing records. The specifics vary by country, but the general pattern is that ISPs have both the technical capability and often the legal obligation to keep records of DNS lookups.
Beyond the legal angle, they use it for network management, throttling specific services, and building advertising profiles. Your ISP knows which streaming services you use, which social media platforms you visit, and how often. That's valuable data.
So when you use a VPN and think you're hiding your browsing patterns, but you have a DNS leak, you're not hiding anything. You're just making yourself feel better.
How to Actually Test for a DNS Leak
Turn on your VPN first. Then go to the DNS Leak Test tool and run the test.
The tool makes a series of DNS requests and shows you which DNS servers responded to them. The results will show you the server names, IP addresses, and usually the organization they belong to.
Here's how to read what you see.
If the DNS servers showing up in the results belong to your VPN provider, you're fine. The queries are going where they're supposed to go.
If the DNS servers belong to your ISP, like Comcast, AT&T, Verizon, or whatever your local ISP is, that's a leak. Those queries are bypassing your VPN entirely and going straight to your provider.
If you see a mix, some VPN servers and some ISP servers, that's also a problem. Inconsistent DNS routing means some of your traffic is leaking even if not all of it is.
You can also run the test with your VPN turned off first, to see what your normal DNS servers look like. Then turn the VPN on and compare. If the same servers show up in both tests, you have a leak.
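The reading rules above (all VPN resolvers is clean, all ISP is a leak, a mix is still a problem, and anything that answers both with the VPN off and on is a leak) are easy to apply by hand, but they are also easy to encode, which helps when you re-run the test after each fix. Here is an added example that does that; it is not code from the article or from any leak-test tool. The resolver addresses are constructed (RFC 5737/3849 documentation ranges for the ISP side, a hypothetical 10.8.0.0/24 for the VPN side) and the VPN range is an assumption you would replace with the resolver addresses your provider publishes. Because it uses the `ipaddress` module it also handles IPv6 resolvers, which the article does not discuss but which show up in leak-test results just the same.

```python
import ipaddress
from dataclasses import dataclass

# Added example: reading DNS leak-test results programmatically. The resolver IPs
# below are constructed (documentation ranges plus a hypothetical VPN range);
# substitute the resolver addresses your VPN provider publishes.


@dataclass(frozen=True)
class Resolver:
    ip: str   # resolver address the leak test reports
    org: str  # organization the test attributes it to


# Hypothetical: the range your VPN provider publishes for its resolvers.
VPN_RESOLVER_RANGES = [ipaddress.ip_network("10.8.0.0/24")]


def classify(resolver: Resolver, vpn_ranges) -> str:
    """'vpn' if the resolver is inside the VPN's published ranges, else 'outside'.
    ipaddress compares across families safely, so an IPv6 resolver that the
    tunnel never covered is reported as 'outside' rather than crashing."""
    addr = ipaddress.ip_address(resolver.ip)
    return "vpn" if any(addr in net for net in vpn_ranges) else "outside"


def verdict(observed, vpn_ranges) -> str:
    """Apply the article's reading: all VPN = clean, none = leak, some = mixed."""
    if not observed:
        return "no resolvers reported"
    labels = {classify(r, vpn_ranges) for r in observed}
    if labels == {"vpn"}:
        return "clean"
    if labels == {"outside"}:
        return "leak"
    return "mixed"


def still_present(vpn_off, vpn_on):
    """Resolvers seen with the VPN off that also answer with the VPN on."""
    return sorted({r.ip for r in vpn_off} & {r.ip for r in vpn_on})


def report(vpn_off, vpn_on, vpn_ranges) -> str:
    """Human-readable summary of one off/on comparison."""
    lines = [f"verdict: {verdict(vpn_on, vpn_ranges)}"]
    for r in vpn_on:
        lines.append(f"  {r.ip:<20} {r.org:<12} {classify(r, vpn_ranges)}")
    for ip in still_present(vpn_off, vpn_on):
        lines.append(f"  {ip} answered both with the VPN off and with it on")
    return "\n".join(lines)


# Constructed sample results, not output from any real test run.
VPN_OFF = [Resolver("198.51.100.10", "Example ISP"),
           Resolver("2001:db8::53", "Example ISP")]
VPN_ON_CLEAN = [Resolver("10.8.0.1", "Example VPN")]
VPN_ON_MIXED = [Resolver("10.8.0.1", "Example VPN"),
                Resolver("198.51.100.10", "Example ISP")]

if __name__ == "__main__":
    print(report(VPN_OFF, VPN_ON_MIXED, VPN_RESOLVER_RANGES))
```

Paste the addresses from a real run into `VPN_OFF` and `VPN_ON` lists and re-run after each change from the fix section. A verdict of `mixed` with one of the VPN-off resolvers listed as still present is the signature of the operating system racing its default resolvers against the tunnel's, which is the Windows behaviour described later in the article.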
How to Fix a DNS Leak
Several approaches work, and you might need more than one depending on how bad the situation is.
Fix the VPN client settings first.
Most reputable VPN clients have a setting for DNS leak protection or something called "private DNS." Look in the settings panel. If it's there, turn it on. This tells the VPN client to force all DNS traffic through the tunnel and block any queries that try to go elsewhere.
NordVPN calls it "DNS Leak Protection." ExpressVPN uses its own DNS servers and claims to handle this by default. Mullvad is particularly aggressive about DNS and won't let queries escape the tunnel under normal circumstances. If your VPN has this option and it's off, turn it on before anything else.
Configure custom DNS manually.
Even if your VPN routes DNS correctly, you might want to use a specific DNS provider instead of your VPN provider's servers. Cloudflare runs DNS at 1.1.1.1, which is fast and has a decent privacy policy. Google runs public DNS at 8.8.8.8. Neither of these is your ISP.
You can set these in your operating system's network settings directly. On Windows: Network Settings, then Properties on your connection, then change the DNS server addresses. On Mac: System Preferences, Network, Advanced, DNS tab. On Linux: depends on your setup, but typically /etc/resolv.conf or your network manager.
The thing to know is that if you set DNS at the OS level but your VPN routes the actual queries, the DNS server you see in leak tests will reflect your VPN's handling, not necessarily the server you configured. It's complicated. Just configure both the VPN settings and the OS DNS settings and test afterward.
Change your router's DNS settings.
If you run your VPN at the router level rather than on individual devices, you might need to configure DNS there. Most routers have a DNS settings section in the admin panel (usually at 192.168.1.1 or similar). Change the DNS servers to something like 1.1.1.1 and 8.8.8.8 to avoid your ISP's default DNS.
Disable Windows Smart Multi-Homed Name Resolution.
If you're on Windows and you're still seeing leaks after configuring your VPN, this Windows feature might be the culprit. You can disable it through Group Policy (if you have Windows Pro or Enterprise) by going to Computer Configuration, Administrative Templates, Network, DNS Client, and setting "Turn off smart multi-homed name resolution" to Enabled.
Yes, that's a lot of menu navigation. Windows is Windows.
The Kill Switch Explanation
While we're talking about VPN reliability, let me mention kill switches because they're related.
A kill switch is a VPN feature that cuts your internet connection entirely if the VPN drops. Without a kill switch, if your VPN connection briefly disconnects, your traffic briefly goes through your normal ISP connection, in the clear, with your real IP and DNS. That's a leak too, just a different kind.
Most decent VPN clients have a kill switch option. Turn it on. The downside is that if your VPN goes down, you lose internet access instead of falling back to your real connection. The upside is that you don't accidentally expose yourself every time the VPN hiccups.
It's the right tradeoff if privacy is why you're using a VPN in the first place.
The Hierarchy of DNS Privacy
Worth understanding the landscape here. Using your ISP's DNS is the worst option from a privacy perspective. Using Google's 8.8.8.8 is better in that Google is not your ISP and doesn't have the same regional logging requirements, but Google still sees your queries. Using Cloudflare's 1.1.1.1 with their "privacy first" policy is better still. Using your VPN provider's DNS through an encrypted connection is generally the best option for VPN users.
Some VPNs support encrypted DNS protocols like DNS-over-HTTPS or DNS-over-TLS. These encrypt the DNS queries themselves as an additional layer on top of the VPN tunnel. Mullvad and ProtonVPN support this. If your VPN does, worth enabling it.
Running the Test Again After Fixing Things
Whatever fix you apply, run the DNS leak test again afterward. Don't assume it worked.
Test with the VPN on. Compare the DNS servers shown to the VPN provider's listed DNS servers. If they match, you're good. If you still see your ISP in the results, something else is overriding your settings and you need to dig deeper.
It's worth doing this periodically too, not just once. Software updates, router resets, or VPN client updates can sometimes change settings without warning.
The Simple Version
DNS is the phone book. When your VPN is on, your ISP shouldn't be reading that phone book. A DNS leak means they still are. Test it, find out, fix it.
Run the DNS Leak Test right now. Takes about thirty seconds. Either you're fine, or you find out something important you didn't know.