People today are aware of the dangers they face when browsing the internet without any protection. The efforts of people like Edward Snowden and other security experts have not entirely gone to waste as more and more people are using VPNs to protect their online privacy and anonymity. However, there’s one thing that might foil your efforts and enable your ISP to spy on your online activity even when you are connected to a VPN. This is called a DNS leak.

What is a DNS Leak?

DNS stands for domain name system. To understand DNS leaks, you have to understand the significance of DNS in the working of the internet. Each website on the internet is identified by a unique internet protocol (IP) address. Even your system is assigned an IP address every time you connect to the internet. To direct you to a website, the IP address of that website is required. But you don’t know that, and you don’t have to enter a string of digits separated by dots in your address bar. You only enter the name of the website and you are taken to it.

When you enter a URL, a DNS query is made. This is basically a lookup of the IP address for the URL you enter. This is done by DNS servers which are assigned by your ISP. So when you want to visit a website, you enter its name, the IP address is searched using the DNS servers, and you are directed to it once it is found.

Since DNS queries are made over servers assigned by your ISP, your ISP can see everything you do on the internet. You probably know that to prevent your ISP and anyone else from snooping on your online activity you can use a VPN. However, DNS leaks can occur even if you are using a VPN. DNS leaks happen when your system uses the default DNS servers for looking up IP addresses instead of the VPN’s assigned DNS servers. Ideally, all requests should go through the VPN’s DNS servers so that your ISP has no clue of your online activity. But all operating systems (mostly Windows) have a knack for using the default DNS servers quite often. When this happens, your DNS requests are visible to your ISP, and your online privacy goes down the drain even though you are using a VPN. This is called a DNS leak.

Testing for a DNS Leak

There’s a very simple method of testing for DNS leaks. All you have to do is visit If you see your system’s IP address and your true geographic location, then it means that your system is defaulting to the ISP DNS servers and your ISP can see your online activity.

Causes of DNS Leaks

1. The IPv4/IPv6 issue

With the number of internet users increasing at a rapid pace, there is one problem. The pool of IP addresses available under the IPv4 system is becoming short, and it’s only a matter of time before new addresses won’t be there. The issue is already being solved, with a newer class of IP addresses called IPv6. The transition to IPv6 will take time, and it is going on at a slow but constant pace.

The problem is that most VPNs do not support IPv6 as of now. This means that if your system sends a DNS query over IPv6, then your VPN has no way of supporting it, and the query goes through the default DNS servers. This obviously exposes you to DNS leak and your online activity is visible to your ISP.

2. ISP proxies

When you manually change the DNS server address to that of a public DNS address, your ISP knows that you are taking measures to hide from its eyes. Sometimes, your ISP can force a DNS leak. This depends on the regulation and data retention laws in your country and region. So if your ISP wants, it can use proxy servers to intercept the DNS requests and redirect them to its own servers. You might not know it yourself, but you can check it using a DNS leak test.

If you use OpenVPN’s latest version, you can solve this pretty easily. Look for your server’s .openvpn or .config file in C:\Program Files\OpenVPN\config. Open it in a text editor and add ‘block-outside-dns’ in the file.

3. Network configuration issue

Even when you use a VPN, you first connect to your local area network before you connect to the VPN. It might happen that your ISP automatically assigns a default DNS server before you connect to the VPN. While most VPNs handle this because they have their own DNS servers, many do not. They instead rely on public servers like Google Public servers and OpenDNS. If you want to fix this issue and your VPN does not have its own DNS servers, ask them for support, or you can change the DNS server address yourself. But you should always ask your VPN if it has its own DNS servers so that you can handle this issue.

Stopping DNS Leaks

Now that you know what a DNS leak is and how you can find out if you are a victim of it, you should learn how to fix the problem. There are a few ways you can solve the issue of DNS leaks.

1. Change your DNS servers

This is a simple method to make sure that your system does not use your ISP’s DNS servers anymore and your online privacy remains intact. You can change your DNS servers in the system so that this issue doesn’t come up again. If you are using a VPN, then you can simply ask your VPN vendor for the DNS server address. Usually, your VPN provides this information by itself. But you can always ask for it. If you don’t use a VPN (wake up, it’s high time to use one!), you can instead use a public DNS server that hides your activity from your ISP.

You can use public DNS servers that are offered by OpenDNS, Google Public DNS, or Comodo Secure DNS.

  1. OpenDNS servers:

Preferred server:

Alternate server:

  1. Google Public DNS servers:

Preferred server:

Alternate server:

  • Comodo Secure DNS servers:

Preferred server:

Alternate server:

Changing DNS servers is not only useful for hiding from your ISP. It can also bring speed benefits as some services are faster than others.

2. Use a VPN that offers DNS leak protection

VPNs know about DNS leaks. Since they always strive to protect your online privacy and provide you online anonymity, some VPNs help you fight DNS leaks. A few VPN services offer a DNS leak protection right within the client. As of now, ExpressVPN, NordVPN, PureVPN, etc. offer DNS leak protection. More and more VPNs are providing this security feature, so this is something you should check when looking for a new VPN service.

3. Use VPN monitoring software

Although VPNs offer privacy and anonymity, they can become victims of DNS leaks. There are dedicated software that monitors this all the time and fix the issue for you automatically. All you have to do is download and install these software and run them. You can use software like VPNCheck and OpenVPN Watchdog for this purpose.

DNS leaks are notorious for making holes in your online privacy even when you use a good VPN service. Although many of the trusted VPN services today take active steps to prevent DNS leaks, you can never be too careful. But you must understand that DNS leak prevention only helps you stay hidden from your ISP. In fact, nobody but your ISP can see your activity using the DNS queries.

Dilip Prashad
Dilip is a technology journalist and blogger, with an intuitive understanding of what makes a great piece of consumer software. He may speak tech as a first language, but he’s also an expert at breaking down even the most complex concepts in a way that anyone can understand.
Choose your avatar