
What Is a DNS Leak & How to Fix It in 2024

Last updated: September 2, 2021


One of the most important reasons to use a VPN is for enhanced privacy and anonymity online.

In theory, a VPN encrypts your online traffic and keeps your activity and IP address hidden from hackers and prying eyes.

Unfortunately, while there are plenty of VPNs that are reputable, even the best VPN provider is prone to DNS leaks.

When a leak happens, your DNS requests are sent through your ISP’s DNS server instead of through your VPN’s DNS server, allowing your ISP to get a peek at your traffic, even if you’re sure that you’re surfing the web with a secure VPN connection through an encrypted tunnel.

But, don’t worry — there is a solution. Keep reading to learn how to avoid DNS leaks, and how to fix them when they happen.

Defining a DNS

The Domain Name System (DNS) translates domain names into IP addresses. Because a domain name is made up of words and letters, it is easier to understand and remember than an Internet Protocol (IP) address, which is a string of numbers.

Your Internet Service Provider (ISP) is typically the one that translates a domain name into an IP with the use of a DNS server. Because none of us want to remember a string of numbers each time we want to access a site, the job of the DNS service is extremely important.

Each time you enter an address in the address bar, the site’s domain name is sent to the DNS server, which looks up the IP address that corresponds to that domain name and returns it to your browser.

Your browser then connects to that IP address, and the webpage finally loads.

What Is a DNS Leak?

If you are using a VPN connection, all of your online traffic is encrypted, including your DNS requests. VPN connections ensure that your activity is kept away from your ISP or hackers — and that only your VPN can see your activity.

If you are using a reputable service, like ExpressVPN, every DNS request is sent through your VPN tunnel and secured with military-grade encryption. The problem is that, just like a pipe springing a leak, your VPN can also leak from time to time, revealing your DNS queries to parties outside of your encrypted VPN tunnel. This can happen, for example, when you switch from one network interface to another, such as from Wi-Fi to mobile data.

When you experience a leak, your DNS queries are sent to your ISP’s DNS server instead of to your preferred DNS server, and your real IP address, activity, and location become visible to outside parties.

How to Test if Your DNS Leaks

Just like plumbers have methods of detecting leaks, there are some pretty simple ways to detect if you have a DNS leak.

There are free sites online that will tell you in seconds if you have a DNS leak. IPLeak.net is my go-to DNS leak-checker site, and I actually just used it to perform a DNS leak test a few minutes ago.

To test for leaks most efficiently, go to IPLeak.net before you connect to your VPN service so you can see what your IP address is.

After you connect to your VPN, do another DNS leak test to see if IPLeak.net puts you in a different location with a different IP. Using my VPN, it now appears to IPleak.net that I am in Chicago, while I am actually 5,000 miles away.

[Screenshot: DNS leak test result]

Based on this, my VPN is doing its job and I do not have a DNS leak.

[Screenshot: IP check]

If the DNS server addresses shown in your pre-VPN test and your post-VPN test have not changed, that is an indication of a DNS leak.

Another way to test for leaks is to run a leak test from the command prompt, by checking which DNS servers each network adapter is configured to use. This method is a little more involved, so we recommend sticking to the first technique.
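The command-prompt check described above, written as a PowerShell script. This is an added example, not code from the original article; the VPN adapter name in $VpnAdapterAlias is an assumption, so list your adapters with Get-NetAdapter and substitute the name your VPN client actually uses.

```powershell
# Added example (not from the original article): show which DNS servers each
# Windows interface is configured with and flag any non-VPN interface that
# still has DNS servers set. Those are the servers (usually ISP-assigned via
# DHCP) that a leaked query would reach.
$VpnAdapterAlias = 'ExpressVPN'   # assumption: adjust to your VPN adapter's alias

function Get-DnsLeakCandidates {
    param([string]$VpnAlias)
    # Interfaces with at least one IPv4 DNS server configured.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    # Interface metrics: lower metric means Windows prefers that interface.
    $metrics = Get-NetIPInterface -AddressFamily IPv4
    foreach ($entry in $dns) {
        $metric = ($metrics |
            Where-Object InterfaceAlias -eq $entry.InterfaceAlias).InterfaceMetric
        [pscustomobject]@{
            Interface  = $entry.InterfaceAlias
            DnsServers = ($entry.ServerAddresses -join ', ')
            Metric     = $metric
            # Any interface other than the VPN adapter that carries DNS
            # servers is a leak candidate, especially when Smart Multi-Homed
            # Name Resolution queries every interface in parallel.
            LeakRisk   = ($entry.InterfaceAlias -ne $VpnAlias)
        }
    }
}

Get-DnsLeakCandidates -VpnAlias $VpnAdapterAlias |
    Sort-Object Metric |
    Format-Table -AutoSize
```

A row with LeakRisk set to True while the VPN is connected means the ISP-assigned resolver is still reachable and should be replaced or blocked, as described in the fixes below.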

How to Fix DNS Leaks

Here are some of the quickest ways to fix (or prevent) a DNS leak:

1. Switch DNS Servers and Get a Static IP:

If you change your DNS server address in your DNS settings, this is one way to ensure that your ISP can’t have its eyes on you. Many VPN services will hand over their own DNS server details, or you can even choose to send your queries through any public DNS server, like Google’s.

With a statically configured DNS server address, your DNS queries will always go to that address instead of to whichever server the Dynamic Host Configuration Protocol (DHCP) hands out.

To update your network DNS on Windows:

  1. First, change the network adapter settings. From the Control Panel, go to the Network and Sharing Center, choose “Change Adapter Settings,” right-click on your connection, and choose “Properties.”
  2. Find IPv4 or IPv6 from the list and click “Properties.”
  3. Click on the “Use the following DNS server addresses” button, type in a relevant address, and click “OK.” You can also use Google DNS server addresses.
  4. Restart your connection, and your network configuration should be changed to your preferred DNS servers.

Go ahead and clear the DNS servers configured on your other adapters, leaving only those on your VPN adapter.

You can also use a batch file script to change IPs.
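The scripted version of the steps above, as an added example that is not part of the original article (PowerShell rather than a batch file). The adapter name and the two resolver addresses are placeholders; replace them with your adapter's alias and your VPN provider's DNS servers or a public resolver.

```powershell
# Added example (not from the original article): pin the DNS servers on a
# physical adapter so DHCP can no longer swap in the ISP's resolvers.
# Run from an elevated (Administrator) PowerShell session.
$AdapterAlias = 'Ethernet'                   # assumption: your adapter's alias
$DnsServers   = @('10.0.0.53', '10.0.0.54')  # placeholder resolver addresses

function Set-StaticDns {
    param([string]$Alias, [string[]]$Servers)
    # Replace whatever DHCP handed out with a fixed list of resolvers.
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Servers
    # Drop cached answers that were resolved through the old (ISP) servers.
    Clear-DnsClientCache
    # Read the setting back so the change is verified rather than assumed.
    (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
}

function Reset-DnsToDhcp {
    param([string]$Alias)
    # Undo: return the adapter to DHCP-assigned DNS servers.
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
}

$configured = @(Set-StaticDns -Alias $AdapterAlias -Servers $DnsServers)
$applied  = $configured -join ','
$expected = $DnsServers -join ','
if ($applied -ne $expected) {
    Write-Warning "DNS servers on $AdapterAlias did not apply as expected: $applied"
} else {
    Write-Host "DNS on $AdapterAlias now: $($configured -join ', ')"
}
```

Re-run the leak test site afterwards: the DNS server it reports should be one of the addresses you configured, not an ISP address.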

2. Configure your Windows Firewall or VPN to block non-VPN traffic:

Some VPNs let users configure their settings to block non-VPN DNS requests.

In ExpressVPN, this kill-switch feature is called Network Lock. If you go to ExpressVPN preferences, you can enable Network Lock to “kill” all of your Internet traffic if ExpressVPN’s secure connection cuts out.

You can also go to your Windows settings and adjust your firewall so that traffic is only allowed through a VPN.
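A firewall-based version of that restriction, as an added example that is not from the original article or from any VPN vendor. It assumes your physical adapters are named Ethernet and Wi-Fi (check with Get-NetAdapter) and that your VPN adapter has a different alias; it must run in an elevated PowerShell session.

```powershell
# Added example (not from the original article): block DNS (port 53) leaving
# the physical adapters so name resolution can only happen over the VPN
# adapter. If the VPN drops, DNS simply fails instead of falling back to the
# ISP, which is the kill-switch behaviour the article describes.
$PhysicalAdapters = @('Ethernet', 'Wi-Fi')   # assumption: your adapter aliases
$RulePrefix = 'Block non-VPN DNS'

function Add-DnsBlockRules {
    param([string[]]$Aliases, [string]$Prefix)
    foreach ($proto in 'UDP', 'TCP') {
        # Block rules take precedence over allow rules in Windows Firewall,
        # so scoping the block to the physical adapters leaves DNS over the
        # VPN adapter untouched.
        New-NetFirewallRule -DisplayName "$Prefix ($proto)" `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 `
            -InterfaceAlias $Aliases -Profile Any -Enabled True | Out-Null
    }
}

function Remove-DnsBlockRules {
    param([string]$Prefix)
    # Undo: remove every rule created by Add-DnsBlockRules.
    Get-NetFirewallRule -DisplayName "$Prefix*" | Remove-NetFirewallRule
}

Add-DnsBlockRules -Aliases $PhysicalAdapters -Prefix $RulePrefix
# Verify the rules exist and are enabled before trusting them.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Format-Table DisplayName, Enabled, Action -AutoSize
```

Note that these rules only cover classic DNS on port 53; a browser using DNS over HTTPS (port 443) is not affected by them and must be configured separately.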

3. Windows built-in Teredo Feature:

Teredo is a feature that is meant to help IPv6 and IPv4 exist together without issue.

Unfortunately, Teredo causes a lot of leaks. To fix this, open the Command Prompt and type: netsh interface teredo set state disabled.

4. Smart Multi-Homed Name Resolution:

Smart Multi-Homed Name Resolution improves browsing speed by sending each DNS request to all available DNS servers at once and accepting the first response that comes back.

Because this causes DNS leaks, it needs to be disabled in order to prevent them. Since this feature is built into Windows, shutting it off means installing a free OpenVPN plugin.

5. Transparent DNS:

If your ISP detects that you are changing DNS settings, it may use a transparent proxy to intercept your DNS queries and redirect them to its own DNS servers.

To fix this with OpenVPN, open your .ovpn or .conf configuration file and add the line: block-outside-dns.

To fix this with your VPN provider’s app, enable any option that forces your VPN provider’s own DNS servers to be used.

6. Unsupported IPv6 Addresses:

Internet Protocol version 4 (IPv4) addresses are made up of four groups of digits. Because IPv4 addresses are scarce, there are now IPv6 addresses, which are made up of a longer sequence.

Since VPNs have not all transitioned to IPv6, not all IPv6 requests are supported, which leads to these requests being sent outside the tunnel and leaking.

To fix these leaks, look in your VPN’s advanced settings and block IPv6 traffic.

Best 3 VPNs with Built-in DNS Leak Protection

If you plan on using a VPN provider to prevent leaks, these are our 3 favorites:

1. ExpressVPN

ExpressVPN is the top VPN provider that we trust to hide user IPs in 2024.

ExpressVPN has top privacy features, including AES 256-bit encryption, a no-logs policy, OpenVPN, IP, and DNS leak protection, and Network Lock to cut your connection if your private tunnel cuts out suddenly.

ExpressVPN has more than 3,000 servers in 94 countries, and allows 5 simultaneous device connections, all of which will be protected from leaks.

If there is ever a problem that comes up, you can use ExpressVPN’s 24/7 live-chat support to get an answer in seconds.

Pros:

  • Exceptional speeds
  • Leak protection
  • Great security and privacy
  • 30-day money-back guarantee

Cons:

  • More expensive than the other VPNs

2. NordVPN


NordVPN is one of the best VPN providers on the market for preventing leaks.

NordVPN has over 5,300 servers in more than 59 countries and offers AES 256-bit encryption, OpenVPN protocols, a no-logs policy, and a Kill Switch to make sure your activity is not leaked if your secure connection cuts out.

NordVPN is compatible with Windows, Mac, Android, and iOS, and you can use up to 6 devices simultaneously.

Pros:

  • Fast streaming speeds
  • Leak protection
  • 24/7 live chat support

Cons:

  • Slower with advanced settings

3. Surfshark

With over 3,200 servers in 65 countries around the globe, Surfshark passes all the tests for security features with its AES 256-bit encryption, a no-logs policy, split tunneling, double encryption, and Kill Switch to make sure your private traffic and IP are never leaked.

Surfshark lets users connect unlimited devices to a single account, has apps for Windows, Android, Mac, and iOS, and offers a 30-day refund guarantee.

Pros:

  • Live-chat support
  • Unlimited connections
  • Leak protection
  • Affordable

Cons:

  • Slightly slower speeds

FAQs

Is a DNS leak bad?
If your privacy and anonymity are important to you online, then it is a problem if you find out that you have a DNS leak.

When your DNS is leaked, your IP address, traffic, and activity are visible online.

How do I know if my DNS is leaking?
To test whether your DNS is leaking, head to one of the DNS leak test sites, like IPleak.net. For VPN users: if you are connected to a VPN server and can see your ISP’s IP addresses and location, your VPN is leaking your DNS requests. If you see your VPN server’s IP address and location, your DNS is not being leaked.

Conclusion

VPN users connect to VPNs in the first place because they value their privacy. The simplest way to prevent leaks and make sure your connection is always private is to connect to a VPN that has leak protection features, like ExpressVPN.
