DNS Leaks Explained: How Your Location Is Exposed Even Behind a VPN — and How to Restore Your Privacy
A VPN encrypts your traffic and routes it through a remote server, masking your public IP address. However, if your DNS queries bypass the VPN tunnel and go directly to your ISP’s resolver, you are experiencing a DNS leak.
This undermines the privacy guarantees of your VPN.
What Is DNS?
The Domain Name System (DNS) translates human-readable domain names (e.g., example.com) into IP addresses. When you visit a website:
- Your system queries a DNS resolver.
- The resolver returns the IP address.
- Your browser connects to that IP.
If this DNS query goes outside the encrypted VPN tunnel, your ISP (or any observer) can see:
- The domains you are accessing
- Your real IP address
- Your approximate geographic location
This holds even when the HTTP/HTTPS traffic itself is tunneled.
How a DNS Leak Reveals Your Location
Suppose:
- Your VPN endpoint is in Switzerland.
- Your real location is Texas.
- Your system uses your ISP’s DNS (e.g., AT&T or Spectrum).
Even though your browser traffic exits via Switzerland, your DNS requests still go to your Texas-based ISP resolver.
This creates a metadata correlation:
- DNS query from Texas IP
- Traffic shortly after from Swiss VPN exit node
DNS servers often log:
- Client IP
- Query timestamp
- Queried domains
This is sufficient to infer your true location.
Why DNS Leaks Happen
Common causes:
- OS configured to use ISP DNS statically
- VPN client not pushing DNS settings
- Split tunneling enabled
- IPv6 not tunneled by VPN
- systemd-resolved or NetworkManager overriding VPN DNS
How to Test for a DNS Leak
Method 1: Web-based Test
Visit:
If you see your ISP’s DNS servers instead of your VPN provider’s DNS servers — you are leaking.
Method 2: Command-Line Test
Run the following; it returns the public IP address from which your query reached OpenDNS. If that is your real IP rather than the VPN exit address, DNS traffic is leaving the tunnel:
dig +short myip.opendns.com @resolver1.opendns.com
Then check which DNS server is being used:
cat /etc/resolv.conf
Or:
nmcli dev show | grep DNS
If DNS servers belong to your ISP — you are leaking.
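The command-line check above (and the Final Verification section later) can be scripted. This is an added example, not part of the article; it assumes the VPN resolver is 10.8.0.1 and the tunnel interface is tun0 as in the article's Linux examples, and 192.0.2.53 is a constructed sample ISP resolver.

```shell
#!/bin/sh
# Added example, not from the original article: automate the DNS leak check.
# A resolver is flagged when it is not one of the VPN-internal resolvers you
# expect (10.8.0.1 here) and, where the ip tool exists, when the kernel would
# reach it through an interface other than the VPN interface (tun0).

# resolv_nameservers FILE: print nameserver addresses from a
# resolv.conf-style file, ignoring comments and blank lines.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# check_dns_leak FILE ALLOWED...: print "LEAK <addr>" for every configured
# resolver not in ALLOWED; return 1 if any were found, else 0.
check_dns_leak() {
    file=$1; shift
    allowed=" $* "
    rc=0
    for ns in $(resolv_nameservers "$file"); do
        case "$allowed" in
            *" $ns "*) ;;                     # expected VPN resolver
            *) echo "LEAK $ns"; rc=1 ;;       # anything else is a leak
        esac
    done
    return $rc
}

# check_dns_route FILE VPN_IFACE: even an expected resolver leaks if the
# route to it does not use the tunnel; needs the ip tool (live host only).
check_dns_route() {
    file=$1; vpn_if=$2; rc=0
    command -v ip >/dev/null 2>&1 || { echo "ip tool missing, route check skipped"; return 0; }
    for ns in $(resolv_nameservers "$file"); do
        dev=$(ip route get "$ns" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
        [ "$dev" = "$vpn_if" ] || { echo "LEAK $ns routed via ${dev:-no route}"; rc=1; }
    done
    return $rc
}

# Constructed sample: the VPN pushed 10.8.0.1, but an ISP resolver
# (192.0.2.53, from the documentation address range) is still listed.
sample=$(mktemp)
printf '# Generated by NetworkManager\nnameserver 10.8.0.1\nnameserver 192.0.2.53\n' > "$sample"
check_dns_leak "$sample" 10.8.0.1 || echo "result: DNS leak detected"
rm -f "$sample"
```

On a live host, run check_dns_route /etc/resolv.conf tun0 as well, since a VPN resolver that is reached over the physical interface is still a leak.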
How to Prevent DNS Leaks
The goal is:
Force all DNS queries through the VPN tunnel and prevent fallback to ISP DNS.
Linux (NetworkManager + systemd-resolved)
Step 1: Force VPN to Push DNS
If using OpenVPN:
Edit your .ovpn file and add:
block-outside-dns
dhcp-option DNS 10.8.0.1
(Use your VPN’s internal DNS server. Note that block-outside-dns is honoured only by OpenVPN’s Windows client, and on Linux dhcp-option DNS only takes effect if the client runs a DNS up/down script such as update-resolv-conf or update-systemd-resolved, so also apply Steps 2 and 3 and the firewall rules below.)
Step 2: Prevent systemd from Using ISP DNS
Edit:
sudo nano /etc/systemd/resolved.conf
Set:
DNS=
FallbackDNS=
Then restart:
sudo systemctl restart systemd-resolved
Step 3: Lock DNS to VPN Interface Only
Using nmcli:
List connections:
nmcli connection show
Modify your VPN connection:
nmcli connection modify <vpn-name> ipv4.ignore-auto-dns yes
nmcli connection modify <vpn-name> ipv4.dns "10.8.0.1"
nmcli connection modify <vpn-name> ipv6.ignore-auto-dns yes
Bring connection down/up:
nmcli connection down <vpn-name>
nmcli connection up <vpn-name>
Optional: Block Non-VPN DNS with Firewall
sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP
sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP
This ensures DNS cannot exit outside tun0. Add matching ip6tables rules if IPv6 is enabled, and note that once these rules are active the VPN server’s hostname cannot be resolved before the tunnel is up, so reference the server by IP address in the client configuration.
Windows 10 / 11
Step 1: Disable ISP DNS
Open:
Control Panel → Network and Internet → Network Connections
Right-click your physical adapter → Properties
Select:
Internet Protocol Version 4 (TCP/IPv4)
Click Properties → Advanced → DNS tab
Uncheck:
Register this connection's addresses in DNS
Step 2: Force VPN DNS
After VPN is connected:
Open PowerShell as Administrator:
Get-DnsClientServerAddress
If wrong DNS servers appear, set VPN interface DNS manually:
Set-DnsClientServerAddress -InterfaceAlias "VPN" -ServerAddresses 10.8.0.1
Step 3: Disable Smart Multi-Homed Name Resolution
Windows may leak DNS via parallel queries.
Run (the policy key usually does not exist yet, so create it first):
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord
Reboot.
macOS
macOS frequently overrides VPN DNS unless forced.
Step 1: Check Current DNS
scutil --dns
Step 2: Set DNS on VPN Interface
List services:
networksetup -listallnetworkservices
Assume VPN is named “VPN”.
Set DNS:
sudo networksetup -setdnsservers "VPN" 10.8.0.1
Step 3: Prevent Wi-Fi from Using ISP DNS
sudo networksetup -setdnsservers Wi-Fi empty
(Note that empty clears manually set servers and reverts Wi-Fi to the DHCP-supplied, i.e. ISP, resolvers; if Wi-Fi must never use ISP DNS, set its DNS to the VPN resolver instead, 10.8.0.1 in this example.)
Step 4: Flush DNS Cache
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
Advanced: Disable IPv6 (Optional)
Many VPNs do not tunnel IPv6.
Linux:
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
Windows:
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
macOS:
networksetup -setv6off Wi-Fi
Final Verification
After applying fixes:
- Reconnect VPN
- Visit https://dnsleaktest.com
- Confirm:
- DNS servers belong to VPN provider
- No ISP DNS visible
Also verify:
dig example.com
Check the ;; SERVER: line in the output and ensure it shows the VPN internal resolver (10.8.0.1 in the examples above).
Summary
A DNS leak defeats the core privacy promise of a VPN. It exposes:
- Your real IP
- Your ISP
- Your geographic region
- Your browsing metadata
The solution is straightforward:
- Force VPN DNS servers
- Disable ISP fallback DNS
- Block DNS traffic outside VPN interface
- Disable Smart DNS features
- Consider disabling IPv6 if unsupported
Once configured correctly, your DNS resolution becomes fully encapsulated inside the encrypted tunnel — restoring actual anonymity rather than just encrypted transport.