Codenotary Trustcenter Blog

DNS Leaks Explained: How Your Location Is Exposed Even Behind a VPN — and How to Restore Your Privacy

Written by blog | Jan 2, 2026 8:00:00 AM

A VPN encrypts your traffic and routes it through a remote server, masking your public IP address. But if your DNS queries bypass the tunnel and go to a resolver outside it (typically your ISP’s), you have a DNS leak: the names you look up, and the IP address you look them up from, reach a party the VPN was supposed to hide them from.

This undermines the privacy guarantees of your VPN.

What Is DNS?

The Domain Name System (DNS) translates human-readable domain names (e.g., example.com) into IP addresses. When you visit a website:

  1. Your system queries a DNS resolver.
  2. The resolver returns the IP address.
  3. Your browser connects to that IP.

If this DNS query goes outside the encrypted VPN tunnel, the resolver operator (your ISP) and, because plain DNS on port 53 is unencrypted, anyone on the path can see:

  • The domains you are looking up
  • Your real IP address
  • Your approximate geographic location (derived from that IP)

even though the HTTP/HTTPS traffic itself is tunneled.

How a DNS Leak Reveals Your Location

Suppose:

  • Your VPN endpoint is in Switzerland.
  • Your real location is Texas.
  • Your system uses your ISP’s DNS (e.g., AT&T or Spectrum).

Even though your browser traffic exits via Switzerland, your DNS requests still go to your Texas-based ISP resolver. That resolver now holds a record pairing your real (Texas) IP with every domain you looked up, which is the leak on its own. An observer who can also see the Swiss exit node gets a metadata correlation on top:

  • DNS query for a domain, from a Texas IP
  • Connection to that domain shortly after, from the Swiss VPN exit node

DNS servers often log:

  • Client IP
  • Query timestamp
  • Queried domains

This is sufficient to infer your true location, and your ISP can map the client IP to a subscriber account.

Why DNS Leaks Happen

Common causes:

  • OS configured to use ISP DNS statically
  • VPN client not pushing DNS settings (or pushing them without the OS applying them)
  • Split tunneling enabled, so port-53 traffic is routed around the tunnel
  • IPv6 not tunneled by the VPN, so AAAA lookups and IPv6 resolvers bypass it
  • systemd-resolved or NetworkManager keeping the ISP resolver active alongside the VPN’s (systemd-resolved queries every link that has a default DNS route in parallel unless the VPN link claims the ~. routing domain)
  • Windows Smart Multi-Homed Name Resolution sending the same query out of every adapter

How to Test for a DNS Leak

Method 1: Web-based Test

Visit a DNS leak test site such as https://dnsleaktest.com (the one used under Final Verification below) and run the extended test. The site makes your browser look up unique hostnames under a domain it controls and reports the IP addresses of the resolvers that reached its authoritative servers.

If you see your ISP’s DNS servers instead of your VPN provider’s DNS servers — you are leaking.

Method 2: Command-Line Test

First check which public IP your DNS queries leave from:

dig +short myip.opendns.com @resolver1.opendns.com

OpenDNS answers this special name with the source address it received the query from. If it returns your ISP-assigned address rather than the VPN exit address, port-53 traffic is being routed around the tunnel (split tunnel or route leak).

Then check which resolvers the OS is actually configured to use:

cat /etc/resolv.conf

On systemd-resolved systems this only shows the local stub 127.0.0.53, so use the per-link view instead:

resolvectl status

Or, under NetworkManager:

nmcli dev show | grep DNS

If resolvers belonging to your ISP appear on any active interface — you are leaking. With systemd-resolved this holds even when the VPN link also has a resolver: an ISP resolver on the physical link is queried in parallel unless the VPN link owns the ~. routing domain.
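The resolver check above can be scripted. The following is an added example written for this article, not code from the original post or from any VPN vendor; it assumes systemd-resolved and parses the output of resolvectl status, flagging the common case where the ISP resolver on the physical link stays active because the VPN link never claimed the ~. routing domain. The interface name tun0, the resolver 10.8.0.1 and the embedded status text are constructed for the example.

```shell
#!/bin/sh
# dns-leak-check.sh: flag DNS leaks from the output of `resolvectl status`.
# Live use:   resolvectl status | sh dns-leak-check.sh tun0 10.8.0.1
# Exit status: 0 = every lookup is routed to the VPN link, 1 = leak.
# Added example for this article; assumes systemd-resolved. tun0 and
# 10.8.0.1 are the article's example values, not real infrastructure.

# check_resolved_leak VPN_IF VPN_DNS   (reads `resolvectl status` on stdin)
check_resolved_leak() {
  vpn_if="$1"; vpn_dns="$2"
  awk -v vpn_if="$vpn_if" -v vpn_dns="$vpn_dns" '
    /^Link [0-9]+ \(/ {                 # "Link 5 (tun0)" opens a per-link block
      link = $0
      sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link)
      links[link] = 1
      next
    }
    link == "" { next }                 # still inside the Global section
    /Protocols:/ && /\+DefaultRoute/ { defroute[link] = 1 }
    /DNS Servers:/ {                    # resolver IPs follow the label
      sub(/^.*DNS Servers: */, "")
      servers[link] = servers[link] " " $0
    }
    /DNS Domain:/ {                     # "~." = routing domain for all names
      sub(/^.*DNS Domain: */, "")
      if (index(" " $0 " ", " ~. ")) catchall[link] = 1
    }
    END {
      leak = 0
      if (!(vpn_if in links) || servers[vpn_if] == "") {
        print "LEAK: no DNS servers on " vpn_if " (VPN did not push DNS)"
        leak = 1
      } else if (index(" " servers[vpn_if] " ", " " vpn_dns " ") == 0) {
        print "LEAK: " vpn_if " uses" servers[vpn_if] ", expected " vpn_dns
        leak = 1
      }
      # resolved sends a query with no matching routing domain to every link
      # that has DefaultRoute, so an ISP resolver on eth0 is asked in parallel
      # unless the VPN link claims "~." for all names.
      for (l in links) {
        if (l == vpn_if || servers[l] == "") continue
        if (defroute[l] && !catchall[vpn_if]) {
          print "LEAK: " l " resolves via" servers[l] " alongside " vpn_if " (no ~. on " vpn_if ")"
          leak = 1
        }
      }
      if (!leak) print "OK: all lookups go to " vpn_if " (" vpn_dns ")"
      exit leak
    }'
}

# Constructed sample, not captured from a real machine: eth0 still carries
# the ISP resolver and tun0 has a resolver but no "~." routing domain.
LEAKING_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1'

# The same host after `resolvectl domain tun0 "~."`.
FIXED_STATUS="${LEAKING_STATUS}
        DNS Domain: ~."

# Live use: two arguments, status on stdin.
if [ "$#" -eq 2 ]; then
  check_resolved_leak "$1" "$2"
  exit $?
fi

# No arguments: show both verdicts on the constructed samples.
printf '%s\n' "$LEAKING_STATUS" | check_resolved_leak tun0 10.8.0.1 || true   # LEAK
printf '%s\n' "$FIXED_STATUS"   | check_resolved_leak tun0 10.8.0.1           # OK
```

Run it after every VPN reconnect, not just once: the per-link resolver list is re-pushed on reconnect and on Wi-Fi roams, which is exactly when a previously fixed host starts leaking again.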

How to Prevent DNS Leaks

The goal is:

Force all DNS queries through the VPN tunnel and prevent fallback to ISP DNS.

Linux (NetworkManager + systemd-resolved)

Step 1: Force VPN to Push DNS

If using OpenVPN:

Edit your .ovpn file and add:

dhcp-option DNS 10.8.0.1

script-security 2

up /etc/openvpn/update-resolv-conf

down /etc/openvpn/update-resolv-conf

(Use your VPN’s internal DNS server. On Linux, dhcp-option is only an advisory value that OpenVPN hands to an up script, so without the script lines nothing changes; update-resolv-conf ships with the Debian/Ubuntu openvpn package and needs resolvconf or openresolv installed. The often-quoted block-outside-dns directive is Windows-only: there it installs Windows Filtering Platform rules, on Linux it is ignored with a warning, and the firewall rules further down are the Linux equivalent. If NetworkManager manages the VPN connection, skip to Step 3.)

Step 2: Prevent systemd-resolved from Falling Back to Public DNS

Edit:

sudo nano /etc/systemd/resolved.conf

In the [Resolve] section, uncomment and set:

DNS=

FallbackDNS=

An empty FallbackDNS= disables resolved’s compiled-in fallback to public resolvers (Cloudflare, Quad9 and Google on stock builds; distributions may change the list), so a moment with no VPN resolver produces lookup failures rather than a silent leak to a third party. This file only covers global settings; the ISP resolver learned via DHCP on the physical link is per-link configuration and is handled in Step 3.

Then restart:

sudo systemctl restart systemd-resolved

Step 3: Lock DNS to VPN Interface Only

Using nmcli:

List connections:

nmcli connection show

Modify your VPN connection so it uses the VPN’s internal resolver regardless of what the server pushes:

nmcli connection modify <vpn-name> ipv4.ignore-auto-dns yes

nmcli connection modify <vpn-name> ipv4.dns "10.8.0.1"

nmcli connection modify <vpn-name> ipv6.ignore-auto-dns yes

ipv4.ignore-auto-dns on the VPN connection replaces the pushed servers with the manual list; it does not touch the physical connection, whose DHCP-learned ISP resolvers remain valid upstreams for systemd-resolved. To make the VPN’s resolvers the only ones consulted while it is up, give the VPN connection a negative ipv4.dns-priority (for example -1), which NetworkManager treats as exclusive.

Bring connection down/up:

nmcli connection down <vpn-name>

nmcli connection up <vpn-name>
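When OpenVPN runs from the command line rather than through NetworkManager, the dhcp-option DNS line from Step 1 has to be applied by a script. The hook below is an added example written for this article, not OpenVPN’s own code or any provider’s client; it covers Steps 1 to 3 in one place for a systemd-resolved host by reading the DNS servers OpenVPN exposes to scripts as foreign_option_N environment variables and pinning them to the tunnel link with resolvectl, claiming the ~. routing domain so no other link is consulted. The install path /etc/openvpn/pin-vpn-dns.sh and the pushed values are assumptions.

```shell
#!/bin/sh
# pin-vpn-dns.sh: OpenVPN up/down hook that pins DNS to the tunnel link
# via systemd-resolved. Added example for this article (not part of
# OpenVPN or any VPN provider's client). Assumed .ovpn lines:
#   script-security 2
#   up /etc/openvpn/pin-vpn-dns.sh
#   down-pre
#   down /etc/openvpn/pin-vpn-dns.sh
# OpenVPN exports the tunnel device as $dev, the phase as $script_type
# and each pushed/configured option as foreign_option_N, e.g.
#   foreign_option_1="dhcp-option DNS 10.8.0.1"
# down-pre runs the down hook while the link still exists, so the
# per-link settings can be reverted explicitly.

# pushed_dns_servers: print the IPs from every "dhcp-option DNS <ip>"
# (or DNS6) entry in foreign_option_1, foreign_option_2, ... one per line.
pushed_dns_servers() {
  i=1
  while :; do
    eval "value=\${foreign_option_$i:-}"   # stop at the first missing index
    [ -n "$value" ] || break
    case "$value" in
      "dhcp-option DNS "*|"dhcp-option DNS6 "*) printf '%s\n' "${value##* }" ;;
    esac
    i=$((i + 1))
  done
}

# pin_dns DEV IP...: route every lookup to DEV's resolvers only.
# "~." makes DEV the routing domain for all names; other links are then
# consulted only for names inside their own, more specific, domains.
pin_dns() {
  dev_="$1"; shift
  resolvectl dns "$dev_" "$@"
  resolvectl domain "$dev_" '~.'
  resolvectl default-route "$dev_" yes
}

# unpin_dns DEV: drop the per-link settings (resolved also does this
# itself once the link disappears).
unpin_dns() {
  resolvectl revert "$1"
}

# Entry point when OpenVPN invokes the hook; script_type is unset otherwise.
case "${script_type:-}" in
  up)
    set -- $(pushed_dns_servers)        # word-split: IPs contain no whitespace
    if [ "$#" -eq 0 ]; then
      # Fail closed: OpenVPN treats a non-zero up-script exit as a failed
      # connection, which is better than coming up on the ISP resolver.
      echo "pin-vpn-dns: server pushed no DNS server; aborting" >&2
      exit 1
    fi
    pin_dns "$dev" "$@"
    ;;
  down)
    unpin_dns "$dev" || true
    ;;
esac
```

The fail-closed branch is the part worth keeping even if you adapt the rest: a VPN that connects without pushing DNS is indistinguishable, from the user’s side, from one that works, and the leak goes unnoticed until a test is run.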

Optional: Block Non-VPN DNS with Firewall

As a backstop, drop any DNS that is not leaving on the tunnel interface. Accept loopback first, otherwise queries to systemd-resolved’s stub at 127.0.0.53 would be dropped as well:

sudo iptables -A OUTPUT -o lo -j ACCEPT

sudo iptables -A OUTPUT ! -o tun0 -p udp --dport 53 -j DROP

sudo iptables -A OUTPUT ! -o tun0 -p tcp --dport 53 -j DROP

This ensures DNS cannot exit outside tun0. Repeat the two DROP rules with ip6tables, since the IPv4 rules do nothing for IPv6 resolvers, and use -I instead of -A if an earlier rule in OUTPUT already accepts everything. Two caveats: the rules only cover classic port-53 DNS (DNS-over-TLS on 853 and DNS-over-HTTPS on 443 are unaffected), and once they are in place the VPN client can no longer resolve its own server’s hostname before the tunnel exists, so give the remote as an IP address or add the rules from the VPN’s up hook.

 

Windows 10 / 11

Step 1: Check the Physical Adapter’s DNS

Open:

Control Panel → Network and Internet → Network Connections

Right-click your physical adapter → Properties
Select:

Internet Protocol Version 4 (TCP/IPv4)

Click Properties → Advanced → DNS tab

This tab shows the resolvers the physical adapter uses (DHCP-assigned ISP servers, or static ones you entered). Unchecking “Register this connection’s addresses in DNS” is often recommended here, but it only stops Windows from registering your hostname via dynamic DNS; it does not stop queries from going to those servers. What actually prevents the leak is Steps 2 and 3 below.

Step 2: Force VPN DNS

After the VPN is connected, open PowerShell as Administrator and list the resolvers per interface:

Get-DnsClientServerAddress

If wrong DNS servers appear on the VPN adapter, set them manually (InterfaceAlias is the adapter name shown by Get-NetAdapter; 10.8.0.1 stands for your VPN’s internal resolver):

Set-DnsClientServerAddress -InterfaceAlias "VPN" -ServerAddresses 10.8.0.1

Step 3: Disable Smart Multi-Homed Name Resolution

Windows sends each query out of every adapter in parallel and takes the first answer, so the ISP resolver on the physical adapter can win even with the VPN adapter configured correctly.

Run (the policy key does not exist by default, so create it first):

New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null

Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name DisableSmartNameResolution -Value 1 -Type DWord

Reboot.

 

macOS

macOS frequently keeps the ISP resolver active unless the VPN’s DNS is forced, because every network service carries its own resolver list and the system picks by service order.

Step 1: Check Current DNS

scutil --dns

The first resolver block lists the nameservers used for ordinary lookups; if they are the ISP’s, you are leaking regardless of what the VPN app reports.

Step 2: Set DNS on VPN Interface

List services:

networksetup -listallnetworkservices

Assume the VPN is a built-in (IKEv2/L2TP) service named “VPN”. Third-party clients that create a utun interface usually do not appear here; configure DNS inside that client instead.

Set DNS:

sudo networksetup -setdnsservers "VPN" 10.8.0.1

Step 3: Prevent Wi-Fi from Using ISP DNS

sudo networksetup -setdnsservers Wi-Fi empty

The literal word empty clears any manually entered resolvers, which returns the Wi-Fi service to the DHCP-supplied (ISP) ones, so on its own this only removes stale static entries. If you want Wi-Fi never to reach the ISP resolver, point its DNS at the VPN’s internal resolver instead; lookups then fail rather than leak when the tunnel is down.

Step 4: Flush DNS Cache

sudo dscacheutil -flushcache

sudo killall -HUP mDNSResponder

 

Advanced: Disable IPv6 (Optional)

Many VPNs do not tunnel IPv6. If your ISP provides it, AAAA lookups and IPv6 resolvers go around the tunnel, so disable it on the physical interfaces unless the VPN client handles IPv6 itself.

Linux (not persistent across reboots; put the same key in a file under /etc/sysctl.d/ to keep it):

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1

Windows (use the adapter name shown by Get-NetAdapter):

Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

macOS:

networksetup -setv6off Wi-Fi

 

Final Verification

After applying fixes:

  1. Reconnect VPN
  2. Visit https://dnsleaktest.com and run the extended test
  3. Confirm:
    • DNS servers belong to VPN provider
    • No ISP DNS visible

Also verify from the command line:

dig example.com

The ;; SERVER: line in the answer must show the VPN’s internal resolver. On systemd-resolved hosts it shows the local stub 127.0.0.53 instead, so check resolvectl status and confirm that the VPN link is the only one listing DNS servers, or the one holding the ~. routing domain. Repeat the check after a Wi-Fi roam, a sleep/wake cycle and a VPN reconnect, since those are the moments when per-link resolvers get re-pushed.

 

Summary

A DNS leak defeats the core privacy promise of a VPN. It exposes:

  • Your real IP
  • Your ISP
  • Your geographic region
  • Your browsing metadata (every hostname you resolve)

The fix is straightforward:

  • Force the VPN’s DNS servers on the VPN interface
  • Disable ISP and fallback resolvers
  • Block DNS traffic that is not leaving on the VPN interface
  • Disable Windows Smart Multi-Homed Name Resolution
  • Disable IPv6 if the VPN does not tunnel it

Once configured correctly, your DNS resolution is encapsulated inside the encrypted tunnel. That restores the privacy the VPN was meant to provide against your ISP and local observers; it does not make you anonymous, because the VPN provider’s resolver now sees the same queries, so the provider’s logging policy becomes the remaining trust boundary.
