How DNS Leaks Can Destroy Anonymity When Using a VPN, And How to Stop Them

Dann Albright 14-05-2015

When you’re trying to stay anonymous online, a VPN is the simplest solution—with a click or two, your IP address, service provider, and location will be masked from any site that you go to and anyone trying to spy on your connection. But a DNS leak can totally undermine the purpose of a VPN. Here’s how to keep that from happening.


(A quick note before we go on: a DNS leak is only a privacy concern if you’re worried about your ISP monitoring your browsing. It has nothing to do with NSA surveillance Your Interest in Privacy Will Ensure You're Targeted by the NSA Yes, that's right. If you care about privacy, you may be added to a list. Read More or other forms Could These NSA Cyber-Espionage Techniques Be Used Against You? If the NSA can track you – and we know it can – so can cybercriminals. Here's how government-made tools will be used against you later. Read More of digital snooping.)

What’s a DNS Leak?

The domain name system (DNS) is a system for linking URLs (like and IP addresses ( When you use your browser to go to a website, it sends a request to a DNS server with the URL that you typed in, and it’s pointed to the correct IP address. This is a crucial piece of how the Internet works; see our introduction to DNS servers for more info.


Usually, DNS servers are assigned by your internet service provider (ISP), which means that they can monitor and record your online activities whenever you send a request to the server. When you use a virtual private network What Is The Definition Of A Virtual Private Network Virtual private networks are more important now than ever before. But do you know what they are? Here's what you need to know. Read More (VPN), the DNS request should be directed to an anonymous DNS server through your VPN, and not directly from your browser; this keeps your ISP from monitoring your connection.

Unfortunately, sometimes your browser will just ignore that you have a VPN set up and will send the DNS request straight to your ISP. That’s called a DNS leak. This can lead to you think that you’ve stayed anonymous and that you’re safe from online surveillance, but you won’t be protected.


Obviously this is not good. So let’s take a look at diagnosing and stopping it.

Diagnosing the Leak

If your computer is using its default settings and not routing DNS requests through the VPN’s DNS server, it’s not going to be obvious; you’ll need to use a leak test. Fortunately, there’s an easy one to remember:


Just go to the site and click the “Standard test” button (if you’re really concerned about surveillance, you can click “Extended test”—it’s slightly more comprehensive, but takes a bit longer). If you see your own country and ISP listed on the results page, you’ll know that your ISP can monitor your connection. That’s not good.


Stopping the Leak

Okay, so we’ve diagnosed the leak. Now what? There are a few steps you can take to stop your DNS leak and prevent future ones. We’ll start with the simplest one.

Change DNS Servers

If your default DNS server is one that was assigned by your ISP, one of the easiest ways to keep them from seeing what you’re doing online is to change your DNS server. Even if you aren’t worried about DNS leaks, changing your default DNS server might be a good idea, as it might result in faster Internet speeds Find the Fastest DNS to Optimize Your Internet Speed Other DNS servers can be faster than your ISP's DNS servers. Find the best DNS settings for your connection with these tools. Read More .


The following DNS servers are well-maintained and will provide you with high performance and security:

  • Open DNS (preferred:, alternate:
  • Comodo Secure DNS (preferred:, alternate:
  • Google Public DNS (preferred:, alternate:

To learn how to change the DNS settings on your computer, check out Danny’s article, “How To Change Your DNS Servers & Improve Internet Security How To Change Your DNS Servers & Improve Internet Security Imagine this - you wake up one beautiful morning, pour yourself a cup of coffee, and then sit down at your computer to get started with your work for the day. Before you actually get... Read More .”

Use a VPN with DNS Leak Protection

Some VPNs come with a feature that will monitor your DNS requests to make sure that they’re going through the VPN instead of directly to your ISP. To see if your VPN has this protection, open the settings; you should see an option that will check for and prevent DNS leaks.

So which VPNs include DNS leak protection? According to, Private Internet Access, TorGuard (both of which made it to our best VPNs list The Best VPN Services We've compiled a list of what we consider to be the best Virtual Private Network (VPN) service providers, grouped by premium, free, and torrent-friendly. Read More ), VPNArea, PureVPN, ExpressVPN, VPN.AC, and LiquidVPN all provide protection. If you’re using one of these VPNs, make sure your settings are set correctly. If you’re not, and you’re concerned about ISP surveillance, you might want to consider switching.

Using VPN Monitoring Software

Some VPN monitoring software also includes support for fixing DNS leaks. The pro version of VPNCheck will do this for you, as will OpenVPN Watchdog (if you’re using OpenVPN).



Because the options for fixing a leak this way are only with premium software, this likely won’t be the go-to strategy for many people, unless you’re already using VPN monitoring software to make sure your VPN connection is totally secure.

Disable Teredo

Teredo is a Windows-based techology that, in essence, allows communication across two IP protocols: IPv4 and IPv6. Both are present on the Internet, and in some cases, you’ll need to use something like Teredo to allow them to communicate (the specifics are pretty complicated, but you can learn more at the Teredo tunneling Wikipedia page). However, Teredo can sometimes cause DNS leaks, so you may want to disable it.

To disable Teredo, open the command line and type the following command:

netsh interface teredo set state disabled

If you need to re-enable Teredo at some point, you can use this command:

netsh interface teredo set state type=default

Plug Those Leaks

If you’re using a VPN, a DNS leak could be revealing more information than you’re aware of—so take the steps above to make sure that you’re not leaking information and, if you are, plug the leak.

Have you used any of the above strategies for diagnosing or stopping DNS leaks? Do you have any other recommendations? Share your best tips below!

Image credits: Leaky faucet (edited), United States network night map, Various connections implying a world map, Businesswoman with magnifier glass via Shutterstock.

Related topics: DNS, Online Privacy, Online Security, VPN.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Tom Green
    July 5, 2018 at 1:26 pm

    All these tools are web sites. How about checking dns leak in terminal environment (I mean linux or even windows). I found out that command line is more useful for such a test

  2. Eric Clark
    December 19, 2017 at 8:05 am

    Double check your IP address for the Open DNS alternate. It should be

  3. armtAdm
    December 3, 2016 at 11:53 pm

    Express VPN Leaks IPv6 and DNS information. I have been a customer for over two months. I found a way to plug it however it is not through their software. I informed them as well. They told me that they didn't support IPv6 thus I should have disabled it. This might or might not have been hidden in their troubleshooting section (at least I didn't see it) however, I have not seen this stated anywhere in their advertising. Nonetheless, with or without blocking the IPv6, DNS is still leaking and their advertisements about privacy are not entirely accurate.
    They do have however a great customer service, security, server speed/relaibility/availibility/bandwidth. But a compromised privacy.

    • Dann Albright
      December 10, 2016 at 12:17 am

      Thanks for pointing that out! Always glad to hear about people's experiences, especially if it's with a service that isn't performing up to standard.

  4. Richard
    January 14, 2016 at 11:26 pm

    Hmmm be careful. is not very good. I had a leak and it wasn't detected. Went to There it was. Leaking all over the place. That's after a number of checking web sites said everything was ok.

    • Dann Albright
      January 17, 2016 at 9:26 pm

      Thanks for pointing this out! I'll keep that in mind when I'm writing another tutorial on DNS issues.

      • brother m
        August 8, 2016 at 11:11 pm

        WOT gives bad scores. Apparently the test is inaccurate and only tries to sell you their own VPN.

        • Dann Albright
          August 16, 2016 at 2:09 pm

          Hm. Maybe there are fewer reputable sites than I realized.

  5. Lean
    December 6, 2015 at 10:52 am

    Yes, absolutely agree. DNS leaks are so often overlooked, but it's a very common issue. Another one that most people do not consider is browser fingerprints Obviously, fingerprints are not as bad as DNS leaks, but when this info is tied together it can lead to a much faster identification of a particular user.

    I'm not sure the VPN companies mentioned here have the best protection, though. Neither expressvpn nor PIA have dns leak protection or any other anti-tracking features in their software. They are great providers, of course. But it seems that if we consider some more advanced features, Cyberghost and maybe ZenMate have more tracking protection that most of the other VPN providers.

  6. Anonymous
    September 18, 2015 at 11:22 am

    Do not forget that if you connect to a free service like gmail, pinterest, facebook... with or without cookies, you are still leaving tracks...

    Privacy & Security Conscious Browsing:

    See also browser fingerprint:
    [Broken URL Removed]
    To force usage of HTTPS, see

    You can get also very good information and tools: - IP and DNS Resolver IP.

    Private search engines - do not track you

    For lots of deals, redeems for software, web services and VPN subscription go to

  7. Fouga4
    May 22, 2015 at 1:52 pm

    Doesn't work for me. Installed the addon to disable WebRTC. The media.peerconnection. enable now shows "false" but still sees all my DNS addresses.

  8. Ernesto Colina
    May 19, 2015 at 6:05 pm

    Have you forgotten the WebRTC leak ?

    Try it with Chrome or Opera and even with a VPN they can trace you.

    • Kannon Y
      May 21, 2015 at 3:37 am

      Thanks for bringing up WebRTC Ernesto. It appears that Firefox doesn't suffer from the bug. I think the best advice is to, well, use Firefox when using a VPN. Are there any other options?

    • Dann Albright
      May 21, 2015 at 7:17 am

      Using Firefox with a VPN, at least for now, is probably your best bet. Thanks for pointing this out, Ernesto!

      • Richard
        January 14, 2016 at 11:52 pm

        Firefox, seriously? The guys who use WebRTC. Try Iceweasel. Linux wouldn't hurt either.

    • Ernesto Colina
      May 21, 2015 at 3:47 pm

      Curiously, IE is not vulnerable to WebRTC, but only because it doesn't support it, for the moment. Some people recommend using "Pale Moon", but I cannot tell you if this is true. And about FireFox, to be sure, to disable WebRTC in Firefox, go to about:config and toggle media.peerconnection.enabled to false or use the addon "Disable WebRTC"

      However, some sites like Amazon don't like this solution. So, I have no choice but to use FireFox for my regular browsing and Chrome exclusively for Amazon.

  9. Alex.
    May 19, 2015 at 7:51 am

    Hello Dan,

    Thank you very much for this article.It just goes to sure,you can NEVER stop learning !

    • Dann Albright
      May 21, 2015 at 7:16 am

      There's always more to learn, especially when it comes to privacy and anonymity.

      Keep reading! :-)

  10. Godel
    May 18, 2015 at 10:16 pm

    Thanks, good to know.

    • Dann Albright
      May 19, 2015 at 6:49 am

      Always glad to be helpful!

  11. Mr P.
    May 18, 2015 at 1:46 am

    Just to be sure to understand : you want to preserve anonymity, but you suggest to use google dns. I know that your anonymity will be somehow preserve, but telling to the biggest activity monitoring company the whole use you do of the internet, is it wise ? (sorry for my probably bad english :-) !)

    • Dann Albright
      May 19, 2015 at 6:49 am

      I had that thought too, but Google DNS has come pretty highly recommended. Worrying about a DNS leak really only makes sense if you're trying to hide your activity from your ISP anyway. If you're worried about other sorts of anonymity, there are a lot of other concerns that you'll have to take into account—like if you should use Google DNS.

  12. ReadandShare
    May 15, 2015 at 4:45 am

    Thanks for the article and the link to Good to know that I hail from "Romania" when I clicked over with my VPN.

    • Dann Albright
      May 16, 2015 at 7:49 am

      Glad you liked the article! DNSleaktest is a fantastic website, and it's a great tool for people who use VPNs. Hopefully this article helps get the word out that it's out there.

  13. dood
    May 14, 2015 at 8:37 pm

    If you are using OpenDNS you might want to check out dnscrypt-proxy on Github for an easy way to change your dns and have it run as a Service.

    [Broken Link Removed]

    When used in combination with the dnsfix instructions at
    you can ensure that even your non-VPN traffic does not use your isp dns servers.