DNS Leaking Outside VPN Tunnel

Beginner VPN & Routing

While connected to a VPN, DNS queries are bypassing the encrypted tunnel and reaching the ISP's default resolver, exposing the websites you visit to your ISP and other network observers. This defeats a key privacy goal of using a VPN, because even though your HTTP/HTTPS traffic is tunneled, the DNS resolution that precedes each connection reveals your browsing destinations.

Symptoms

  • DNS leak test at dnsleaktest.com or ipleak.net shows ISP or local router DNS servers
  • VPN provider's IP appears in IP checks but their DNS servers do not appear in DNS tests
  • WebRTC leak test reveals your real local or public IP address
  • nslookup or dig from the VPN-connected machine resolves via a non-VPN resolver
  • Incognito mode or different browser still leaks DNS to ISP resolver
  • Leak only occurs on Windows — not observed on the same VPN profile on macOS or Linux

Possible Root Causes

  • VPN client not overriding the system DNS resolver, allowing the OS to use the LAN gateway's DNS
  • Windows DNS Client service sending parallel DNS queries over all interfaces (Smart Multi-Homed Name Resolution)
  • Split-tunnel configuration routing DNS queries outside the tunnel by default
  • IPv6 DNS resolver configured on the interface when the VPN only tunnels IPv4
  • Browser using its own DNS-over-HTTPS (DoH) resolver independent of the OS resolver

Diagnosis Steps

Step 1: Run a DNS Leak Test

While connected to your VPN, visit https://dnsleaktest.com and click "Extended test". Note the resolver IPs listed. If they belong to your ISP rather than your VPN provider, DNS is leaking.

Step 2: Check the Active DNS Resolver from CLI

# macOS / Linux
cat /etc/resolv.conf
# Should show VPN provider's DNS (e.g., 10.8.0.1) not your router (e.g., 192.168.1.1)

# Linux with systemd-resolved
resolvectl status
# Check DNS Servers line for the active interface

# Windows (PowerShell)
Get-DnsClientServerAddress
# Should list VPN-assigned DNS, not LAN gateway

Step 3: Trace a DNS Query

# Verify which server actually answers
dig +short whoami.ds.akahelp.net TXT
# Returns the IP of the resolver that answered — compare with VPN provider's published DNS IPs

# Alternative: query with explicit server
dig @8.8.8.8 example.com   # Forces Google DNS — bypasses VPN DNS
dig @10.8.0.1 example.com  # Forces VPN's internal DNS
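The comparison Step 3 asks for (and that the Prevention section repeats after every reconnect) can be scripted. The following is an added example, not part of the original article: it parses the TXT answer from whoami.ds.akahelp.net, pulls out the "ns" record, and checks it against an assumed VPN resolver prefix (10.8.0., matching the addresses used elsewhere on this page). The two sample answers are constructed, so the script runs offline; the live invocation is shown as a comment.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether the resolver that
# answered a whoami.ds.akahelp.net query belongs to the VPN or leaked to the ISP.

# Assumption: the VPN pushes resolvers in 10.8.0.x. Override from the environment
# with the prefixes your provider publishes, space-separated.
VPN_DNS_PREFIXES="${VPN_DNS_PREFIXES:-10.8.0.}"

# Pull the resolver IP out of `dig +short whoami.ds.akahelp.net TXT` output.
# Assumed answer format (one TXT record per line):  "ns" "<resolver-ip>"
extract_answering_resolver() {
    printf '%s\n' "$1" | sed -n 's/^"ns" "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when the IP starts with one of the expected VPN prefixes, 1 otherwise.
resolver_is_vpn() {
    for p in $VPN_DNS_PREFIXES; do
        case "$1" in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# Print one word: ok (resolver inside VPN range), LEAK (outside), unknown (no ns record).
dns_leak_verdict() {
    ns=$(extract_answering_resolver "$1")
    if [ -z "$ns" ]; then echo unknown
    elif resolver_is_vpn "$ns"; then echo ok
    else echo LEAK
    fi
}

# Constructed sample answers (documentation-range addresses, not live query results).
LEAKING='"ns" "203.0.113.53"
"ecs" "198.51.100.0/24/24"'
TUNNELED='"ns" "10.8.0.1"'

for sample in "$LEAKING" "$TUNNELED"; do
    echo "resolver=$(extract_answering_resolver "$sample") verdict=$(dns_leak_verdict "$sample")"
done

# Live check while connected to the VPN:
#   dns_leak_verdict "$(dig +short whoami.ds.akahelp.net TXT)"
```

A verdict of LEAK while the VPN is up means one of the root causes listed above is in play; "unknown" usually means dig could not reach the resolver at all, which is the kill-switch case rather than a leak.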

Step 4: Check Routing Table

# Linux
ip route show
# macOS (the ip command is Linux-only)
netstat -rn
# Look for a default route (0.0.0.0/0, shown as "default" on macOS) pointing to the VPN tunnel interface (tun0, wg0, utun*)

# Windows
route print
# Default route should use VPN adapter, not physical NIC

Step 5: Check for WebRTC Leaks

Open https://browserleaks.com/webrtc and check if your real IP appears under "Local IP" or "Public IP" while on the VPN. If it does, WebRTC STUN requests are escaping the tunnel.

Solution

Fix 1: Force DNS Through the VPN Tunnel

WireGuard: In the [Interface] section of the client config, set the VPN's internal DNS:

[Interface]
PrivateKey = <your-private-key>
Address = 10.8.0.2/24
DNS = 10.8.0.1          # VPN gateway's DNS resolver

OpenVPN: Add to the client config file:

dhcp-option DNS 10.8.0.1
block-outside-dns       # Windows-only: prevents DNS outside tunnel

Fix 2: Disable Smart Multi-Homed Name Resolution (Windows)

# Open Group Policy Editor (gpedit.msc):
# Computer Configuration > Administrative Templates > Network > DNS Client
# Set "Turn off smart multi-homed name resolution" to Enabled

# Or via registry (PowerShell, run as Administrator); the Policies key may not exist yet
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name "DisableSmartNameResolution" -Value 1 -Type DWord

Fix 3: Disable IPv6 If the VPN Doesn't Tunnel It

# Linux: disable IPv6 on the physical interface (eth0 here; substitute your NIC name)
sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
# sysctl -w does not survive a reboot; add the same keys to a file under /etc/sysctl.d/ to persist

# Windows: uncheck IPv6 in Network Adapter Properties

Fix 4: Disable Browser DoH

In Firefox: Settings → Privacy & Security → DNS over HTTPS → set to "Off"
In Chrome: Settings → Privacy → Use secure DNS → toggle Off

Prevention

  • Choose a VPN client that sets a kill switch and forces all DNS through the tunnel by default
  • After connecting, always verify DNS resolution with dig +short whoami.ds.akahelp.net TXT and compare to VPN provider's published resolver IPs
  • Use the dns-leak-test tool on this site after any OS or VPN client update
  • Disable IPv6 system-wide if your VPN only tunnels IPv4 to close the IPv6 DNS leak vector
  • Enable the VPN's kill switch feature to block all traffic if the tunnel drops, preventing fallback to cleartext DNS
