A "DNS leak" is when your DNS queries — the lookups that turn example.com into an IP address — go outside the encrypted tunnel you're relying on for privacy (a VPN, Tor, or your ISP's secure DNS resolver). Even if the rest of your traffic is hidden, leaked DNS queries can reveal every domain you visit to your ISP or local network.
Quick check
A full DNS leak test needs an out-of-band server that records which resolver asked it the question. We're rolling that into Finn's toolkit — for now, use these external testers and compare what they show against the VPN you expect:
- dnsleaktest.com — the canonical reference.
- Extended test — runs multiple lookups to catch sporadic leaks.
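The out-of-band mechanism described above, as an added example (not code from this site or its toolkit): the client looks up a one-time random name, and the zone's authoritative server log shows which resolvers asked for it. The zone `leaktest.example`, the two-column log format, and every address below are constructed assumptions.

```python
import ipaddress
import secrets

# Constructed sample: query log of a hypothetical authoritative server for
# leaktest.example, one "<resolver source IP> <queried name>" pair per line.
SAMPLE_LOG = """\
192.0.2.10 a1b2c3d4.leaktest.example
203.0.113.53 a1b2c3d4.leaktest.example
2001:db8::53 A1B2C3D4.leaktest.example.
198.51.100.7 ffff0000.leaktest.example
garbage line that is not a query record
"""


def new_probe_name(zone="leaktest.example"):
    """One-time random label: it cannot be answered from any cache, so every
    resolver the client really uses has to ask the zone's server."""
    return f"{secrets.token_hex(4)}.{zone}"


def resolvers_for(probe, log_text):
    """Set of resolver source addresses that queried this exact probe name."""
    # DNS names are case-insensitive and may carry a trailing root dot.
    want = probe.rstrip(".").lower()
    seen = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed records
        src, qname = parts
        if qname.rstrip(".").lower() == want:
            seen.add(ipaddress.ip_address(src))
    return seen


def leaked(resolvers, expected_networks):
    """Resolvers outside the networks the VPN's resolver is expected to use.
    An IPv6 resolver never matches an IPv4 network, so it is reported too."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return sorted(str(r) for r in resolvers if not any(r in n for n in nets))


if __name__ == "__main__":
    found = resolvers_for("a1b2c3d4.leaktest.example", SAMPLE_LOG)
    print("leak candidates:", leaked(found, ["192.0.2.0/24"]))
```

An empty result from `leaked` means every resolver that asked for the probe name was inside the expected range; any entry is a resolver to investigate.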
How leaks happen
- Your operating system bypasses the VPN's resolver and sends DNS queries to whatever resolver the network's DHCP server assigned (common on Windows with split-tunnel VPNs).
- IPv6 traffic isn't tunneled, so DNS queries sent over IPv6 go out directly. (See the IPv6 test.)
- Browser-level DNS-over-HTTPS bypasses the system resolver entirely.
Fixes
- Enable your VPN's "DNS leak protection" setting.
- Route IPv6 through the VPN, or disable IPv6 if your VPN doesn't support it.
- Use the VPN's own resolver explicitly in your OS network settings.
- For Tor, use the Tor Browser bundle rather than rolling your own.
