Skip to content
Athenian Tech

Cyber Threat Landscape

DNS Leaks: What They Are and How to Close Them

4 min read985 words

A DNS leak is one of those privacy failures that hides in plain sight. You do everything right — you turn on a VPN, you see the little “connected” icon, you assume your browsing is now private — and yet the record of every site you visit is still being handed to your internet provider. The encryption is working. The tunnel is up. But the questions your computer asks about where to find websites are escaping around the side of it. That escape is the leak.

To see why it happens, it helps to remember what DNS actually does.

The Name Lookup Nobody Sees

Every time you type an address like example.com, your device has to translate that human-friendly name into a numeric IP address before it can connect to anything. That translation is the job of the Domain Name System. Your device sends the name to a resolver — usually one run by your internet provider — and the resolver answers with the address.

Here is the important part for privacy: that lookup is a separate conversation from the actual web traffic. You can encrypt the page you load, but if the lookup for that page goes out in the clear to your provider’s resolver, then your provider — and anyone able to watch that resolver — knows exactly which sites you asked for, in what order, and when. The content is hidden; the intent is not.

A VPN is supposed to pull those lookups inside the encrypted tunnel along with everything else, so they go to the VPN’s own resolver instead of your provider’s. A DNS leak is any situation where the lookup slips out of the tunnel and goes to the provider’s resolver anyway.

Why Lookups Escape the Tunnel

There is rarely a single villain. Leaks come from a handful of predictable gaps:

  • The operating system’s own resolver logic. Windows in particular has historically sent DNS queries to every configured network interface at once and used whichever answered first — a feature meant for speed that happily bypasses the tunnel. If your provider’s resolver replies before the VPN’s does, that reply wins.
  • IPv6 falling through. Many VPNs were built to tunnel IPv4 and quietly ignore IPv6. If your network hands you an IPv6 address, those lookups can travel outside the tunnel entirely because the VPN never claimed them.
  • Split tunneling and misconfiguration. Some setups deliberately route only some traffic through the VPN. If DNS isn’t explicitly included, it leaks by design.
  • Transparent DNS interception. A few ISPs redirect any DNS traffic on port 53 back to their own servers regardless of where you addressed it. Even a correctly configured client can be overridden by the network itself.
  • Dropped connections without a kill switch. If the tunnel drops for a second and there’s no kill switch to freeze traffic, your device silently reverts to the default resolver and keeps browsing — leaking until the tunnel comes back.

How to Know If You’re Leaking

The test is conceptually simple: connect your VPN, then check which resolver the internet thinks you’re using. If it’s one belonging to your VPN provider, you’re contained. If it’s your ISP’s resolver — or one geographically sitting at your real location — traffic is escaping.

Public DNS-leak test pages automate this by loading resources from many uniquely named test domains and reporting back which resolvers requested them. A less obvious but telling symptom is a geolocation mismatch: your IP appears to be in one country while your DNS resolver reports another. That split almost always means the two are traveling by different routes, which is exactly what a leak looks like.

Closing the Leak

Most fixes fall into three buckets — pick a tool that doesn’t leak, force the operating system to behave, and remove the fallback paths.

  1. Choose a VPN that owns its DNS. The cleanest solution is a client that runs its own resolvers, routes every lookup through them, blocks IPv6 (or tunnels it properly), and includes a kill switch. If the tool is doing its job, there is nothing left for you to patch.
  2. Pin your resolver at the OS level. Manually set your system or router to a trusted public resolver rather than “automatic.” This removes the ISP resolver as the default your device silently falls back to.
  3. Disable IPv6 if your VPN can’t handle it. Until the client tunnels IPv6, turning it off closes an entire category of leak. It’s a blunt fix, but effective.
  4. Turn on the kill switch. This freezes traffic the instant the tunnel drops, so a momentary reconnection can’t expose a burst of lookups.
  5. Flush the DNS cache after changes. Old cached answers can keep pointing at the wrong resolver; clearing the cache forces fresh, correct lookups.
  6. Consider encrypted DNS. DNS-over-HTTPS or DNS-over-TLS encrypts the lookup itself, so even a lookup that travels outside the tunnel is unreadable to an eavesdropper. It’s a strong second layer, though it doesn’t replace fixing the routing.

Why It’s Worth Caring About

A DNS leak rarely exposes the contents of what you do online. What it exposes is the map — the full list of where you went. For most people that’s a privacy problem. For a journalist protecting a source, an activist under a hostile government, or anyone whose browsing pattern is itself sensitive, that map is the whole risk. The lookups are the part of your traffic most likely to betray you precisely because they feel like plumbing rather than data.

The reassuring news is that a leak is almost always a configuration problem, not a fundamental one. Test your setup, fix the routing, remove the fallbacks, and verify again. Once the lookups are genuinely inside the tunnel, the leak is closed — and unlike many privacy problems, you can confirm the fix in about thirty seconds.