Understanding the Role of DNS

DNS (Domain Name System) is often described as the "phone book of the internet." When you type "kakunin-san.com" into your browser, a DNS server translates that domain name into the corresponding IP address, and your browser then uses that address to connect to the target server.

This name resolution process runs silently every time you open a web page. By default, DNS requests are sent to the DNS server provided by your ISP - which means your ISP can see exactly which websites you are trying to visit through those DNS requests.

Understanding how DNS works is the first step toward protecting your privacy. On the IP Check-san homepage, you can check which DNS server your connection is currently using. Start by finding out which DNS server your environment relies on.

What Is a DNS Leak?

A DNS leak occurs when DNS requests bypass the VPN tunnel and reach your ISP's DNS server, despite the fact that you are using a VPN or proxy.

One of the primary reasons for using a VPN is to prevent your ISP and other third parties from seeing your browsing history. However, when a DNS leak occurs, even though the content of your traffic is encrypted, the information about which websites you visit is exposed to your ISP. This is a critical issue that fundamentally undermines the protection a VPN is supposed to provide.

A common misconception is that connecting to a VPN automatically protects your DNS queries. In reality, depending on the VPN implementation and your OS settings, DNS requests may still travel outside the VPN tunnel. Do not assume you are safe just because you are using a VPN - regularly verify whether DNS leaks are occurring.

Why Do DNS Leaks Happen?

OS DNS Configuration Conflicts

Even after connecting to a VPN, the operating system may retain its original DNS settings. This is particularly common on Windows, where DNS settings sometimes fail to switch properly when a VPN connection is established. Windows' Smart Multi-Homed Name Resolution feature can send DNS queries to servers outside the VPN tunnel in parallel, contributing to the problem.

IPv6 Traffic Leakage

If a VPN only tunnels IPv4 traffic and does not handle IPv6, DNS requests sent over IPv6 can leak outside the VPN tunnel. As IPv6 adoption continues to grow, this issue is becoming increasingly serious.

WebRTC Leakage

The browser's WebRTC feature can bypass the VPN and expose local IP addresses or DNS information to external parties. This issue is covered in detail in our WebRTC leak guide.

Split Tunneling Misconfiguration

Some VPNs offer a "split tunneling" feature that routes only certain traffic through the VPN. If this is misconfigured, DNS requests may travel outside the VPN tunnel.

Temporary Leaks During Network Switching

When switching from Wi-Fi to mobile data, or moving between different Wi-Fi networks, the VPN connection may briefly drop, allowing DNS requests to reach your ISP's DNS server during that window. Configuring your firewall to block DNS traffic outside the VPN can help mitigate this issue.

Risks Posed by DNS Leaks

  • Your ISP can see your browsing history
  • Unencrypted DNS requests can be intercepted by third parties on the network
  • The effectiveness of your VPN is significantly diminished
  • Attempts to bypass geo-restrictions may fail
  • You become more vulnerable to DNS hijacking and cache poisoning attacks

On public Wi-Fi networks in particular, unencrypted DNS requests are at heightened risk of interception and tampering through man-in-the-middle (MITM) attacks. Attackers who forge DNS responses to redirect users to phishing sites remain a widespread threat today.

How to Detect DNS Leaks

IP Check-san provides a DNS leak test. Here is how the test works:

  1. A DNS request is issued for a unique test subdomain
  2. The IP address of the DNS resolver that handled the request is recorded
  3. The resolver's location and ISP information are analyzed
  4. The results are checked for responses from servers other than your VPN provider's DNS

If your ISP's DNS server or a server in an unexpected region is detected while you are using a VPN, a DNS leak is occurring.
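The four steps above, expressed as a small offline simulation. This is an added example, not IP Check-san's own test code: the VPN provider's resolver ranges, the resolver-to-operator table, the `leaktest.example` domain and the sample scenario are all constructed placeholders. It also covers the IPv6 case from the "IPv6 Traffic Leakage" section, since a resolver reached over IPv6 outside the provider's ranges is classified as a leak just like an IPv4 one.

```python
import ipaddress
import secrets

# Constructed data (assumption): address ranges used by the VPN provider's own
# resolvers. A real test would take these from the provider's published list.
VPN_RESOLVER_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed data (assumption): resolver address -> (operator, country), standing in
# for the ISP/GeoIP lookup the test performs in step 3.
RESOLVER_OWNERS = {
    "198.51.100.53": ("ExampleVPN", "NL"),
    "2001:db8:100::53": ("ExampleVPN", "NL"),
    "203.0.113.7": ("Example Home ISP", "JP"),
    "2001:db8:999::1": ("Example Home ISP", "JP"),
}


def make_test_name(domain="leaktest.example"):
    """Step 1: a random, never-before-seen subdomain. No cache can hold it, so the
    query must travel all the way to the authoritative server, which is where the
    resolver's address gets recorded (step 2)."""
    return f"{secrets.token_hex(8)}.{domain}"


def classify_resolver(resolver_ip):
    """Steps 3-4: decide whether the resolver that reached the authoritative server
    belongs to the VPN provider. Anything else, including an IPv6 resolver while the
    VPN only tunnels IPv4, is a leak."""
    addr = ipaddress.ip_address(resolver_ip)
    owner, country = RESOLVER_OWNERS.get(resolver_ip, ("unknown", "??"))
    inside_vpn = any(addr in net for net in VPN_RESOLVER_NETS)
    return {
        "resolver": resolver_ip,
        "owner": owner,
        "country": country,
        "family": f"IPv{addr.version}",
        "verdict": "ok" if inside_vpn else "leak",
    }


def run_leak_test(observed_per_run):
    """Simulate several runs (verification step 4). `observed_per_run` holds, per run,
    the resolver addresses seen for that run's test name. A transient leak, e.g. during
    a network switch, shows up as a single bad run."""
    report = {"leak_detected": False, "leaky_runs": [], "runs": []}
    for index, resolvers in enumerate(observed_per_run):
        name = make_test_name()
        findings = [classify_resolver(ip) for ip in resolvers]
        report["runs"].append({"name": name, "findings": findings})
        if any(f["verdict"] == "leak" for f in findings):
            report["leak_detected"] = True
            report["leaky_runs"].append(index)
    return report


if __name__ == "__main__":
    # Constructed scenario: the second run happened right after a Wi-Fi switch and the
    # home ISP's resolver answered alongside the VPN's.
    demo = run_leak_test([
        ["198.51.100.53"],
        ["198.51.100.53", "203.0.113.7"],
        ["198.51.100.53", "2001:db8:100::53"],
    ])
    for run in demo["runs"]:
        for f in run["findings"]:
            print(run["name"], f["resolver"], f["owner"], f["country"], f["verdict"])
    print("leak detected:", demo["leak_detected"], "in runs", demo["leaky_runs"])
```

The unique name per run is what makes the test meaningful: a cached name would be answered without any resolver contacting the authoritative server, and nothing would be recorded.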

Step-by-Step Verification

  1. Connect to your VPN and visit IP Check-san to confirm that the displayed IP address belongs to your VPN server
  2. Run the DNS leak test and check the ISP name and location of the detected DNS servers
  3. If the detected servers belong to your VPN provider, you are safe. If your own ISP name appears, a DNS leak is occurring
  4. Run the test multiple times to confirm consistent results (pay special attention right after network switches)

How to Prevent DNS Leaks

Enable Your VPN's DNS Leak Protection

Many VPN services include a built-in DNS leak protection feature. Check your VPN client's settings to make sure this feature is enabled. It is also recommended to enable the kill switch (a feature that blocks all traffic when the VPN disconnects).

Manually Configure Your DNS Server

Replacing your ISP's DNS server with a privacy-focused alternative is another effective measure. Cloudflare's 1.1.1.1 and Google Public DNS (8.8.8.8) are popular choices. Note, however, that using these public DNS servers does not encrypt the DNS requests themselves, and changing the resolver does not by itself keep those requests inside the VPN tunnel.

Disable IPv6

If your VPN does not support IPv6, disabling IPv6 in your OS network settings can prevent DNS leaks over IPv6.

Control WebRTC

Browser settings or extensions like WebRTC Leak Prevent can be used to block information leakage via WebRTC.

Adopt DNS over HTTPS (DoH) / DNS over TLS (DoT)

DoH encrypts DNS requests by sending them over HTTPS, while DoT encrypts them over TLS. As of 2024, all major browsers - Firefox, Chrome, Edge, and Safari - support DoH. For a comprehensive overview of these protocols, books on DNS security protocols are a valuable resource.

DoH and DoT each have their trade-offs. DoH uses port 443, making it indistinguishable from regular HTTPS traffic and difficult for network administrators to block. DoT uses port 853, which allows network administrators to identify and control DNS traffic more easily. Enterprise networks tend to prefer DoT, while DoH is more convenient for personal use.
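What "DNS over HTTPS" and "DNS over TLS" look like on the wire, as an added example (not code from IP Check-san). It builds a standard DNS query message, then shows the two transports the text compares: the RFC 8484 GET form, where the query rides in the `dns` parameter of an ordinary HTTPS URL on port 443, and the DoT framing, where the same message gets a two-byte length prefix and is written into a TLS connection to port 853. The resolver hostname `dns.example` is a placeholder; the encoded query for `www.example.com` that the code produces is the same string RFC 8484 uses as its own GET example.

```python
import base64
import struct


def build_dns_query(name, qtype=1):
    """Encode a minimal DNS query in RFC 1035 wire format: 12-byte header, one
    question (QNAME labels, QTYPE, QCLASS=IN). The message ID is 0, as RFC 8484
    recommends for DoH so identical queries can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver_host, name, qtype=1):
    """RFC 8484 GET form: the wire-format query, base64url-encoded with '=' padding
    removed, carried in the 'dns' parameter of a normal HTTPS request (port 443)."""
    token = base64.urlsafe_b64encode(build_dns_query(name, qtype)).rstrip(b"=")
    return f"https://{resolver_host}/dns-query?dns={token.decode('ascii')}"


def dot_frame(name, qtype=1):
    """The same query as written into a TLS connection to port 853 (DoT): ordinary
    DNS-over-TCP framing, i.e. a 2-byte big-endian length prefix."""
    msg = build_dns_query(name, qtype)
    return struct.pack("!H", len(msg)) + msg


def parse_dns_param(token):
    """Decode a 'dns' parameter back to (qname, qtype). Handy for checking, e.g. in a
    proxy log, what a DoH client actually asked for."""
    token += "=" * (-len(token) % 4)  # restore the padding base64url dropped
    msg = base64.urlsafe_b64decode(token)
    (qdcount,) = struct.unpack("!H", msg[4:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack("!H", msg[pos + 1 : pos + 3])
    return ".".join(labels), qtype


if __name__ == "__main__":
    url = doh_get_url("dns.example", "www.example.com")
    print("DoH GET:", url)
    print("DoT bytes:", dot_frame("www.example.com").hex())
    print("decoded:", parse_dns_param(url.split("dns=")[1]))
```

The contrast in the text follows directly from these two functions: the DoH URL is just another HTTPS request to port 443, so a network filter cannot tell it from web browsing without knowing the resolver's address, while the DoT frame only ever travels to port 853, which a network administrator can recognise and control.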

As of 2025, technologies like Apple's iCloud Private Relay and Google's Encrypted Client Hello (ECH) are pushing DNS encryption even further. DNS privacy protection is a rapidly evolving field.

Comparing DNS Security Protocols

Multiple technologies exist to strengthen DNS security, each protecting a different scope and serving a different purpose. When considering DNS leak countermeasures, it is important to understand the characteristics of each protocol.

DNSSEC (DNS Security Extensions)

DNSSEC adds digital signatures to DNS responses, enabling detection of response tampering. While effective against DNS cache poisoning, it does not encrypt the content of DNS requests themselves. This means that even with DNSSEC in place, ISPs and network administrators can still see which domains you are querying. DNSSEC guarantees "response authenticity" and is complementary to DoH and DoT, which provide "communication confidentiality."

Choosing Between DoH and DoT

DoH (DNS over HTTPS) and DoT (DNS over TLS) both encrypt DNS requests, but they differ in operational characteristics. DoH uses port 443 and is indistinguishable from regular web traffic, making it effective at bypassing censorship and filtering. However, this can be problematic when enterprise security policies require monitoring and controlling DNS traffic. DoT uses port 853, making it easier for network administrators to identify DNS traffic, which makes it better suited for enterprise environments.

Oblivious DoH (ODoH) and DNS over QUIC (DoQ)

From 2024 into 2025, next-generation DNS privacy technologies are reaching practical deployment. ODoH places a proxy between the DNS resolver and the client, allowing name resolution without the resolver knowing the client's IP address. Jointly promoted by Cloudflare and Apple, it serves as the underlying technology for iCloud Private Relay. DoQ encrypts DNS over the QUIC protocol, offering faster connection establishment than TCP-based DoT. Some providers, such as AdGuard DNS, have begun supporting it.

By combining these technologies, the risk of DNS leaks can be reduced across multiple layers. Those seeking deeper knowledge will find a network security fundamentals book helpful for understanding these layered defenses. However, regardless of which technology you adopt, proper firewall configuration remains essential, and it is recommended to use rules that block DNS traffic outside the VPN tunnel.
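An added example, not code from IP Check-san, that serves two passages: the "Choosing Between DoH and DoT" point that port 853 identifies DoT while DoH on port 443 blends in with web traffic, and the recommendation just above to block DNS traffic outside the VPN tunnel. It classifies constructed flow records by the DNS transport they most likely carry and then flags every DNS-carrying flow that left on an interface other than the tunnel, which is exactly the condition the recommended firewall rule is meant to prevent. The log lines, the `tun0` interface name and the list of known DoH resolver addresses are all assumptions.

```python
import re

# Constructed flow records (assumption), in the key=value style a firewall or flow
# exporter might log: interface the packet left on, protocol, destination, port.
FLOW_LOG = """\
2025-01-01T10:00:00Z iface=tun0 proto=udp dst=10.8.0.1 dport=53
2025-01-01T10:00:01Z iface=wlan0 proto=udp dst=203.0.113.53 dport=53
2025-01-01T10:00:02Z iface=wlan0 proto=tcp dst=198.51.100.10 dport=853
2025-01-01T10:00:03Z iface=wlan0 proto=tcp dst=198.51.100.10 dport=443
2025-01-01T10:00:04Z iface=wlan0 proto=tcp dst=192.0.2.80 dport=443
2025-01-01T10:00:05Z iface=wlan0 proto=udp dst=2001:db8:bad::53 dport=53
2025-01-01T10:00:06Z iface=tun0 proto=tcp dst=10.8.0.1 dport=853
"""

# Constructed (assumption): DoH resolver addresses this network knows about. Port 443
# alone reveals nothing; only the destination separates DoH from ordinary web traffic.
KNOWN_DOH_RESOLVERS = {"198.51.100.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) proto=(?P<proto>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def classify_flow(record):
    """Label a flow by the DNS transport it most likely carries."""
    port = int(record["dport"])
    if port == 53:
        return "plaintext-dns"
    if port == 853 and record["proto"] == "tcp":
        return "dot"
    if port == 443 and record["dst"] in KNOWN_DOH_RESOLVERS:
        return "doh-likely"
    return "other"


def parse_flows(text):
    """Parse the log into records, skipping malformed lines instead of aborting."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        record = m.groupdict()
        record["kind"] = classify_flow(record)
        flows.append(record)
    return flows


def find_dns_leaks(text, tunnel_iface="tun0"):
    """Any DNS-carrying flow that left on an interface other than the VPN tunnel is a
    leak candidate. Plaintext port-53 leaks are the worst case, since the ISP can read
    them, but DoT/DoH to a resolver outside the tunnel still bypasses the VPN's DNS."""
    return [
        flow
        for flow in parse_flows(text)
        if flow["kind"] != "other" and flow["iface"] != tunnel_iface
    ]


def summarize(text):
    """Count flows per transport kind."""
    counts = {}
    for flow in parse_flows(text):
        counts[flow["kind"]] = counts.get(flow["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(FLOW_LOG))
    for leak in find_dns_leaks(FLOW_LOG):
        print("LEAK", leak["ts"], leak["iface"], leak["kind"], leak["dst"], leak["dport"])
```

Run against the sample log, the two UDP port-53 flows on `wlan0` (one of them IPv6) are the classic leak; the DoT and DoH flows on `wlan0` are also reported because they reach a resolver without going through the tunnel. A firewall rule that permits DNS only on the tunnel interface would have stopped all four before they left the machine.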

DNS Leaks and Other Privacy Risks

DNS leaks do not occur in isolation - they are closely related to other privacy risks. Even when using a VPN, if a DNS leak occurs, your ISP can see which sites you visit, and GeoIP-based location estimation may reveal your actual location. Because DNS requests contain the destination domain name, ISPs and intermediaries can build a detailed picture of your browsing patterns.

From 2024 into 2025, the landscape surrounding DNS privacy is changing rapidly. Standardization of Encrypted Client Hello (ECH) is progressing, and the server name (SNI) during TLS handshakes is increasingly being encrypted. By combining DNS over HTTPS with ECH, it becomes significantly harder for ISPs and network administrators to determine which sites you visit. On the other hand, some countries are moving to regulate these encryption technologies, and the balance between privacy and regulation is being actively debated.

Actions You Can Take Now

DNS leaks are an often-overlooked privacy risk that can occur even when you are using a VPN. Follow these steps to verify your environment right now:

  • Visit the IP Check-san homepage and check your IP address and DNS server information while connected to a VPN
  • Run the DNS leak test and confirm that the detected DNS servers belong to your VPN provider
  • If your own ISP name appears, enable the DNS leak protection feature in your VPN client
  • Enable DoH (DNS over HTTPS) in your browser settings and verify that DNS requests are encrypted
  • Run the test immediately after switching between Wi-Fi and mobile data to check for temporary leaks
  • Repeat tests regularly and verify that DNS leaks do not occur after VPN setting changes or OS updates
