Understanding the Role of DNS
DNS (Domain Name System) is often described as the "phone book of the internet." When you type "kakunin-san.com" into your browser, a DNS server translates that domain name into the corresponding IP address, and your browser then connects to the server at that address.
This name resolution process runs silently every time you open a web page. By default, DNS requests are sent to the DNS server provided by your ISP, which means your ISP can see exactly which websites you are trying to visit simply by observing those requests.
What Is a DNS Leak?
A DNS leak occurs when DNS requests bypass the VPN tunnel and reach your ISP's DNS server, despite the fact that you are using a VPN or proxy.
One of the primary reasons for using a VPN is to prevent your ISP and other third parties from seeing your browsing history. However, when a DNS leak occurs, even though the content of your traffic is encrypted, the information about which websites you visit is exposed to your ISP. This is a critical issue that fundamentally undermines the protection a VPN is supposed to provide.
Why Do DNS Leaks Happen?
OS DNS Configuration Conflicts
Even after connecting to a VPN, the operating system may retain its original DNS settings. This is particularly common on Windows, where DNS settings sometimes fail to switch properly when a VPN connection is established.
IPv6 Traffic Leakage
If a VPN only tunnels IPv4 traffic and does not handle IPv6, DNS requests sent over IPv6 can leak outside the VPN tunnel.
WebRTC Leakage
The browser's WebRTC feature can bypass the VPN and expose local IP addresses or DNS information to external parties. This issue is covered in detail in our WebRTC leak guide.
Split Tunneling Misconfiguration
Some VPNs offer a "split tunneling" feature that routes only certain traffic through the VPN. If this is misconfigured, DNS requests may travel outside the VPN tunnel.
Risks Posed by DNS Leaks
- Your ISP can see your browsing history
- Unencrypted DNS requests can be intercepted by third parties on the network
- The effectiveness of your VPN is significantly diminished
- Attempts to bypass geo-restrictions may fail
How to Detect DNS Leaks
Kakunin-san provides a DNS leak test. Here is how the test works:
- A DNS request is issued for a unique test subdomain
- The IP address of the DNS resolver that handled the request is recorded
- The resolver's location and ISP information are analyzed
- The results are checked for responses from servers other than your VPN provider's DNS
If your ISP's DNS server or a server in an unexpected region is detected while you are using a VPN, a DNS leak is occurring.
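The following Python sketch is an added example, not Kakunin-san's own test code, reproducing steps 2 to 4 of the test over a constructed query log from the authoritative server of a test zone. The zone name test.example, the log line format, all addresses, the VPN provider's resolver ranges and the network-to-operator table (standing in for the real ISP and geolocation lookup of step 3) are assumptions. It also applies the IPv6 rule from the "IPv6 Traffic Leakage" section: a query that arrives from an IPv6 resolver while the tunnel only carries IPv4 is a leak regardless of who operates that resolver.

```python
import ipaddress
import re

# Constructed sample log of the authoritative name server for the test zone
# "test.example" (assumed zone name). Each line records the recursive resolver
# that asked on the user's behalf and the subdomain it asked for. The format is
# invented for this example, not any particular DNS server's log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client 203.0.113.45 query a1b2c3.test.example A
2024-05-01T10:00:01Z client 198.51.100.9 query a1b2c3.test.example A
2024-05-01T10:00:02Z client 2001:db8:1::53 query a1b2c3.test.example AAAA
2024-05-01T10:00:05Z client 192.0.2.77 query zzz999.test.example A
"""

# Assumed: address ranges the VPN provider's resolvers come from (the provider
# would publish these), plus a constructed network-to-operator table standing
# in for the ISP / geolocation lookup of step 3.
VPN_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OPERATOR_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "VPN provider resolver",
    ipaddress.ip_network("198.51.100.0/24"): "Home ISP resolver",
    ipaddress.ip_network("2001:db8:1::/48"): "Home ISP resolver (IPv6)",
}

LOG_RE = re.compile(r"client (\S+) query ([^.\s]+)\.test\.example\b")


def resolvers_for_token(log: str, token: str) -> set:
    """Step 2: collect every resolver IP that looked up the unique subdomain."""
    found = set()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) == token:
            found.add(m.group(1))
    return found


def operator_of(addr) -> str:
    """Step 3 stand-in: label the resolver from the constructed table."""
    for net, label in OPERATOR_TABLE.items():
        if addr in net:
            return label
    return "unknown operator"


def classify(resolver_ips, vpn_nets=VPN_RESOLVER_NETS, vpn_handles_ipv6=False) -> dict:
    """Step 4: any resolver that is not the VPN provider's is a leak. An IPv6
    resolver is also a leak when the tunnel only carries IPv4, even if the
    provider happens to run IPv6 resolvers elsewhere."""
    expected, leaks = [], []
    # Sort by (version, address) so IPv4 and IPv6 objects are never compared directly.
    order = lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s))
    for ip in sorted(resolver_ips, key=order):
        addr = ipaddress.ip_address(ip)
        in_vpn = any(addr in net for net in vpn_nets)
        if addr.version == 6 and not vpn_handles_ipv6:
            leaks.append((ip, operator_of(addr), "IPv6 query outside an IPv4-only tunnel"))
        elif in_vpn:
            expected.append(ip)
        else:
            leaks.append((ip, operator_of(addr), "resolver is not the VPN provider's"))
    return {"expected": expected, "leaks": leaks, "leaking": bool(leaks)}


def run_test(log: str, token: str) -> dict:
    """Steps 2 to 4 together for one unique test token."""
    return classify(resolvers_for_token(log, token))


if __name__ == "__main__":
    result = run_test(SAMPLE_LOG, "a1b2c3")
    print("LEAK DETECTED" if result["leaking"] else "no leak")
    for ip, who, why in result["leaks"]:
        print(f"  {ip:>16}  {who:<26} {why}")
```

Two points worth noticing: the lookup for the other token (zzz999) is ignored, which is why the subdomain must be unique per test run, and a single expected resolver alongside a leaking one still counts as a leak, since the OS may be querying several resolvers in parallel.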
How to Prevent DNS Leaks
Enable Your VPN's DNS Leak Protection
Many VPN services include a built-in DNS leak protection feature. Check your VPN client's settings to make sure this feature is enabled.
Manually Configure Your DNS Server
Replacing your ISP's DNS server with a privacy-focused alternative is another effective measure. Cloudflare's 1.1.1.1 and Google Public DNS (8.8.8.8) are popular choices.
Disable IPv6
If your VPN does not support IPv6, disabling IPv6 in your OS network settings can prevent DNS leaks over IPv6.
Control WebRTC
Browser settings or extensions like WebRTC Leak Prevent can be used to block information leakage via WebRTC.
Adopt DNS over HTTPS (DoH)
DoH encrypts DNS requests by sending them over HTTPS. Major browsers including Firefox, Chrome, and Edge support DoH, making it an effective way to prevent DNS request eavesdropping.
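To make concrete what DoH changes on the wire, here is an added Python example (not code from this page, from any browser, or from any DNS provider) that builds an RFC 8484 DNS-over-HTTPS query and parses the answer. The DNS wire format is the same one a plain UDP query uses; DoH only wraps it in an HTTPS POST with the media type application/dns-message. The Cloudflare endpoint URL is the real one for the 1.1.1.1 service mentioned above; the response bytes used for the offline check are constructed, and the function names are my own.

```python
import ipaddress
import struct
import urllib.request

# RFC 8484: a plain DNS wire-format message is POSTed over HTTPS with this media type.
DOH_CONTENT_TYPE = "application/dns-message"
# Real DoH endpoint of the Cloudflare 1.1.1.1 resolver; any RFC 8484 server works.
CLOUDFLARE_DOH = "https://cloudflare-dns.com/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query. RD is set; the ID is 0, as RFC 8484
    recommends for DoH so that identical queries are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, rtype, ttl, rdata_text)] per answer record; raise on a non-zero RCODE."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def doh_resolve(name: str, url: str = CLOUDFLARE_DOH, qtype: int = 1):
    """Send the query over HTTPS. An on-path observer sees only TLS to the DoH host."""
    req = urllib.request.Request(
        url, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_answers(resp.read())


def constructed_response() -> bytes:
    """A hand-built reply to build_query('test.example.com') for offline checking;
    constructed here, not captured from any server."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    question = build_query("test.example.com")[12:]
    answer = (b"\xC0\x0C"  # name: pointer to the question name at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + ipaddress.IPv4Address("203.0.113.7").packed)
    return header + question + answer


if __name__ == "__main__":
    print(parse_answers(constructed_response()))  # offline check
    # print(doh_resolve("kakunin-san.com"))       # live query, needs network access
```

Two caveats for anyone relying on this: DoH hides the query from on-path observers such as your ISP, but the DoH provider still sees every name you resolve, so it moves trust rather than removing it; and when a VPN is active the HTTPS connection to the DoH host should itself go through the tunnel, otherwise the ISP still learns that you use that resolver, even if not which names you look up.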
Summary
DNS leaks are an often-overlooked privacy risk that can occur even when you are using a VPN. Regular testing and reviewing your VPN settings are essential. Use the Kakunin-san DNS leak test to verify your setup right now.