Vol. 1 · Ed. 2026
CyberGlossary
Entry № 339

DNS Leak

What is DNS Leak?

DNS Leak: A privacy failure in which DNS queries bypass a VPN or Tor tunnel and are sent to the user's ISP or default resolver in cleartext.


A DNS leak happens when name-resolution traffic escapes the encrypted tunnel that should carry it, exposing every domain a user visits to their ISP, public Wi-Fi, or DNS provider. Typical causes are split-tunnel configurations, IPv6 enabled while the VPN handles only IPv4, Windows multihomed-resolution sending parallel queries to all interfaces, or operating-system smart-resolution features. Even when web traffic is encrypted with HTTPS, DNS metadata reveals browsing patterns and can be used for censorship or tracking. Defences include forcing all DNS through the tunnel, blocking the system resolver at the firewall, disabling IPv6 when unsupported, and using DoH or DoT to the VPN's resolver.

Examples

  1. A VPN client routing IPv4 DNS through the tunnel but letting IPv6 queries go to the ISP resolver.

  2. Windows sending parallel DNS lookups on both Ethernet and VPN adapters, exposing visited domains.
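
A detection sketch for the two examples above, added here and not part of the original entry: it scans flow records for cleartext DNS (port 53) leaving any interface other than the tunnel and labels the likely cause. The interface name tun0, the record layout and all sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

TUNNEL_IF = "tun0"   # assumed name of the VPN tunnel interface
DNS_PORT = 53        # cleartext DNS over UDP or TCP

# Constructed flow records: (interface, destination IP, destination port, query name)
SAMPLE_FLOWS = [
    ("tun0", "10.8.0.1", 53, "example.org"),        # resolved through the tunnel
    ("eth0", "2001:db8::53", 53, "example.org"),    # IPv6 query outside the tunnel
    ("eth0", "192.0.2.53", 53, "intranet.example"), # same name also sent on tun0
    ("tun0", "10.8.0.1", 53, "intranet.example"),
    ("eth0", "198.51.100.7", 443, ""),              # HTTPS, not DNS
    ("wlan0", "192.0.2.1", 53, "example.net"),      # never entered the tunnel
]

def find_dns_leaks(flows, tunnel_if=TUNNEL_IF):
    """Return (qname, interface, dst, reason) for each DNS flow outside the tunnel."""
    ifaces_by_name = defaultdict(set)
    dns_flows = []
    for iface, dst, port, qname in flows:
        if port != DNS_PORT:
            continue
        dns_flows.append((iface, ipaddress.ip_address(dst), qname))
        ifaces_by_name[qname].add(iface)

    leaks = []
    for iface, dst, qname in dns_flows:
        if iface == tunnel_if:
            continue  # carried by the tunnel, not a leak
        if dst.version == 6:
            reason = "ipv6-outside-tunnel"
        elif tunnel_if in ifaces_by_name[qname]:
            reason = "parallel-query-on-multiple-interfaces"
        else:
            reason = "outside-tunnel"
        leaks.append((qname, iface, str(dst), reason))
    return leaks

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_FLOWS):
        print(leak)
```
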

Frequently asked questions

What is DNS Leak?

A privacy failure in which DNS queries bypass a VPN or Tor tunnel and are sent to the user's ISP or default resolver in cleartext. It belongs to the Privacy & Data Protection category of cybersecurity.

How do you defend against DNS Leak?

Defences for DNS Leak typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for DNS Leak?

Common alternative names include: DNS bypass, Resolver leak.
