
DNS Leaks Explained.

Your VPN encrypts your traffic. But if your DNS queries sneak out around the tunnel, your ISP still sees every site you visit. That's a DNS leak.

⚡ The one-paragraph version

DNS is how your device translates "example.com" into a server IP. Normally that translation happens at your ISP's DNS resolver. When you connect to a VPN, those queries should go through the encrypted tunnel to the VPN provider's DNS. Sometimes they don't, and your ISP keeps seeing them. That's a DNS leak, and it defeats most of the privacy reason you installed the VPN.

What DNS actually does

Every domain you visit needs to resolve to an IP address before your device can connect. When you type reddit.com, your device asks a DNS resolver "what's the IP for reddit.com?" and the resolver answers (something like 151.101.0.140). Then the actual connection happens against that IP.

By default, your device uses the DNS resolver assigned by your ISP (usually handed out over DHCP). Classic DNS travels over UDP port 53 with no encryption, so that resolver, and anything on the path to it, sees every domain you query in plain text. If the resolver logs, that is a complete record of every site you have ever visited, sitting on your ISP's servers.

When a VPN works correctly, all DNS queries are routed through the encrypted tunnel to a DNS resolver run by (or for) the VPN provider. Your ISP sees encrypted traffic to one endpoint and nothing about which domains you queried.
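To make the "plain text" point concrete, here is an added example (written for this page, not ClownVPN's code or any resolver's implementation) that builds the exact bytes a stub resolver sends for reddit.com and then pulls the queried name back out of the packet the way a passive observer on the path would. The transaction ID, the 151.101.0.140 answer and the response builder are constructed for the demo.

```python
import struct

# Added example: minimal DNS wire-format encoder/decoder (RFC 1035), enough to
# show that the queried name sits unencrypted in every classic UDP/53 query.


def encode_qname(name: str) -> bytes:
    """Encode 'reddit.com' as length-prefixed labels: b'\\x06reddit\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # labels are 1..63 bytes
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A standard recursive query for an A record (QTYPE=1, QCLASS=IN). txid is constructed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def decode_qname(packet: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; returns (name, offset_after_name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def observed_qname(packet: bytes) -> str:
    """What an on-path observer (your ISP) reads: the question name starts at byte 12."""
    name, _ = decode_qname(packet, 12)
    return name


def build_response(query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed response: echo the question, add one A record using a pointer (0xC00C) to it."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1; ANCOUNT=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def parse_a_answers(packet: bytes):
    """Return the IPv4 addresses in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_qname(packet, offset)
        offset += 4  # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _, offset = decode_qname(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


if __name__ == "__main__":
    q = build_query("reddit.com")
    print("query bytes:", q.hex())            # 'reddit' and 'com' are readable in the hex
    print("observer sees:", observed_qname(q))
    r = build_response(q, "151.101.0.140")    # constructed answer, not a live lookup
    print("answer:", parse_a_answers(r))
```

Running it prints the query as hex; the ASCII of `reddit` and `com` is visible in the dump, which is exactly what a transparent proxy or a logging resolver works from. Nothing here touches the network, so it runs offline.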

What a DNS leak looks like

A leak means one or more DNS queries went to your ISP's resolver (or some other resolver outside the tunnel) instead of through the VPN's resolver. The actual page content is still encrypted by HTTPS, but the domain names are exposed. A few practical examples:

  • You connect to a VPN, then visit your bank. Your bank's HTTPS traffic is encrypted end-to-end. But if DNS leaks, your ISP has a record that you went to bankofamerica.com at 9:47 AM.
  • You're using a VPN to look up something sensitive. The content of the page is encrypted, but the leak tells your ISP you visited healthcare.gov or aa.org.
  • You're streaming a service. The streaming itself is encrypted, but the leak exposes which service you're using (which can interest both your ISP, which sometimes throttles streaming, and other observers).

The fix is unambiguous: stop the leak. The privacy goal of the VPN doesn't work if DNS leaks.

What causes DNS leaks

1. OS-level DNS configuration

Windows (8 and later) has a feature called "Smart Multi-Homed Name Resolution" that sends each DNS query out every network interface in parallel and accepts whichever answer arrives first. Even with a VPN active, a copy of the query can go out the physical interface to your ISP's resolver alongside the copy sent through the tunnel. The ISP's resolver often answers first (it's closer), so its answer gets used, but the leak has already happened either way: the ISP saw the query.

macOS and Linux are generally better-behaved, but per-interface DNS configurations (systemd-resolved's per-link DNS on Linux, scoped resolvers on macOS) can still send some queries out the wrong interface; `resolvectl status` and `scutil --dns` respectively show which resolver is attached to which interface. Android 9 and later has stronger guarantees about routing DNS through the active VPN, but bugs and edge cases exist.

2. IPv6 leaks

If your VPN only tunnels IPv4 (many still do, ours included) but your device has IPv6 enabled and your network supports it, your IPv6 DNS queries go straight out to the network untunnelled. This isn't only a DNS problem: every other IPv6 connection bypasses the tunnel too. The fix: either tunnel IPv6 too (some providers do), or disable IPv6 on the device while the VPN is active (what we do on Android).

3. Application-level DNS bypass

Some applications use their own DNS resolver and bypass the system DNS configuration entirely. Chrome's DNS-over-HTTPS (Secure DNS) when pointed at a specific provider, certain enterprise apps, and some VPN-aware software do this. If the VPN captures all traffic, these queries usually still ride inside the tunnel (they are ordinary HTTPS to the default route), so your ISP doesn't see them; what they bypass is the VPN provider's resolver, so Cloudflare or Google sees your domains from the VPN's exit IP instead. The exception is a VPN whose leak protection only intercepts port 53: DoH on port 443 isn't intercepted at all.

4. Transparent DNS proxies

Some ISPs and cellular carriers run transparent DNS proxies that intercept outgoing port-53 queries at the network level and answer them from their own resolver, regardless of which resolver your device is configured to use. This is less common in 2026 than it used to be, but it still happens, particularly on cellular networks in some countries. A proxy can only grab queries that leave the device unencrypted and outside the tunnel, so it turns an occasional leak into a guaranteed one and defeats "just point the OS at 1.1.1.1" when no VPN is running. Encrypted DNS (DoT or DoH) can't be hijacked this way.

5. Misconfigured VPN client

The VPN client is supposed to push its DNS settings to your device when the tunnel comes up and restore the old ones when it goes down. If the client is buggy, only partially configures the tunnel interface, or leaves the system resolver settings untouched, DNS isn't captured. Reputable, well-maintained VPN clients handle this correctly; sketchy free VPNs often don't.

How to detect a DNS leak

  1. Connect to your VPN.
  2. Visit our DNS leak test: /tools/dns-leak-test/. It shows which DNS resolver your queries went through.
  3. Look at the results. The answer you want is your VPN provider's resolver (or whatever resolver your VPN documents that it uses). If you see your ISP's name (Comcast, Verizon, AT&T, Spectrum, etc.): leak. If you see Cloudflare, Google Public DNS or another public resolver that isn't your ISP, the query didn't reach your ISP, but it didn't use the VPN's resolver either; that usually means an app or OS setting (Chrome's Secure DNS, a manual 1.1.1.1 entry) is bypassing it, which is worth understanding even though it isn't the worst case.
  4. Cross-check. Run the extended test on dnsleaktest.com and the test on browserleaks.com. Leaks can be intermittent, so a test that fires many queries is more likely to catch one. Any test that shows your ISP's resolver even once is a leak, whatever the others say; the tests only "agree" on a clean result if none of them sees your ISP.
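How a leak test turns a list of resolver addresses into a verdict, and why a single ISP hit in a run of otherwise clean queries still counts, is easier to see in code. The block below is an added example, not the code behind /tools/dns-leak-test/ or any other tester. A leak test makes your browser resolve unique random subdomains of a domain the tester controls; the resolvers that then contact the tester's authoritative server are the ones your queries actually used, and the tester maps their addresses to an owner (normally by ASN or whois). This block takes that reported list and classifies it, including the IPv4-only-VPN case from cause 2 above. The owner table is a constructed stand-in for the real mapping: every range in it is RFC 5737 / RFC 3849 documentation space, not a real resolver.

```python
import ipaddress

# Added example. RESOLVER_OWNERS is a placeholder for the ASN/whois mapping a real
# leak test performs; all ranges are documentation prefixes, not real resolvers.
RESOLVER_OWNERS = {
    # owner label: (kind, ranges)
    "ClownVPN resolver": ("vpn", ["203.0.113.0/24", "2001:db8:1::/48"]),
    "Example ISP": ("isp", ["198.51.100.0/24", "2001:db8:2::/48"]),
    "Example public resolver": ("public", ["192.0.2.0/24", "2001:db8:3::/48"]),
}

_OWNER_NETS = [
    (owner, kind, ipaddress.ip_network(cidr))
    for owner, (kind, cidrs) in RESOLVER_OWNERS.items()
    for cidr in cidrs
]


def classify_resolver(addr, vpn_tunnels_ipv6=False):
    """Return (verdict, owner) for one resolver address the test saw hit its server."""
    ip = ipaddress.ip_address(addr)
    # ipaddress treats a v6 address as not contained in a v4 network, and vice versa.
    owner, kind = next(((o, k) for o, k, net in _OWNER_NETS if ip in net), (None, "unknown"))
    if kind == "vpn":
        return "ok", owner
    if ip.version == 6 and not vpn_tunnels_ipv6:
        # The VPN never carried IPv6, so this query left the device outside the
        # tunnel no matter who ended up answering it.
        return "ipv6-leak", owner
    if kind == "isp":
        return "isp-leak", owner
    # Not the ISP, but not the VPN's resolver either: an app DoH setting or a manual
    # OS resolver is bypassing the VPN resolver, most likely still inside the tunnel.
    return "bypass", owner


def assess(observed_resolvers, vpn_tunnels_ipv6=False):
    """Summarise one leak-test run.

    Any single leaking resolver makes the whole run a LEAK even if most queries went
    through the VPN: SMHNR-style leaks are intermittent and show up in an extended
    test as a mix of VPN and ISP resolvers.
    """
    verdicts = {a: classify_resolver(a, vpn_tunnels_ipv6) for a in observed_resolvers}
    leaks = sorted(a for a, (v, _) in verdicts.items() if v.endswith("leak"))
    bypass = sorted(a for a, (v, _) in verdicts.items() if v == "bypass")
    if leaks:
        status = "LEAK"
    elif bypass:
        status = "BYPASS"
    else:
        status = "OK"
    return {"status": status, "leaks": leaks, "bypass": bypass, "verdicts": verdicts}


if __name__ == "__main__":
    # Constructed results, shaped like what an extended test (many queries) reports.
    runs = {
        "clean": ["203.0.113.53"],
        "windows_smhnr": ["203.0.113.53", "198.51.100.10", "203.0.113.54"],
        "ipv6_only_leak": ["203.0.113.53", "2001:db8:2::10"],
        "chrome_doh_bypass": ["192.0.2.1"],
    }
    for name, seen in runs.items():
        result = assess(seen)
        print(f"{name}: {result['status']}  leaks={result['leaks']}  bypass={result['bypass']}")
```

To use it against a real run, replace the placeholder table with the resolver ranges your VPN publishes and the ranges a test shows with the VPN off (those are your ISP), and pass the addresses the test reported. Set `vpn_tunnels_ipv6=True` only if your provider actually carries IPv6 inside the tunnel; with the default, any IPv6 resolver at all is flagged.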

How to fix a DNS leak

  1. Use a VPN with DNS leak protection. ClownVPN handles this on Android. Other reputable providers (Mullvad, ProtonVPN, IVPN) do too. Many free VPNs don't.
  2. Disable IPv6 on your device if your VPN doesn't tunnel it. (On modern Windows: Network Adapter Properties → uncheck Internet Protocol Version 6 (TCP/IPv6).)
  3. Force a specific DNS resolver at the OS level (Cloudflare's 1.1.1.1, Quad9's 9.9.9.9, or NextDNS), and use its encrypted form (DoH or DoT) where the OS supports it. This doesn't prevent leaks per se, but it means a query that does escape the tunnel goes somewhere safer than your ISP, and if it's encrypted your ISP (or a transparent DNS proxy) can neither read nor hijack it on the way.
  4. Use a kill switch. If the VPN drops, a kill switch blocks all traffic, including DNS, until the VPN reconnects. It protects you while the tunnel is down, not against queries that slip out while it's up, so you still need the other fixes.
  5. If on Windows, disable Smart Multi-Homed Name Resolution. Group Policy: Computer Configuration → Administrative Templates → Network → DNS Client → "Turn off smart multi-homed name resolution" → Enabled. Equivalent registry edit: set the DWORD value DisableSmartNameResolution to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient. Reboot afterwards and re-run the leak test.

🎪 FAQ

How do I check if I have a DNS leak right now?
Connect to your VPN, then visit our free DNS leak test at /tools/dns-leak-test/. It shows which DNS resolver your queries are going through. If you see your ISP's resolver (Comcast, Verizon, AT&T, etc.) instead of the VPN provider's resolver, you have a leak. Cross-check with dnsleaktest.com or browserleaks.com for a second opinion.
Why does my VPN show as connected but DNS still leaks?
Three common causes. (1) The OS sends queries outside the tunnel: Windows in particular has 'Smart Multi-Homed Name Resolution', which queries every interface in parallel, including the physical one that leads to your ISP. (2) IPv6 is enabled but the VPN only tunnels IPv4, so your IPv6 DNS queries leave the device untunnelled. (3) Apps that use their own DNS (Chrome's DoH if you've enabled it, some VPN-aware apps) bypass the VPN's resolver; those queries are usually still inside the tunnel, but they don't go through the VPN's DNS. ClownVPN handles all three correctly on Android, but third-party VPNs vary.
Are DNS leaks dangerous, or just a privacy issue?
Mostly a privacy issue. A DNS leak means your ISP (or whoever runs your local DNS) can see every domain you visit, even though the rest of your traffic is encrypted. They don't see what you do on those sites, but the list of domains is often enough to profile your activity. The traffic itself remains encrypted; it's the metadata that leaks.
Can I fix a DNS leak without a VPN?
Partially. You can switch to encrypted DNS (DoH or DoT) using Cloudflare 1.1.1.1, Quad9, or NextDNS; this hides your DNS queries from your ISP and defeats transparent DNS proxies. It doesn't hide your destination IPs (those are still visible in normal packet routing), and the server name in the TLS handshake (SNI) still goes out in the clear unless the site supports Encrypted Client Hello, so your ISP can often still infer which site you're visiting. A VPN closes all of those layers at once.
Does ClownVPN have DNS leak protection?
Yes. Our Android app routes all DNS through the encrypted tunnel and the resolvers we operate. We also block direct DNS to your ISP at the system level while the tunnel is active. We don't currently support IPv6 servers, so we disable IPv6 on the device for the duration of the connection to prevent IPv6 DNS leaks. You can verify by running our DNS leak test while connected.

🎪 Test Your Setup

Run our DNS leak test. Confirm what's actually happening.

🌐 DNS Leak Test