DNS leak test
Check what your browser and connection actually expose — your public IP, network, WebRTC address, and encrypted-DNS reachability. Runs in your browser, stores nothing, and tells you exactly what it can and can't see.
DNS Leak Test
Checks what your browser and connection actually expose — public IP, WebRTC, and encrypted-DNS reachability. Nothing is stored.
Tip: if you use a VPN, run this with the VPN on. Your connection below should show your VPN provider and country — not your home ISP.
What is a DNS leak?
DNS leak
A DNS leak is when your device's DNS lookups reach a resolver outside your intended private path — usually your ISP's resolver instead of your VPN's — so someone can see the sites you visit even though you expected privacy.
People most often care about DNS leaks when using a VPN. The point of the VPN is that nobody between you and the sites you visit — including your internet provider — can watch your activity. But if DNS lookups slip outside the tunnel, your ISP can still log every domain you request, quietly undoing a large part of what the VPN is for.
What this test can and can't detect
We hold this tool to the same honesty as the rest of the site: it reports only what a browser can genuinely measure, and never invents a result. Here's the exact scope.
What it checks
- Your public IP address for this connection, as the sites you visit over it see you.
- Your ISP / network operator and its ASN.
- Your approximate location (country, region, city) from that IP.
- Whether WebRTC exposes a public IP — and if it differs from your connection (a real leak).
- Whether your browser can reach encrypted DNS (DNS-over-HTTPS) at all.
What it can't (from a browser)
- The identity of your recursive DNS resolver — the classic “VPN DNS leak.”
- Whether your DNS queries are travelling through your VPN tunnel or your ISP.
- A transparent DNS proxy silently rewriting your lookups, with certainty.
How to read your results
- Your connection. This is your public IP and the network it belongs to. On a VPN, it should show your VPN provider and chosen country — not your home ISP. If it shows your real ISP, your traffic isn't going through the tunnel at all.
- WebRTC exposure. If you're on a VPN and WebRTC reveals a public IP that differs from the one above, your real address is escaping through WebRTC — a genuine leak worth fixing (an IP leak rather than a DNS one). If you're not on a VPN, a different IP here is normal on mobile and CGNAT networks and isn't a leak.
- Encrypted DNS. If your browser can't reach any encrypted DNS endpoint, a network filter or transparent proxy may be intercepting DNS — a common way lookups end up somewhere you didn't choose.
How to fix a DNS leak
-
Use a VPN with built-in DNS leak protection
A trustworthy VPN routes DNS through its own resolvers inside the encrypted tunnel and blocks queries from escaping to your ISP. Check that “DNS leak protection” (and a kill switch) is enabled in its settings.
-
Turn on encrypted DNS (DoH or DoT)
Encrypted DNS-over-HTTPS or DNS-over-TLS stops others on your network from seeing or rewriting your lookups. Most modern browsers and operating systems support it in their network or privacy settings.
-
Switch to a private resolver
Point your device or router at a resolver that keeps no personal logs. Run our test to find a fast one, then follow a setup guide for your device.
-
Close the WebRTC hole
If the test above flags a WebRTC leak, disable WebRTC or install a WebRTC-blocking extension in your browser, or rely on a VPN that filters WebRTC. This stops your real IP from escaping even when the rest of your traffic is tunnelled.
-
Watch for transparent DNS proxies
Some ISPs and public Wi-Fi networks intercept all DNS on port 53 regardless of your settings. Encrypted DNS (step 2) is the reliable defence, because it can't be silently redirected the way plain DNS can.
DNS leak test — frequently asked questions
What is a DNS leak?
A DNS leak happens when your device sends DNS lookups to a resolver outside your intended private path — typically your ISP's resolver instead of your VPN's — while you believe your browsing is private. Because every site you visit starts with a DNS lookup, a leak lets whoever runs that resolver see your browsing, even over a VPN.
How do I test for a DNS leak?
Run the test at the top of this page with your VPN turned on. It shows your public IP, ISP, and location as the internet sees you, checks whether WebRTC exposes a different public IP, and confirms whether encrypted DNS is reachable. If your connection shows your VPN's provider and country rather than your home ISP, and no WebRTC mismatch appears, the browser-visible signals look clean.
Does this test show which DNS resolver I'm using?
Not the recursive resolver's identity. A browser can't see which resolver your system used — that requires an authoritative test server that logs the resolver's IP when it looks up unique hostnames. We're transparent about this: this test covers the IP, WebRTC, and encrypted-DNS-reachability signals a browser can measure honestly, and never fabricates a resolver result.
What is a WebRTC leak, and how is it different from a DNS leak?
WebRTC is a browser feature for real-time audio and video. It can reveal your real public IP address directly to a site, bypassing a VPN, even if your DNS is perfectly private. That's an IP leak rather than a DNS leak, but it undermines the same goal — staying anonymous — so this test checks for it too.
Does a VPN stop DNS leaks?
A well-configured VPN should route DNS through its own resolvers inside the tunnel, which prevents leaks. But misconfiguration, a dropped connection without a kill switch, IPv6 traffic the VPN doesn't handle, or WebRTC can still leak. Testing with the VPN on is the only way to confirm your specific setup.
Is a DNS leak dangerous?
It won't damage your device, but it's a privacy problem. A leak means your ISP or another party can log which sites you look up despite your VPN, defeating much of the reason you're using one. Fixing it is quick — see the steps above.
Does changing my DNS server prevent leaks?
Switching to a private, encrypted resolver reduces who can see your lookups and is worth doing, but on its own it doesn't guarantee no leaks — your VPN and browser settings matter too. Combine a private encrypted resolver with a leak-protected VPN and WebRTC hardening for the strongest result.