How to Test for DNS Leaks: A Step-by-Step Guide

What a DNS leak is, why it can expose your browsing even with a VPN active, and exactly how to test for and fix DNS leaks on any device.

Enable DNS-over-HTTPS → Guide to Secure Browsing
DNS leak test guide
1What Is a DNS Leak

What Is a DNS Leak and Why It Matters

A DNS leak occurs when your device sends DNS queries outside the encrypted VPN tunnel, exposing the domains you are visiting to your ISP or another network observer even though you believe your traffic is protected by a VPN. DNS leaks typically happen due to misconfigured VPN software, operating system DNS handling quirks, or specific browser DNS settings that bypass the VPN's DNS resolver. The result is that while your IP address may appear to originate from the VPN server, your DNS queries reveal which sites you are actually visiting to your real ISP.

DNS leaks are particularly common on Windows systems, where a feature called Smart Multi-Homed Name Resolution (SMHNR) causes Windows to send DNS queries to all available network interfaces simultaneously and use whichever responds first. When a VPN is active, this means DNS queries may be answered by your ISP's DNS server rather than the VPN's DNS resolver, causing a leak. macOS and iOS are less prone to this issue but are not immune — certain VPN configurations on Apple devices can also result in DNS queries bypassing the VPN tunnel during connection establishment or reconnection.

Browser-level DNS leaks are a distinct issue. When browsers have DNS-over-HTTPS enabled with a specific provider, they may continue sending DNS queries directly to that DoH provider even when a VPN is active, bypassing the VPN's DNS server. Whether this constitutes a "leak" depends on your threat model — if you trust your DoH provider (e.g., Cloudflare) more than your VPN's DNS server, this may actually be preferable. However, if the goal is to have all DNS traffic routed through the VPN, browser-level DoH settings may need to be disabled or configured to use the VPN's own DNS resolver.

  • DNS queries escape the VPN tunnel: Your ISP sees which domains you visit even though your IP is masked by the VPN.
  • Windows SMHNR: A common cause of DNS leaks on Windows — queries sent to all interfaces simultaneously.
  • VPN misconfiguration: Poorly configured VPN clients may not properly route DNS through the tunnel.
  • Browser DoH override: Browser DNS-over-HTTPS settings can bypass the VPN's DNS handling.
  • Reconnection leaks: Brief DNS leaks can occur when a VPN connection drops and reconnects.
  • IPv6 leaks: VPNs that only tunnel IPv4 traffic may allow IPv6 DNS queries to leak to the ISP.
What is a DNS leak
2Running the Test

How to Run a DNS Leak Test Step by Step

Testing for DNS leaks is straightforward using free online tools. The most widely used is dnsleaktest.com, which displays the DNS servers your device Hong Kong?">is using and identifies which ISP or service they belong to. To run the test: first, connect to your VPN and confirm it shows as connected. Then navigate to dnsleaktest.com and click "Extended Test." The extended test sends a larger number of DNS queries to reveal all DNS servers your device uses, including any that may only appear occasionally due to race conditions or load balancing.

Interpret the results as follows: if you see only DNS servers belonging to your VPN provider or your chosen secure DNS provider (Cloudflare, Quad9, NextDNS), there is no DNS leak. If you see servers belonging to your Hong Kong ISP (such as HKT, SmarTone, or CMHK) or any other unexpected provider, your DNS queries are leaking outside the VPN tunnel. Run the test multiple times, including immediately after connecting the VPN and after the VPN has been connected for several minutes, as some leaks only occur during connection establishment.

Additional testing tools include ipleak.net, which tests DNS, IP, and WebRTC leaks simultaneously in a single page, and browserleaks.com/dns, which provides more detailed DNS resolution testing including detection of split tunnelling configurations. For VPN users on mobile devices, the same tests work from your phone's browser — simply connect to your VPN app, then visit these test sites from your mobile browser. Many reputable VPN providers also include their own built-in leak tests accessible from within the app, which can be used for quick self-checks.

  • dnsleaktest.com: The standard DNS leak testing tool — run the Extended Test for comprehensive results.
  • Expected result: Only your VPN provider's or secure DoH provider's DNS servers should appear.
  • Leak indicator: Seeing your HK ISP's DNS servers means your queries are leaking outside the VPN tunnel.
  • ipleak.net: Tests DNS, IP address, and WebRTC leaks together in one comprehensive check.
  • Test multiple times: Run tests immediately after connection and after several minutes to catch intermittent leaks.
  • Mobile testing: Visit test sites from your phone's browser with VPN app active to verify mobile VPN DNS protection.
How to run a DNS leak test
3Fixing DNS Leaks

How to Fix a DNS Leak on Windows, Mac, and Mobile

On Windows, the most effective fix for DNS leaks is to enable the DNS Leak Protection or DNS Kill Switch feature in your VPN client's settings. Most reputable VPN providers (ExpressVPN, NordVPN, Mullvad, ProtonVPN) include this as a configurable option. If your VPN client lacks this feature, you can manually fix Windows SMHNR leaks by disabling Smart Multi-Homed Name Resolution through the Windows Registry or Group Policy — search for "SMHNR DNS leak fix" for the specific registry path. Alternatively, setting your VPN adapter's DNS to your preferred DNS provider and using the highest priority metric ensures Windows queries that DNS server first.

On macOS, DNS leaks are less common but can occur in specific VPN configurations. The recommended fix is to use a VPN client that manages macOS DNS settings directly rather than relying on the system's automatic DNS configuration. Mullvad, ProtonVPN, and ExpressVPN all manage DNS on macOS correctly by default. If using OpenVPN or WireGuard configuration files manually, ensure the DNS push option is properly configured in the client settings. For additional protection, enable DNS-over-HTTPS at the system level using Cloudflare's 1.1.1.1 app, which works alongside the VPN tunnel.

On iOS and Android, reputable VPN apps are generally well-configured to prevent DNS leaks out of the box. If you discover a leak on mobile, the most common fix is to check that the VPN app has permission to modify DNS settings and that "DNS Leak Prevention" is enabled in the app's settings. On Android, enabling "Always-on VPN" and "Block connections without VPN" in the network settings provides the strongest DNS leak protection at the OS level, ensuring that DNS queries can only travel through the VPN tunnel. This setting is accessible in Settings > Network & Internet > VPN on most Android devices.

  • VPN DNS Leak Protection: Enable this setting in your VPN client — available in ExpressVPN, NordVPN, Mullvad, ProtonVPN.
  • Windows SMHNR fix: Disable Smart Multi-Homed Name Resolution via registry edit or Group Policy.
  • Use full-featured VPN clients: Avoid manual OpenVPN/WireGuard configs unless you understand DNS configuration requirements.
  • Android Always-on VPN: Settings > Network > VPN > Block connections without VPN — forces all DNS through the VPN.
  • macOS DNS management: Use VPN clients that handle macOS DNS directly — Mullvad and ProtonVPN do this correctly.
  • Enable IPv6 leak protection: Ensure your VPN client blocks IPv6 traffic or tunnels it alongside IPv4 to prevent IPv6 DNS leaks.
Fixing DNS leaks on all devices
4Permanent Prevention

Preventing DNS Leaks Permanently: Best Practices

The most reliable way to prevent DNS leaks permanently is to use a reputable VPN provider that handles DNS securely by design, combined with DNS-over-HTTPS at the system or browser level. Mullvad VPN is widely regarded as having the most robust DNS leak prevention of any consumer VPN — it uses its own DNS servers, blocks all DNS traffic outside the tunnel at the firewall level, and includes comprehensive IPv6 leak protection. ExpressVPN and ProtonVPN are also strong choices with verified DNS leak protection included in their apps.

DNS-over-HTTPS provides an additional layer of protection even without a VPN. When DoH is enabled in your browser, your DNS queries are encrypted regardless of whether your VPN connection is active, preventing ISP DNS logging even during VPN gaps or on networks where a VPN is not used. Combining a VPN with browser-level DoH provides defence in depth: the VPN tunnels all traffic while DoH ensures DNS queries are encrypted even in the brief window between OS startup and VPN connection establishment.

Periodically re-testing your DNS leak status is a good security habit, particularly after OS updates, VPN app updates, or when changing networks. Running a quick test on dnsleaktest.com takes under a minute and confirms your protection is working as expected. For Hong Kong users who rely on VPN protection for privacy-sensitive activities, adding DNS leak testing to a monthly security checklist — along with checking for VPN app updates and reviewing browser privacy settings — ensures your protection remains effective as the underlying technologies evolve.

  • Choose Mullvad, ExpressVPN, or ProtonVPN: These providers have the strongest verified DNS leak prevention implementations.
  • Layer VPN with DoH: Browser-level DNS-over-HTTPS protects DNS even during VPN connection gaps.
  • Use kill switch: VPN kill switches block internet access when the VPN drops, preventing exposure during reconnection.
  • Test monthly: Run dnsleaktest.com after OS updates and VPN app updates to confirm protection remains intact.
  • Block IPv6 if VPN doesn't tunnel it: Many older VPN configurations only protect IPv4 — ensure IPv6 is blocked or tunnelled.
  • Router-level VPN: Installing VPN on your home router protects all devices and eliminates per-device DNS configuration concerns.
Preventing DNS leaks permanently

Test Your DNS Leak Status Right Now

Visit dnsleaktest.com with your VPN active — then fix any leaks with DNS-over-HTTPS and your VPN's built-in leak protection settings.

Enable DNS-over-HTTPS → Best secure DNS providers

Related VPN Articles

What Is a VPN?

The complete beginners guide to VPN technology.

How Does a VPN Work?

Encryption, IP masking and data tunnelling explained.

VPN Protocols Explained

OpenVPN, WireGuard, IKEv2 - which should you use?

Best VPNs for Hong Kong

Top-rated VPNs tested for HK users.

VPN for Streaming

Unblock Netflix, Disney+ and more from Hong Kong.

VPN on Public WiFi

Why public hotspots are dangerous and how VPN helps.

Free vs Paid VPN

What you sacrifice with a free VPN.

VPN for Gaming

Reduce lag and access geo-locked games.

VPN for Remote Work

Secure your home office connections.