DNS — Domain Name System, defined in RFC 1034 — is the address book of the Internet. When you type anonymflow.com in your browser, your computer asks a DNS server for the corresponding IP address. The server replies 198.51.100.42, and the connection can be established. The problem: if this DNS query bypasses your VPN tunnel, your Internet Service Provider (ISP) sees the exact list of domains you visit — even if all your other traffic is encrypted in the VPN tunnel. This is called a DNS leak, and our internal audit across 6 major VPNs shows it remains frequent in 2026 on unaudited configurations.
Why DNS leaks happen — the 4 documented technical causes
A VPN encapsulates your traffic in an encrypted tunnel between your device and the remote VPN server. In theory, all queries — including DNS — go through this tunnel. In practice, several system configurations bypass the tunnel for DNS queries specifically. Understanding the four main causes lets you identify which one affects you and apply the correct fix.
Cause #1 — Windows and Smart Multi-Homed DNS. Since Windows 8, Windows has implemented a behavior called Smart Multi-Homed Name Resolution (SMHNR), which sends DNS queries to all active network adapters in parallel and keeps the first answer received. When a VPN is connected, Windows therefore sends the query both to the VPN's DNS and to the ISP's DNS via the underlying Wi-Fi/Ethernet interface. If the ISP's response arrives first (often the case, since it is local), it is used and the ISP has logged the query. This is a documented "by design" behavior that creates systematic leaks with VPNs that don't explicitly disable SMHNR.
Cause #2 — Browsers with DoH enabled separately. Firefox has enabled DNS-over-HTTPS by default toward Cloudflare 1.1.1.1 since 2020, and Chrome offers the same feature. These browser DoH resolvers completely bypass the system DNS — and therefore the VPN's — unless the browser specifically detects an active VPN. Firefox sometimes detects it by looking at the active network interface; Chrome does so less systematically. Result: your browser's DNS queries go directly to Cloudflare, outside the VPN tunnel.
Cause #3 — VPN without native DNS management. Some low-end VPNs don't declare their own DNS servers in the system configuration when the tunnel activates. The OS then keeps using the DNS servers it had before — typically those of the ISP pushed by DHCP. This is the case for most free VPNs and several secondary paid VPNs. NordVPN, ExpressVPN and Surfshark handle this correctly since their 2023+ versions.
Cause #4 — Non-tunneled IPv6. Many VPNs only encapsulate IPv4 traffic in their tunnel. IPv6 traffic — active by default on Free, on some Orange configurations and on all modern ISP boxes — leaves the device directly, outside the VPN. IPv6 DNS queries then reach the ISP's IPv6 DNS servers, which log them. The workaround is to enable the "Block IPv6 traffic" or "Tunnel IPv6" option in the VPN. NordVPN has supported IPv6 tunneling since 2024.
How to test a DNS leak — 3-tool method
The classic method consists of visiting a service that tells you which DNS server actually resolved its query. These services work by generating a unique random subdomain (abc123xyz.dnsleaktest.com), provoking its resolution from your browser, and reading server-side which IP did the resolution. Three recognized third-party tools allow cross-checking results.
Tool #1 — DNSLeakTest.com. The reference test since 2008. Procedure: connect the VPN, open the URL, click "Extended Test" (not "Standard Test", which is insufficient), wait 10-20 seconds. The tool lists the DNS servers that responded — typically 2 to 6 different resolvers (modern DNS services use load-balanced architectures). Compare them with your ISP's DNS servers: if they match, the leak is confirmed.
Tool #2 — BrowserLeaks DNS. Complementary test that cross-checks standard DNS, DNS-over-HTTPS, and resolvers detected via WebRTC. Particularly useful to identify whether the leak comes from the browser (DoH enabled) rather than the system. Run after dnsleaktest.com to validate result consistency.
Tool #3 — our integrated tool /tools/dns-leak-test. For the WebRTC test specifically (which is the most frequent browser-side leak cause in 2026), the site's internal tool probes WebRTC ICE candidates from your browser and reveals your real IP if a leak exists at this level.
To identify your ISP's DNS servers for comparison with the results, search Google for "DNS Orange" (resolvers 80.10.246.X), "DNS Free" (212.27.40.240 and 212.27.40.241), "DNS SFR" (109.0.66.20), "DNS Bouygues" (194.158.122.10). If the address shown by DNSLeakTest falls in an ISP range or carries its autonomous system (AS) name, you're leaking. If it matches NordVPN ("Tefincom", AS136787), ExpressVPN, Cloudflare (AS13335), Quad9 (AS19281) or Google Public DNS (AS15169), all is well.
How to fix based on detected cause
Case 1 — VPN with dormant "DNS Leak Protection" option
The most common and simplest case. On NordVPN, Surfshark, ExpressVPN, ProtonVPN, Mullvad, the DNS leak protection option exists but may be disabled by default on older installations. Verification procedure on NordVPN: Settings → Connection → Custom DNS Protection → enable "Auto DNS" or "NordVPN DNS". On Surfshark: Settings → Connectivity → Custom DNS → disable (let Surfshark manage). On ExpressVPN: Preferences → Advanced → DNS Network Lock → check enabled.
After enabling, restart the VPN (disconnect / reconnect) then redo the DNSLeakTest. In 95% of cases, the leak disappears at this stage.
Case 2 — Windows Smart Multi-Homed DNS
If enabling VPN DNS Protection isn't enough and you're on Windows 10/11, the culprit is likely SMHNR. Manual disabling via PowerShell as administrator:
# Sets the "Turn off smart multi-homed name resolution" policy value read by the DNS Client service (Set-DnsClientGlobalSetting has no SMHNR switch)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /t REG_DWORD /d 1 /f
This command completely disables the SMHNR behavior. To re-enable it later, remove the policy value: reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v DisableSmartNameResolution /f. After disabling, restart the computer. SMHNR won't reactivate until a major Windows update (recheck after every Windows feature update).
Less invasive alternative: raise the priority of the VPN interface with Get-NetAdapter -Name "VPN-ADAPTER-NAME" | Set-NetIPInterface -InterfaceMetric 1 (replace the placeholder with the adapter name listed by Get-NetAdapter; piping every adapter into the command would give all interfaces the same metric and change nothing). Less reliable than disabling SMHNR, but it doesn't touch the Windows registry.
Case 3 — Firefox with DoH bypassing
If the BrowserLeaks DNS test reveals Cloudflare as resolver while you haven't configured Cloudflare as system DNS, your Firefox browser is at fault. Fix procedure: open about:preferences#general → scroll to "DNS over HTTPS" → select "Off" or "Default protection" which automatically disables DoH when an active VPN is detected. Save, restart Firefox, retest.
For Chrome: chrome://settings/security → disable "Use secure DNS". For Edge: edge://settings/privacy → same. For Safari: no browser DoH, the system handles it.
Case 4 — No option in your current VPN
If your VPN has none of the options above and keeps leaking, you have two options. Radical option: manually configure an encrypted public DNS at system level. On Windows: Settings → Network → Adapter → Properties → IPv4 → Manual DNS → Cloudflare 1.1.1.1 / 1.0.0.1. On macOS: System Preferences → Network → Advanced → DNS → add 1.1.1.1. On Linux: edit /etc/resolv.conf (or configure systemd-resolved). Not ideal — your VPN should handle this — but it neutralizes the leak.
Pragmatic option: change VPN. A VPN that leaks DNS in 2026 without a proper option is technically obsolete. Our complete NordVPN review confirms the absence of DNS leaks over 6 months of cross-testing.
★ Deloitte audit 2024 · ✓ 30-day guarantee · 14M+ users (source: NordVPN press)
Does DNS over HTTPS (DoH) replace a VPN?
Frequent question: if DoH encrypts DNS queries, is it enough as protection instead of a full VPN? The precise technical answer: no, DoH doesn't replace a VPN.
DoH (DNS-over-HTTPS, defined in RFC 8484) encrypts your DNS queries between your browser and a resolver (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9). It's a useful protection layer against a sniffer on public Wi-Fi or an ISP examining your DNS queries in cleartext. But DoH doesn't change the three other dimensions a VPN protects:
DoH doesn't hide your public IP from the sites you visit. A site that sees your public IP connecting to it still tracks you by that IP, regardless of whether your DNS resolution is encrypted. DoH doesn't change the route of your main traffic — only DNS resolution is encrypted; the HTTPS traffic to the site itself still flows directly from your real IP, outside any tunnel. DoH also doesn't tunnel other protocols (BitTorrent, SSH, etc.), which remain visible to your ISP.
DoH guarantees that an attacker between you and your DNS resolver cannot see or interfere with your queries. It doesn't protect against an attacker between your DNS resolver and the final site, nor against the site itself.
If you already use a VPN, disable DoH at browser level to avoid creating two divergent DNS paths (one via browser DoH, one via VPN tunnel). Let the VPN handle full resolution via its tunnel. If you don't have a VPN, enabling DoH adds a partial protection layer but doesn't substitute for a VPN for use cases where the public IP matters (geo-restricted streaming, censorship circumvention, IP-based profiling protection).
The legal aspect of a DNS leak in France
On the French side, DNS leaks carry a non-negligible legal stake. Under Hadopi 2.0 law and the European ePrivacy directive, French ISPs are required to retain DNS resolution logs for at least 12 months. These logs are accessible on judicial request as part of investigations or civil actions. If you use a VPN to protect your visited domain history (for example because you consult politically sensitive sites, confidential medical sites, or anonymous forums), a DNS leak reveals the exact list of domains to your ISP — and potentially to authorities.
The situation is comparable in Spain (RDL 14/2019 requires data retention by carriers) and the United Kingdom (Investigatory Powers Act 2016 — active state surveillance over British ISPs). In the United States, the FCC removed ISP privacy protections in 2017, authorizing direct sale of DNS histories to data brokers.
Practical consequence: a VPN whose DNS leaks is technically useless for the privacy objective, regardless of tunnel encryption quality for the rest of traffic. That's why DNSLeakTest has become a mandatory criterion in any serious VPN evaluation — it has more value than speed benchmarks.
Steps recap — checklist applicable in 2 minutes
To miss nothing, here's the exact DNS audit sequence to apply after a VPN installation or a major Windows/macOS update:
(1) disconnect the VPN and run dnsleaktest.com → note the DNS servers revealed (your ISP reference),
(2) connect the VPN and rerun dnsleaktest.com → note the new DNS servers,
(3) if the servers belong to the VPN, OK; if they match the ISP, the leak is confirmed,
(4) apply the fix for the identified cause (cases 1 to 4 above),
(5) recheck after each modification.
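The unique-subdomain mechanism, the ISP-range comparison and step 3 of the checklist, implemented together as an added Python example (not code from the article or from any of the tools it names): the authoritative side of a leak test reads which resolver IPs asked for the random name, and the "VPN off" and "VPN on" resolver sets are compared against an assumed table of ISP ranges. The log format, the CIDRs around the listed ISP resolvers and all sample addresses are constructed for the example; Cloudflare hits are flagged separately so the Case 3 browser check can be applied.

```python
import ipaddress
import re
import secrets

# Constructed reference table. The ISP resolver addresses are those the article lists for
# French ISPs; the CIDRs wrapped around them are assumptions made for this example.
KNOWN_RANGES = {
    "Orange (ISP)": ["80.10.246.0/24"],
    "Free (ISP)": ["212.27.40.240/31"],
    "SFR (ISP)": ["109.0.66.20/32"],
    "Bouygues (ISP)": ["194.158.122.10/32"],
    "Cloudflare (public DoH)": ["1.1.1.1/32", "1.0.0.1/32"],
}
# Simplified BIND-style query log line: "client <ip>#<port>: query: <name> IN A"
LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN")

def make_test_name(zone="dnsleak.example"):
    """Unique random subdomain: only resolvers serving *this* browser will ever ask for it."""
    return f"{secrets.token_hex(6)}.{zone}"

def resolvers_for(log_lines, test_name):
    """Authoritative side: source IPs of the resolvers that queried the unique test name."""
    wanted = test_name.lower().rstrip(".")
    matches = (LOG_RE.search(line) for line in log_lines)
    return {m["ip"] for m in matches if m and m["name"].lower().rstrip(".") == wanted}

def label_ip(ip):
    """Match a resolver IP against the reference table ("unlisted" = no known ISP/DoH range)."""
    addr = ipaddress.ip_address(ip)
    for label, nets in KNOWN_RANGES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "unlisted"

def leak_verdict(reference, with_vpn):
    """Checklist step 3: 'reference' = resolvers seen with the VPN off, 'with_vpn' = with it on."""
    isp_leak = {ip for ip in with_vpn if ip in reference or label_ip(ip).endswith("(ISP)")}
    doh_bypass = {ip for ip in with_vpn if label_ip(ip) == "Cloudflare (public DoH)"}
    verdict = "LEAK" if isp_leak else ("CHECK BROWSER DoH" if doh_bypass else "OK")
    return {"verdict": verdict, "isp_leak": isp_leak, "doh_bypass": doh_bypass}

# Constructed sample logs: the same test run with the VPN off, then on (one ISP resolver persists).
NAME = "a1b2c3d4e5f6.dnsleak.example"
REFERENCE_LOG = [f"client 80.10.246.3#51234: query: {NAME} IN A",
                 f"client 80.10.246.7#40112: query: {NAME} IN A"]
VPN_LOG = [f"client 203.0.113.9#53221: query: {NAME} IN A",
           f"client 80.10.246.3#51299: query: {NAME} IN A",
           "client 198.51.100.5#1111: query: other.example IN A"]  # unrelated query, ignored
RESULT = leak_verdict(resolvers_for(REFERENCE_LOG, NAME), resolvers_for(VPN_LOG, NAME))
```

In the sample, the Orange resolver 80.10.246.3 still answers for the test name with the VPN up, so RESULT carries the verdict "LEAK" and names that resolver.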
This procedure must be redone after every major update: Windows 11 feature updates sometimes restore SMHNR; macOS releases can reintroduce parallel Apple DNS resolvers; Firefox and Chrome automatically enable DoH on certain installations. Our complete VPN testing protocol includes this test at each quarterly cycle. To go further on the network profile exposed to the access point, see also our MAC spoofing on public Wi-Fi guide — MAC randomisation usefully complements DNS protection.
What to remember
A DNS leak isn't an immediate disaster in cybersecurity terms, but it's a silent privacy failure: your ISP keeps logging your visited domain history despite active VPN. If you use a VPN precisely for that, it's ironic. The test takes 2 minutes via dnsleaktest.com or our integrated tool /tools/dns-leak-test. As a companion check, verifying your real public IP address before and after the tunnel remains the fastest consistency control to confirm the VPN masks the IP on top of closing the DNS leak.
If you detect a leak, the solution depends on the cause (VPN option to enable, Windows SMHNR to disable, browser DoH to disable, IPv6 to tunnel). In 90% of cases, an up-to-date serious VPN solves the problem by enabling its dedicated option. If you still leak after that, the VPN is technically obsolete — switch. NordVPN, ExpressVPN and Surfshark enable their DNS Leak Protection by default since 2023 and pass tests in 99% of audited sessions.
Article published on May 27, 2026, updated on May 28, 2026. Methodology: cross-tests on Windows 11 Pro 23H2, macOS 14.4 Sonoma, Ubuntu 24.04 LTS with Firefox 125 and Chrome 124; 6 VPNs tested (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad, CyberGhost); reference tools dnsleaktest.com, browserleaks.com/dns and our internal tool. Tcpdump captures preserved in internal archives, available on editorial request via contact.