
How DNS leaks actually work (and how to fix them)

Fexyn Team · 8 min read

A DNS leak is when your DNS queries — the lookups that translate domain names into IP addresses — go to a DNS server other than the one your VPN routes you through. The result: even though your VPN is active, the entity controlling that DNS server (typically your ISP) can see every domain you visit.

DNS leaks are common. They happen even with reputable VPN clients, often invisibly to the user, and can completely undermine the privacy benefit of a VPN. Here is the technical version of why they happen and how to fix them.

What DNS does and why it matters

When you type example.com, your computer asks a DNS server for the IP address. The DNS query is plaintext (with rare exceptions covered below). Whoever serves your DNS sees the domain you are trying to reach.

Without a VPN, DNS queries typically go to your ISP's DNS server. Your ISP sees every domain you look up — often the most privacy-sensitive metadata about your internet activity.

With a VPN active and configured correctly, DNS queries should route through the VPN tunnel and resolve at the VPN provider's DNS server. Your ISP sees an encrypted tunnel to the VPN provider; they cannot see what domains you are looking up.

DNS leaks happen when something causes some queries to bypass the VPN tunnel and go to a different resolver — usually your ISP's. The ISP gets the same visibility as if the VPN were not there.

How DNS leaks happen

Several technical mechanisms:

1. Windows SMHNR (Smart Multi-Homed Name Resolution). Windows has a feature where it sends DNS queries to multiple network interfaces in parallel and uses whichever responds first. If you have a VPN active and a regular network interface, Windows may send DNS queries to BOTH simultaneously. The ISP's DNS responds first because it is closer; Windows uses that answer. The VPN's DNS sees the same query but provides a redundant answer. The ISP has seen the query.

This is the most common cause of DNS leaks on Windows. SMHNR is on by default. VPN clients have to actively disable it, ideally at the WFP (Windows Filtering Platform) level.

2. IPv6 DNS leaks. Many VPN clients tunnel IPv4 traffic but do not handle IPv6 properly. If your network supports IPv6 and your VPN does not tunnel IPv6, IPv6 DNS queries go to the ISP. Your IPv4 traffic is private; your IPv6 DNS leaks the same domain information.

3. NRPT (Name Resolution Policy Table). A Windows feature that sends queries for specific domain suffixes to specific DNS servers. Some VPN clients use NRPT rules to steer DNS queries into the tunnel; if the rules do not cover every query, the uncovered queries fall back to the adapter's default resolver and leak.

4. Cached DNS records. Your OS maintains a DNS cache. When you connect to a VPN, the cache still contains entries from before the VPN connected. Subsequent queries for those cached domains do not generate new lookups; the OS uses the cached response. The cache itself is not a leak, but the timing matters: if you visited a site before connecting the VPN, that lookup was already visible to the ISP.

5. Application-level DNS. Some applications (Chrome, or Firefox with DoH enabled) do their own DNS lookups that bypass the OS resolver. If the application's DNS takes a different path than the OS resolver, it may leak.

6. WebRTC IP leaks (related but different). WebRTC enables peer-to-peer connections in browsers. WebRTC can reveal your real IP through STUN/TURN even when traffic is VPN-routed. Not strictly a DNS leak but commonly conflated.

Detecting DNS leaks

The standard test:

  1. Connect your VPN
  2. Visit a DNS leak test site (Fexyn's tool at /tools/dns-leak-test or third-party tools like dnsleaktest.com)
  3. Run the extended test
  4. Check the resolvers shown in the result

If every resolver shown belongs to your VPN provider, there is no leak. If any resolver belongs to your ISP, your operating system vendor's DNS provider, or any party other than your VPN, you have a leak.

For IPv6 leaks specifically, ensure the test covers IPv6 (some older tools only check IPv4). Fexyn's tool covers both.
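The web test above shows what the outside world sees. As an added example (not code from the Fexyn post or the Fexyn product), the PowerShell audit below is a read-only local check of the leak vectors listed earlier on a Windows host: the SMHNR policy value, resolvers configured on non-tunnel adapters, IPv6 bindings on physical adapters, and a stale resolver cache. The VPN adapter alias "Fexyn" and the in-tunnel resolver 10.64.0.1 are assumptions; substitute the values your client uses.

```powershell
# Added example, not part of the original post. Read-only audit of local DNS leak vectors.
# Assumptions (labelled): $VpnAlias is the VPN tunnel adapter's alias (hypothetical "Fexyn"),
# $VpnDns lists the resolver(s) the VPN pushes into the tunnel (constructed value 10.64.0.1).
# Run in an elevated PowerShell prompt while the VPN is connected.

$VpnAlias = 'Fexyn'          # assumption: adapter alias of the VPN tunnel
$VpnDns   = @('10.64.0.1')   # assumption: in-tunnel resolver(s)
$Findings = @()

# 1. SMHNR: the policy value Group Policy writes when "Turn off smart multi-homed name
#    resolution" is enabled. Anything other than 1 means parallel queries are possible.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Smhnr = Get-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if (-not $Smhnr -or $Smhnr.DisableSmartNameResolution -ne 1) {
    $Findings += 'SMHNR is enabled (DisableSmartNameResolution is not 1): queries can race to the ISP resolver.'
}

# 2. Tunnel state and per-interface resolvers. A resolver configured on a connected non-tunnel
#    adapter is a candidate leak path. Note the caveat: a modern client leaves the DHCP-assigned
#    resolver in place and blocks it with WFP rules instead of removing it, so treat this as
#    "needs confirming with the web test", not as proof of a leak.
$Tunnel = Get-NetAdapter -Name $VpnAlias -ErrorAction SilentlyContinue
if (-not $Tunnel -or $Tunnel.Status -ne 'Up') {
    $Findings += "VPN adapter '$VpnAlias' is not up; nothing is being tunnelled."
}
foreach ($Adapter in Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $VpnAlias }) {
    foreach ($Family in 'IPv4', 'IPv6') {
        $Servers = (Get-DnsClientServerAddress -InterfaceAlias $Adapter.Name -AddressFamily $Family).ServerAddresses
        foreach ($Server in $Servers) {
            if ($Server -notin $VpnDns) {
                $Findings += "$($Adapter.Name) has $Family resolver $Server outside the tunnel (candidate leak path)."
            }
        }
    }
}

# 3. IPv6: a physical adapter with IPv6 bound and a routable (non-link-local) address can carry
#    AAAA lookups, and all IPv6 traffic, around an IPv4-only tunnel.
foreach ($Adapter in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
    $Bound  = (Get-NetAdapterBinding -Name $Adapter.Name -ComponentID ms_tcpip6).Enabled
    $Global = Get-NetIPAddress -InterfaceAlias $Adapter.Name -AddressFamily IPv6 -ErrorAction SilentlyContinue |
              Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80*' }
    if ($Bound -and $Global) {
        $Findings += "$($Adapter.Name) has IPv6 bound with a routable address: IPv6 queries may bypass the tunnel."
    }
}

# 4. Stale cache: records resolved before the tunnel came up stay until their TTL expires.
$Cached = (Get-DnsClientCache -ErrorAction SilentlyContinue | Measure-Object).Count
if ($Cached -gt 0) {
    $Findings += "$Cached cached DNS records present; run Clear-DnsClientCache after connecting."
}

if ($Findings.Count -eq 0) { 'No local leak vectors found.' } else { $Findings }
```

The script only reads configuration and changes nothing; its findings are the questions to take to the web test rather than a verdict on their own, because a correctly protected client still shows the ISP resolver on the physical adapter while blocking it in WFP.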

Fixing DNS leaks

The actual fixes, by type of VPN client:

Modern VPN clients (Fexyn, ProtonVPN, Mullvad, NordVPN, ExpressVPN). These actively prevent DNS leaks via:

  • WFP filters that block DNS queries on non-tunnel interfaces
  • Disabling SMHNR through the Windows registry (the Group Policy setting) or NRPT configuration
  • IPv6 leak protection (block IPv6 entirely or tunnel it)
  • Forcing all DNS queries through the VPN's resolvers

If you are using one of these clients and still seeing leaks, something is broken — file a support ticket. The leak should not happen.

Older or simpler VPN clients. These often lack one or more of the protections above. The user-side fixes:

  • Manually configure your network adapter's DNS to a privacy-respecting resolver (Cloudflare 1.1.1.1, Quad9 9.9.9.9) instead of automatic
  • Disable IPv6 on your network adapter entirely if your VPN does not handle it
  • Use the OS firewall to block DNS queries to anywhere except your VPN's DNS server

Application-level DNS. Browsers with DoH enabled bypass the OS resolver. Disable DoH if you want all DNS to go through the VPN, or point the browser's DoH setting at your VPN provider's DoH endpoint if one is available.
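The three user-side bullets for older clients, plus the SMHNR switch mentioned under modern clients, can be applied by hand with built-in Windows cmdlets. The script below is an added example, not Fexyn's code or the method of any particular VPN client; the tunnel adapter alias "Fexyn", the in-tunnel resolver 10.64.0.1, and the default outbound firewall policy of Allow are assumptions.

```powershell
# Added example, not part of the original post. Manual leak hardening for a VPN client that
# lacks its own protection. Assumptions (labelled): $VpnAlias is the tunnel adapter alias
# (hypothetical "Fexyn"), $VpnDns is the VPN's in-tunnel resolver (constructed 10.64.0.1),
# the firewall's default outbound action is Allow. Run elevated. Undo steps are at the end.

$VpnAlias   = 'Fexyn'
$VpnDns     = '10.64.0.1'
$LanAliases = (Get-NetAdapter -Physical).Name   # the physical adapters to harden

# 1. Static, privacy-respecting resolvers on the physical adapters instead of the DHCP-assigned
#    ISP resolver (Cloudflare's pair here; Quad9 9.9.9.9 works the same way). This matters when
#    the DNS block rules below are disabled, e.g. when you deliberately run without the VPN.
foreach ($Alias in $LanAliases) {
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses '1.1.1.1', '1.0.0.1'
}
# Pin the tunnel adapter to the VPN's resolver so in-tunnel queries go nowhere else.
Set-DnsClientServerAddress -InterfaceAlias $VpnAlias -ServerAddresses $VpnDns

# 2. Unbind IPv6 from the physical adapters so AAAA lookups and IPv6 traffic cannot route
#    around an IPv4-only tunnel.
foreach ($Alias in $LanAliases) {
    Disable-NetAdapterBinding -Name $Alias -ComponentID ms_tcpip6
}

# 3. Firewall: block DNS (UDP and TCP 53) leaving any physical adapter. Windows Firewall has
#    no "block everything except this address" rule and block rules beat allow rules, so the
#    block is scoped by interface: the tunnel adapter is left alone and its resolver was
#    pinned in step 1. Both rules share a group so they can be disabled or removed together.
$Group = 'DNS leak guard (manual)'
foreach ($Proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block DNS on LAN adapters ($Proto)" -Group $Group `
        -Direction Outbound -Protocol $Proto -RemotePort 53 `
        -InterfaceAlias $LanAliases -Action Block | Out-Null
}

# 4. Turn off SMHNR via the policy value Group Policy writes, so the resolver stops racing
#    queries across interfaces. Assumption: a reboot is the safe way to make it take effect.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution -Value 1 -Type DWord

# 5. Drop any records resolved before the tunnel came up.
Clear-DnsClientCache

# Undo, if needed:
#   Remove-NetFirewallRule -Group $Group
#   foreach ($Alias in $LanAliases) { Enable-NetAdapterBinding -Name $Alias -ComponentID ms_tcpip6 }
#   foreach ($Alias in $LanAliases) { Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses }
#   Remove-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution
```

With the block rules active, name resolution on the physical adapters stops entirely whenever the tunnel is down, which is the kill-switch behaviour the bullet asks for; use Disable-NetFirewallRule -Group on the rule group when you intentionally go without the VPN.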

How Fexyn prevents DNS leaks

Several layers:

1. WFP filters block DNS outside the tunnel. When the VPN tunnel is up, our WFP rules block UDP port 53 to anywhere except the VPN's DNS server. Even Windows SMHNR cannot leak, because the rules apply at the kernel level, below the resolver. A port-53 filter covers conventional DNS; browser DoH travels over port 443 and remains the application-level case described above.

2. SMHNR explicitly disabled. Our installer sets the registry entry that controls SMHNR. SMHNR is re-enabled when you uninstall.

3. IPv6 handled. Either tunnelled (when the user's VPN configuration supports it) or blocked (when the configuration is IPv4-only). Either way, no plaintext IPv6 queries leak.

4. Tunnel-internal DNS. All DNS queries inside the tunnel resolve at our DNS servers, not at any external resolver.

5. Boot-time persistence (optional). WFP rules persist across reboots, so DNS does not leak even during the boot window before the VPN client starts.

DoH and DoT — encrypted DNS

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are protocols that encrypt DNS queries between your client and the resolver. They are useful in two scenarios:

Without VPN. Encrypted DNS prevents your ISP from seeing the content of your DNS queries. The resolver still sees them, so you have shifted trust from the ISP to the resolver operator, and the ISP still sees connection-level metadata (which resolver you are using, when, and how often). Cloudflare 1.1.1.1 with DoH is a common configuration. This is mostly useful if you want some DNS privacy without the VPN overhead.

With VPN. Belt-and-suspenders. The VPN already encrypts the tunnel; DoH inside the tunnel adds a second layer of encryption so that the queries are not readable in the clear by the VPN provider and cannot be recovered from provider-side logs in case of compromise. Most users do not need this layered approach.

For users who want maximum DNS privacy: VPN + DoH inside the tunnel + a no-logs VPN provider that uses encrypted upstream DNS. This stacks privacy layers; it is not necessary for most users.

Frequently asked

How do I know if my VPN leaks DNS?

Run a DNS leak test (Fexyn's at /tools/dns-leak-test or a third-party tool). If the resolvers shown belong to your VPN provider, there is no leak. If anything else appears, you have a leak.

Why does my VPN leak DNS?

The most common cause is Windows SMHNR sending queries to multiple interfaces. Less common causes: an IPv6 leak, application-level DNS, or a misconfigured VPN client.

Will a DNS leak give my ISP my browsing history?

Yes for the leaked queries. ISPs see the domain names you look up. A DNS leak gives them the same visibility they would have without a VPN.

Is encrypted DNS enough by itself?

Encrypted DNS hides DNS content from your ISP. It does not encrypt your other traffic. Your ISP still sees the destination IP of every connection, and often the hostname as well through the SNI field of the TLS handshake. A VPN is a stronger overall privacy tool.

Should I use my router's DNS settings?

If your router can be configured to use a privacy-respecting DNS (Cloudflare, Quad9), yes. This applies to all devices on your network. It works best combined with a VPN on each device, which also encrypts the traffic itself.

Does Fexyn use its own DNS or third-party?

Fexyn uses its own DNS resolvers inside the tunnel. The resolvers themselves do not log queries. We do not currently use upstream encrypted DNS (DoH/DoT to upstream); the resolution is direct to root and TLD servers from our resolvers.


Try Fexyn free for 7 days — WFP-based DNS leak prevention, IPv6 leak protection, kernel-level kill switch. Test for DNS leaks at our DNS leak test tool. Kill switch explained covers the WFP architecture.

Last reviewed 2026-05-09.
