Fexyn

What is DNS

The system that translates domain names like fexyn.com into the IP addresses computers actually use to connect.

DNS, the Domain Name System, is the phonebook of the internet. Computers route packets using IP addresses (104.21.5.42), but humans use names (fexyn.com). DNS does the translation.

When you type fexyn.com into your browser, your computer sends a DNS query to a resolver asking "what's the IP for fexyn.com?", and the resolver answers. Your browser then opens a TCP connection to that IP. Every page load starts with at least one DNS lookup; modern pages often trigger 20-50 across all the third-party domains they pull from.

Why DNS matters for privacy

Standard DNS queries travel in plain text. Anyone on the path between you and the resolver sees the domain name. That includes your ISP, the coffee shop's Wi-Fi router, and any equipment in between.

Even with HTTPS hiding the contents of every page you visit, DNS queries reveal what sites you visited. ISPs log them. Some governments mandate retention. Marketing companies buy them. The TLS SNI field leaks the same information at a different layer, but DNS leaks first.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) encrypt the query so your ISP can't read it. They help — but only if your browser or OS is configured to use them, and only if the resolver itself can be trusted with the data.

How a VPN changes DNS

A properly configured VPN tunnels your DNS queries through the VPN. Your ISP sees one encrypted blob to the VPN server; it can't tell what domain you asked for. The VPN's resolver answers, and the answer comes back through the tunnel.

This only works if every query takes that path. Windows in particular has several side-channels — Smart Multi-Homed Name Resolution, IPv6 fallback, application-level DoH — that can sneak queries past the tunnel. Those are DNS leaks, and they make the VPN partially pointless: your traffic is encrypted, but the destinations you visit still leak.

How to test DNS yourself

Run Fexyn's DNS leak test with the VPN connected. The result should show only resolvers operated by the VPN. If your ISP's name appears anywhere, your DNS is leaking even though the tunnel is up.

Two checks matter:

  • Standard test — single batch of queries, catches consistent leaks.
  • Extended test — repeated queries over time, catches intermittent leaks from race conditions in Windows DNS resolution.

The extended test catches the worst category, which is "passes once, leaks under real load."
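One way to score the two checks from a list of observed resolvers, as an added example that is not Fexyn's own test code. The resolver networks and the sample rounds are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Assumption: networks the VPN's resolvers answer from (constructed documentation ranges).
VPN_RESOLVER_NETS = [ipaddress.ip_network(n)
                     for n in ("198.51.100.0/24", "2001:db8:53::/48")]

def is_vpn_resolver(addr):
    """True if the observed resolver address belongs to the VPN's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPN_RESOLVER_NETS)

def evaluate_leak_test(rounds):
    """Score a leak test. `rounds` is a list of query batches; each batch is the
    list of resolver IPs the test server saw for that batch. Round 0 alone is the
    standard test; all rounds together are the extended test."""
    if not rounds:
        raise ValueError("need at least one round of observations")
    foreign = {}            # non-VPN resolver -> rounds in which it appeared
    leaking_rounds = set()
    for i, seen in enumerate(rounds):
        for addr in seen:
            if not is_vpn_resolver(addr):
                foreign.setdefault(addr, []).append(i)
                leaking_rounds.add(i)
    if not leaking_rounds:
        verdict = "clean"
    elif len(leaking_rounds) == len(rounds):
        verdict = "consistent leak"      # visible to a single-batch test
    else:
        verdict = "intermittent leak"    # only visible when queries are repeated
    return {"standard_pass": 0 not in leaking_rounds,
            "verdict": verdict,
            "foreign": foreign}

# Constructed sample observations (not real measurements).
CLEAN = [["198.51.100.10"], ["198.51.100.10", "2001:db8:53::1"]]
CONSISTENT = [["198.51.100.10", "203.0.113.53"], ["203.0.113.53"]]
INTERMITTENT = [["198.51.100.10"], ["198.51.100.10"],
                ["198.51.100.10", "203.0.113.53"], ["198.51.100.11"]]

if __name__ == "__main__":
    for name, rounds in (("clean", CLEAN), ("consistent", CONSISTENT),
                         ("intermittent", INTERMITTENT)):
        print(name, evaluate_leak_test(rounds))
```

The intermittent sample passes the standard check on round 0 and still fails the extended one, which is the "passes once, leaks under real load" case.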

What this means in practice

DNS is the layer most VPN providers either get right or fail at silently. The tunnel can be perfect and DNS can still leak through OS-level shortcuts. Fexyn locks DNS resolution to the tunnel via NRPT (Name Resolution Policy Table) rules at the OS level, plus per-protocol DNS configuration, plus IPv6 null-routing while the tunnel is up, which closes the standard leak paths.

Try Fexyn free for 7 days and verify with the leak test on your own connection.

Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.