Glossary
What is a DNS leak
When DNS queries bypass the VPN tunnel and reach your ISP, exposing the sites you visit even though traffic itself is encrypted.
A DNS leak is when your VPN is connected, your traffic is encrypted, but your DNS queries bypass the tunnel and reach your ISP anyway. The VPN looks fine. Your ISP still sees the domains you visit. Most users never notice.
The mechanism: the VPN tunnels packets to its server, but DNS lookups happen at a different layer of the OS. If that layer isn't locked to the tunnel, queries leak through whatever DNS resolver Windows or your router has configured — usually your ISP's.
The four common leak paths
1. Smart Multi-Homed Name Resolution (SMHNR)
Windows 8 introduced SMHNR. It sends DNS queries simultaneously to every available DNS server and uses whichever response comes back first. With a VPN connected, that means queries go to both the VPN's resolver and your ISP's resolver in parallel. Your ISP sees them regardless of who wins the race.
Windows 10 changed this slightly to prefer the VPN tunnel, but the behaviour depends on adapter metric ordering and Network Connectivity Status Indicator (NCSI). Leaks are intermittent: a test can pass once and the same machine can leak under real load.
2. IPv6 fall-through
Most VPN protocols only tunnel IPv4. If your ISP gives you IPv6 and your machine prefers IPv6, DNS queries take the IPv6 path. They go out your real interface, hit your ISP's IPv6 DNS, and your ISP sees them.
3. Browser DNS-over-HTTPS
Chrome, Firefox, Edge, and Brave can do DNS-over-HTTPS to a public resolver. When DoH is on, the browser bypasses the system DNS layer entirely. Whether this is a "leak" depends on your threat model — DoH to Cloudflare is more private than your ISP, but if you wanted everything to go through the VPN, DoH disrupts that.
4. Application-level resolvers
Some apps embed their own DNS (Tailscale, Cloudflare WARP, certain corporate VPNs). They install competing system rules that fight with the VPN's. Multiple VPNs running simultaneously almost always leak.
How to test
Use Fexyn's DNS leak test with the VPN connected. The result should show only the VPN provider's resolvers. If your ISP's name appears, you have a leak.
Two checks:
- Standard test — single query batch, catches consistent leaks.
- Extended test — six rounds spread over time, catches intermittent leaks.
Run both. The extended test is the one that catches the worst category: works once, leaks under real-world load.
What an attacker or ISP gets
For each leaked query: the domain, timestamp, and a long-term picture of your browsing pattern. Even with the encrypted tunnel hiding everything else, the destinations are enough to identify behaviour. ISPs in countries with mandatory retention (UK Investigatory Powers Act, France's Loi Renseignement, Russia's SORM) keep these as long-term records.
How Fexyn closes the leaks
Layered defence:
- NRPT (Name Resolution Policy Table) rules at the OS level force every domain through the VPN's resolver, overriding SMHNR.
- Per-protocol DNS — WireGuard, VLESS Reality, and OpenVPN each route DNS through the tunnel.
- IPv6 null-routing while the tunnel is up.
- WFP (Windows Filtering Platform) kill switch — if the tunnel drops, no DNS escapes either.
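To check a Windows machine for the leak paths listed above and for the NRPT catch-all rule the defence relies on, here is an added audit script (not Fexyn's code). It assumes the VPN adapter's interface alias is passed as a parameter and that the session is elevated; browser DoH is not checked because it lives inside each browser, not in the OS.

```powershell
# Added example, not Fexyn's code: audit a Windows machine for the DNS leak
# conditions this page describes, with the VPN connected.
# Assumes the VPN adapter's interface alias is passed in (e.g. "WireGuard");
# run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)] [string] $VpnAdapter
)

$findings = @()

# 1. SMHNR: the Group Policy "Turn off smart multi-homed name resolution"
#    sets this value to 1; absent or 0 means parallel queries are allowed.
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
        -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if (-not $pol -or $pol.DisableSmartNameResolution -ne 1) {
    $findings += 'SMHNR is enabled: DNS queries may be sent to every adapter in parallel.'
}

# 2. IPv6 fall-through: any non-VPN adapter that still has an IPv6 DNS
#    server configured can carry queries outside the tunnel.
Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.InterfaceAlias -ne $VpnAdapter -and $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $findings += "IPv6 DNS servers on '$($_.InterfaceAlias)': $($_.ServerAddresses -join ', ')"
    }

# 3. Competing resolvers: IPv4 DNS servers on non-VPN adapters (the ISP's,
#    or another VPN/app's) are what SMHNR or a metric mix-up races against.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -ne $VpnAdapter -and $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $findings += "IPv4 DNS servers on '$($_.InterfaceAlias)': $($_.ServerAddresses -join ', ')"
    }

# 4. NRPT: a catch-all rule (namespace ".") pinning every name to the tunnel
#    resolver is what overrides SMHNR; report if no such rule exists.
$catchAll = Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq '.' }
if (-not $catchAll) {
    $findings += 'No catch-all NRPT rule: nothing forces all domains to the VPN resolver.'
}

if ($findings.Count -eq 0) {
    'No DNS leak conditions found.'
} else {
    'Possible DNS leak conditions:'
    $findings | ForEach-Object { " - $_" }
}
```

A clean result here does not replace the extended leak test above; it only confirms the OS-level configuration is not obviously set up to race the tunnel.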
Read the deep dive in How DNS leaks expose location and the troubleshooting guide.
Try Fexyn free for 7 days and verify with the leak test.
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.