Fexyn
Fexyn

Troubleshooting

Fix a DNS leak

What a DNS leak is, how to test for one, and what to do if a test flags your connection.

What a DNS leak actually is

When you visit example.com your computer first looks up that name to find the server IP. That lookup is a DNS query. With a VPN active, every DNS query should travel through the encrypted tunnel and be answered by a resolver inside the tunnel — so the network you're sitting on (your ISP, the coffee shop Wi-Fi, the corporate firewall) never sees which sites you look up.

A DNS leak is when one or more of those queries skip the tunnel and go straight out to your ISP's default resolver. The encrypted traffic still works, but the ISP learns the domain you visited from the leaked DNS request — which is enough to build a fairly complete browsing profile.

How to test

Use the built-in tester. It runs from your browser while the VPN is connected and reports which DNS resolver answered the queries:

fexyn.com/tools/dns-leak-test

The standard test fires a single batch of queries. The extended test runs six rounds spread over time so it catches intermittent leaks that a single check would miss.

What the results mean

  • All queries resolved through a known public/Fexyn DNS resolver. Healthy — no leak detected. Your DNS is travelling inside the tunnel.
  • At least one query resolved through your ISP. Leak. Your ISP saw at least one of your lookups. Move to the fixes below.
  • Mixed providers. Possible partial leak. Re-run the extended test; if the result is consistent, treat it as a leak and follow the fixes.

Browser-based DNS leak tests can only see queries the browser itself made. They don't catch leaks from other apps on your machine. For day-to-day use this is fine, but if you're investigating a security incident specifically, also check with a packet capture.

Fix 1 — Reconnect the VPN

The simplest and most often effective fix. Disconnect, wait five seconds, and reconnect. Fexyn's helper service re-applies the NRPT (Name Resolution Policy Table) rules and the WFP firewall filters that force DNS into the tunnel. If those rules drifted (a Windows update, a sleeping/waking sequence, another VPN tool that stomped on them), reconnecting puts them back.

After reconnect, re-run the extended test. If it passes, you're done.

Fix 2 — Switch protocol

All three Fexyn protocols force DNS through the tunnel, but the underlying mechanism differs. If reconnecting on the same protocol still leaks, switching protocols often clears it.

  • Try Fexyn Bolt (WireGuard) if you were on Stealth or Secure.
  • Try Fexyn Stealth (VLESS Reality / XRay) if you were on Bolt or Secure.
  • Try Fexyn Secure (OpenVPN) as the last fallback — its DNS handling is the most conservative.

About protocols on Fexyn.

Fix 3 — Try a different server

A particular server's DNS resolver might be slow or dropping requests, causing your client to silently fall back. Pick another country/city from the server list and re-test.

Fix 4 — Flush Windows DNS cache

Old cached entries can show up as "leaked" even after the tunnel is healthy. Open an admin Command Prompt and run:

ipconfig /flushdns

Then re-run the extended leak test.

Fix 5 — Check for other VPN/DNS software

Multiple VPNs running at once almost always cause leaks. Cloudflare WARP, NordVPN, ExpressVPN, Mullvad and many corporate VPN clients all install their own NRPT rules and fight Fexyn for DNS control. Quit (don't just disconnect) any other VPN client before testing.

Browser-level DNS-over-HTTPS settings (Firefox, Chrome, Edge) can also bypass the system DNS layer entirely. That's usually fine for privacy — DoH to Cloudflare or Google is more private than your ISP — but it will appear as a "leak" in a tester that expects all DNS to come from the tunnel. Disable browser-level DoH temporarily if you want a clean test.

Fix 6 — IPv6 considerations

IPv6 has its own DNS resolution path. If your ISP gives you IPv6 and your device prefers IPv6 over IPv4, queries can leak over IPv6 even when IPv4 traffic is correctly tunneled. Fexyn's WFP rules block IPv6 traffic from leaving the tunnel by default, but if you've disabled the kill switch the IPv6 path opens back up. Re-enable the kill switch in app settings.

What this means for your privacy

Fexyn does not log browsing history, DNS queries, or traffic content — even when the queries arrive at our resolvers via the tunnel. That's the no-logs policy in plain language. A DNS leak is concerning specifically because it routes around our resolvers and hands the query to your ISP — which generally does keep records.

When to contact support

If the extended test still flags leaks after all six fixes, email support@fexyn.com with the protocol and server you tested, the test result page (URL is fine, no need for screenshots), and your Windows version. Don't share account recovery codes.

Related reading

Re-test once you've worked through the fixes.

Run DNS leak testBack to Support
Fix a DNS Leak on Fexyn VPN for Windows | Fexyn VPN