What is a DNS Leak?
Every time you type a domain name into your browser—say, example.com—your device needs to translate that human-readable name into a numeric IP address. That translation is handled by the Domain Name System (DNS). Your device sends a DNS query to a resolver, the resolver looks up the answer, and your browser connects to the resulting IP.
By default, your DNS resolver is assigned by your Internet Service Provider. That means your ISP receives a record of every domain you look up. Not the full URL. Not the page content. But the domain itself—and that’s enough to reconstruct a detailed picture of what you do online.
A VPN is supposed to fix this. When you connect to a VPN, all your traffic—including DNS queries—should travel through the encrypted tunnel and resolve on the VPN provider’s DNS servers. A DNS leak happens when some or all of your DNS queries escape the tunnel and reach your ISP’s resolver instead. Your browsing traffic is encrypted inside the VPN, but the DNS queries that reveal which sites you’re visiting travel in the clear.
This defeats one of the primary reasons for using a VPN. You might think you’re private, but your ISP still has a log of every domain you resolve. That log can be subpoenaed, sold to data brokers (legal in many jurisdictions), or used for targeted advertising.
How DNS Leaks Happen
Windows Smart Multi-Homed Name Resolution
Windows 8.1 and later send DNS queries to all available network adapters simultaneously, not just the VPN tunnel. This feature was designed to speed up name resolution by racing queries across interfaces. The first response wins. In practice, it means your ISP’s DNS server often answers before the VPN’s resolver does, leaking the query outside the tunnel. Microsoft calls this Smart Multi-Homed Name Resolution. Security researchers call it a privacy disaster.
IPv6 DNS leaks
Many VPNs only tunnel IPv4 traffic. If your ISP assigns you an IPv6 address and your operating system prefers IPv6, DNS queries can travel over IPv6 directly to your ISP’s resolver, bypassing the VPN tunnel entirely. The VPN client never sees these requests because they use a different protocol stack.
Manual DNS settings
If you’ve manually configured DNS servers on your network adapter (say, 8.8.8.8 for Google DNS), those settings may persist when you connect to a VPN. The VPN sets its own DNS on the tunnel interface, but your physical adapter still has the manual override. Depending on your OS and routing table, queries may go to the manual DNS instead of the VPN’s resolver.
VPN disconnects without a kill switch
VPN connections drop. Wi-Fi reconnects. Laptops wake from sleep. During these transitions, your device reverts to its default DNS configuration for anywhere from a fraction of a second to several minutes. Without a kill switch that blocks all non-tunnel traffic, every DNS query during that window goes straight to your ISP.
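The four conditions above can each be checked from the local machine. The following read-only audit script is an added example, not Fexyn's code or any tool from the page; it assumes an elevated PowerShell session on Windows 8.1 or later with the built-in DnsClient and NetAdapter modules, and it reads the documented DisableSmartNameResolution policy value to report the Smart Multi-Homed Name Resolution state.

```powershell
# Added example (not Fexyn's code): audit a Windows host for the DNS-leak
# conditions described above. Read-only; run from an elevated PowerShell.

# 1. Smart Multi-Homed Name Resolution. The Group Policy "Turn off smart
#    multi-homed name resolution" writes DisableSmartNameResolution = 1 here.
#    If the value is absent, Windows uses the default (enabled) behaviour.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$smhnr = Get-ItemProperty -Path $policyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
if ($smhnr -and $smhnr.DisableSmartNameResolution -eq 1) {
    Write-Output 'SMHNR: disabled by policy'
} else {
    Write-Output 'SMHNR: ENABLED (default) - queries race across all adapters'
}

# 2. IPv6 binding on every active adapter. A VPN that tunnels only IPv4 leaves
#    a leak path on any other adapter that still has IPv6 bound.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $binding = Get-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
    $state = if ($binding.Enabled) { 'ENABLED' } else { 'disabled' }
    Write-Output ("IPv6 binding on {0}: {1}" -f $_.Name, $state)
}

# 3. Per-adapter resolvers (manual or DHCP-assigned). Any adapter other than the
#    VPN tunnel that lists a server is a path a query can take outside the tunnel.
foreach ($family in 'IPv4', 'IPv6') {
    Get-DnsClientServerAddress -AddressFamily $family |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            Write-Output ("DNS ({0}) on {1}: {2}" -f $family, $_.InterfaceAlias, ($_.ServerAddresses -join ', '))
        }
}

# 4. NRPT rules. A VPN client that forces DNS through NRPT leaves a rule here;
#    no rules means resolution follows the per-adapter settings listed above.
$rules = Get-DnsClientNrptRule
if ($rules) {
    $rules | Select-Object Namespace, NameServers | Format-Table -AutoSize
} else {
    Write-Output 'NRPT: no rules present'
}
```

Run it once before connecting and once after: the after-run should show SMHNR off or an NRPT rule present, IPv6 unbound (or tunnelled), and resolvers listed only on the tunnel adapter. Anything else is a condition the section above describes, and the extended leak test will usually confirm it.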
What Your DNS Provider Knows
Your DNS resolver sees every domain you look up. That includes the obvious (google.com, youtube.com) and the sensitive (health-condition-forum.org, political-organization.com, dating-app.io). It knows your IP address. It knows the exact timestamp of each query. It knows how often you visit each domain and at what time of day.
It does not see the full URL path. If you visit example.com/private/document.pdf, the DNS resolver only sees “example.com.” It does not see page content, form submissions, or any data transferred over HTTPS. But the domain alone carries significant information. A query for a specific medical condition forum, a bankruptcy attorney, or a particular political party tells a story without needing the full URL.
ISPs in the United States, United Kingdom, Australia, and most of the EU are required by law to retain DNS query logs for months or years. Some ISPs sell anonymized (often poorly anonymized) browsing data to advertising networks. Your DNS history is a product, and you are the source.
How to Prevent DNS Leaks
The most reliable prevention is a VPN that handles DNS correctly at the system level. That means more than just setting a DNS server on the tunnel adapter. It means forcing the operating system to use that resolver and blocking all other DNS paths.
A proper kill switch is essential. If the VPN tunnel drops, all traffic—including DNS—should be blocked until the tunnel re-establishes. Without this, every momentary disconnect is a leak window.
IPv6 handling matters. If your VPN does not tunnel IPv6 traffic, it should block IPv6 entirely to prevent queries from leaking over the v6 stack. Half-measures here create false confidence.
Remove manual DNS settings from your network adapters before connecting to a VPN. Manual overrides can persist across VPN sessions and silently route queries outside the tunnel.
Run a DNS leak test after connecting—not once, but periodically. DNS configurations can change after OS updates, network switches, or VPN client updates. The extended test on this page runs multiple rounds to catch intermittent leaks that a single query would miss.
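The manual-DNS and IPv6 steps above can be applied to every adapter except the tunnel with a few cmdlets. The script below is an added example, not Fexyn's code; the adapter alias `VPN Tunnel` is a placeholder for whatever name your VPN client gives its interface (check with `Get-NetAdapter`), and it assumes an elevated PowerShell session.

```powershell
# Added example (not Fexyn's code): apply the prevention steps above to every
# active adapter except the VPN tunnel. Run from an elevated PowerShell.
$TunnelAlias = 'VPN Tunnel'   # placeholder: substitute your VPN adapter's alias

$physical = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -ne $TunnelAlias }

foreach ($nic in $physical) {
    # Step 1: clear any manually configured resolvers. The adapter reverts to
    #         DHCP-supplied servers, so the VPN's tunnel resolver (or NRPT rule)
    #         must still take precedence; this only removes the manual override.
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ResetServerAddresses

    # Step 2: if the VPN does not tunnel IPv6, unbind IPv6 from the adapter so no
    #         query can leave over the native v6 stack.
    Disable-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6 -Confirm:$false
}

# Step 3: confirm. After connecting, only the tunnel adapter should list
#         resolvers for IPv4, and no physical adapter should list any for IPv6.
foreach ($family in 'IPv4', 'IPv6') {
    Get-DnsClientServerAddress -AddressFamily $family |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object @{ n = 'Family'; e = { $family } }, InterfaceAlias, ServerAddresses
}

# To restore IPv6 on an adapter later:
#   Enable-NetAdapterBinding -Name <adapter name> -ComponentID ms_tcpip6
```

Unbinding IPv6 is the blunt form of "block IPv6 entirely" from the section above; it is reversible per adapter and is the right choice only while the VPN in use does not tunnel IPv6. Re-run the leak test after the change, since the routing table decides which resolver a query actually reaches.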
How Fexyn VPN Prevents DNS Leaks
Fexyn VPN takes a multi-layer approach to DNS leak prevention that operates at the Windows kernel level, not just in userspace.
On Windows, Fexyn uses Name Resolution Policy Table (NRPT) rules to force all DNS queries through the VPN tunnel. NRPT operates at the OS level before any application sees the query—it overrides per-adapter DNS settings, manual configurations, and Smart Multi-Homed Name Resolution behavior. Every query for every domain hits the VPN’s resolver.
The kill switch uses Windows Filtering Platform (WFP) filters—the same firewall API that Windows Defender and enterprise firewalls use. When the kill switch is active, WFP blocks all non-tunnel traffic at the network stack level. If the VPN tunnel drops for any reason, DNS queries are blocked along with everything else. No leak window.
IPv6 is null-routed when the VPN is active. Rather than hoping IPv6 queries go through the tunnel, Fexyn routes all IPv6 traffic to a null destination. This eliminates the entire class of IPv6 DNS leaks without breaking IPv4 connectivity.
Each protocol (WireGuard, VLESS Reality, OpenVPN) has its own DNS configuration path, and all three force DNS through the tunnel. WireGuard uses the AllowedIPs catch-all route. VLESS uses tun2socks with a tunnel DNS override. OpenVPN pushes DNS via the dhcp-option DNS directive.
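To make the NRPT and WFP mechanisms concrete, here is the same pair of controls applied by hand with the built-in cmdlets. This is an added illustration, not Fexyn's implementation (the client does this programmatically and handles tunnel lifecycle itself); `VPN Tunnel` and `10.64.0.1` are placeholders for the VPN adapter alias and the resolver reachable only inside the tunnel, and the session must be elevated. Windows Defender Firewall rules created with `New-NetFirewallRule` are enforced by WFP, which is why they serve as the kill-switch part of the example.

```powershell
# Added example (not Fexyn's code): an NRPT catch-all rule plus WFP-backed
# firewall rules that block DNS on every adapter except the tunnel.
$TunnelAlias = 'VPN Tunnel'   # placeholder: VPN adapter alias
$TunnelDns   = '10.64.0.1'    # placeholder: resolver reachable only via the tunnel

# 1. NRPT catch-all. Namespace '.' matches every name, so the DNS client sends
#    all queries to $TunnelDns regardless of per-adapter settings, manual
#    overrides, or Smart Multi-Homed Name Resolution.
Add-DnsClientNrptRule -Namespace '.' -NameServers $TunnelDns `
    -DisplayName 'VPN catch-all' -Comment 'Force all DNS through the tunnel'

# 2. Firewall rules (enforced by WFP): block outbound DNS, UDP and TCP 53, on
#    every interface other than the tunnel. If the tunnel drops, NRPT still
#    points at an unreachable resolver and these rules stop any fallback, so
#    resolution fails closed instead of leaking.
$offTunnel = Get-NetAdapter | Where-Object { $_.Name -ne $TunnelAlias } |
    Select-Object -ExpandProperty Name
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block off-tunnel DNS ($proto)" `
        -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 `
        -InterfaceAlias $offTunnel -Profile Any | Out-Null
}

# 3. Verify: the rule is present and a lookup still succeeds (via $TunnelDns).
Get-DnsClientNrptRule | Select-Object Namespace, NameServers
Resolve-DnsName example.com -Type A

# Rollback when finished:
#   Get-DnsClientNrptRule | Where-Object DisplayName -eq 'VPN catch-all' | Remove-DnsClientNrptRule -Force
#   Remove-NetFirewallRule -DisplayName 'Block off-tunnel DNS (UDP)', 'Block off-tunnel DNS (TCP)'
```

The two controls cover different failure modes: NRPT decides where queries go while the tunnel is up, and the firewall rules decide what happens when it is not. Leaving either one out reproduces one of the leak cases described earlier on this page, which is why a client that does this properly installs both and removes both when it disconnects.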
Frequently Asked Questions
What is a DNS leak?
A DNS leak occurs when your device sends DNS queries outside your VPN tunnel, typically to your ISP's DNS servers. This means your ISP can see every domain you visit, even though the rest of your traffic is encrypted by the VPN. It's one of the most common ways VPN privacy is undermined.
How do I know if my DNS is leaking?
Run a DNS leak test while connected to your VPN. If the test shows your ISP's DNS servers instead of your VPN provider's servers, you have a DNS leak. Our extended test runs 6 rounds spaced over time to catch intermittent leaks that a single check might miss — useful for detecting leaks during VPN reconnections or DNS cache expiration.
Can my ISP see what websites I visit through DNS?
Yes. Standard DNS queries are unencrypted. Your ISP can see the domain name of every website you visit (e.g., example.com), when you visited it, and how often. They cannot see the full URL path or page content if the site uses HTTPS, but the domain alone is enough to build a detailed browsing profile. ISPs in many countries are legally required to retain this data.
Does a VPN prevent DNS leaks?
A properly configured VPN should prevent DNS leaks by routing all DNS queries through its encrypted tunnel. However, not all VPNs do this correctly. Windows Smart Multi-Homed Name Resolution, IPv6 DNS requests, and manual DNS settings can all cause leaks even with a VPN active. Fexyn VPN uses NRPT rules and WFP firewall filters to force all DNS through the tunnel.
What is the difference between a standard and extended DNS leak test?
A standard test checks your DNS resolver once. An extended test makes multiple DNS requests spaced over time — our test uses 6 rounds over 12 seconds. The extended test catches intermittent leaks that occur during VPN reconnections, DNS cache expiration, or when your OS falls back to a secondary DNS resolver briefly. If you only run a standard test, you might get a clean result while still having occasional leaks.