VPN DNS Leak 2026: Understand, Test, Prevent

Q: What is a DNS leak?

A DNS leak happens when your VPN is active but your DNS queries (domain name → IP resolution) go outside the VPN tunnel — to your ISP's DNS (Orange, SFR, etc.). Result: your ISP knows which sites you visit even if traffic is encrypted. Three leak types: classic DNS leak, WebRTC leak, IPv6 leak.

Q: Why are DNS leaks problematic?

Three consequences: (1) Your ISP keeps a log of visited sites (French law: 1 year retention). Useful for subpoenas or ISP data breach. (2) The VPN is useless — you pay for privacy you don't get. (3) Hadopi/BREIN/ARCOM can identify P2P sites visited even with active VPN if DNS leaks.

Q: Difference between DNS leak and WebRTC leak?

DNS leak: your resolution queries go via ISP instead of VPN. WebRTC leak: a browser tech (peer-to-peer for video chats) exposes your real IP via JavaScript, even with active VPN. Very pernicious — constantly tests your IP alongside VPN. Solution: anti-WebRTC extension (uBlock Origin, Firefox about:config disable, ExpressVPN/NordVPN extension).

Q: Do premium VPNs prevent ALL leaks?

NordVPN, ExpressVPN, Surfshark, CyberGhost: yes, designed with proprietary DNS (custom VPN DNS) + anti-WebRTC + IPv6 blocked or tunneled. Apps regularly audit-tested. Free VPNs: often leak, DNS passed to ISP, no WebRTC protection. PureVPN: proprietary DNS and kill switch, test recommended.

Q: How to fix a detected DNS leak?

Several actions: (1) Enable kill switch in your VPN app. (2) Use VPN's DNS: NordVPN has proprietary DNS auto-enabled. (3) Disable IPv6 in system settings if IPv6 leak (Windows: Control Panel > Network). (4) Disable WebRTC via browser extension. (5) Change VPN if persistent leaks — free or dodgy VPN.

DNS Leak: the invisible issue that makes your VPN useless

You have a VPN on. You think you’re protected. And yet, your ISP can still know which sites you visit. This is the DNS leak — one of the most insidious cybersecurity problems, still affecting many users in 2026. This article explains the mechanism, how to test it, and how to protect yourself.

DNS: understand in 2 minutes

Before discussing leaks, let’s recall what DNS is.

When you type google.com in your browser:

Your device asks a DNS server: “what’s google.com’s IP?”
DNS answers: “142.250.203.110”
Your browser connects to this IP

By default, this DNS server is your ISP’s (Orange 80.10.246.2, SFR 109.0.66.10, Free 212.27.40.240).

Consequence: your ISP knows all the sites you visit. These logs are kept 1 year in France (surveillance law, LCEN).

What is a DNS leak?

With a correctly configured VPN:

Your traffic goes through the encrypted VPN tunnel
DNS queries too — to the VPN’s DNS (NordVPN, Cloudflare, Quad9)
Your ISP sees just an encrypted connection to the VPN, nothing else

With DNS leak:

Your traffic passes through VPN (encrypted)
But DNS queries bypass the tunnel and go to your ISP
Your ISP sees: “User resolved netflix.com, pornhub.com, thepiratebay.org”
Even though traffic is encrypted, visited sites are exposed

It’s like mailing a package in an opaque box, but sticking the recipient’s shipping label clearly visible on it.

Why it’s serious

1. Your ISP logs everything

In France, ISPs must retain metadata 1 year (LCEN, 2021 decree). These logs can be given to:

Hadopi/ARCOM in P2P investigations
Police/Justice on subpoena
In case of ISP data leak, publicly exposed

2. The VPN becomes useless (almost)

You pay for a VPN for privacy. With a DNS leak, you only have content encryption but no anonymity. 50% of VPN value lost.

3. Hadopi can identify P2P

A DNS leak during a torrent session can reveal visited trackers/sites. Even with VPN, your IP is hidden to other peers, but your ISP knows you visited an illegal tracker.

The 3 leak types: DNS, WebRTC, IPv6

Classic DNS leak

Mechanism: Windows / OS sends DNS query to the DNS configured in network properties instead of VPN’s DNS. Common on Windows default.

Test: free DNS leak test tool

WebRTC leak

WebRTC is a browser tech (Chrome, Firefox, Edge, Safari) for peer-to-peer video calls. It reveals your real IP via JavaScript, even with active VPN.

Test: WebRTC leak tool

Solution:

Firefox: about:config > media.peerconnection.enabled = false
Chrome: uBlock Origin extension (under “more > I’m an advanced user” check WebRTC leaks)
NordVPN, ExpressVPN: browser extensions auto-block

IPv6 leak

Your connection may have an IPv6 address (new protocol) on top of IPv4. If the VPN only handles IPv4, your IPv6 requests bypass the tunnel.

Test: IPv6 leak tool

Solution:

NordVPN, ExpressVPN, Surfshark: disable IPv6 auto OR tunnel it
Manually: disable IPv6 in system network settings

How to test your leaks in 3 minutes

Step 1 — Connect your VPN

Enable your VPN (NordVPN, ExpressVPN, Surfshark, CyberGhost, PureVPN).

Verify the connection is active (green icon in app).

Step 2 — Test DNS

Go to our DNS leak tool or dnsleaktest.com.

Expected result:

Returned DNS belong to the VPN (NordVPN 103.86.96.100, Cloudflare 1.1.1.1, Quad9 9.9.9.9)
NOT your ISP’s DNS (Orange, SFR, Free, Bouygues, Proximus, Swisscom)
DNS country matches connected VPN server

If leak: ISP DNS appear → fix immediately.

Step 3 — Test WebRTC

Our WebRTC leak tool.

Expected result:

No real IP exposed
If WebRTC fully disabled, nothing displays (good sign)

Step 4 — Test IPv6

Our IPv6 leak tool.

Expected result:

No IPv6 address exposed
If exposed, tunneled via VPN (not your ISP’s)

How to fix a DNS leak

Solution 1 — Use a VPN that protects

NordVPN, ExpressVPN, Surfshark, CyberGhost protect against all 3 leak types by default. Verify in settings that:

Custom DNS (not ISP) is selected
IPv6 blocked or tunneled
WebRTC extension installed if available

Solution 2 — Disable IPv6 (Windows)

Control Panel > Network and Internet > Network and Sharing Center
Change adapter settings
Right-click your connection > Properties
Uncheck Internet Protocol Version 6 (TCP/IPv6)
OK → reboot

Solution 3 — Disable WebRTC (browser)

Firefox:

about:config
media.peerconnection.enabled = false

Chrome/Edge:

WebRTC Network Limiter extension (official Google)
Or uBlock Origin extension with WebRTC setting

Solution 4 — Manual DNS config

If your VPN doesn’t force DNS, force manually:

Cloudflare: 1.1.1.1 and 1.0.0.1 (fast, pro-privacy)
Quad9: 9.9.9.9 and 149.112.112.112 (malware filter)
Google: 8.8.8.8 and 8.8.4.4 (NOT recommended — Google logs)

Solution 5 — Change VPN

If your current VPN leaks regularly despite config: time to change.

Recommended no-leak VPNs (tested):

NordVPN — Panama proprietary DNS
ExpressVPN — Network Lock + private DNS
Surfshark — WireGuard + proprietary DNS
CyberGhost — proprietary DNS
PureVPN — proprietary DNS

DNS leaks by VPN — comparison

VPN	DNS Protection	WebRTC	IPv6
NordVPN	✅ Auto proprietary DNS	✅ Extension	✅ Tunneled
ExpressVPN	✅ TrustedServer private DNS	✅ Extension	✅ Tunneled
Surfshark	✅ Proprietary DNS	✅ Built-in	✅ Tunneled
CyberGhost	✅ Proprietary DNS	⚠️ Verify extension	✅ Tunneled
PureVPN	✅ Proprietary DNS	⚠️ Verify	✅ Option
Free VPNs	❌ Often leak	❌ No protection	❌ Unprotected

Complementary security

VPN + proprietary DNS + kill switch only cover the network. For complete security:

NordPass — password manager (account protection)
2FA (Google Authenticator) on critical accounts
HTTPS Everywhere (plugin, or default enabled modern Chrome/Firefox)

What NOT to do

❌ Assume everything works after VPN install — always test
❌ Ignore WebRTC — affects 90% of Chrome/Firefox users without protection
❌ Leave IPv6 on with VPN that doesn’t handle it
❌ Use free VPN — massive leaks quasi-systematic
❌ Test only once — retest after each VPN/OS update

Verdict

Test your DNS/WebRTC/IPv6 leaks today via our free tools:

If leak detected: fix immediately or switch VPN. NordVPN is our default pick — protects against all 3 leak types, 10 connections, Panama.

Frequently asked questions

What is a DNS leak?

A DNS leak happens when your VPN is active but your DNS queries (domain name → IP resolution) go outside the VPN tunnel — to your ISP's DNS (Orange, SFR, etc.). Result: your ISP knows which sites you visit even if traffic is encrypted. Three leak types: classic DNS leak, WebRTC leak, IPv6 leak.

How to test for DNS leak?

Use our free DNS leak test tool. With VPN enabled, run the test. The returned DNS must be the VPN's (NordVPN, Cloudflare, etc.) — NOT your ISP's (Orange, SFR, Free). If you see your ISP, leak. Also test WebRTC and IPv6.

Why are DNS leaks problematic?

Three consequences: (1) Your ISP keeps a log of visited sites (French law: 1 year retention). Useful for subpoenas or ISP data breach. (2) The VPN is useless — you pay for privacy you don't get. (3) Hadopi/BREIN/ARCOM can identify P2P sites visited even with active VPN if DNS leaks.

Difference between DNS leak and WebRTC leak?

DNS leak: your resolution queries go via ISP instead of VPN. WebRTC leak: a browser tech (peer-to-peer for video chats) exposes your real IP via JavaScript, even with active VPN. Very pernicious — constantly tests your IP alongside VPN. Solution: anti-WebRTC extension (uBlock Origin, Firefox about:config disable, ExpressVPN/NordVPN extension).

Do premium VPNs prevent ALL leaks?

NordVPN, ExpressVPN, Surfshark, CyberGhost: yes, designed with proprietary DNS (custom VPN DNS) + anti-WebRTC + IPv6 blocked or tunneled. Apps regularly audit-tested. Free VPNs: often leak, DNS passed to ISP, no WebRTC protection. PureVPN: proprietary DNS and kill switch, test recommended.

How to fix a detected DNS leak?

Several actions: (1) Enable kill switch in your VPN app. (2) Use VPN's DNS: NordVPN has proprietary DNS auto-enabled. (3) Disable IPv6 in system settings if IPv6 leak (Windows: Control Panel > Network). (4) Disable WebRTC via browser extension. (5) Change VPN if persistent leaks — free or dodgy VPN.