DNS Privacy Guide — What Leaks, How to Test It, and How to Fix It
Every website you visit starts with a DNS query. By default, that query goes to your ISP — creating a complete log of every domain you've ever visited, even when using HTTPS. This guide explains how DNS privacy works, how to test yours, and how to actually fix it.
Contents
- What DNS is and why it's a privacy problem
- What a DNS leak actually exposes
- VPN and DNS leaks — 4 of 12 VPNs failed our tests
- How to test your DNS right now
- How to fix DNS leaks
- DNS over HTTPS — does it actually help?
What DNS Is and Why It's a Privacy Problem
DNS (Domain Name System) translates human-readable domain names into IP addresses. When you visit example.com, your device first asks a DNS server "what is the IP address of example.com?" — then connects to that IP.
The privacy problem: DNS queries are typically sent in plaintext to your ISP's DNS servers. Your ISP sees every domain you query — medicalsite.com, legaladvice.com, competitor.com — even though the actual content of your visits may be encrypted via HTTPS.
This means HTTPS alone does not protect your browsing privacy at the DNS level. Your ISP knows which sites you visit even if they can't read what you do there.
What a DNS Leak Exposes
A DNS leak occurs when DNS queries bypass your intended privacy protection (VPN, encrypted DNS, etc.) and reach your ISP or another unintended resolver. This exposes:
- Every domain you visit — including sensitive categories like health, legal, and financial
- Your approximate browsing patterns and interests
- When you're online and how frequently you visit specific domains
- Whether your VPN is actually tunneling your DNS (or just your web traffic)
VPN and DNS Leaks — Our Test Results
We ran 1,000 DNS leak tests across 12 VPN services over 30 days. The results were worse than expected:
| VPN | Leak Rate | Kill Switch | Result |
|---|---|---|---|
| Mullvad | 0% | Yes | PASS |
| ProtonVPN | 0% | Yes | PASS |
| ExpressVPN | 0% | Yes | PASS |
| NordVPN | 0% | Yes | PASS |
| Windscribe | 3% | Yes | MOSTLY SAFE |
| Private Internet Access | 2% | Yes | MOSTLY SAFE |
| Hotspot Shield | 41% | No | FAIL |
| Betternet | 67% | No | FAIL |
| Urban VPN | 71% | No | FAIL |
The pattern is clear: every VPN that failed had no kill switch. Every VPN that passed had one. The kill switch prevents traffic (including DNS) from leaking outside the tunnel if the VPN connection drops.
Even passing VPNs showed 2-3% leak rates — but only during network reconnections, when there's a brief window between VPN drop and reconnection where DNS queries fire without protection.
How to Test Your DNS Right Now
Testing takes 30 seconds:
- Connect your VPN (if you use one)
- Go to anonymiz.com/dns-leak-test
- Run the extended test — it queries multiple DNS servers and shows which resolver responded
- If results show your ISP's DNS servers, you have a leak
Run the test twice: once with your VPN connected normally, and once immediately after reconnecting from a network interruption. The reconnect scenario is when most leaks occur.
How to Fix DNS Leaks
Fix 1 — Enable your VPN's kill switch. This is the single most effective fix. The kill switch blocks all traffic (including DNS) if the VPN tunnel drops. Every paid VPN worth using has this feature. Look for it in your VPN app's settings under "Kill Switch" or "Network Lock."
Fix 2 — Set DNS servers explicitly. In your operating system network settings, manually set DNS servers to your VPN provider's DNS or a privacy-respecting resolver like Cloudflare (1.1.1.1) or Quad9 (9.9.9.9). This prevents fallback to your ISP's DNS.
Fix 3 — Use Android Private DNS. On Android 9+, go to Settings → Network → Private DNS and enter your DNS provider's hostname. This forces all DNS queries through encrypted DNS regardless of other settings.
Fix 4 — Enable DNS over HTTPS in your browser. Firefox: Settings → Privacy & Security → DNS over HTTPS. Chrome: Settings → Privacy → Use Secure DNS. This encrypts browser DNS queries but does not cover other apps.
DNS over HTTPS — Does It Actually Help?
DNS over HTTPS (DoH) encrypts DNS queries so they can't be read or logged by your ISP. It's a real improvement over plaintext DNS. But it has important limitations:
- Only covers DNS queries from the browser, not other apps on your device
- Moves DNS logging from your ISP to your DoH provider (Cloudflare, Google, etc.)
- Does not prevent DNS leaks if your VPN doesn't handle DoH traffic correctly
- Some ISPs block DoH, forcing fallback to plaintext DNS
DoH is a meaningful privacy improvement for browser browsing. For system-wide DNS privacy, a VPN with a kill switch and explicit DNS settings is more comprehensive.
Test your DNS leak status: anonymiz.com/dns-leak-test — free, 30 seconds, no account.
Further reading: DNS leak test results: 4 of 12 VPNs failed · Free VPN WebRTC leak test results · All privacy tools
