Why do DNS leak tests often report a positive result?
A DNS (Domain Name System) leak occurs when DNS queries from your device bypass the VPN tunnel and are sent directly to your default DNS servers (typically provided by your ISP). This exposes your browsing activity to your ISP and potentially other third parties, defeating a key privacy benefit of using a VPN.
Many DNS leak detection websites flag our configuration as "leaking" because they use a simplistic detection method: they compare your apparent IP address with the IP address of the DNS resolver handling your queries. When these differ (e.g., your traffic comes from our VPN IP but DNS queries appear to come from Google DNS), the test incorrectly flags this as a leak.
Our service maintains complete protection against actual DNS leaks at all times:
Full Tunnel Protection: All DNS requests from your device are fully encrypted and routed through our secure VPN tunnel, preventing exposure to your ISP or local network observers.
Strategic Use of Third-Party DNS: We intentionally use Google DNS and Cloudflare DNS as recursive resolvers on our VPN servers for several important security and performance reasons:
Enhanced Privacy Through Anonymization: When our VPN servers forward DNS requests to Google or Cloudflare, these requests are anonymized and cannot be associated with specific VPN clients. The requests appear to come from our VPN servers, not from you.
Additional Security Layer: This architecture adds a caching layer in which our customers' anonymized DNS requests are mixed with those of other Google/Cloudflare users worldwide, further enhancing privacy.
Performance Benefits: These global DNS providers offer superior reliability, speed, and protection against DNS poisoning compared to running our own DNS infrastructure.
In a vulnerable configuration (a true DNS leak):
DNS queries bypass the VPN tunnel completely
Your ISP can see all domain names you're accessing
Your real IP address is exposed to DNS providers
In our secure configuration:
All DNS traffic is encrypted inside the VPN tunnel
Queries leave our VPN servers anonymized
Your ISP sees only encrypted VPN traffic
Your real IP address is never exposed
Most DNS leak detection services simply check whether the address of the recursive resolver matches your apparent IP address. When they detect a public DNS resolver (like Google or Cloudflare) being used, they report a "leak" even though:
Your DNS queries are fully encrypted inside the VPN tunnel
Your ISP cannot see or intercept these queries
The DNS provider only sees requests coming from our VPN servers, not from you personally
No, because:
Google DNS never sees your real IP address, only our VPN server addresses
DNS queries from our servers are mixed with millions of other queries, providing "strength in numbers" privacy
Your browsing activity cannot be linked back to you personally
If you want to verify that your connection is secure against actual DNS leaks (rather than relying on potentially misleading leak test websites), you can:
Check that all network traffic (including DNS) passes through our VPN interface
Verify that no DNS requests are being sent unencrypted to your ISP's DNS servers
Confirm that DNS requests are properly encrypted within the VPN tunnel
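As an added illustration of the difference between the website heuristic and the host-side checks listed above (example code, not the provider's own): the website test only compares two addresses, while the host-side check looks at which interface each DNS query actually left on. VPN_EGRESS, the ISP resolver address and the interface names are assumptions.

```python
# Added example, not the provider's own code: models the two leak tests
# discussed above. VPN_EGRESS and the ISP resolver are hypothetical values in
# RFC 5737 documentation ranges; only the Google/Cloudflare addresses are real.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

VPN_EGRESS = ip_network("198.51.100.0/24")                     # hypothetical VPN server range
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}  # Google / Cloudflare


@dataclass(frozen=True)
class DnsQuery:
    iface: str     # interface the query left the device on, e.g. "tun0" or "eth0"
    dst_ip: str    # resolver the query was addressed to
    dst_port: int  # 53 for classic DNS


def website_heuristic(apparent_ip: str, resolver_ip: str) -> bool:
    """The simplistic check leak-test sites use: compare the client's apparent
    IP with the resolver that reached the test's DNS server and report any
    mismatch as a 'leak'."""
    return apparent_ip != resolver_ip


def host_leaks(queries: Iterable[DnsQuery], vpn_iface: str) -> List[DnsQuery]:
    """Host-side check: a real leak is a port-53 query that leaves on a non-VPN
    interface, bypassing the tunnel. Queries sent on the tunnel interface are
    encrypted before they reach the physical NIC. DoT/DoH are not considered."""
    return [q for q in queries if q.dst_port == 53 and q.iface != vpn_iface]


def classify(apparent_ip: str, resolver_ip: str, queries, vpn_iface: str) -> str:
    """Trust the host-side evidence first, then explain the website's verdict."""
    if host_leaks(queries, vpn_iface):
        return "real leak"
    if not website_heuristic(apparent_ip, resolver_ip):
        return "no leak"
    if ip_address(apparent_ip) in VPN_EGRESS and resolver_ip in PUBLIC_RESOLVERS:
        return "false positive"  # VPN egress IP + public resolver, everything tunneled
    return "inconclusive"        # a mismatch these inputs cannot explain


# Constructed samples: a healthy session and one that leaks to the ISP resolver.
TUNNELED = [DnsQuery("tun0", "10.8.0.1", 53)]               # resolver reached via the tunnel
LEAKING = TUNNELED + [DnsQuery("eth0", "192.0.2.53", 53)]   # query sent straight to a hypothetical ISP DNS
```

Feed `host_leaks` with DNS queries observed on the device (for example from a packet capture on the physical interface) to get the evidence the website test cannot see.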