How to Avoid DNS Leaks in 2026 — Complete Guide

By SwissGuard Team · Last updated March 15, 2026

You are connected to your VPN, your IP address shows the VPN server's location, and you believe your online activity is private. But there is a hidden vulnerability that could be undermining your entire VPN connection: DNS leaks. A DNS leak can silently expose every website you visit to your internet service provider, even while your VPN is active.

In this guide, we will explain what DNS is, how DNS leaks occur, how to test whether your connection is leaking, and exactly how to fix and prevent DNS leaks on every major platform.

What Is DNS?

The Domain Name System (DNS) is often described as the phone book of the internet. When you type a website address like swissguard.co into your browser, your device needs to convert that human-readable name into a numerical IP address that computers use to communicate. This conversion process is called a DNS query, and it happens every time you visit a website, open an app, or connect to an online service.

How a DNS Query Works

1. You type "swissguard.co" into your browser's address bar and press Enter.

2. Your device sends a DNS query to a DNS resolver, asking it to look up the IP address associated with that domain name.

3. The DNS resolver responds with the IP address (for example, 188.190.4.101), and your browser connects to that IP to load the website.

By default, your DNS queries are sent to your ISP's DNS servers. This means your ISP sees every domain name you look up, which effectively provides them with a complete log of every website and service you access. This is true even if the actual content of your browsing is encrypted via HTTPS. The DNS query itself reveals the destination.

What Is a DNS Leak?

A DNS leak occurs when your DNS queries are sent outside of your VPN tunnel, typically to your ISP's DNS servers, instead of through the VPN to the VPN provider's DNS servers. This means that even though your actual internet traffic is encrypted and routed through the VPN, the domain names you are visiting are being leaked to your ISP in plain text.

No DNS Leak

You type a website address
DNS query encrypted inside VPN tunnel
VPN provider's DNS resolves the query
ISP sees only encrypted VPN traffic

DNS Leak

You type a website address
DNS query sent outside VPN to ISP
ISP's DNS resolves the query
ISP knows every site you visit

Warning: A DNS leak is particularly dangerous because it is invisible to the user. Your VPN may appear to be working perfectly (your IP address shows the VPN server), but your DNS queries are silently being sent to your ISP. Without actively testing for DNS leaks, you would never know your browsing history is being exposed.

How DNS Leaks Happen

DNS leaks can occur for several technical reasons, many of which are related to how your operating system handles DNS resolution when a VPN is active. Understanding these causes helps you prevent them.

1. Operating System DNS Configuration

Windows, in particular, is notorious for DNS leaks. When you connect to a VPN, the operating system may continue to use the DNS servers configured on your primary network adapter (usually your ISP's DNS) alongside the VPN's DNS servers. Windows uses a "smart multi-homed name resolution" feature that sends DNS queries to all available DNS servers simultaneously and uses whichever responds first. This means your ISP often receives your DNS queries even when the VPN is active.

2. IPv6 DNS Leaks

Many VPNs only tunnel IPv4 traffic. If your device has IPv6 enabled and your ISP supports it, DNS queries may be sent over IPv6, completely bypassing the IPv4 VPN tunnel. This is one of the most common and overlooked sources of DNS leaks, because the user has no indication that IPv6 traffic is not being tunneled.

3. VPN Connection Drops

If your VPN connection drops momentarily (even for a fraction of a second), your device may revert to its default DNS settings and send queries to your ISP before the VPN reconnects. Without a kill switch, these brief interruptions can leak DNS queries without you noticing.

4. Transparent DNS Proxies

Some ISPs use transparent DNS proxies that intercept all DNS traffic on port 53, regardless of which DNS server you have configured. Even if your VPN sets a custom DNS server, any query that leaves your device outside the VPN tunnel in plain text can be intercepted and answered by the ISP's transparent proxy. This is why it is important that your VPN encrypts DNS queries, not just redirects them.

5. Browser-Level DNS (DoH/DoT)

Modern browsers like Firefox and Chrome support DNS over HTTPS (DoH), which sends DNS queries to a configured DNS provider (like Cloudflare or Google) at the browser level. If DoH is enabled, the browser may bypass your VPN's DNS configuration entirely and send queries directly to a third-party DNS resolver. While this encrypts the DNS query itself, it exposes your browsing activity to the DoH provider rather than routing it through the VPN.

Testing for DNS Leaks

Testing for DNS leaks is straightforward and should be done every time you connect to your VPN, especially after changing network settings or updating your VPN software.

1. Connect to your VPN

Activate your VPN connection and wait for it to fully establish. Verify your IP address has changed by checking our What Is My IP tool.

2. Run a DNS leak test

Visit our DNS Leak Test tool and run the test. The tool will send multiple DNS queries and report which DNS servers resolved them.

3. Analyze the results

Look at the DNS servers reported in the results. If you see your ISP's DNS servers or any DNS servers that are not your VPN provider's servers, you have a DNS leak. The results should only show DNS servers operated by your VPN provider or the DNS servers you explicitly configured within the VPN.

Tip: Run the DNS leak test both with and without your VPN connected. This helps you understand which DNS servers your device uses by default (without VPN) and verify that all of those default servers are replaced when the VPN is active.

How to Fix DNS Leaks

If your DNS leak test reveals a leak, here are the steps to fix it on different platforms. Apply all relevant fixes for the most comprehensive protection.

Fix DNS Leaks on Windows

Disable smart multi-homed name resolution: Open the Group Policy Editor (gpedit.msc), navigate to Computer Configuration, Administrative Templates, Network, DNS Client, and enable "Turn off smart multi-homed name resolution." This prevents Windows from querying multiple DNS servers simultaneously.

Set the VPN DNS in your network adapter: Open your network adapter settings, go to the properties of your primary connection (Ethernet or WiFi), select Internet Protocol Version 4, and manually set the DNS servers to your VPN provider's DNS addresses. This ensures DNS queries go to the VPN provider even if the tunnel configuration fails.

Disable IPv6 if not tunneled: Open Network Adapter Properties and uncheck Internet Protocol Version 6 (TCP/IPv6). This prevents IPv6 DNS leaks if your VPN does not tunnel IPv6 traffic.

Fix DNS Leaks on macOS

Configure DNS through WireGuard: When using SwissGuard VPN with the WireGuard app on macOS, the DNS settings in the configuration file automatically override your system DNS. Ensure the DNS field in your WireGuard configuration is set to SwissGuard's DNS servers.

Flush DNS cache after connecting: Open Terminal and run "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder" after connecting to your VPN. This clears any cached DNS entries from before the VPN was connected.

Disable IPv6 if needed: Open System Settings, go to Network, select your active connection, click Details, then TCP/IP, and set Configure IPv6 to "Link-Local Only" to prevent IPv6 DNS leaks.

Fix DNS Leaks on Linux

Configure systemd-resolved: If your Linux distribution uses systemd-resolved, set the DNS servers in the WireGuard configuration and ensure the PostUp and PostDown scripts in your WireGuard config update the system DNS to use the VPN's DNS servers when the tunnel is active.

Prevent resolvconf overrides: Some Linux network managers (like NetworkManager) may override DNS settings when the network state changes. Configure your WireGuard connection to take priority over other DNS sources by setting the DNS priority in the connection profile.

Use firewall rules: For maximum protection, add iptables or nftables rules that block all DNS traffic (port 53) that does not go through the WireGuard interface. This acts as a system-level DNS leak kill switch.
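
As an added example (not SwissGuard's own tooling), the shell function below prints an nftables ruleset for the firewall rule described above: plain DNS on port 53 is dropped unless it leaves through the WireGuard interface. The interface name wg0 and the table name dns_leak_guard are assumptions.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that acts as a DNS leak kill switch.
# Assumptions: tunnel interface "wg0" (override with $1), table "dns_leak_guard".

dns_killswitch_rules() {
    wg_if="${1:-wg0}"
    # Refuse names that could break out of the quoted nft string.
    case "$wg_if" in
        *[!A-Za-z0-9_.-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    cat <<EOF
# Create-then-delete makes reloading idempotent (no duplicate rules).
table inet dns_leak_guard
delete table inet dns_leak_guard
table inet dns_leak_guard {
    chain output {
        type filter hook output priority 0; policy accept;
        # Local stub resolvers (for example 127.0.0.53) stay reachable.
        oifname "lo" accept
        # Plain DNS over UDP or TCP may only leave through the tunnel.
        oifname != "$wg_if" udp dport 53 drop
        oifname != "$wg_if" tcp dport 53 drop
    }
}
EOF
}

# Apply (as root):  dns_killswitch_rules wg0 | nft -f -
# Remove (as root): nft delete table inet dns_leak_guard
```

While the tunnel is down, all non-loopback port 53 traffic is dropped, which is the intended kill-switch behaviour. If your provider's WireGuard endpoint itself listens on UDP port 53, add an explicit accept rule for that endpoint before the drop rules.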

Fix Browser-Level DNS Leaks

Disable DNS over HTTPS (DoH): In Firefox, go to Settings, Privacy and Security, scroll to DNS over HTTPS, and select "Off." In Chrome, go to Settings, Privacy and Security, Security, and disable "Use secure DNS." This ensures the browser uses the system DNS (which should be your VPN's DNS) instead of a third-party DoH provider.

Disable WebRTC: WebRTC can leak your real IP address through STUN requests, even when using a VPN. In Firefox, go to about:config and set media.peerconnection.enabled to false. For Chrome, use an extension like WebRTC Leak Prevent.

SwissGuard VPN DNS Protection

SwissGuard VPN is designed to prevent DNS leaks by default. Here is how our infrastructure protects your DNS queries.

Private DNS Servers

SwissGuard operates its own private DNS servers on the same infrastructure as our VPN servers. When you connect to SwissGuard VPN, all DNS queries are resolved by our DNS servers within the encrypted tunnel. We do not use third-party DNS providers like Google or Cloudflare.

Encrypted DNS Within the Tunnel

DNS queries are sent through the WireGuard encrypted tunnel to our DNS servers. This means your ISP cannot intercept or read your DNS queries, even if they use transparent DNS proxies. The WireGuard configuration file automatically sets the DNS to our servers, so there is nothing extra to configure.

Zero-Log DNS

Our DNS servers do not log queries. We do not record which domains you look up, when you look them up, or how often. This is part of our strict zero-log policy that covers all aspects of our infrastructure, protected under Swiss privacy law.

Full Traffic Routing

SwissGuard VPN configurations set AllowedIPs to 0.0.0.0/0 and ::/0, which routes all IPv4 and IPv6 traffic through the VPN tunnel. This prevents both IPv4 and IPv6 DNS leaks by ensuring no traffic can bypass the encrypted tunnel.
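
The DNS and AllowedIPs settings discussed in this guide can be checked mechanically. The following added example (not SwissGuard's code) audits a wg-quick style configuration and reports a missing DNS line or missing 0.0.0.0/0 and ::/0 routes; the function names, finding labels and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag WireGuard settings that commonly let DNS bypass the tunnel.
# Prints one finding per line; prints nothing when the config looks leak-safe.

audit_wg_conf() {
    awk -F'=' '
        # Strip comments, then normalise "Key = Value" into key and val.
        { sub(/#.*/, ""); key = tolower($1); gsub(/[ \t]/, "", key)
          val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val) }
        key == "dns" && val != "" { dns = 1 }
        key == "allowedips" {
            n = split(val, nets, ",")
            for (i = 1; i <= n; i++) {
                if (nets[i] == "0.0.0.0/0") v4 = 1
                if (nets[i] == "::/0")      v6 = 1
            }
        }
        END {
            if (!dns) print "NO_DNS: no DNS line, the system resolver stays in use"
            if (!v4)  print "NO_V4_DEFAULT: AllowedIPs lacks 0.0.0.0/0"
            if (!v6)  print "NO_V6_DEFAULT: AllowedIPs lacks ::/0, IPv6 DNS can bypass the tunnel"
        }
    ' "$@"
}

# Constructed sample: IPv4-only routing and no DNS line (keys are placeholders).
sample_leaky_conf() {
    cat <<'EOF'
[Interface]
PrivateKey = <constructed-placeholder>
Address = 10.0.0.2/32

[Peer]
PublicKey = <constructed-placeholder>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
EOF
}

# Usage: audit_wg_conf /etc/wireguard/wg0.conf   or   sample_leaky_conf | audit_wg_conf
```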

Frequently Asked Questions

How often should I test for DNS leaks?

We recommend testing for DNS leaks every time you connect to your VPN, after any system update, after changing network settings, and when switching between WiFi and mobile data. DNS leak tests take only a few seconds and provide immediate peace of mind. Bookmark our DNS Leak Test tool for quick access.

Can a DNS leak reveal my identity?

A DNS leak alone does not directly reveal your name or physical address, but it reveals your browsing activity to your ISP, which can be linked to your identity through your ISP account. Combined with your ISP's own records of which IP address was assigned to your account at a given time, a DNS leak effectively allows your ISP (and anyone who requests data from them) to see exactly which websites you visited and when.

Is DNS over HTTPS (DoH) a good alternative to VPN DNS protection?

DNS over HTTPS encrypts your DNS queries, which prevents your ISP from reading them. However, DoH sends your queries to a third-party provider (like Cloudflare or Google) who can see which domains you visit. With a VPN, your DNS queries are encrypted within the tunnel and resolved by your VPN provider's own servers. If you are using a no-logs VPN like SwissGuard, this provides stronger privacy than DoH because no third party sees your queries at all.

Can DNS leaks happen on mobile devices?

Yes, DNS leaks can occur on both iOS and Android devices. Mobile operating systems may use their own DNS resolution mechanisms that bypass the VPN tunnel, especially when switching between WiFi and cellular data. Using a properly configured WireGuard profile on your mobile device (with DNS set to the VPN provider's servers) minimizes this risk. Test your mobile connection with our DNS leak test tool after connecting.

What should I do if I find a DNS leak?

If your DNS leak test reveals a leak, first disconnect your VPN and reconnect. If the leak persists, check the DNS settings in your VPN configuration file to ensure they point to your VPN provider's DNS servers. Then apply the platform-specific fixes described in this guide. After making changes, run the DNS leak test again to verify the fix worked. If you continue to experience leaks, contact your VPN provider's support team for assistance.

Does changing my DNS to 8.8.8.8 or 1.1.1.1 prevent DNS leaks?

No. Changing your DNS to a public resolver like Google (8.8.8.8) or Cloudflare (1.1.1.1) does not prevent DNS leaks. It simply changes who receives your leaked DNS queries. Instead of your ISP seeing your queries, Google or Cloudflare would see them. The only way to prevent DNS leaks is to ensure all DNS queries are routed through your VPN tunnel to your VPN provider's DNS servers.

Prevent DNS Leaks with SwissGuard VPN

Built-in DNS leak protection, private zero-log DNS servers, and Swiss privacy law. Your DNS queries stay private.
