Fix DNS Leaks on Windows, macOS, and Linux


A DNS leak happens when your device sends DNS requests outside the encrypted tunnel you expected (for example, outside your VPN). The result: websites and your ISP can still see which domains you look up, even if your traffic is otherwise protected.

This guide shows normal, non‑technical users how to check for leaks and fix them quickly on Windows, macOS, and Linux. We keep things simple and safe, with optional advanced steps if you want more control.

Before you start: Do a quick leak test

First, find out whether you actually have a leak. Open this page in the same browser and network you normally use (VPN on if you plan to use it):

Run the DNS Leak Test: myip.casa/dns-leak-test

If you see DNS servers from your ISP or your country when your VPN is ON, that’s a DNS leak.

Quick fixes that help on any system

  • Use your VPN app’s DNS protection: Many VPN apps have a setting like “DNS leak protection,” “Use VPN DNS,” or “Block outside DNS.” Turn it on, then reconnect the VPN.
  • Enable Secure DNS (DNS over HTTPS) in your browser: This encrypts DNS from the browser itself (great for public Wi‑Fi).
    • Chrome/Edge/Brave: Settings → Privacy → Use secure DNS → Choose a provider (e.g., Cloudflare or Google).
    • Firefox: Settings → Privacy and Security → Network Settings → Enable DNS over HTTPS → Choose a provider.
    • Safari: Uses system DNS; see macOS section below to set a trusted DNS or use a VPN.
  • Reconnect the network: Turn Wi‑Fi off and on, or unplug/plug Ethernet. Then reconnect your VPN and test again.

Windows: Step‑by‑step fixes

1) Set trusted DNS servers

Choose a reputable public DNS. Two common choices:

  • Cloudflare: 1.1.1.1 and 1.0.0.1
  • Google: 8.8.8.8 and 8.8.4.4

How to set on Windows 10/11:

  1. Open Settings → Network & Internet → Advanced network settings → More network adapter options.
  2. Right‑click your active connection → Properties.
  3. Select “Internet Protocol Version 4 (TCP/IPv4)” → Properties.
  4. Choose “Use the following DNS server addresses” and enter the DNS above.
  5. Do the same for “Internet Protocol Version 6 (TCP/IPv6)” if you use IPv6 (optional).
  6. Click OK → Close. Reconnect to your network and VPN.

2) Flush the DNS cache

This clears old entries that might cause mixed or leaking lookups.

# PowerShell or Command Prompt (Run as Administrator)
ipconfig /flushdns

3) Disable “Smart Multi‑Homed Name Resolution” (optional)

Windows can sometimes query multiple interfaces. If your VPN app doesn’t already prevent this, consider disabling the feature via Group Policy or a reputable VPN setting. For most users, enabling “DNS leak protection” in the VPN app is simpler.

4) Test again

Reconnect your VPN and run the test: myip.casa/dns-leak-test.

macOS: Step‑by‑step fixes

1) Set trusted DNS servers

  1. System Settings → Network → Your active network → Details.
  2. Go to DNS → Add servers:
    • Cloudflare: 1.1.1.1, 1.0.0.1
    • Google: 8.8.8.8, 8.8.4.4
  3. Click OK → Apply. Reconnect Wi‑Fi and your VPN.

2) Flush the DNS cache

# macOS (Terminal)
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

3) Prefer the VPN’s own DNS

Most macOS VPN apps can “force” DNS through the tunnel. Look for options like “DNS leak protection,” “Use VPN DNS,” or “Force all traffic through VPN.” Enable them, reconnect, then test.

4) Test again

Run the test: myip.casa/dns-leak-test.

Linux: Step‑by‑step fixes

1) Check which resolver you use

# systemd-resolved (Ubuntu, Fedora, etc.)
resolvectl status

# Or check the stub file:
cat /etc/resolv.conf

2) Set trusted DNS servers

Two simple approaches:

  • Via your network manager GUI (easiest): Network settings → IPv4/IPv6 → DNS → set 1.1.1.1, 1.0.0.1 (or your preferred provider) → Save → reconnect.
  • Via systemd-resolved:
# Replace 'wlan0' or 'eth0' with your interface name (see: ip link)
sudo resolvectl dns wlan0 1.1.1.1 1.0.0.1
sudo resolvectl dnssec wlan0 yes
sudo resolvectl flush-caches

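Settings made with resolvectl are runtime-only: they do not survive a reboot and may be overwritten when your network manager reconfigures the link, so use the network manager GUI for a permanent change. If your distro doesn’t use systemd-resolved, set DNS in NetworkManager or edit /etc/resolv.conf directly (only if no other service manages that file). Reconnect the network and VPN afterward.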

3) Flush caches

# systemd-resolved
sudo resolvectl flush-caches

# nscd (if installed)
sudo service nscd restart

# dnsmasq (if used locally)
sudo service dnsmasq restart

4) Test again

Run the test: myip.casa/dns-leak-test.
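
The web test shows which resolvers answer; on systems that use systemd-resolved you can also check locally which links are allowed to receive lookups. The script below is an added example, not part of the original guide: it reads resolvectl status output and flags any non-VPN link that still carries DNS servers unless the VPN link alone holds the catch-all routing domain "~.". The interface name wg0 and the sample output are constructed assumptions, and the check is deliberately conservative (it ignores the per-link DefaultRoute flag).

```shell
#!/bin/sh
# Added example (not from the guide): flag DNS servers that bypass the VPN link.
# Live use:  resolvectl status | audit_resolved wg0   (wg0 is an assumed name)
audit_resolved() {
    # $1 = VPN interface; `resolvectl status` text arrives on stdin.
    awk -v vpn="$1" '
        /^Global/ { link = "" }
        /^Link [0-9]+ \(/ {               # "Link 2 (wlan0)" opens a per-link block
            link = $3; gsub(/[()]/, "", link); next
        }
        link != "" && /^ *DNS Servers:/ { # servers configured on this link
            sub(/^ *DNS Servers: */, ""); servers[link] = $0
        }
        link != "" && /^ *DNS Domain:/ {  # "~." routes every lookup to this link
            sub(/^ *DNS Domain: */, "")
            if ((" " $0 " ") ~ / ~\. /) catchall[link] = 1
        }
        END {
            if (!(vpn in servers)) { print "FAIL: no DNS server on " vpn; exit 2 }
            # Another link is safe only if the VPN link alone holds "~."
            for (l in servers)
                if (l != vpn && !(catchall[vpn] && !catchall[l])) {
                    print "LEAK-RISK: " l " -> " servers[l]; bad = 1
                }
            if (!bad) print "OK: lookups stay on " vpn
            exit bad + 0
        }'
}

# Constructed sample: Wi-Fi and VPN both carry DNS servers, no catch-all domain.
sample_leaky() { cat <<'EOF'
Global
resolv.conf mode: stub

Link 2 (wlan0)
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: lan

Link 5 (wg0)
Current DNS Server: 10.64.0.1
       DNS Servers: 10.64.0.1
EOF
}
# Same state after the VPN client adds the catch-all routing domain to wg0.
sample_fixed() { sample_leaky; echo "        DNS Domain: ~."; }

sample_leaky | audit_resolved wg0 || true   # exit status 1 signals a leak risk
sample_fixed | audit_resolved wg0
```

Exit status is 0 when lookups stay on the VPN link, 1 when another link can receive them, and 2 when the named VPN interface has no DNS server at all.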

Browser tips to prevent leaks

  • Enable Secure DNS (DoH): Turn on DNS over HTTPS in your browser settings (see “Quick fixes”).
  • Reduce WebRTC exposure: WebRTC can reveal local IPs in the browser. In Firefox, set it to “Proxy all” or disable via about:config; in Chromium‑based browsers, use an extension that limits WebRTC to your proxy/VPN. Then retest.
  • Use one path for DNS: Avoid running a separate “smart DNS” tool alongside a VPN unless you know it’s compatible.

VPN app settings that matter

  • DNS leak protection / Use VPN DNS: Ensure the toggle is on.
  • Kill switch: Prevents traffic (including DNS) from leaving outside the tunnel if the VPN drops.
  • Split tunneling: If enabled, make sure your browser and DNS‑using apps are inside the VPN path.
  • Protocol choice: Modern protocols like WireGuard or OpenVPN UDP/TCP often handle DNS reliably when configured by your provider.

IPv6 considerations

Some networks and VPNs handle IPv6 differently. If you still see leaks:

  • Prefer a VPN that fully supports IPv6 (best option).
  • Or temporarily disable IPv6 at the OS level while using a VPN that only supports IPv4. After disabling, flush DNS and retest. Re‑enable IPv6 later if needed.

Troubleshooting checklist

  • Restart your VPN app and reconnect to a different server.
  • Forget and rejoin your Wi‑Fi network (enter the password again).
  • Temporarily disable third‑party security apps that might intercept DNS, then test.
  • Try another browser with Secure DNS enabled to isolate whether the issue is system‑wide or browser‑only.

You’re done: verify your fix

After applying the steps for your system, run the test again:

Check for DNS leaks now: myip.casa/dns-leak-test

Tip: With a VPN connected and DNS leak protection enabled, the test should only show DNS servers from your VPN or your chosen trusted DNS, not your ISP.