
How to Check for and Fix a WiFi DNS Leak: Testing Tools, Router DNS Settings, and VPN Split-Tunnel Fixes for Private Browsing

A DNS leak sends your browsing queries to your ISP even when you think you’re protected by a VPN. Here’s how to test for a leak in under two minutes, what causes them on home routers, and the exact settings to change on your router, VPN app, and operating system to stop them.


A DNS leak is one of the most common — and most misunderstood — privacy failures on home networks. Even when your VPN is active and your traffic is encrypted, your device may still be sending DNS queries — the requests that translate “example.com” into an IP address — directly to your ISP’s resolver instead of routing them through the VPN tunnel. Your ISP can see every domain you visit, even though they can’t read the content of your browsing. This guide walks through how to test for a leak, why it happens, and exactly how to fix it at the router, VPN app, and operating system level.

What Is a DNS Leak?

When you type a URL into a browser, your device first asks a DNS resolver to look up the IP address of that domain. Under normal conditions without a VPN, this query goes to your ISP’s DNS servers — so your ISP has a complete log of every domain you visit. A VPN is supposed to prevent this by routing DNS queries through its own encrypted tunnel to private resolvers. A DNS leak means that routing has broken down: your encrypted web traffic goes through the VPN, but your DNS queries bypass it and reach your ISP anyway. The result is a privacy gap that exposes your full browsing history to your provider even though your connection appears protected.

DNS leaks are distinct from IP leaks (where your real IP address is exposed) and WebRTC leaks (where browsers expose your local network IP). All three can coexist, but DNS leaks are by far the most common on home networks in 2026.

How to Test for a DNS Leak

Testing takes under two minutes and requires no software installation.

  1. Connect to your VPN and confirm it shows as active.
  2. Open a browser and navigate to dnsleaktest.com or browserleaks.com/dns.
  3. Click Standard test (or Extended for a more thorough check).
  4. The tool shows which DNS servers responded to the test queries. If you see your ISP’s servers in the results — rather than your VPN provider’s servers or a privacy-focused public resolver — your DNS is leaking.

Run the test a second time without your VPN connected to confirm what your baseline DNS servers are. If the same servers appear in both tests, the VPN is providing no DNS protection at all. If the servers differ but still show your ISP’s infrastructure, the leak is partial.

Common Causes of DNS Leaks

Several different failure points can produce a DNS leak, and fixing the wrong one won’t solve the problem.

  • Router DHCP pushing ISP DNS: Most home routers are set by default to push your ISP’s DNS servers to every device on the network via DHCP. When a VPN app on your laptop takes over the network adapter, it may not override this DHCP-assigned DNS setting, leaving ISP resolvers in place alongside the VPN tunnel.
  • Split tunneling misconfiguration: VPN split tunneling lets you route some apps through the VPN and others directly. A common misconfiguration routes app traffic through the VPN but leaves DNS queries on the host OS’s default resolver, which answers from your ISP’s servers.
  • Windows Smart Multi-Homed Name Resolution: On Windows 10 and 11, this feature sends DNS queries to all available network interfaces simultaneously for speed. When your VPN adapter and your physical WiFi adapter both exist, Windows may send queries to both — and your ISP’s server often responds first.
  • Captive portal DNS override: Hotel, airport, and coffee shop WiFi networks inject their own DNS servers via DHCP to run their login portal. Some VPN clients fail to override this, leaving the network’s DNS in place even after the VPN connects.
  • IPv6 not covered by the VPN: If your router assigns IPv6 addresses and your VPN only tunnels IPv4 traffic, IPv6 DNS queries travel entirely outside the tunnel to your ISP’s IPv6 resolvers. This is a silent leak that standard DNS tests catch but many VPN connection indicators do not.
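
A local cross-check for the causes above, as an added example that is not part of the original guide: it parses `ipconfig /all` output and lists every resolver, per adapter, that falls outside the set you expect while the VPN is connected. The adapter names and addresses are constructed sample values, and a listed resolver is a candidate to confirm with the leak test, not proof of a leak.

```python
import ipaddress
import re
# Constructed `ipconfig /all` excerpt (English locale, documentation address ranges).
SAMPLE = """\
Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       2001:db8::53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Unknown adapter ExampleVPN:

   DNS Servers . . . . . . . . . . . : 10.8.0.1
"""
DNS_LINE = re.compile(r"\s+DNS Servers[ .]*:\s*(\S+)")

def to_ip(token):
    try:
        return ipaddress.ip_address(token.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def resolvers_by_adapter(text):
    """Map adapter name -> DNS server addresses listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        match = DNS_LINE.match(line)
        if stripped.endswith(":") and not line[0].isspace():  # adapter header
            current, in_dns = stripped[:-1].split("adapter ", 1)[-1], False
            adapters[current] = []
        elif current and match and to_ip(match.group(1)):
            adapters[current].append(to_ip(match.group(1)))
            in_dns = True
        elif in_dns and to_ip(stripped):  # continuation line: address only
            adapters[current].append(to_ip(stripped))
        else:
            in_dns = False
    return adapters

def audit(text, tunnel_adapter, allowed):
    """List (adapter, resolver, note) for every resolver outside the allowed set."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    return [
        (name, str(ip), "on tunnel" if name == tunnel_adapter else f"IPv{ip.version} off tunnel")
        for name, servers in resolvers_by_adapter(text).items()
        for ip in servers if ip not in allowed
    ]
```

Run it against the real output of `ipconfig /all` captured with the VPN connected, passing your tunnel adapter’s name and the resolvers you expect to be in use.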

Fix 1: Set a Private DNS Server on Your Router

Changing the DNS server on your router affects every device on your network at once, without touching individual devices or apps. Log into your router admin panel (typically 192.168.1.1 or 192.168.0.1) and find the DNS settings under WAN or Internet setup. Replace the ISP-assigned DNS entries with a privacy-focused public resolver:

  • Cloudflare: 1.1.1.1 and 1.0.0.1 (privacy-first, fastest average response time in independent benchmarks)
  • Quad9: 9.9.9.9 and 149.112.112.112 (privacy-first with malware blocking)
  • Google: 8.8.8.8 and 8.8.4.4 (reliable but Google logs queries)

After saving, reboot your router and run the DNS leak test again. Your ISP’s servers should no longer appear in the results. Note that this fix keeps your queries off your ISP’s resolvers, but it does not encrypt DNS queries in transit, so they can still be observed on the network path. To encrypt them, you need DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT), which some routers support natively and most modern operating systems can be configured to use.

For TP-Link routers, DNS settings are under Advanced › Network › Internet › DNS. On ASUS routers, navigate to WAN › Internet Connection › WAN DNS Setting and disable “Connect to DNS Server automatically.” On eero, DNS is configured in the eero app under Network Settings › DNS. See our guide on router security settings for additional privacy hardening steps to take while you’re in the admin panel.

Fix 2: Enable DNS Leak Protection in Your VPN App

Most major VPN providers added explicit DNS leak protection settings after this became a widespread problem. In your VPN app, look for a setting labeled DNS Leak Protection, Prevent DNS Leaks, or Use VPN DNS Only and enable it. This forces the app to override the OS DNS configuration when the VPN connects, replacing ISP or router-assigned servers with the VPN provider’s own resolvers.

In NordVPN, this setting is under Settings › Advanced › DNS. In ExpressVPN, the option is labeled Use ExpressVPN DNS Servers in Preferences › Advanced. In Mullvad, custom DNS and leak protection are configured under Settings › Advanced. After enabling, reconnect to a VPN server and run the DNS leak test again before considering the issue resolved.

Fix 3: Disable Split Tunneling or Configure It Correctly

Split tunneling is a frequent leak source because most implementations route app traffic through the tunnel while leaving DNS on the default OS resolver. If you’re using split tunneling and failing a DNS leak test, try disabling it entirely first to confirm it’s the cause. If removing split tunneling stops the leak, re-enable it carefully: most VPN apps that support “app-based” split tunneling have a separate toggle for whether DNS queries from split-tunneled apps should also bypass the VPN. Set this to “route DNS through VPN for all apps” regardless of which apps bypass the tunnel for data traffic.

Fix 4: Disable Windows Smart Multi-Homed Name Resolution

On Windows 10 and 11, Smart Multi-Homed Name Resolution sends DNS queries to all available interfaces simultaneously. To disable it:

  1. Press Win + R, type gpedit.msc, and press Enter to open Group Policy Editor.
  2. Navigate to Computer Configuration › Administrative Templates › Network › DNS Client.
  3. Find Turn off smart multi-homed name resolution and set it to Enabled.
  4. Restart your computer.

This forces Windows to use only the primary network adapter’s DNS resolver, which should be your VPN when it’s active. The Group Policy Editor is available on Windows 10 and 11 Pro and Enterprise; Home editions require a registry edit instead: under the key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, set the DWORD value DisableSmartNameResolution to 1.

Fix 5: Disable IPv6 if Your VPN Doesn’t Tunnel It

If your VPN provider does not support IPv6 tunneling, the safest approach is to disable IPv6 on your router entirely until your VPN adds support. Log into your router and look for an IPv6 setting under WAN or Advanced Network settings — disable it or set the connection type to “IPv4 only.” This prevents IPv6 DNS queries from traveling outside the VPN tunnel. Most consumer routers have this option; on ASUS routers, it is under Advanced Settings › IPv6. On TP-Link Archer routers, look under Advanced › IPv6.

Alternatively, check whether your VPN app has an IPv6 leak protection setting. NordVPN and Mullvad both include this; enabling it blocks IPv6 traffic entirely when the VPN is connected, which prevents leaks without requiring a router change.

Verifying the Fix

After applying any combination of the fixes above, run the DNS leak test at dnsleaktest.com a second time with your VPN connected. The results should show only your VPN provider’s DNS servers or a third-party privacy resolver like Cloudflare — not your ISP. Run a second test at browserleaks.com to check for WebRTC leaks and IPv6 leaks simultaneously. If all three tests show clean results, your connection is as private as your VPN provider’s policies allow. For ongoing monitoring, your router logs can show which DNS servers are actually being queried — see our guide on how to read router system logs for instructions on interpreting those entries.
