DNS Leak Test

Verify your encrypted DNS configuration (DoH/DoT/DoQ) is working correctly. See which DNS resolvers are handling your requests.

What is a DNS Leak?

Secure: Protected Connection

[Diagram: You, ISP (Blind), Encrypted DNS]

✓ Expected: DNS queries are encrypted via DoH, DoT, or DoQ. Your ISP only sees encrypted traffic and cannot log which sites you visit.

Leaking: DNS Leak Detected

[Diagram: You, ISP (Watching), ISP DNS]

✗ Problem: DNS queries are sent unencrypted to your ISP's resolver. They can log every website you visit and potentially inject ads or block content.

Common Causes of DNS Leaks

  • Misconfigured Client: The DNS client is not set as the system resolver.
  • IPv6 Leaks: IPv4 DNS is encrypted, but IPv6 queries bypass it.
  • Transparent Proxy: The ISP intercepts DNS at the network level.
  • Browser Override: The browser's built-in DoH uses a different resolver.

Run Your Test

Your Connection

  • Public IP Address
  • ISP / Org
  • Location

Compare this with your DNS results below.

Control Panel

Sends 6 unique DNS queries to detect all resolvers.

How to Read Results

  • Good: Resolvers are different from your ISP shown above
  • Bad: Resolvers match your ISP organization
  • Note: DNS providers often use cloud hosting infrastructure, so the organization name may differ from your DNS service

DNS Resolvers Detected

Click "Run Extended Test" to discover which DNS servers are handling your requests.

Understanding Your Results

Signs of a Secure Setup

  • Resolvers are different from your ISP shown in "Your Connection"
  • Resolvers are in locations you expect based on your DNS provider
  • Seeing multiple resolvers from different organizations is normal if you use dnscrypt-proxy with multiple servers
  • Organization names may show hosting providers rather than your DNS service name

Signs of a DNS Leak

  • Resolver organization matches your ISP name
  • Resolver is in your exact city/region when your DNS provider should be elsewhere
  • You see your router's IP (192.168.x.x, 10.x.x.x)
  • A mix of ISP and other resolvers indicates a partial leak

Important: About Organization Names

Many privacy DNS providers use cloud hosting infrastructure to run their servers globally. This means the organization name shown may be a hosting company, not your DNS service. This is completely normal and doesn't indicate a leak. The key is that the resolver is not your ISP.
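The reading rules above can be applied mechanically. The following is an added example, not code from this site: it classifies each detected resolver as LAN, ISP or other and derives an overall verdict. The organization-name matching heuristic, the function names and all sample data are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges; the page lists 192.168.x.x and 10.x.x.x as router addresses.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: corporate suffixes are ignored when comparing organization names.
SUFFIXES = {"llc", "inc", "ltd", "corp", "co", "gmbh", "sa", "ag"}

def org_tokens(name):
    """Lowercased alphanumeric words of an organization name, minus suffixes."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in SUFFIXES}

def same_org(a, b):
    """Heuristic: names match when one token set is contained in the other."""
    ta, tb = org_tokens(a), org_tokens(b)
    return bool(ta) and bool(tb) and (ta <= tb or tb <= ta)

def classify_resolver(ip, org, isp_org):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_NETS):
        return "lan"    # router address: its upstream resolver is unknown
    if same_org(org, isp_org):
        return "isp"
    return "other"      # hosting-company names are expected here

def verdict(isp_org, resolvers):
    """resolvers: list of (ip, organization) pairs from the results table."""
    kinds = [classify_resolver(ip, org, isp_org) for ip, org in resolvers]
    if not kinds:
        return "no results"
    bad = [k for k in kinds if k != "other"]
    if not bad:
        return "secure"
    return "leak" if len(bad) == len(kinds) else "partial leak"

# Constructed sample data (documentation IP ranges, made-up organization names).
ISP = "Example Broadband Ltd."
SECURE = [("198.51.100.7", "Sample Cloud Hosting Inc"),
          ("203.0.113.9", "Other Hosting GmbH")]
PARTIAL = SECURE + [("192.0.2.53", "EXAMPLE BROADBAND")]
ROUTER = [("192.168.1.1", "")]

if __name__ == "__main__":
    for name, res in (("secure", SECURE), ("partial", PARTIAL), ("router", ROUTER)):
        print(name, "->", verdict(ISP, res))
```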

Need to Fix a DNS Leak?

Configure encrypted DNS (DoH/DoT/DoQ) at the system level using tools like dnscrypt-proxy, stubby, or your OS's native settings.

Troubleshooting

No Results Found

  • Your browser may have cached DNS responses. Try clearing cache or using incognito mode.
  • Ad blockers or privacy extensions may block our test domains. Temporarily disable them.
  • Some corporate firewalls block external DNS queries entirely.

Still Seeing ISP DNS?

  • Verify your DNS client is running: systemctl status dnscrypt-proxy
  • Check that system DNS points to 127.0.0.1, where your client listens.
  • On Linux, ensure /etc/resolv.conf isn't overwritten by NetworkManager.
  • Disable your browser's built-in DoH if you want system DNS to be used.
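An added example (not part of this site's tooling) that audits the contents of a resolv.conf file for the two conditions in the checklist above: every nameserver should be a loopback address, and the file should not carry the "Generated by NetworkManager" header. The function name and the sample file contents are constructed for illustration.

```python
import ipaddress

def audit_resolv_conf(text):
    """Return (nameservers, problems) for the contents of a resolv.conf file."""
    nameservers, problems = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):
            # NetworkManager marks files it manages with this comment header.
            if "generated by networkmanager" in line.lower():
                problems.append("file is generated by NetworkManager and may be rewritten")
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            nameservers.append(fields[1])
    if not nameservers:
        problems.append("no nameserver lines found")
    for ns in nameservers:
        try:
            local = ipaddress.ip_address(ns).is_loopback
        except ValueError:
            problems.append(f"unparseable nameserver {ns}")
            continue
        # A non-loopback entry is a leak path even when listed second:
        # the stub resolver falls through to it if the first one times out.
        if not local:
            problems.append(f"nameserver {ns} bypasses the local DNS client")
    return nameservers, problems

# Constructed sample file contents.
GOOD = "nameserver 127.0.0.1\noptions edns0\n"
OVERWRITTEN = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"
FALLBACK = "nameserver 127.0.0.1\nnameserver 192.168.1.1\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("overwritten", OVERWRITTEN),
                          ("fallback", FALLBACK)):
        print(label, audit_resolv_conf(sample))
```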

Transparent DNS Proxy

  • Some ISPs intercept all DNS traffic on port 53, regardless of destination.
  • Solution: Use DoH (port 443), DoT (port 853), or DoQ (port 8853) which cannot be easily intercepted.
  • Our setup guide shows how to configure encrypted DNS.

Mobile Devices

  • Android 9+: Use Private DNS with dnsdoh.art
  • iOS 14+: Install a DNS profile from our setup page.
  • Mobile browsers may have separate DNS settings that override system config.

Frequently Asked Questions

How does this test work?
We generate unique subdomains (e.g., abc123.leak.dnsdoh.art) that have never been queried before. Your browser must perform a fresh DNS lookup, which our authoritative nameserver logs. We then show you which DNS resolvers made the query on your behalf.
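The mechanism in the answer above, sketched as an added example (not the site's own code): random names are generated under the test zone, and the authoritative server's query log is filtered for those names to recover the resolver addresses. The log line format, the function names and the sample log are assumptions constructed for illustration.

```python
import secrets

ZONE = "leak.dnsdoh.art"   # test zone named in the answer above
QUERIES_PER_TEST = 6       # the page's control panel sends 6 unique queries

def new_test_names(n=QUERIES_PER_TEST):
    """Random, never-before-seen names, so no cache can answer them."""
    return [f"{secrets.token_hex(8)}.{ZONE}" for _ in range(n)]

def parse_log_line(line):
    """Assumed (hypothetical) log format: '<timestamp> <source_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, src, qname, _ = parts
    # Resolvers may randomize QNAME letter case, so compare in lowercase.
    return src, qname.rstrip(".").lower()

def resolvers_for_test(names, log_lines):
    """Map each source IP seen by the authoritative server to the test names it asked for.

    The source IP is the recursive resolver's egress address, not the browser's.
    """
    wanted = {n.lower() for n in names}
    seen = {}
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed and parsed[1] in wanted:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    return seen

# Constructed example: two fixed test names and four log lines (documentation IPs).
NAMES = ["a1b2c3d4e5f60718.leak.dnsdoh.art", "0f1e2d3c4b5a6978.leak.dnsdoh.art"]
LOG = [
    "2024-01-01T00:00:01Z 198.51.100.7 a1b2c3d4e5f60718.leak.dnsdoh.art. A",
    "2024-01-01T00:00:01Z 203.0.113.9 0F1E2D3C4B5A6978.LEAK.dnsdoh.art. A",
    "2024-01-01T00:00:02Z 198.51.100.7 0f1e2d3c4b5a6978.leak.dnsdoh.art. AAAA",
    "2024-01-01T00:00:02Z 192.0.2.44 ffffffffffffffff.leak.dnsdoh.art. A",
]

if __name__ == "__main__":
    print(new_test_names())
    for ip, asked in sorted(resolvers_for_test(NAMES, LOG).items()):
        print(ip, sorted(asked))
```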
Why doesn't the organization name match my DNS provider?
Many privacy DNS providers use cloud hosting infrastructure to run their servers globally. The IP lookup shows the hosting company, not your DNS service. This is completely normal. The important thing is that it's not your ISP.
Why do I see multiple different resolvers?
This is normal for several reasons:
  • DNS providers use multiple servers for load balancing and redundancy
  • If you use dnscrypt-proxy with multiple upstream servers, each query may go to a different one
  • Anycast routing may direct queries to different data centers
As long as none of them are your ISP, you're not leaking.
Is my data logged or stored?
Test results are temporarily stored (typically less than 5 minutes) to display your results, then automatically deleted. We do not permanently log DNS queries, IP addresses, or any personally identifiable information.
What's the difference between DNS leak and IP leak?
IP leak tests check if your real IP address is exposed (via WebRTC, etc.). DNS leak tests check if your DNS queries are going to the expected resolver. You can have a hidden IP but still leak DNS, which reveals your browsing activity.