Does Your VPN Leak DNS?

A VPN hides the contents of your traffic, but the lookups that turn domain names into addresses can quietly take a different road. When they do, the server that answers them still sees the names of the sites you visit.

[Figure: your device and the encrypted VPN tunnel, with two paths for a lookup: the VPN's resolver inside the tunnel (expected) and your ISP's resolver outside the tunnel (a leak).]

The same lookup can stay inside the tunnel and reach your VPN's resolver, or slip outside it and reach your ISP's. The leak test shows which one actually happened.

A DNS leak does not mean your VPN is broken. It means one specific thing has slipped outside the tunnel: the lookups. And because those lookups carry the name of every site you open, the server answering them can build the same picture a VPN is meant to hide.

What a DNS leak actually is

Before your device can connect to a site, it asks a DNS resolver to translate the name into an address. A VPN is supposed to carry that question through the same encrypted tunnel as the rest of your traffic, so it is answered by a resolver your VPN provider controls. When the question instead travels outside the tunnel, usually to the resolver your internet provider handed you, that is a DNS leak.

The payload of your traffic can still be fully encrypted while this happens. That is what makes a leak easy to miss: nothing looks wrong, pages load normally, yet the list of domains you visit is being read by a server you did not choose. If you want the underlying mechanism, the companion guide on how the DNS leak test works walks through how a resolver reveals itself.

How to check, in about two minutes

STEP 01

Connect the VPN

Bring up the VPN exactly as you normally use it, and wait for it to report that it is connected.

STEP 02

Run the leak test

Open the DNS leak test and let it finish. It forces fresh lookups so no cache can hide the answer.

STEP 03

Read the resolvers

Look at which servers answered. Whether they belong to your VPN or to your ISP is the whole result.

Reading the result

No leak

Every resolver shown belongs to your VPN provider. The lookups stayed inside the tunnel.

198.51.100.24 VPN provider
198.51.100.25 VPN provider

A leak

A resolver belonging to your ISP or local network appears next to, or instead of, the VPN's.

198.51.100.24 VPN provider
203.0.113.7 your ISP
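
The comparison described under "Reading the result", written out as an added example that is not part of the original guide or of the leak test itself. It goes slightly beyond the two samples above by also handling an IPv6 resolver. The function name classify_resolvers, the VPN range 198.51.100.0/24 (built from the guide's sample addresses) and the address 2001:db8::53 are assumptions made for illustration.

```python
import ipaddress

def classify_resolvers(observed, vpn_networks):
    """Return (verdict, labels) for the resolvers a leak test reported.

    observed     -- resolver addresses copied from the test result
    vpn_networks -- CIDR ranges your VPN provider uses for its resolvers
                    (assumption: you got these from the provider)
    """
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    labels = {}
    for raw in observed:
        text = raw.strip()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            labels[text] = "unparseable"
            continue
        # Compare only against ranges of the same IP version, so an IPv6
        # resolver is never matched by an IPv4-only VPN range.
        inside = any(addr.version == n.version and addr in n for n in nets)
        labels[text] = "vpn" if inside else "outside tunnel"
    found = set(labels.values())
    if "outside tunnel" in found:
        verdict = "leak"            # one resolver outside the VPN is enough
    elif not found or "unparseable" in found:
        verdict = "inconclusive"    # nothing usable to judge from
    else:
        verdict = "no leak"
    return verdict, labels

if __name__ == "__main__":
    VPN_RANGES = ["198.51.100.0/24"]  # constructed from the guide's samples
    samples = {
        "no leak": ["198.51.100.24", "198.51.100.25"],
        "ISP resolver": ["198.51.100.24", "203.0.113.7"],
        "IPv6 path": ["198.51.100.24", "2001:db8::53"],  # constructed
    }
    for name, resolvers in samples.items():
        print(name, classify_resolvers(resolvers, VPN_RANGES))
```
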

A resolver's address is not your home address. It tells you which network answered the lookup, not where you live. To see what your connection exposes more broadly, the IP and fingerprint check covers the rest.

Why leaks happen

A leak is rarely the VPN failing outright. It is usually one path the VPN did not capture. The common causes:

  • The operating system asks on its own. Some systems keep a separate resolver setting that ignores the tunnel unless the VPN overrides it.
  • IPv6 is not routed. If the VPN only tunnels IPv4 but your network also has IPv6, lookups can slip out over the path the VPN never claimed.
  • Split tunneling. When some apps are excluded from the VPN by design, their lookups leave outside it too.
  • The browser does its own DNS. A browser configured for encrypted DNS can send lookups to a third resolver that has nothing to do with the VPN.
  • The network intercepts DNS. Some routers and public networks quietly redirect lookups to their own resolver before the tunnel can take over.

What a leak does, and does not, mean

It does mean the resolver that answered can see the domains you looked up, and can keep a record of them. One fresh lookup escaping is enough to reveal the pattern, so an occasional leak still matters.

It does not mean the contents of your traffic were exposed, that the resolver learned your home address, or that the VPN is useless. It means a specific gap exists between your device and the tunnel, and that gap is fixable.

Closing the gap

Most leaks close with one of a few changes: turn on the VPN's own DNS or its leak-protection option so it forces every lookup through the tunnel; disable IPv6 if the VPN does not carry it; and check that your browser is not running its own encrypted DNS that points elsewhere. The full walkthrough, layer by layer, is in how to fix a DNS leak.

If you would rather control DNS yourself instead of relying on the VPN's default, you can point your device at an encrypted resolver directly. The setup guide covers configuring DNS over HTTPS and DNS over TLS per platform. Either way, re-run the leak test afterwards to confirm the change took effect.

Check your own connection

Connect your VPN, then run the test. The resolvers that answer are the answer.