Comparitech Logo

Please turn off your VPN and press the button below.

Other DNS details

Recommended VPN to avoid DNS leaks

DNS Address leak

First, run the test with your VPN off. Make a note of the IP addresses and locations listed in each of the test results. Next, turn your VPN on and run the test again. If your VPN does not leak DNS requests, all of the IP addresses and locations should be different. Ideally, they will all be in the location of the VPN server you chose.If your VPN does leak DNS requests, then one or more of the IP addresses will be the same in both tests. This happens when the VPN fails to route a DNS request to its own server instead of the default DNS server specified by your ISP or in your internet settings.A DNS leak can reveal your true IP address and/or location to a website while also allowing your ISP or another entity to monitor your browsing, which defeats the purpose of a VPN.
The solution to a DNS leak depends on the root cause. Run this test after each of the following steps to troubleshoot and patch the leak (check next section for WebRTC leaks):
  • 1. First, go into your VPN app's settings and look around for any option to route DNS requests to the VPN servers or enable DNS leak prevention. Turn it on if available.
  • 2. Change your DNS servers. You will need to manually replace the preferred and alternate DNS nameservers in your device's internet settings. You can also ask your VPN provider's customer support for its DNS nameserver addresses. The exact process to do this depends on your operating system. Here are some DNS nameserver addresses (IPv4 unless otherwise stated) that are popular and reliable:
    • OpenDNS
      • ■ preferred: 208.67.222.222
      • ■ alternate: 208.67.222.220
      • ■ preferred: (IPv6): 2620:0:ccc::2
      • ■ alternate: (IPv6): 2620:0:ccd::2
    • Comodo Secure DNS
      • ■ preferred: 8.26.56.26
      • ■ alternate: 8.20.247.20
    • Google Public DNS
      • ■ preferred: 8.8.8.8
      • ■ alternate: 8.8.4.4
      • ■ preferred (IPv6): 2001:4860:4860::8888
      • ■ alternate (IPv6): 2001:4860:4860::8844
    • OpenNIC
      • ■ Go to the website to find the nearest DNS server address
  • 3. Disable Teredo. Teredo is a Windows tool that turns IPv6 requests into IPv4 requests. Sometimes it sends the converted request through a non-VPN tunnel. To prevent this:
    • ○ Search for Command Prompt in your taskbar, right click it, and select "Run as administrator".
    • ○ Enter the following: netsh interface teredo set state disabled
    • ○ Reboot your PC
  • 4. Flush your DNS cache. Old DNS entries might be corrupting your DNS settings. To fix this on Windows:
    • ○ Search for Command Prompt in your taskbar, right click it, and select "Run as administrator".
    • ○ Copy/paste the following and hit Enter: ipconfig /flushdns
  • 5. To fix this on Mac OSX:
    • ○ Go to Applications > Utilities > Terminal
    • ○ Enter the following commands based on your version of OSX:
      • ■ Yosemite and later:
        • ■ v10.10.4 or later: sudo killall -HUP mDNSResponder
        • ■ v10.10 through v10.10.3: sudo discoveryutil mdnsflushcache
      • ■ Mavericks, Mountain Lion, and Lion
        • ■ sudo killall -HUP mDNSResponder
      • ■ Snow Leopard
        • ■ sudo dscacheutil -flushcache
  • 6. Use a VPN monitoring utility. The Pro version of VPNCheck and OpenVPN Watchdog are both paid software used to protect users from VPN connection failure and other issues, including DNS leaks. Enable DNS leak protection in the settings. As these solutions cost money, they should be last resorts. It is recommended you invest in a better VPN, such as those listed above, with built-in leak protection instead of paying for additional third-party software.
A vulnerability in WebRTC allows a website to detect your device's IP address despite using a VPN or proxy. WebRTC is used by certain web browsers for VoIP and P2P filesharing.In Firefox, you can disable WebRTC in the browser settings:
  • 1. Type about:config into the URL bar
  • 2. Search for "media.peerconnection.enabled"
  • 3. Change the entry to 'False' by double-clicking it
In Chrome, an extension is necessary. You can choose between uBlock Origin or WebRTC Network Limiter. The former also has Opera and Firefox versions, and the latter is an official release from Google.In Android, just type the following into your URL bar: chrome://flags/#disable-webrtc
Internet Protocol version 6, or IPv6, is the successor to IPv4. Every device that connects to the internet needs an IP address. An IPv4 address has fewer digits than IPv6, and IPv4 is quickly running out of available IP addresses as more devices come online.IPv6 is meant to solve this problem by creating a far larger range of possible IP addresses, but the internet still primarily depends on IPv4. Many VPNs mask IPv4 addresses, but not IPv6 addresses. A website or app can use a device's IPv6 address to determine a user's location in what's known as an IPv6 leak.If that's the case, you might need to disable IPv6 on your device and force all requests to IPv4.

Recommended VPN to avoid DNS leaks