DNS Leak Test

A DNS leak happens when your computer sends DNS queries to your ISP or another default resolver instead of through your VPN tunnel. Even if your HTTP traffic is encrypted and routed through a VPN exit, the list of websites you visit is still visible to whoever answers your DNS lookups.

The test loads a diagnostic endpoint at edns.ip-api.com. The endpoint redirects your browser to a unique, never-before-seen subdomain, which forces your system resolver to perform a fresh DNS lookup. ip-api operates the authoritative server for that subdomain and echoes back the IP address of the resolver that made the query, along with its country and ISP. We then compare that resolver to the IP your HTTP request came from — if the two live in different countries or autonomous systems, your DNS is leaking outside your VPN.

Some VPN clients tunnel only HTTP/HTTPS traffic and leave DNS on the default system resolver. Some operating systems (especially Windows) send DNS queries in parallel to every configured resolver and use the fastest answer, which is often the ISP. And some apps — browsers with DNS-over-HTTPS, smart-TV streaming apps, Docker containers — configure their own resolver independently of the VPN.

First, enable the "Use VPN DNS" or "Block DNS outside tunnel" option in your VPN client. Second, set your system resolver manually to a trusted provider (Cloudflare 1.1.1.1, Quad9 9.9.9.9, or your VPN provider's own DNS). Third, in Firefox enable DNS-over-HTTPS (Settings → Privacy → DNS over HTTPS → Max protection); in Chrome enable Secure DNS under Privacy and security → Security. Re-run this test to confirm the leak is closed.

DoH hides your queries from your ISP and from anyone sniffing the local network, which is a large improvement. It does not automatically route queries through your VPN; the DoH resolver you pick still sees the full list of names you look up. For maximum privacy use a VPN that tunnels DNS alongside a trusted DoH provider (your VPN vendor, Cloudflare, or Quad9).

Public DNS operators run large fleets of recursive resolvers behind anycast. When you query 1.1.1.1, the actual server that answers is one of hundreds of IPs distributed across the global Cloudflare network, and it is that backend IP that appears in the whoami lookup. What matters for leak detection is whether the backend is in the same country/ASN as your VPN exit.

The most common cause is a content blocker or tracker blocker stopping the fetch to edns.ip-api.com. Some corporate networks and captive portals also block third-party DNS diagnostic services. Disable blockers and retry. If the failure persists on public networks, the endpoint is probably being blocked by the network operator.