How to fix a DNS Leak

The solution is to ensure that, once connected to the VPN, you are using ONLY the DNS server(s) provided by the VPN service.

Web Browsers

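When DNS is managed elsewhere on your computer or mobile device (e.g. by the operating system or the VPN client), a secure DNS setting in the web browser could be considered a leak, because the browser then sends its lookups to its own resolver instead of the one provided by the VPN.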

Google Chrome / Brave / Opera

  1. Select the menu in your browser and go to Settings.
  2. Select Privacy and security > Security.
  3. Scroll down and disable Use secure DNS.

Microsoft Edge

  1. Select the three-dot menu in your browser and go to Settings.
  2. Select Privacy, Search, and Services, and scroll down to Security.
  3. Disable Use secure DNS.

Mozilla Firefox

  1. Select the menu button and go to Settings.
  2. In the Privacy & Security menu, scroll down to the Enable secure DNS using: section.
  3. Choose Off.

Operating Systems

The source of DNS leaks in operating systems is often the network adapter configuration (Wi-Fi, Ethernet, etc.). Removing static DNS server entries can eliminate leaks.

Windows

  1. Connect the VPN.
  2. Flush the DNS cache by opening a Command Prompt (Start > CMD) then enter the following command and press Enter: ipconfig /flushdns
  3. Open "Network Connections" via the Start menu search feature.
  4. Identify the local network adapter. This could be "Wi-Fi", "Ethernet", etc.
  5. Right-click the adapter name and select Properties.
  6. Select Internet Protocol Version 4 (TCP/IPv4) and click the Properties button.
  7. Click the Advanced... button and navigate to the DNS tab.
  8. Click the Add button, enter 0.0.0.0 and click Add.
  9. Click OK on two properties windows and Close on the last.
  10. Test for DNS leaks.
  11. After disconnecting the VPN, reconfigure the adapter to restore the previous DNS settings.
  12. In the adapter's IPv4 Properties area from above, select the option to Obtain DNS server address automatically.
  13. Click OK then Close on the two properties windows to accept the change.
  14. Once again, flush the DNS resolver cache: ipconfig /flushdns

To mitigate IPv6 DNS leaks, select Internet Protocol Version 6 (TCP/IPv6) (similar to Step 6 above), select the option to Use the following DNS server addresses:, then enter :: (two colon characters) into the Preferred DNS server field. Using :: for IPv6 is the same as using 0.0.0.0 for IPv4.

macOS

  1. Go to System Preferences > Network.
  2. Select the first connection in your list (e.g. "Wi-Fi" or "Ethernet") and click Advanced.
  3. Select the DNS tab.
  4. Select any addresses in the list and attempt to remove them using the - button. If you cannot select them or the - button is not active, then you are already using your router's DHCP-assigned DNS servers.
  5. Click OK and exit all the windows.
  6. Flush the DNS cache by opening a Terminal (Finder > Applications > Utilities). Enter the following command and press Enter: sudo killall -HUP mDNSResponder
     Note: The sudo command requires your macOS user password and typing it will not echo any characters, so type carefully and press Enter.

Linux

    DNS server addresses often reside in the /etc/resolv.conf file. VPN clients will try to replace the existing system DNS server details with a DNS server associated with the VPN service. Depending on how thoroughly the VPN client takes over DNS, leaks might still be present if non-VPN nameserver entries remain in the /etc/resolv.conf file after the VPN is connected.

    Use the dig and/or nslookup commands (if available) in a Terminal to check which DNS server the system currently uses:

    • dig eff.org
    • nslookup privacyinternational.org

    View the contents of the /etc/resolv.conf file: cat /etc/resolv.conf

    Use elevated permissions (sudo) with an editor (e.g. nano, vi) to edit the file: sudo nano /etc/resolv.conf

    Use a # (number sign/hash mark/octothorp) at the beginning of a line in the /etc/resolv.conf file to comment out (i.e. ignore) existing DNS details. Add a DNS server of your choice with the nameserver directive:

    • # Comments from the distribution...
    • nameserver A.B.C.D

    Note: A.B.C.D is an example to represent a real DNS server IP address.

    Some modern Linux distributions use the systemd init system, which might manage DNS in an insistent and persistent manner. Disable this using the following command: sudo systemctl disable systemd-resolved.service

    Re-enable systemd's resolver using: sudo systemctl enable systemd-resolved.service

    Note: A system reboot might be required after disabling/enabling the systemd-resolved service.
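The /etc/resolv.conf check described above can be scripted. This is an added example, not part of the original page: the function names, the sample file and the addresses 10.8.0.1 (standing in for the VPN's DNS server) and 192.168.1.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example: find nameserver entries that do not belong to the VPN.

# Usage: leaky_nameservers FILE VPN_DNS [VPN_DNS...]
# Prints every active nameserver in FILE that is not one of the VPN_DNS
# addresses. Lines commented out with '#' or ';' are ignored.
leaky_nameservers() {
    file=$1; shift
    allowed=" $* "
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$file" |
    while read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;                  # resolver supplied by the VPN
            *) printf '%s\n' "$ns" ;;      # leftover entry: possible leak
        esac
    done
}

# Return 0 if FILE points at a loopback stub such as systemd-resolved's
# 127.0.0.53. The real upstream servers are then not listed in FILE and
# have to be read from the resolver itself (e.g. resolvectl status).
uses_local_stub() {
    awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample: resolv.conf as left behind after the VPN connected.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Generated by the distribution
nameserver 10.8.0.1
nameserver 192.168.1.1
#nameserver 8.8.8.8
EOF

leaky_nameservers "$sample" 10.8.0.1       # prints 192.168.1.1
uses_local_stub "$sample" || echo "no loopback stub: file lists the real resolvers"
```

On a live system, pass /etc/resolv.conf and the DNS address(es) your VPN provider documents; any line printed is a resolver to comment out as described above.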

VPN Protocols

OpenVPN v2.3.9+

    As of OpenVPN version 2.3.9, it is possible to prevent DNS leaks by specifying a directive in the configuration file (OVPN or CONF file extension). For more information, see the OpenVPN manual. Edit the configuration file for the server that you are connecting to and add the following on a new line:

    block-outside-dns

WireGuard

    Make certain the [Interface] section of the WireGuard configuration file includes a valid entry for the DNS directive: DNS = A.B.C.D

    Note: A.B.C.D is an example to represent a real DNS server IP address.
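Both configuration checks above can be done statically before connecting. This is an added example, not part of the original page or of either project: the function names, sample configs, hostname and the address 10.8.0.1 are constructed placeholders.

```shell
#!/bin/sh
# Added example: static checks of VPN client configs for the DNS settings above.

# Print the DNS value(s) set in the [Interface] section of a WireGuard config.
# A DNS line that is commented out or sits under [Peer] is ignored.
wg_interface_dns() {
    awk '
        { sub(/#.*/, "") }                                   # drop comments
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[^a-z]/, "", sec); next }
        sec == "interface" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "dns" && val != "") print val
        }
    ' "$1"
}

# Return 0 only if an OpenVPN config has an active (uncommented)
# block-outside-dns line; "#" and ";" comment lines do not match.
ovpn_blocks_outside_dns() {
    awk '$1 == "block-outside-dns" { ok = 1 } END { exit !ok }' "$1"
}

# Constructed samples (addresses, hostname and keys are placeholders).
wg_bad=$(mktemp); wg_good=$(mktemp); ovpn=$(mktemp)
cat > "$wg_bad" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
# DNS = 10.8.0.1
[Peer]
PublicKey = PLACEHOLDER
DNS = 10.8.0.1
EOF
cat > "$wg_good" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER
DNS = 10.8.0.1
EOF
printf 'client\nremote vpn.example.net 1194\n;block-outside-dns\n' > "$ovpn"

[ -n "$(wg_interface_dns "$wg_bad")" ]  || echo "wg_bad: no DNS in [Interface]"
[ -n "$(wg_interface_dns "$wg_good")" ] || echo "wg_good: no DNS in [Interface]"
ovpn_blocks_outside_dns "$ovpn"         || echo "ovpn: block-outside-dns missing"
```

OpenVPN applies block-outside-dns on Windows clients only, so on other platforms a passing check here does not replace a DNS leak test.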