What is a DNS leak?
DNS stands for Domain Name System. This system translates your words into numbers in a browser. When you enter a web address like www.vpntests.com, that request goes to your ISP’s DNS servers. These servers translate that information into numbers and send you to the website. Since you are using their servers, the ISP can see all of the web addresses you enter. They can target you for regional ads, examine your history, sell your data, and do other things with that information. Many netizens connect to a VPN to stop that from happening. Instead of using your ISP’s servers, you use the VPN’s servers. While that is supposed to protect you, that isn’t always the case. Some VPNs have DNS leaks.
A DNS leak is a security flaw in a VPN’s setup. It allows your ISP to see the websites you visit. It also leaves you vulnerable to 3rd party and on-path eavesdroppers because your request goes directly to the ISP instead of the VPN. Despite the promises of some VPN providers, not all of them are safe to use. A 2016 study of Android VPN apps done by ACM Digital Library shows a staggering 66% of them did not prevent DNS leaks from happening. If you are using a VPN to protect your privacy and others can still see your information, you’re not doing yourself any good.
Other types of leaks
WebRTC leaks – WebRTC stands for Web Real-Time Communication, and it’s a part of all modern browsers. Instead of the need to download native software or plug-ins, WebRTC is a P2P system that allows direct audio and video communication between browsers. Though it can be helpful, it will give away your accurate IP address. You could install a plug-in to block it when it first became an issue. However, most VPN providers have WebRTC protection built into their products now.
IP address leaks – Ths type of leak is one of the easiest to fix for most providers. However, on some lesser-known VPNs, IP address leaks can still be an issue. Whether you’re trying to protect your privacy or get around geo-blocks, you want a VPN that keeps your IP address secure. Without that protection, you are defeating the two primary reasons for using a VPN.
How to test your VPN for DNS leaks
Luckily, there are ways to test your VPN for leaks. You can use multiple websites to see how your VPN stacks up. Whether you choose one of ours below or have your own, you can quickly test it. You can use several tools, but for our tests, one of the best tools we have found is DNSleaktest.com. Others include Doileak.com, IPX.ac, IPleak.net, and more. All three of these options work well, but we chose dnsleaktest.com because it’s straightforward. The results may not make sense to you, though, if you don’t know how to read the data.
The easiest way to test for DNS leaks is to follow these steps.
- Connect to a VPN server different from your own. If you are in the US, connect to a VPN server anywhere outside the country.
- Once you connect to your chosen location, go to DNSleaktest.com or one of the others and perform a DNS leak test.
- If your VPN lists multiple servers, that’s OK. However, if your test shows results from your country and ISP, you have a DNS leak.
In the example below, we connected to a server in the US. The last two entries show a different from the server we chose and show a different ISP. That’s a significant indication that your DNS is leaking.
Now that you know what it may look like, let’s see how our providers perform. All providers have servers in Canada, so we can quickly tell if it leaks.
ExpressVPN
When we tested ExpressVPN, we showed it did not have DNS leaks. While it’s the only provider to display multiple Canadian servers in this test, they all match with the target city, Toronto. For the sake of this test, that’s just fine. It does not affect how the Domain Name System handles the requests, so your privacy and location will stay safe with ExpressVPN.
30-day money-back guarantee
NordVPN
NordVPN shows only one DNS request, and that is for a server in Toronto, Canada. As you can see below, that is the server we chose. This is a fast provider, and it performs consistently well in tests like these. NordVPN gets our stamp of approval for this test because it doesn’t show any signs of DNS leakage.
30-day money-back guarantee
PIA
Private Internet Access passes our DNS leak test because of the results we got. Like NordVPN, Private Internet Access (PIA) only shows one IP address. Since the client tells us what the IP is supposed to be, you can see that the last numbers differ slightly. That means the client uses a different subnet, but it’s common and perfectly acceptable for DNS leak tests.
30-day money-back guarantee
CyberGhost
CyberGhost is another provider that shows the IP address in the client. As you can see here, it does show an address in Toronto, Canada. It also shows a different subnet (the last set of numbers). Because that’s acceptable, that means CyberGhost passes our DNS leak test.
45-day money-back guarantee
IPVanish
This one is straightforward, and though it does not show the IP address, it does offer a singular address in Toronto. Stackpath operates IPVanish’s server in Canada. That name is specific to IPVanish because it operates servers in many counties. IPVanish passes our DNS leak test because of those factors.
30-day money-back guarantee
Surfshark
Surfshark only shows one IP listing, and it looks almost identical to NordVPN’s information. Since NordVPN acquired Surfshark in 2018, that is not a big surprise. For this test, Surfshark passes because we don’t see any evidence of DNS leaks with the service.
30-day money-back guarantee
PrivadoVPN
As a newcomer to the VPN community, you might expect PrivadoVPN to have a leaking DNS. However, that is not the case. Thankfully, the team buttoned up the DNS well. As you see in this image, it only shows one IP address. That address closely matches the one PrivadoVPN shows in their client. That means it passes our DNS leak test.
30-day money-back guarantee
StrongVPN
StrongVPN has been around for quite a while. This veteran service has had plenty of time to perfect its settings, and it doesn’t disappoint. Both IP addresses match up exactly when running the DNS leak test for StrongVPN. Of course, it shows a location in Toronto, Canada. That means Strong has no issues passing our DNS leak test.
30-day money-back guarantee
HMA
HMA gets a passing grade on our DNS leaks test because it only shows a single address that matches what we expect. The company has a massive list of servers in many different places. Of course, that includes servers in Toronto. Like some other options showing the IP address, HMA’s is similar except for the last few digits. That means their client is reasonably consistent with the results we received.
30-day money-back guarantee
PureVPN
When we ran the DNS leak test for PureVPN, we got a single IP address result. It did not show our true IP address or location. However, while other providers show a minor difference in subnet numbers, PureVPN shows an IP address that starts with 199 instead of 198. It is a small difference, and it is still a Toronto IP address, but we did not expect the change. PureVPN gets a passing grade from us because it doesn’t show any DNS leaks.
31-day money-back guarantee
AtlasVPN
Instead of testing to a server in Toronto, AtlasVPN doesn’t offer that as an option. What they do offer are two servers in Montreal. The test shows a single Montreal location that’s consistent with the server we chose. AtlasVPN does what it’s supposed to do because it doesn’t show any DNS leaks.
30-day money-back guarantee
Ivacy
Ivacy is still one of the smaller providers in the community. That means your choices are limited when you choose this one. Toronto, though, is one of the locations it offers. In this image, you see a single IP address only and matches up with Toronto. That means that Ivacy passes the requirements for our DNS leak test.
30-day money-back guarantee
TorGuard
TorGuard prides itself on being a secure provider, and you can easily see their server information when we connect for our DNS test. Here, the IP address in the client matches up with the single server it shows. TorGuard has done an excellent job of controlling DNS leaks in the past, which is still valid in this test. We give TorGuard a passing grade for its performance on the DNS leak test.
7-day money-back guarantee
CactusVPN
By technical definition, CactusVPN passes the DNS leak test. That’s because it doesn’t display our ISP or DNS. However, we did see something strange happening. As you can see in this image, we connected to a server in Montreal. CactusVPN’s only Canadian servers are both there. However, the test shows we are in Piscataway in the United States (New Jersey). Additionally, the IP addresses are completely different from what the client shows. We’re not sure why there is such a significant difference, but that could cause problems if you are trying to stream content from Canada. Whether or not this happens with other servers for CactusVPN is something you’ll want to watch for.
30-day money-back guarantee
Bottom Line
Running the DNS leak test on our providers offered a few surprises. All of them performed well and are secure. ExpressVPN is the only provider that showed more than a single server, but it still passes the test. The other surprise was CactusVPN’s display results. It still passed the test, but the IP address differed quite a bit from the client to the test. Additionally, the server shows up as being in Piscataway, United States, instead of Montreal, Canada. If you connect to a VPN to stream content from Canada, that’s not a workable solution.
