You're connected to your VPN. The lock icon is on. You feel private.

But there's a good chance your VPN is leaking — quietly sending unencrypted data outside the tunnel while you think everything is protected. DNS leaks, WebRTC leaks, and IPv6 leaks are common across both free and paid VPNs, and most users never check for them.

This guide will show you exactly what each leak type is, why it happens technically, how to test for it in under five minutes, and how to fix it on any operating system or browser.

---

Why Leaks Happen at All

A VPN works by routing all your network traffic through an encrypted tunnel to a remote server. The key word is all. If any part of your traffic escapes that tunnel and goes directly to the internet, your real IP and identity are exposed — regardless of how well the VPN encrypts everything else.

Leaks happen because modern operating systems and browsers make architectural decisions that prioritize speed and compatibility over privacy. The VPN is often fighting against these defaults.

There are three main leak types:

  • DNS leaks — Your DNS queries (domain lookups) leave the VPN tunnel and reach your ISP
  • WebRTC leaks — Your browser exposes your real IP via a peer-to-peer communication API
  • IPv6 leaks — Your IPv6 traffic bypasses the VPN entirely because many VPNs only handle IPv4

Let's go through each one.

---

DNS Leaks: The Most Common Problem

What's Happening

Every time you visit a website, your device sends a DNS query — essentially asking "what's the IP address for this domain name?" Under normal operation with a VPN, these queries should go through the VPN tunnel to the VPN provider's DNS servers. When there's a DNS leak, they go to your ISP's DNS servers instead.

The practical consequence: your ISP sees every domain you visit, even though your actual browsing traffic is encrypted. Your VPN is encrypting the contents of your connections while your ISP maintains a complete list of the sites you're visiting.

Why DNS Leaks Happen

Windows Smart Multi-Homed Name Resolution (SMHNR) is the most frequent culprit. Introduced in Windows 8 and still active in Windows 11, it's designed to speed up DNS by sending queries to all available DNS servers simultaneously and accepting whichever responds first. On a VPN, this means queries go to both the VPN's DNS servers and your ISP's servers — and your ISP almost always responds faster.

Teredo is another Windows issue — an IPv6 transition protocol that can route traffic around VPN tunnels entirely. If enabled, it may take precedence over your VPN.

IPv6 incompatibility causes DNS leaks when your system sends IPv6 DNS queries that the VPN doesn't handle, and those queries route directly to your ISP's IPv6-capable DNS resolvers.

Misconfigured VPN clients simply fail to redirect DNS traffic through the tunnel. This is more common in older or lower-quality VPN software.

How to Test

  1. Connect to your VPN
  2. Visit dnsleaktest.com and click "Extended Test"
  3. Look at the results — you'll see a list of DNS servers that received your queries

What you want to see: DNS servers belonging to your VPN provider (or a trusted public resolver like Cloudflare 1.1.1.1 or Quad9 9.9.9.9).

What's a problem: Your ISP's name appearing in the DNS server list. Even one ISP DNS server in the results means your queries are leaking.

You can also run a comprehensive check at ipleak.net, which tests DNS, IP, and WebRTC on a single page.
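The web tests show which resolvers received your queries. The added example below (not part of the original guide) is a local cross-check for Linux: it asks which interface each resolver in /etc/resolv.conf would be reached through. The tunnel interface name tun0 and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Constructed sample inputs (documentation and private addresses, not a real capture).
SAMPLE_RESOLV_CONF = """\
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
nameserver 127.0.0.53
"""
SAMPLE_ROUTES = {  # resolver -> one line of `ip -o route get <resolver>` output
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.2 uid 1000 \\    cache",
    "192.168.1.1": "192.168.1.1 dev wlan0 src 192.168.1.23 uid 1000 \\    cache",
    "2001:db8::53": "2001:db8::53 from :: via fe80::1 dev wlan0 proto ra src 2001:db8:1::23 metric 600",
}

def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    rows = (line.split() for line in resolv_conf_text.splitlines())
    return [r[1].split("%")[0] for r in rows if len(r) >= 2 and r[0] == "nameserver"]

def egress_device(route_get_output):
    """Extract the interface name from one line of `ip -o route get` output."""
    m = re.search(r"\bdev (\S+)", route_get_output)
    return m.group(1) if m else None

def classify(resolv_conf_text, route_lookup, tunnel_if="tun0"):
    """Map each resolver to 'tunnel', 'LEAK via <dev>', 'local stub' or 'no route'."""
    verdicts = {}
    for ns in nameservers(resolv_conf_text):
        if ipaddress.ip_address(ns).is_loopback:
            verdicts[ns] = "local stub"  # its upstream servers need a separate check
            continue
        dev = egress_device(route_lookup(ns) or "")
        if dev is None:
            verdicts[ns] = "no route"
        else:
            verdicts[ns] = "tunnel" if dev == tunnel_if else f"LEAK via {dev}"
    return verdicts

def live_lookup(addr):
    """Ask the kernel which route it would use for addr (Linux, iproute2)."""
    r = subprocess.run(["ip", "-o", "route", "get", addr], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None

if __name__ == "__main__":
    for ns, verdict in classify(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES.get).items():
        print(f"{ns:<16} {verdict}")
```

On a live system, pass the contents of /etc/resolv.conf and `live_lookup` to `classify` along with your real tunnel interface name. A "local stub" result means a local forwarder (for example 127.0.0.53) answers first, so the resolvers it forwards to are what must be checked.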

How to Fix DNS Leaks

In your VPN app: Look for a setting called "DNS Leak Protection," "Prevent DNS Leaks," or "Use VPN DNS." Enable it. This tells the VPN client to force all DNS queries through the tunnel.

Manually set your DNS servers in your OS network settings to a trusted public resolver:

  • Cloudflare: 1.1.1.1 / 1.0.0.1
  • Quad9: 9.9.9.9 / 149.112.112.112

This doesn't prevent leaks on its own, but ensures that if a query does escape the tunnel, it at least doesn't reach your ISP's servers.

Disable SMHNR on Windows (Pro/Enterprise):

  1. Press Win+R, type gpedit.msc
  2. Navigate to: Computer Configuration → Administrative Templates → Network → DNS Client
  3. Find "Turn off smart multi-homed name resolution" → set to Enabled
  4. Restart Windows

Disable Teredo on Windows: Open Command Prompt as Administrator and run:

netsh interface teredo set state disabled

After making changes, retest at dnsleaktest.com to confirm the fix worked.

---

WebRTC Leaks: The Browser Problem

What's Happening

WebRTC (Web Real-Time Communication) is a browser standard that enables peer-to-peer features like video calls, voice chat, and file sharing. To establish a direct connection between two browsers, WebRTC needs to discover the real IP addresses of both devices using STUN (Session Traversal Utilities for NAT) servers.

Here's the problem: these STUN requests bypass your VPN tunnel at the browser level. JavaScript running on any webpage can silently trigger a WebRTC IP discovery request, read the result, and send your real IP to the server — all while your VPN's lock icon sits there looking reassuring.

This affects Chrome, Firefox, Edge, Opera, and Brave to varying degrees. It's a browser architecture issue, not a VPN failure.

How to Test

  1. Connect to your VPN
  2. Visit browserleaks.com and click "WebRTC"
  3. Look at the IP addresses listed under "Your IP Addresses"

What you want to see: Only your VPN server's IP address.

What's a problem: Your real ISP-assigned IP appearing anywhere in the results, particularly under "Public IP Address."

You can also check ipleak.net — it has a WebRTC section built in.
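To read the raw data behind those test pages, the added example below (not part of the original guide) classifies ICE candidate lines such as those shown on a browser's WebRTC diagnostics page (about:webrtc in Firefox, chrome://webrtc-internals in Chrome). The candidate lines and the VPN exit address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

# Constructed candidate lines in the standard ICE text form (documentation addresses).
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host generation 0",
    "candidate:2 1 udp 2122194687 3f1c9a2e-7b1d-4c55-9a0e-5d2f6c1b8e44.local 51001 typ host",
    "candidate:3 1 udp 1686052607 198.51.100.77 51000 typ srflx raddr 192.168.1.23 rport 51000",
    "candidate:4 1 udp 1686052607 203.0.113.10 51002 typ srflx raddr 10.8.0.2 rport 51002",
    "candidate:5 1 udp 1686052351 2001:db8:1::23 51003 typ host",
]
# Explicit list: ipaddress.is_private would also match the documentation ranges above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def parse_candidate(line):
    """Return the connection address and candidate type from one ICE candidate line."""
    fields = line.split(":", 1)[1].split()  # drop "candidate:" or "a=candidate:"
    return {"address": fields[4], "type": fields[fields.index("typ") + 1]}

def audit(lines, vpn_exit_ips):
    """Return (address, type, verdict) for each candidate line."""
    allowed = {ipaddress.ip_address(ip) for ip in vpn_exit_ips}
    report = []
    for line in lines:
        c = parse_candidate(line)
        try:
            ip = ipaddress.ip_address(c["address"])
        except ValueError:  # not an IP literal: an mDNS hostname hides the local address
            report.append((c["address"], c["type"], "obfuscated (mDNS name)"))
            continue
        if ip in allowed:
            verdict = "ok: VPN exit address"
        elif any(ip in net for net in LOCAL_NETS):
            verdict = "local address exposed"
        else:
            verdict = "LEAK: public address outside VPN"
        report.append((str(ip), c["type"], verdict))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_CANDIDATES, ["203.0.113.10"]):
        print("{:<46} {:<6} {}".format(*row))
```

A srflx candidate carries the public address a STUN server saw, so that is the line to compare with your VPN exit IP. A host candidate with a global IPv6 address reveals that address directly, without any STUN round trip.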

How to Fix WebRTC Leaks (Browser by Browser)

Firefox — best native control:

  1. Type about:config in the address bar and press Enter
  2. Accept the warning and search for media.peerconnection.enabled
  3. Double-click it to toggle to false
  4. For extra hardening: also set media.peerconnection.ice.default_address_only to true

Brave — has built-in WebRTC controls:

  1. Settings → Privacy and security → WebRTC IP Handling Policy
  2. Select "Disable non-proxied UDP"
  3. Restart Brave

Chrome — no native setting (major limitation):

  • Install the "WebRTC Control" extension
  • The extension adds a toggle to disable WebRTC per-session

Edge:

  1. Type about:flags in the address bar
  2. Search for "WebRTC"
  3. Enable "Anonymize local IPs exposed by WebRTC"
  4. Restart Edge

Tor Browser: WebRTC is disabled entirely by default. No action needed.

Note: Disabling WebRTC will break video call services like Google Meet, Zoom (browser version), and Discord in browser. If you need these services, re-enable WebRTC when using them and disable it afterward.

---

IPv6 Leaks: The Protocol Mismatch

What's Happening

Modern internet connections are dual-stack, meaning they support both IPv4 and IPv6. IPv4 has been the standard for decades. IPv6 is the newer protocol designed to replace it, with a vastly larger address space.

Most VPNs were built when IPv4 dominated. They create an encrypted tunnel for IPv4 traffic but leave IPv6 traffic unhandled. If your connection has an IPv6 address assigned (which it likely does on most home and cellular connections), that traffic travels outside the VPN tunnel entirely. Any website with an IPv6 address receives your real IPv6 address, not your VPN's.

IPv6 addresses are often more persistent and more specific than IPv4 addresses, making this leak potentially more identifying than a standard IPv4 leak.

How to Test

  1. Connect to your VPN
  2. Visit ipleak.net and scroll down to the IPv6 section

What you want to see: Either no IPv6 address detected, or an IPv6 address belonging to your VPN provider.

What's a problem: Your real IPv6 address appearing — particularly if it matches the prefix assigned by your ISP.

You can verify your real IPv6 address separately by disconnecting the VPN and visiting ipleak.net, then comparing.

How to Fix IPv6 Leaks

Option 1: Use a VPN with full IPv6 support. Mullvad routes IPv6 traffic through the VPN tunnel. NordVPN blocks IPv6 by default to prevent leaks. This is the cleanest solution if your VPN supports it.

Option 2: Disable IPv6 at the OS level (simplest universal fix):

Windows:

  1. Settings → Network & Internet → Advanced network settings
  2. Right-click your active network adapter → Properties
  3. Uncheck "Internet Protocol Version 6 (TCP/IPv6)"
  4. Click OK

Or via PowerShell (applies to all adapters):

Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6

macOS:

sudo networksetup -setv6off Wi-Fi
sudo networksetup -setv6off Ethernet

Linux: Add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then apply with:

sudo sysctl -p

After disabling IPv6, retest at ipleak.net. The IPv6 section should show "No IPv6 address detected."
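To confirm the Linux change locally as well, the added example below (not part of the original guide) parses the kernel's IPv6 address table in /proc/net/if_inet6 and lists global-scope addresses that sit on any interface other than the tunnel. The interface name tun0 and the sample table are assumptions constructed for illustration.

```python
import ipaddress

# Constructed /proc/net/if_inet6 content.
# Columns: address (hex), ifindex, prefix length, scope, flags, interface name.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80    wlan0
20010db8000100000000000000000023 02 40 00 00    wlan0
fd00000000000000000000000000beef 05 40 00 80     tun0
"""

def global_addresses(if_inet6_text):
    """Return (interface, address) for every global-scope IPv6 address."""
    out = []
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        hexaddr, _idx, _plen, scope, _flags, ifname = fields
        if int(scope, 16) == 0x00:  # 0x00 global, 0x10 loopback, 0x20 link-local
            out.append((ifname, str(ipaddress.IPv6Address(bytes.fromhex(hexaddr)))))
    return out

def ipv6_leak_candidates(if_inet6_text, tunnel_if="tun0"):
    """Global IPv6 addresses on non-tunnel interfaces: traffic sourced from
    these can leave outside the VPN."""
    return [(i, a) for i, a in global_addresses(if_inet6_text) if i != tunnel_if]

def read_live(path="/proc/net/if_inet6"):
    """Read the live table; a missing file means the IPv6 stack is not loaded."""
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""

if __name__ == "__main__":
    for ifname, addr in ipv6_leak_candidates(SAMPLE_IF_INET6):
        print(f"global IPv6 address outside tunnel: {addr} on {ifname}")
```

Call `ipv6_leak_candidates(read_live())` on the machine itself. An empty list after the sysctl change and a reconnect is the local equivalent of "No IPv6 address detected."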

---

The Kill Switch: Your Last Line of Defense

A kill switch blocks all internet traffic if the VPN connection drops unexpectedly. Without one, a momentary VPN interruption — during reconnection, network switching, or a sleep/wake cycle — briefly exposes your real IP and DNS traffic.

Every serious VPN has this feature. It may be called "Kill Switch," "Network Lock," "Always-on VPN," or "Internet Kill Switch" depending on the provider.

Enable it. This is especially important if you:

  • Frequently switch between networks (home → hotspot → office)
  • Leave your VPN running through sleep/hibernate
  • Use your VPN for activities where even a brief exposure matters

Test it: Connect to your VPN, enable the kill switch, then disconnect your VPN without disabling the kill switch first. Try to load a webpage. It should fail to load until you reconnect the VPN. If pages load with your real IP, the kill switch isn't working.

---

Full Testing Checklist

Run through this sequence after initial VPN setup, after OS updates, and after VPN app updates:

  1. Connect to VPN and wait 10 seconds for the connection to stabilize
  2. Visit ipleak.net — confirm IP, DNS servers, and WebRTC all show VPN data
  3. Visit dnsleaktest.com — run extended test, confirm all DNS servers belong to VPN provider
  4. Visit browserleaks.com/webrtc — confirm no real IP in WebRTC results
  5. Check the IPv6 section at ipleak.net — confirm no real IPv6 address
  6. Disconnect VPN (leave kill switch enabled) — confirm pages won't load
  7. Reconnect VPN — confirm everything returns to VPN data

If any test shows your real IP or ISP data, address that leak before considering your setup secure.

---

Which VPNs Handle Leaks Best Out of the Box

Mullvad: DNS leak protection on by default, WebRTC blocking built in, full IPv6 routing through the tunnel. The most privacy-correct defaults of any mainstream VPN.

NordVPN: DNS protection on by default, automatic WebRTC blocking, IPv6 blocked by default to prevent leaks. "Network Lock" kill switch available.

Proton VPN: Solid protection, but some settings require manual verification. DNS leak protection and kill switch need to be enabled explicitly on some platforms. Worth the extra setup time given their privacy track record.

ExpressVPN: Automatically disables IPv6 to prevent leaks, DNS handled through VPN. Very user-friendly, fewer manual configuration steps needed.

All of these can still leak if OS-level settings interfere. Regardless of which VPN you use, test your setup with the steps above.

---

What Leaks Actually Expose You To

DNS leaks matter most in specific situations: if your ISP logs and sells DNS data, if you're in a jurisdiction with surveillance programs, if you're on a monitored network (work, school, public WiFi), or if you're accessing content your ISP throttles based on destination.

For most users in privacy-respecting jurisdictions doing routine browsing, a DNS leak is a privacy violation but not an immediate safety risk. For journalists, activists, or anyone on a hostile network, a DNS leak can expose visit patterns that are genuinely dangerous.

Regardless of your threat model, fixing leaks costs nothing and takes ten minutes. There's no reason not to.
