Technology · 2026-04-13 · 6 min read

DNS Leaks: What They Are and How to Prevent Them

A DNS leak can expose your browsing history even when you are using a VPN. Learn how DNS works, why leaks happen, and how WireGuard keeps your queries private.

What Is DNS?

DNS stands for Domain Name System -- it is the internet's phone book. When you type 'nexun.io' into your browser, your device sends a DNS query to a server asking for the IP address associated with that domain. The server replies with something like 185.220.101.1, and your browser connects. Without DNS, you would need to memorize the IP addresses of every website you visit.

Who Handles Your DNS Queries by Default?

By default, your device sends DNS queries to the DNS server provided by your ISP. This means your ISP has a complete log of every domain you visit -- not the content of the pages, but the list of sites. For many ISPs, this data is commercially valuable and may be used for targeted advertising or sold to third parties. Even HTTPS does not hide your DNS queries from your ISP unless you use encrypted DNS.

What Is a DNS Leak?

A DNS leak occurs when your DNS queries are sent outside the VPN tunnel -- typically to your ISP's DNS server -- even though your other traffic is protected. This can happen due to operating system DNS settings that override the VPN, IPv6 DNS not being tunneled, or VPN software that does not properly lock down DNS. The result is that your ISP can still see exactly which websites you are trying to reach, even though your actual connection is VPN-protected.

Why DNS Leaks Are Dangerous

  • Your ISP sees a complete record of every domain you visit
  • Advertisers using ISP data can still profile your browsing behavior
  • Authorities can subpoena DNS logs from your ISP to reconstruct your activity
  • Even encrypted DNS requests can be linked back to you if they leave the VPN tunnel
  • The VPN's IP masking becomes irrelevant if DNS reveals your identity separately

How to Test for DNS Leaks

You can test for DNS leaks by visiting a site like dnsleaktest.com or ipleak.net while connected to your VPN. These tools perform DNS lookups and report which DNS server handled the query. If the result shows your ISP's DNS servers instead of your VPN provider's servers, you have a leak. Run both the standard test and the extended test to catch intermittent leaks.

How WireGuard Prevents DNS Leaks

WireGuard allows VPN clients to specify DNS servers that should be used exclusively while the tunnel is active. Nexun configures WireGuard to route all DNS queries through the VPN tunnel to Nexun's own DNS servers, which do not log queries. The operating system is prevented from sending DNS to any other server while the VPN is connected. This is enforced at the kernel level -- not just as a software preference -- making it far more reliable than older VPN implementations.
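
The leak causes described earlier (resolver settings left untouched, DNS servers that are not routed into the tunnel, IPv6 not being tunneled) can be checked statically in a wg-quick style configuration. The following is an added example, not Nexun's code; it assumes a full-tunnel setup, and the two sample configs, their addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (keys trimmed or placeholders, example addresses).
LEAKY = """[Interface]
Address = 10.0.0.2/32
DNS = 192.0.2.53
[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.0.0.0/24
"""
TIGHT = """[Interface]
Address = 10.0.0.2/32, fd00::2/128
DNS = 10.0.0.1
[Peer]
PublicKey = <placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
"""

def parse_conf(text):
    """Collect DNS= addresses and AllowedIPs= networks from a wg-quick config."""
    dns, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue  # section headers and blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key.lower() == "dns":
            for item in items:
                try:
                    dns.append(ipaddress.ip_address(item))
                except ValueError:
                    pass  # wg-quick treats non-IP DNS entries as search domains
        elif key.lower() == "allowedips":
            allowed += [ipaddress.ip_network(i, strict=False) for i in items]
    return dns, allowed

def audit(text):
    """Return a list of findings; an empty list means no leak condition found."""
    dns, allowed = parse_conf(text)
    findings = []
    if not dns:
        findings.append("no DNS= set: the OS resolver setting is left unchanged")
    for server in dns:
        if not any(server in net for net in allowed if net.version == server.version):
            findings.append(f"DNS server {server} is outside AllowedIPs: queries bypass the tunnel")
    if not any(net.version == 6 and net.prefixlen == 0 for net in allowed):
        findings.append("no ::/0 in AllowedIPs: IPv6 traffic, DNS included, is not tunneled")
    return findings
```

A static check like this complements the live tests above; it does not replace them, because the operating system can still override what the config requests.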

Additional Measures: DNS over HTTPS and DNS over TLS

Even if your DNS queries go through a VPN, there is a second concern: what happens at the VPN provider's DNS server? Nexun uses DNS over HTTPS (DoH) on its resolvers, which means DNS traffic is encrypted end-to-end even within the tunnel. Queries are not stored, not logged, and not associated with your account.

WebRTC Leaks -- a Related Risk

WebRTC is a browser technology used for video calls and real-time communication. It can bypass your VPN and reveal your real IP address through browser APIs. This is separate from DNS leaks but similarly dangerous. The Nexun Chrome extension includes WebRTC leak protection, blocking the API from exposing your real IP while the extension is active.

FAQ

How do I know if I have a DNS leak?

Visit dnsleaktest.com or ipleak.net while connected to your VPN and run the extended test. If the DNS servers listed belong to your ISP rather than your VPN provider, you have a leak. With Nexun, DNS queries are routed through the tunnel by default, so you should see Nexun's resolvers in the results.

Can my ISP see what I browse even with DNS protection?

With both a VPN and DNS leak protection active, your ISP cannot see your browsing activity. They can see that you are connected to a VPN server, but the destination domains and content are hidden. This is the combination Nexun provides by default -- encrypted tunnel plus internal DNS resolution.

Does using a public DNS like Google or Cloudflare prevent DNS leaks?

Not entirely. Switching to a public DNS (like 1.1.1.1 or 8.8.8.8) changes who sees your queries -- from your ISP to Google or Cloudflare -- but does not ensure those queries go through the VPN tunnel. If the DNS queries bypass the tunnel, they are still unencrypted and tied to your real IP. Only routing DNS through the VPN tunnel itself solves the leak.
