Checks which DNS resolvers actually answer for you — even when a VPN is active.
tools.pages.dns_leak.footer
If unexpected resolvers showed up, DNS traffic is taking paths your configuration doesn't intend. Two configuration adjustments to consider.
Windows 11, macOS, recent Linux distros, iOS and Android can all be configured to use DoH for system-wide DNS, not just the browser. macOS: Settings → Network → DNS → Add encrypted DNS. Windows 11: Settings → Network → DNS → Encryption: On. Affects every application, not just the browser.
If DNS is set only on a single device, other devices and applications still ask whatever the router hands out. Set DoH/DoT (or plain 1.1.1.1 / 9.9.9.9 if the router doesn't speak DoH) on the router itself. Every connected device inherits the setting.
When you visit a site, your OS asks a DNS resolver for the IP. Which resolver depends on configuration: typically your ISP's, sometimes a public one you set (1.1.1.1 / 8.8.8.8). Whichever resolver answers sees the full list of every domain you visit. A VPN that handles DNS internally captures these queries inside the tunnel and forwards them to its own resolver, hiding them from your ISP. A VPN that doesn't — or a misconfigured DoH-in-browser-only setup — lets the OS-level resolver continue answering, leaking the query list to the original provider. This is the DNS leak. The pure-browser path is also leaky: if you enable DoH in the browser but other apps (chat clients, native YouTube app, system services) keep using OS DNS, only your browsing is private. Public resolvers vary in what they log. Cloudflare 1.1.1.1 has the strongest no-log policy. Google 8.8.8.8 keeps minimal logs but they're aggregated. Your ISP's resolver typically logs everything and may aggregate it for advertisers in markets where that's legal.
Technical tool for diagnosing the quality of a network connection. Does not provide means of access to information resources whose access is restricted under applicable law.