A DNS leak happens when your DNS queries are sent to a resolver that isn't the one you intended to use β typically your ISP's resolver β even when you're using a VPN or privacy DNS service. This means your ISP can see every domain you visit, regardless of your VPN.
DNS leaks are common with poorly configured VPNs, split-tunnel setups, or operating systems that bypass VPN tunnels for DNS. This tool checks your resolver, detects WebRTC leaks, and tells you whether your DNS is encrypted.
What does this test actually check?
This test checks: (1) your public IP address, (2) whether WebRTC is leaking a local or different IP, (3) which DNS resolver is handling your queries and who operates it, and (4) whether DNS-over-TLS encryption is in use. Together these reveal whether your DNS traffic is private.
My VPN is on β why is my ISP shown as the resolver?
Many VPNs use split tunnelling or don't force DNS through the tunnel. Your OS may fall back to the ISP resolver if the VPN's DNS is slow or unavailable. Check your VPN's "DNS leak protection" setting, or manually set your DNS to DNSAFE's resolvers to ensure all queries go through an encrypted channel.
What is DNS-over-TLS and do I need it?
DNS-over-TLS (DoT) encrypts your DNS queries over port 853, preventing your ISP or anyone on the network from seeing which domains you look up. Standard DNS uses port 53 in plain text. If you're on a public Wi-Fi network, unencrypted DNS is visible to anyone on the same network.
Is this test sending my data anywhere?
Your IP is fetched from ipify.org (a public, privacy-respecting API). Resolver detection uses the browser's own DNS lookups β no data is sent to DNSAFE servers during this test. Nothing is stored.