You installed a VPN to keep your browsing private. But even when the connection icon says you are protected, there is one gap that can quietly undermine that: a DNS leak. This guide explains what a DNS leak is, why it matters, and exactly how to test for one on your Android phone using free tools. No fear-mongering, and no promise that any single VPN is leak-proof, just an honest, practical way to verify your own setup.
If you are new to what a VPN does and does not hide, it helps to start with our realistic privacy guide at /blog/what-does-a-vpn-hide. This article focuses specifically on the DNS-leak angle.
What is a DNS leak?
Every time you open a website or use an app that reaches the internet, your device needs to translate the human-readable domain name (like example.com) into a numeric IP address that computers use to route traffic. That translation is handled by a DNS query, which is sent to a DNS resolver, a server that looks up the answer and returns the IP.
Without a VPN, those DNS queries typically go to your internet service provider's resolver. That means your ISP can see every domain you look up, which is a record of the websites you visit, even if the actual page content is encrypted with HTTPS.
When you turn on a VPN, the goal is to route all of your traffic, including DNS queries, through the encrypted VPN tunnel to the VPN provider's own DNS resolver. Your ISP should then see only an encrypted connection to a VPN server, not the individual domains you are visiting.
A DNS leak happens when your DNS queries do not go through the VPN tunnel. Instead, they escape to the default resolver on your device or network, usually your ISP's. The result is that your ISP, or whoever operates that resolver, can still see which domains you are looking up, even though your data traffic itself is encrypted. It is a partial gap in the protection you expected, not a total failure of encryption.
Why a DNS leak matters
A DNS leak does not expose the content of your web traffic. HTTPS still encrypts the pages you load, your passwords, and your form submissions. What it does expose is metadata: the list of domains your device asked about. That tells an observer which websites and services you visited, even if they cannot see what you did there.
For many people that distinction is the whole point of using a VPN. If you installed one so that your ISP, a network administrator, or anyone on your local network cannot see which sites you visit, then a DNS leak quietly defeats that goal. The encrypted tunnel protects your data, but the leaking DNS queries hand your browsing history to a third party anyway.
It is also worth keeping the risk in perspective. A DNS leak does not make your traffic readable, does not expose your passwords, and does not let someone impersonate you. It is a privacy gap, not a security breach. Understanding it helps you verify that your VPN is doing what you expect, without overstating the danger. For a broader look at what a VPN realistically protects, see /blog/what-does-a-vpn-hide.
How to test for a DNS leak on Android
Testing for a DNS leak is straightforward and takes about two minutes. You will use a free, browser-based tool. No app installation is required.
Step 1: Connect to your VPN on your Android phone. Make sure the VPN status shows as connected before you continue.
Step 2: Open a web browser (Chrome, Firefox, or your preferred browser) and go to a reputable leak-testing site. Two widely used options are dnsleaktest.com and ipleak.net. Both are free and run the test in your browser.
Step 3: On dnsleaktest.com, tap the Standard test button. On ipleak.net, the test runs automatically when the page loads and also checks for other leak types such as IP and WebRTC.
Step 4: Wait a few seconds for the test to complete. The page will display a list of DNS servers that responded to your test queries.
Step 5: Look at the server names and their hosting company or ISP. This is the critical part. The next section explains exactly what to look for.
You can run the test more than once for confidence. DNS resolution can sometimes hit different servers, so seeing consistent results across two or three runs is more reassuring than a single check.
How to read the results
The test works by asking your device to look up several domains and then showing you which DNS servers actually answered. Those servers tell you where your DNS queries are going.
If the DNS servers listed belong to your VPN provider, typically shown with the provider's name or a hosting company in the VPN server's country, your DNS is being routed through the tunnel. That is the expected, no-leak result. Some VPNs use well-known public resolvers like Google DNS or Cloudflare as their internal DNS, so those names can also be normal if they match what your VPN documents.
If the DNS servers listed belong to your own ISP, the company you pay for internet access, that is a DNS leak. Your DNS queries are bypassing the VPN tunnel and going straight to your ISP's resolver, which means your ISP can see which domains you are visiting.
If you see a mix, or servers you do not recognize, investigate further. Some VPNs use third-party DNS providers by design, and that can be legitimate. The key question is whether your own ISP's resolver appears in the list. If it does, you most likely have a leak.
A quick way to confirm: run the same test with the VPN disconnected and note your ISP's DNS servers. Then connect the VPN and run it again. If the ISP servers disappear when the VPN is on, you are protected. If they stay, the DNS is leaking.
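The reading rules above, written out as a small Python check. This is an added example, not part of the original guide or any VPN's own tooling. The function name classify_dns_results and all addresses are constructed for illustration (documentation-only ranges); replace them with the resolver addresses your own test pages show.

```python
import ipaddress

def _parse(addrs):
    # Normalise text so "2001:DB8:1:0::53" and "2001:db8:1::53" compare equal.
    return {ipaddress.ip_address(a.strip()) for a in addrs}

def classify_dns_results(vpn_off, vpn_on_runs, documented=()):
    """Apply the guide's reading rules to resolver lists copied from a leak test.

    vpn_off      resolver IPs shown with the VPN disconnected (your ISP baseline)
    vpn_on_runs  one list of resolver IPs per test run with the VPN connected
    documented   IPs or CIDR ranges your VPN provider documents as its DNS
    """
    baseline = _parse(vpn_off)
    runs = [_parse(r) for r in vpn_on_runs]
    seen = set().union(*runs)
    nets = [ipaddress.ip_network(d, strict=False) for d in documented]

    # Rule 1: any baseline (ISP) resolver still answering with the VPN on is a leak.
    leaked = seen & baseline
    # Rule 2: servers that are neither ISP nor documented need a closer look.
    # Without a documented list, only the baseline comparison is applied.
    unrecognized = {
        ip for ip in seen - baseline
        if nets and not any(ip.version == n.version and ip in n for n in nets)
    }
    verdict = "leak" if leaked else "investigate" if unrecognized else "no-leak"
    return {
        "verdict": verdict,
        # Split by family: a leak that shows up only under v6 points at the IPv6 cause.
        "leaked_v4": sorted(str(ip) for ip in leaked if ip.version == 4),
        "leaked_v6": sorted(str(ip) for ip in leaked if ip.version == 6),
        "unrecognized": sorted(str(ip) for ip in unrecognized),
        # False means the runs disagreed, so a single test would have been misleading.
        "consistent": all(r == runs[0] for r in runs),
    }

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
ISP_BASELINE = ["192.0.2.53", "2001:db8:1::53"]
VPN_DOCUMENTED = ["198.51.100.0/24"]
RUN_1 = ["198.51.100.10"]
RUN_2 = ["198.51.100.10", "2001:DB8:1:0::53"]  # second run: an IPv6 query escaped

if __name__ == "__main__":
    print(classify_dns_results(ISP_BASELINE, [RUN_1], VPN_DOCUMENTED))
    print(classify_dns_results(ISP_BASELINE, [RUN_1, RUN_2], VPN_DOCUMENTED))
```

In the sample data the first run alone looks clean, while the second run exposes the ISP's IPv6 resolver, which is why repeating the test matters.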
Common causes of DNS leaks
DNS leaks do not usually mean your VPN is broken. They happen for a handful of specific, understandable reasons.
Split tunneling is one of the most common. Some VPNs let you choose which apps or traffic go through the tunnel and which use your regular connection. If DNS traffic is set to bypass the tunnel, your queries will leak. Check your VPN's split-tunneling settings and make sure DNS is not excluded.
IPv6 leaks are another cause. If your network supports IPv6 and your VPN only tunnels IPv4 traffic, DNS queries over IPv6 can escape outside the tunnel. Some testing tools check for this separately. If your VPN does not handle IPv6, you may need to disable IPv6 on your device or network to close the gap.
Network transitions can cause temporary leaks. When you switch from Wi-Fi to cellular, or when your phone briefly loses and regains a connection, there can be a moment where DNS queries go out before the VPN tunnel re-establishes. A kill switch helps here. It blocks all traffic when the VPN is not actively connected, preventing leaks during those gaps.
VPN configuration matters too. Not every VPN forces all DNS traffic through the tunnel. Some rely on the device's default DNS settings, which can point to your ISP. If your VPN does not override the system DNS resolver, leaks are more likely. This is one reason why testing is valuable rather than assuming protection.
How to reduce the risk of DNS leaks
There are practical steps you can take to minimise the chance of a leak, though no single step is a guarantee.
Enable your VPN's kill switch if it has one. A kill switch cuts off all internet traffic the moment the VPN disconnects, which prevents DNS queries from leaking during reconnection gaps. This is one of the most effective protections against transient leaks.
Check your VPN's DNS settings. Some VPNs let you choose which DNS resolver to use, or they have a setting that forces all DNS through the tunnel. If there is an option to use the VPN's own DNS or to prevent DNS leaks, turn it on.
Handle IPv6 deliberately. If your VPN fully supports IPv6, make sure it is enabled. If it does not, consider disabling IPv6 on your Android device to prevent IPv6 DNS queries from bypassing the tunnel. The setting is usually found under your Wi-Fi or mobile network configuration.
Review split-tunneling rules. If you use split tunneling, make sure DNS traffic is routed through the VPN, not excluded from it. Test after changing any split-tunnel settings to confirm the change worked.
Test periodically, not just once. DNS leaks can appear after app updates, OS updates, or network changes. A quick test every few weeks, or after any major change to your setup, keeps you confident that your VPN is still routing DNS correctly.
If you are also having trouble getting your VPN to connect at all, which is a separate issue, see our Android troubleshooting guide at /blog/vpn-not-connecting-android.
How Zaylo handles DNS today
Zaylo VPN is currently an Android beta/pilot. That means it is real and usable today, but it is still maturing, and we will not claim it is leak-proof or finished. We also will not invent specific DNS resolver specifications, server configurations, or guarantees that we have not confirmed.
What we encourage is exactly what this guide teaches: test it yourself. Connect Zaylo on your Android device, run a DNS leak test at dnsleaktest.com or ipleak.net, and read the results using the framework above. That tells you more than any marketing claim we could make.
If you want to understand what a VPN realistically does and does not protect before you test, see /blog/what-does-a-vpn-hide. For a broader evaluation framework, including logging policy, protocol transparency, and how to choose a VPN in the first place, see /blog/choosing-android-vpn. And to get started with Zaylo on Android, see our setup guide at /blog/zaylo-vpn-android-setup.
A quick checklist: verify your VPN DNS in five minutes
Connect your VPN and confirm it shows as active.
Open a browser and visit dnsleaktest.com or ipleak.net.
Run the standard test and wait for the DNS server list.
Check whether your own ISP's DNS servers appear in the results.
If they do, review your kill switch, split-tunneling, IPv6, and DNS settings, then retest.
If they do not, and the servers match your VPN provider, your DNS is routing through the tunnel.
Run the test once more to confirm the result is consistent.
Questions This Article Answers
What is a DNS leak?
A DNS leak happens when your device sends its domain-name lookups (DNS queries) outside the VPN tunnel to your default DNS resolver, which is usually your ISP's. That means your ISP can still see which websites and services you are visiting, even though your actual traffic is encrypted through the VPN. It is a privacy gap in the DNS layer, not a failure of your traffic encryption.
How do I test for a DNS leak on my phone?
Connect your VPN, open a browser, and visit a free testing site like dnsleaktest.com or ipleak.net. Run the standard test and look at which DNS servers answered. If they belong to your ISP, you likely have a leak. If they belong to your VPN provider or its documented DNS resolver, your DNS is going through the tunnel. The whole check takes about two minutes.
How do I know if my VPN is leaking DNS?
Look at the DNS server list from a leak test. If you see your own internet service provider's DNS servers, your queries are bypassing the VPN and that is a leak. A reliable way to confirm is to run the test with the VPN off, note your ISP's servers, then run it again with the VPN on. If the ISP servers disappear, you are protected. If they remain, the DNS is leaking.
What causes a VPN DNS leak?
The most common causes are split tunneling that excludes DNS traffic, IPv6 queries bypassing a VPN that only tunnels IPv4, VPN configurations that do not force all DNS through the tunnel, and brief gaps during network transitions or reconnections when no kill switch is active. None of these usually means the VPN is broken. They are configuration and network issues you can investigate and often fix.
How do I stop my VPN from leaking DNS?
Enable your VPN's kill switch if available, so traffic is blocked when the tunnel drops. Check whether your VPN has a setting to force all DNS through the tunnel or to use its own DNS resolver. Review split-tunneling rules to make sure DNS is not excluded. If your VPN does not fully support IPv6, consider disabling IPv6 on your device. Then retest to confirm the change worked.
Does Zaylo VPN protect against DNS leaks?
Zaylo is an Android beta/pilot today, and we do not claim it is leak-proof or invent DNS specifications we have not confirmed. What we recommend is that you test it yourself using the free tools and framework in this guide. Connect Zaylo, run a DNS leak test, and read the results. That tells you exactly how your setup is behaving, which is more honest than any blanket guarantee.
