When you connect to a VPN, it’s easy to assume that you’re protected as long as your connection is active. But leaks exist, and they can compromise your privacy without you ever knowing. In most cases, the settings that leak your IP are switched on by default.
The scariest thing about VPN leaks is that they are silent. Unless you visit a dedicated leak checker tool on the internet, you’d never know there was a problem. But the consequences could be serious.
There are two common categories of leak: DNS leaks and WebRTC leaks. This article explains how to quickly check for both and resolve the problems fast.
What is DNS?
In basic terms, the DNS system is what turns website addresses, like top10VPN.com, into numerical IP addresses. DNS is a global network of servers that work a little like phone directories, looking up domain names and returning the IP they are associated with.
Crucially, these servers sometimes log the queries they get, along with the IPs that are making those queries.
The system most websites currently use is called IPv4, but there’s a slow movement towards IPv6. IPv6 has been designed to provide more addresses as the modern internet grows. We’ll explain why this matters in a moment.
What is a DNS Leak?
When you connect to a VPN, you should automatically use the VPN provider’s own DNS servers to find the IPv4 address for the site you request. That way everything is contained within the all-important encrypted tunnel that your provider has set up.
With a good provider, this all happens behind the scenes without you knowing.
But if your VPN provider is poorly configured, your device may continue to use the default DNS services provided by your ISP. There’s no difference to your browsing if this happens, so you’d never know unless you checked.
There’s an additional risk, and it comes back to IPv6. IPv6 isn’t supported by VPN providers at all, so if you use an app or service that requires it, your DNS requests will bypass the protection of your VPN provider — unless your provider is savvy and has taken steps to stop it happening.
Finally, be aware of browser extensions that prefetch DNS information. Prefetching guesses which links you may click and performs the DNS query before the click happens. Unfortunately, all of these types of requests will go through your ISP’s DNS servers as well.
What are the Implications of a DNS Leak?
If you’re using your ISP’s DNS servers, your activity is almost certainly being tracked. So while you think your VPN is protecting your privacy, it probably isn’t.
In the US, a DNS leak may result in your browsing history being tracked and sold to commercial companies. In the UK, the sites you visit could end up in a vast, secretive snooping database called the Request Filter, which is open to many organisations including the police, as well as a few you may not recognize. It’s all legal under the terms of the Investigatory Powers Act.
If you’re using a browser that’s prefetching DNS information, you might be allowing your ISP to harvest this information without clicking a single link. Essentially, that makes your VPN pointless — it’s not protecting you in the way it’s supposed to, and you have no control over the DNS requests your ISP is seeing.
Most people that use VPNs are trying to mitigate these kinds of risks. The leak could be making the VPN ineffective from a privacy point of view.
How to Detect a DNS Leak
The easiest way to check for a DNS leak is to connect to your VPN, then head to DNSleaktest.com. Click the Standard Test button to get some basic information on your connection.
If you see your real location or ISP on this page, there’s a good chance that you’ve sprung a leak in your DNS.
If you’re concerned that a Chrome extension is leaking your data, there’s an easy way to check that too:
- Install the VPN extension for your provider if you don’t have it already
- Establish a connection to your VPN
- In Chrome’s URL bar, type chrome://net-internals/#dns
- Click Clear host cache
- Open a new tab and go to any website
- Check the DNS information in the previous tab.
How to Fix and Prevent DNS Leaks
If you want certainty that you’re not affected by DNS leaks, the simple answer is to choose a really good VPN provider that’s proactively protecting you against them.
If they’re already forcing all traffic to go to their DNS servers, not your ISP’s, then you’re automatically protected. A low-quality provider might not be quite so diligent, so it’s important to run that leak test while you’re connected just to be sure.
Quality VPN providers also completely disable IPv6 while you’re connected. That means there’s no chance that an occasional request for an IPv6 address will reveal your true IP. IPv6 is not currently in widespread usage, so this restriction is unlikely to affect most web users unless they have specialized requirements.
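The two protections described above (DNS forced to the VPN's resolvers, IPv6 disabled while connected) can also be checked locally on the device. The following is an added example, not code from the article or from any VPN provider; it assumes Node.js, and the resolver address 10.8.0.1 and all sample data are constructed.

```javascript
// Added example: local audit of DNS resolvers and IPv6 exposure while the VPN is up.
// VPN_RESOLVERS and the sample data are constructed (documentation address ranges).

function isGlobalIPv6(addr) {
  const a = addr.toLowerCase().split('%')[0];   // drop any zone id such as %eth0
  if (a === '::1' || a === '::') return false;  // loopback, unspecified
  return !/^(fe[89ab]|f[cd])/.test(a);          // not link-local (fe80::/10) or ULA (fc00::/7)
}

// resolvers: array of IP strings; interfaces: object shaped like os.networkInterfaces().
function auditDnsAndIpv6(resolvers, interfaces, vpnResolvers) {
  const findings = [];
  for (const r of resolvers) {
    if (r.startsWith('127.') || r === '::1') {
      findings.push(`resolver ${r} is a local stub; check which upstream it forwards to`);
    } else if (!vpnResolvers.includes(r)) {
      findings.push(`resolver ${r} is not one of the VPN's resolvers`);
    }
  }
  for (const [name, addrs] of Object.entries(interfaces)) {
    for (const a of addrs) {
      const v6 = a.family === 'IPv6' || a.family === 6;
      if (v6 && !a.internal && isGlobalIPv6(a.address)) {
        findings.push(`${name} has a global IPv6 address ${a.address}`);
      }
    }
  }
  return findings;
}

// Live check under Node.js (CommonJS); not called automatically.
function auditThisHost(vpnResolvers) {
  const dns = require('dns');
  const os = require('os');
  return auditDnsAndIpv6(dns.getServers(), os.networkInterfaces(), vpnResolvers);
}

const VPN_RESOLVERS = ['10.8.0.1'];
const SAMPLE_RESOLVERS = ['10.8.0.1', '192.0.2.53'];
const SAMPLE_IFACES = {
  tun0: [{ address: '10.8.0.2', family: 'IPv4', internal: false }],
  eth0: [
    { address: 'fe80::1c2d:3eff:fe4f:5a6b', family: 'IPv6', internal: false },
    { address: '2001:db8:1::25', family: 'IPv6', internal: false },
  ],
};
console.log(auditDnsAndIpv6(SAMPLE_RESOLVERS, SAMPLE_IFACES, VPN_RESOLVERS));
```

A clean result here complements the web-based leak test rather than replacing it, because a local stub resolver hides which upstream server actually receives the queries.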
What is WebRTC?
WebRTC is often used for things like browser-based video calling and is almost always enabled by default.
What's a WebRTC Leak?
Popular browsers like Firefox and Chrome are prone to WebRTC leaks because the traffic WebRTC sends can bypass encrypted VPN connections.
This isn’t a flaw, as such; it’s part of the design. Efficient IP sharing is supposed to provide convenience and speed for these demanding, high-bandwidth services. And WebRTC employs some very clever techniques to figure out your “real” IP and get around any firewalls that might otherwise prevent your real-time connection from taking place.
Unfortunately, it’s these technical differences in WebRTC that can expose your IP, even if it’s successfully hidden for normal browsing.
What Are the Implications of a WebRTC Leak?
A WebRTC leak could expose your IP, even if you’re behind a VPN, unless your provider has taken steps to intercept and block the requests.
That could allow your ISP or government to snoop on your activity and log it, which is probably what you’re trying to prevent by connecting through a VPN server.
How to Detect a WebRTC Leak
It’s a good idea to check whether you have a WebRTC leak right now, even if you have a VPN already. You almost certainly won’t know if there’s an issue unless you run these tests.
Here’s how to do it quickly:
- Connect to your VPN
- Open the WebRTC Leak Check at BrowserLeaks
- Review the IP address that appears; if it’s your ISP’s IP, you have a problem.
Note: Some leak checkers might show your internal network IP (which likely starts with 192.x.x.x or 10.x.x.x) alongside your public IP. Don’t worry about the internal IP; it’s the public one that matters.
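The distinction in the note above, between internal addresses and the public one that matters, can be applied to the ICE candidate strings a browser's RTCPeerConnection delivers in its icecandidate events. This is an added example, not code from the article or from BrowserLeaks; the sample candidates and the VPN exit address are constructed from documentation ranges.

```javascript
// Added example: classify addresses found in WebRTC ICE candidates.
// SAMPLE and VPN_EXIT are constructed values from documentation ranges.

// RFC 1918, loopback and link-local IPv4: the "internal" addresses.
function isInternalIPv4(ip) {
  const o = ip.split('.').map(Number);
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').replace(/^candidate:/, '').trim().split(/\s+/);
  return f.length >= 8 && f[6] === 'typ' ? { address: f[4], type: f[7] } : null;
}

function classify(address, vpnExitIps) {
  const a = address.toLowerCase();
  if (a.endsWith('.local')) return 'hidden-mdns'; // browser masked the host address
  const internal = a.includes(':')
    ? a === '::1' || /^(fe[89ab]|f[cd])/.test(a)   // loopback, link-local, ULA
    : isInternalIPv4(a);
  if (internal) return 'internal';
  return vpnExitIps.includes(a) ? 'vpn' : 'leak';
}

// Public addresses that are not a known VPN exit address.
function findLeaks(candidateLines, vpnExitIps) {
  const leaks = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (c && classify(c.address, vpnExitIps) === 'leak') leaks.add(c.address);
  }
  return [...leaks];
}

const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.20 51234 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f1c9a2e-7b1d-4c55-9e0a-1b2c3d4e5f60.local 51235 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.20 rport 51234 generation 0',
  'candidate:4 1 udp 1686052607 198.51.100.23 40000 typ srflx raddr 10.8.0.2 rport 40000 generation 0',
];
const VPN_EXIT = ['198.51.100.23'];
console.log(findLeaks(SAMPLE, VPN_EXIT));
```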
How to Fix and Prevent WebRTC Leaks
You can use the web without WebRTC, but it’s usually switched on by default to allow efficient use of certain websites. Disabling it is unfortunately not as intuitive as it should be.
In some browsers, you can disable WebRTC by changing your browser settings; in Chrome, you’ll need an extension:
- In Firefox, navigate to about:config and search for the media.peerconnection.enabled setting. Change it to Disabled.
- In the mobile version of Chrome, paste chrome://flags/#disable-webrtc. Change it to Disabled.
- In the desktop version of Chrome, install an extension called WebRTC Network Limiter. This is an official Google extension that switches off WebRTC’s IP-leaking feature while still allowing real-time communication to take place. Beware of bogus extensions; it’s safest to stick with the official Google extension or a similar extension from a good quality VPN provider.
- In Edge, type about:flags into the URL bar. Locate the Hide my local IP address over WebRTC connections setting and disable it.
The key thing here is to be very careful when changing your settings. Verify that the setting you’re looking at is correct before altering it.
If you’re uncomfortable with turning off WebRTC, or you simply want additional peace of mind, you should look for a VPN provider that is aware of the potential for WebRTC leaks and has taken steps to block them from happening. That way, you can use your device normally without exposing yourself to privacy-invading leaks.