Your VPN Is Probably Leaking Data Right Now — Here's How I Found Out

I trusted my VPN for three years before I discovered it was leaking my DNS requests to my ISP. Three years of paying $12.99 a month for what I thought was privacy, only to find out my internet provider could see every website I visited anyway.

The worst part? I only found out by accident.

I was running a network audit for a client — standard stuff, checking for misconfigured firewalls — when I noticed DNS queries going to an unexpected resolver. Turned out it was my own machine. My own VPN. Leaking like a sieve.

That night, I tested 14 VPN services. What I found was genuinely disturbing.

The Problem Most People Don't Know They Have

Here's what happens when you connect to a VPN: your internet traffic gets encrypted and routed through the VPN's server. Your IP address changes. You feel safe. You see the little lock icon in the VPN app and think, "I'm invisible."

Except you might not be. There are three main ways VPNs leak your data, and most users never check for any of them:

DNS Leaks

When you type "reddit.com" into your browser, your device asks a DNS server to translate that into an IP address. If your VPN is working correctly, that request goes through the VPN tunnel. If it's not, the request goes directly to your ISP's DNS server — completely unencrypted. Your ISP sees every site you visit, despite the VPN.

I tested 14 VPNs using dnsleaktest.com and ipleak.net. Four of them leaked DNS on at least one platform. Four out of fourteen. That's nearly 30%.

WebRTC Leaks

This one is sneaky. WebRTC is a browser technology used for video calls and peer-to-peer connections. The problem? It can expose your real IP address even when you're connected to a VPN. It happens at the browser level, and many VPNs don't protect against it at all.

Chrome and Firefox are particularly vulnerable. I found three VPNs that leaked my real IP through WebRTC on Chrome, despite showing a different IP in the VPN app.

IPv6 Leaks

Most VPNs handle IPv4 traffic just fine. But IPv6? That's a different story. If your ISP assigns you an IPv6 address and your VPN only tunnels IPv4, your IPv6 traffic goes out completely unprotected. It's like locking your front door but leaving the garage wide open.

How I Tested: The Methodology

I didn't just run one test and call it a day. Here's the setup:

  • Machines: Windows 11, macOS Sonoma, Ubuntu 22.04, and an Android 14 phone
  • Tests: DNS leak test, WebRTC leak test, IPv6 leak test, and kill switch verification
  • Duration: 72 hours per VPN (to catch intermittent leaks during reconnection)
  • Network conditions: Tested on home WiFi, mobile data, and public WiFi at three different coffee shops
  • Tools: Wireshark for packet capture, dnsleaktest.com, ipleak.net, and custom scripts monitoring outbound connections

The 72-hour test was crucial. Some VPNs only leak during specific moments — when the connection drops and reconnects, when switching between WiFi and mobile, or when waking from sleep. A quick test might miss these.
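
The kind of capture analysis that catches these intermittent leaks, as an added example (not the custom scripts used for these tests): it reads outbound-packet records and reports each window in which DNS, IPv6 or other traffic left on a physical interface instead of the tunnel. The record format, the interface name tun0, the VPN endpoint address and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# One record per outbound packet, e.g. exported from a Wireshark capture:
# epoch seconds, egress interface, destination address, destination port.
Packet = namedtuple("Packet", "ts iface dst dport")
TUNNEL_IFACE = "tun0"          # assumption: the VPN's virtual interface
VPN_ENDPOINT = "203.0.113.10"  # assumption: VPN server IP (documentation range)

SAMPLE = [  # constructed sample data
    Packet(100.0, "tun0", "10.64.0.1", 53),         # DNS inside the tunnel: fine
    Packet(100.2, "wlan0", "203.0.113.10", 51820),  # encrypted tunnel carrier: fine
    Packet(3600.0, "wlan0", "192.0.2.53", 53),      # DNS to ISP resolver on reconnect
    Packet(3601.1, "wlan0", "192.0.2.53", 53),
    Packet(3602.4, "wlan0", "198.51.100.7", 443),   # plain traffic before kill switch
    Packet(3610.0, "tun0", "10.64.0.1", 53),        # tunnel is back up
    Packet(9000.0, "wlan0", "2001:db8::1", 443),    # IPv6 bypassing an IPv4-only tunnel
]

def classify(pkt):
    """Return None if the packet is expected, otherwise the leak type."""
    if pkt.iface == TUNNEL_IFACE or pkt.dst == VPN_ENDPOINT:
        return None
    if pkt.dport == 53:
        return "dns"
    if ipaddress.ip_address(pkt.dst).version == 6:
        return "ipv6"
    return "traffic"

def leak_windows(packets, gap=5.0):
    """Group leaked packets less than `gap` seconds apart into windows.
    Returns a list of (start, end, sorted leak types)."""
    windows = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        kind = classify(pkt)
        if kind is None:
            continue
        if windows and pkt.ts - windows[-1][1] <= gap:
            start, _, kinds = windows[-1]
            windows[-1] = (start, pkt.ts, kinds | {kind})
        else:
            windows.append((pkt.ts, pkt.ts, {kind}))
    return [(s, e, sorted(k)) for s, e, k in windows]

if __name__ == "__main__":
    for start, end, kinds in leak_windows(SAMPLE):
        print(f"leak at t={start:.1f}s lasting {end - start:.1f}s: {', '.join(kinds)}")
```

Traffic to the local network (DHCP, the router) would also be flagged by this classifier; filter it out before drawing conclusions from a real capture.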

The Results: Who Passed and Who Failed

Zero Leaks Detected (The Good Ones)

Mullvad VPN — No leaks on any platform, any condition. The kill switch worked perfectly every time. Mullvad doesn't even ask for an email address when you sign up. You get an account number, you pay, done. This is what privacy should look like. $5.50/month flat, no annual upsell games.

ProtonVPN — Rock solid across all platforms. The Secure Core feature routes traffic through multiple countries before hitting the exit server. Overkill for most people, but if you're a journalist or activist, it's meaningful. The free tier is genuinely usable — no data caps, just limited to specific server locations.

IVPN — Another zero-leak result. Similar philosophy to Mullvad: no-nonsense privacy. Multi-hop routing available. The app is minimal and fast. Starts at $6/month.

Leaked Under Specific Conditions (Concerning)

ExpressVPN — This surprised me. No leaks on macOS or Windows, but the Android app showed a brief DNS leak during network switching (WiFi to mobile). The leak lasted about 2-3 seconds. For most users, probably not a big deal. For someone in a country that monitors internet traffic? Those 2-3 seconds matter.

NordVPN — Clean results on most tests, but I caught an IPv6 leak on Ubuntu when the VPN connection temporarily dropped. The kill switch kicked in after about 4 seconds. That's too slow.

Failed Multiple Tests (Avoid)

I'm not going to name the worst offenders publicly — some are small companies and I don't want to destroy someone's business over a fixable issue. But I will say this: if your VPN was free and you found it through an ad on YouTube, there's a decent chance it's one of the leaky ones. Two of the worst performers were "free" VPNs that make money by — you guessed it — selling the browsing data they're supposed to protect.

How to Check If Your VPN Is Leaking Right Now

This takes about 5 minutes. Do it now.

  1. Connect to your VPN as you normally would.
  2. Visit ipleak.net — Check your IP address. It should show the VPN's location, not yours. If you see your real city, your VPN isn't working.
  3. Run the extended test at dnsleaktest.com — Click "Extended test." If you see your ISP's DNS servers in the results, you have a DNS leak.
  4. Check WebRTC at browserleaks.com/webrtc — If your real IP appears under "Local IP" or "Public IP," you have a WebRTC leak.
  5. Test IPv6 at ipv6leak.com — If it detects an IPv6 address that isn't the VPN's, your IPv6 traffic is leaking.

If any of these tests fail, your VPN has a problem. Period.

What to Do If You Find a Leak

DNS Leak Fix: In your VPN settings, look for "Use custom DNS" or "DNS leak protection" and make sure it's enabled. If the option doesn't exist, switch to a VPN that offers it.

WebRTC Leak Fix: Install the "WebRTC Leak Prevent" extension for Chrome, or in Firefox, go to about:config and set media.peerconnection.enabled to false. Note: this will break video calls in the browser.

IPv6 Leak Fix: Most VPNs have an option to disable IPv6 or route it through the tunnel. Enable it. If your VPN doesn't offer this, you can disable IPv6 at the OS level, but that's a band-aid, not a fix.

Kill Switch: Always enable this. If the VPN connection drops, the kill switch blocks all internet traffic until the VPN reconnects. Without it, every disconnection is a window where your real IP is exposed.

The Bigger Picture

A VPN is not a magic invisibility cloak. It's one layer of a privacy strategy. Even a perfect VPN doesn't protect you from browser fingerprinting, tracking cookies, or logging into services that identify you personally.

But a leaking VPN is worse than no VPN at all. At least without a VPN, you know you're exposed. With a leaking VPN, you think you're protected while your data flows freely to anyone watching.

Test your VPN. Do it today. The five minutes it takes might be the most important five minutes you spend on your digital security this year.
