Even with a VPN running, your browser may be sending DNS queries to your ISP — exposing every site you visit. This test reveals exactly which DNS servers you're using and whether they betray you.
These are the DNS resolvers your traffic is routed through
Server-side DNS logging not available
Accurate DNS leak detection requires server-side DNS query logging. The result above reflects what your browser reports. For full accuracy, your VPN's DNS settings should be verified manually.
Every time you visit a website, a DNS query is made to translate the domain (like google.com) into an IP address. When using a VPN, these queries should go through the VPN's DNS servers. A DNS leak happens when they bypass the VPN and go directly to your ISP's servers instead — exposing your full browsing history.
Windows in particular has a feature called "Smart Multi-Homed Name Resolution" that sends DNS queries to all available interfaces simultaneously — including your real network adapter. Some VPN clients don't properly override this. IPv6 can also bypass a VPN's DNS settings entirely.
If your VPN is working correctly, you should see only DNS servers belonging to your VPN provider — not your ISP. All servers should be in the same country as your VPN exit node. Seeing Cloudflare (1.1.1.1), Google (8.8.8.8), or a dedicated VPN DNS server is usually fine. Seeing your ISP is not.
Multiple DNS providers from different countries, or DNS servers clearly belonging to your home ISP (Comcast, BT, Vodafone, etc.) appearing alongside your VPN's servers. Even one rogue ISP server in the list means your ISP can see which domains you're resolving.
Most VPN clients have a "DNS leak protection" or "Use VPN DNS only" setting. Enable it. This forces all DNS queries through the VPN's own servers and prevents your OS from sending them elsewhere.
If your VPN only tunnels IPv4 traffic, IPv6 queries will bypass it entirely and go straight to your ISP. On Windows: Control Panel → Network Adapters → IPv4/IPv6 Properties and uncheck IPv6. On Linux: sysctl -w net.ipv6.conf.all.disable_ipv6=1.
If you're not using a VPN, setting your system DNS to Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or Google (8.8.8.8) at least prevents your ISP from seeing your DNS queries. Go to your network adapter settings and set the DNS server addresses manually.
DNS leaks in your browser are bad. But your torrent client announcing your real IP to the swarm is worse. A dedicated SOCKS5 proxy configured inside your torrent client routes tracker and peer traffic independently of your OS DNS — the swarm never sees your real IP regardless of browser leaks.
Armor routes torrent traffic through 10 Gbps SOCKS5 proxy. Set it up once in qBittorrent, uTorrent, or Deluge — the swarm only ever sees the proxy IP, DNS irrelevant.
Armor includes WireGuard VPN with port forwarding so peers can connect inbound. Keep your ratio healthy and speeds maxed — without sacrificing privacy.
VPNs disconnect. Proxies time out. Armor's Leak Monitor watches 24/7 and fires an instant alert the moment your real IP surfaces in the swarm.
