Even after you connect to a VPN, your DNS queries might still be sent to your ISP instead of your VPN service. This situation is called a DNS leak. DNS leak tests will tell you who your DNS provider is. You’ll find multitude of DNS leak test sites when you search for “dns leak test“.
Usually, people assume that there’s no leak if the DNS servers reported by the DNS leak test are not that of their ISP.
DNS leak tests tell you who your DNS provider is, but they don’t tell you how you reached your DNS service.
As a simple example, disconnect your VPN but set your DNS service to Cloudflare (IP addresses 18.104.22.168 & 22.214.171.124). Now run a DNS leak test. It’ll tell you that your DNS provider is Cloudflare.
Are your DNS queries protected? No. Your DNS queries are going through your ISP connection unencrypted. Your ISP is still able to monitor your DNS requests.
tracert command, you can see how you are reaching your DNS server.
As you can see, in both cases the DNS requests will go through the ISP network.
In both cases, your DNS queries will go through the VPN network. Even if you still use your ISP’s DNS servers, they won’t be able to associate those queries with you, because the DNS queries are coming from the IP address of the VPN server.
In order to make sure that your DNS queries are properly protected, you need to:
tracertto make sure that you’re reaching the DNS servers through your VPN connection.
What to do if you can’t run
tracert? I offer two options here, but there may be other ways.