DNS leak test: you are connected to a VPN, but are your browser's DNS queries actually going through the tunnel? The check below measures the recursive DNS server that really resolves for you and tells you whether it fell back to your local ISP.
What is a DNS leak
Every site you open starts with a DNS query that resolves the domain to an IP. Behind a VPN, that query should also travel the encrypted tunnel and be answered by the VPN's resolver. A DNS leak is when your web traffic uses the VPN but the DNS query bypasses the tunnel and falls back to your local ISP's resolver — exposing your real ISP, your region, and which domains you visit to that ISP.
Why a DNS leak matters
- Reveals your real region and ISP: a resolver on your local ISP tells the other side where you are and whose network you use.
- Your browsing is visible to the local ISP: even when page content is HTTPS, the domain in the DNS query is plaintext, so the ISP can log which sites you visit.
- Geo-unblocking / split routing breaks: many services judge region by DNS resolution, so a leak makes unblocking fail or gets you detected.
- Risk-control flags: a mismatch between exit and DNS region is a common proxy-detection signal in account / payment risk control.
How this tool detects it
We trigger resolution of a one-time random subdomain and let our own authoritative DNS record the recursive resolver IP that actually queries on your behalf, then decide whether it sits outside the tunnel:
- You are behind a VPN / proxy (a tunnelled / datacenter exit) but the resolver is on a consumer ISP (residential / mobile) network → DNS fell back to the local ISP, flagged as a leak — this catches even same-country leaks;
- or the resolver is in a different country than your exit → your real location leaks;
- the resolver is public DNS (e.g. Google, Cloudflare) or a VPN-provider resolver (datacenter / anycast) → treated as a normal path and not flagged, to avoid false positives.
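The three rules above, sketched as an added Python example (not this tool's own code). The zone name, the log format, the IP metadata table, the verdict strings and the order in which the rules are tested are all assumptions made for illustration; every address comes from documentation ranges.

```python
import ipaddress
import secrets

ZONE = "leaktest.example"  # hypothetical zone served by the authoritative DNS
# Constructed stand-in for an IP-intelligence lookup: network -> (kind, country)
IP_META = {
    "192.0.2.0/24": ("datacenter", "NL"),      # VPN exit and VPN resolver
    "198.51.100.0/24": ("residential", "NL"),  # consumer ISP, same country
    "203.0.113.0/24": ("mobile", "CN"),        # consumer ISP, other country
    "2001:db8:53::/48": ("public_dns", "US"),  # anycast public resolver
}
# Constructed authoritative query log: "<resolver source IP> <qname> <qtype>"
SAMPLE_LOG = [
    "192.0.2.53 a1b2c3d4e5f60718.leaktest.example. A",
    "198.51.100.7 a1b2c3d4e5f60718.leaktest.example. AAAA",
    "2001:db8:53::1 a1b2c3d4e5f60718.leaktest.example. A",
    "203.0.113.9 ffffffffffffffff.leaktest.example. A",  # another client's probe
]

def lookup(ip):
    addr = ipaddress.ip_address(ip)
    for net, meta in IP_META.items():
        if addr in ipaddress.ip_network(net):
            return meta
    return ("unknown", None)

def new_probe_name():
    # One-time random label: no cache can answer it, so the query reaches our server
    return f"{secrets.token_hex(8)}.{ZONE}"

def resolvers_for(probe, log_lines):
    # Resolver source IPs that asked for this probe name, de-duplicated in order
    hits = (line.split()[:2] for line in log_lines)
    return list(dict.fromkeys(s for s, q in hits if q.rstrip(".").lower() == probe.lower()))

def classify(exit_ip, resolver_ip):
    (exit_kind, exit_cc), (res_kind, res_cc) = lookup(exit_ip), lookup(resolver_ip)
    if res_kind in ("public_dns", "datacenter"):
        return "ok"  # normal path; tested first (assumed precedence) to avoid false positives
    if exit_kind == "datacenter" and res_kind in ("residential", "mobile"):
        return "leak:isp-fallback"  # covers same-country leaks
    if exit_cc and res_cc and exit_cc != res_cc:
        return "leak:country-mismatch"
    return "ok"

def check(exit_ip, probe, log_lines):
    return {r: classify(exit_ip, r) for r in resolvers_for(probe, log_lines)}
```

A single probe can be answered by several resolvers, for example one over IPv4 and one over IPv6, which is why `check` returns a verdict per resolver rather than one result.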
How to fix a DNS leak
- Enable "DNS leak protection / force tunnel DNS" in your VPN client so every query goes to the VPN's resolver;
- Turn off custom local DNS set in the OS or browser (unless it is itself tunnelled);
- Mind IPv6 leaks: many VPNs only tunnel IPv4 while IPv6 DNS still goes local — either confirm IPv6 is tunnelled or disable IPv6;
- Check whether router / system-level DNS is hard-coded to the local ISP;
- Point the browser's "Secure DNS / DoH" at a trusted resolver rather than overriding the VPN's setting.
FAQ
Is a DNS leak the same as an IP leak?
No. An IP leak exposes your real exit IP (often via WebRTC or dual-stack split routing); a DNS leak is the resolution step bypassing the tunnel. They happen independently — to see everything at once, run the full deep check.
Can a DNS leak happen within the same country?
Yes, and it is the most subtle case. This tool handles it: whenever the recursive resolver sits on a consumer ISP network (your local ISP), it is flagged as a leak even if it is in the same country as your exit.
Why does a DNS leak still happen on a VPN?
Usually because DNS leak protection is off, the OS hard-codes a local DNS, or IPv6 is not covered by the tunnel.
Can it be detected with DoH / DoT on?
Not always. If the browser or OS uses DNS-over-HTTPS (e.g. Firefox's default Cloudflare DoH), DNS goes over an encrypted direct connection that bypasses the system resolver, so a "recursive-resolver capture" test may not observe the local ISP — a blind spot shared by all tools of this kind.
If a leak shows up and you want to know whether your exit is seen as a proxy, whether AI is usable, or whether there is a WebRTC / dual-stack leak, run the full deep check, or do the split-routing diagnosis on its own.