You're connected to a VPN. Your IP is hidden. You feel secure. But your browser is quietly sending DNS queries to your ISP's servers — completely outside the VPN tunnel. This is called a DNS leak, and it reveals every website you visit to your internet provider, even when you think you're anonymous.
What is DNS?
DNS (Domain Name System) is the phone book of the internet. When you type carrotvpn.com into your browser, your device doesn't know the IP address behind that name. It sends a query to a DNS server asking "what is the IP address for carrotvpn.com?" The DNS server replies with the IP, and your browser connects.
By default, your device uses your ISP's DNS servers. This means your ISP can log every domain you query — building a complete record of every website you visit, timestamped and linked to your account.
What is a DNS Leak?
A DNS leak occurs when your device is connected to a VPN but sends DNS queries outside the VPN tunnel — directly to your ISP's DNS servers. The result: your ISP can see every website you visit even though your connection appears to be through a VPN. Your IP address may be hidden, but your browsing history is fully exposed.
A VPN with a DNS leak is like a private car with a transparent roof — your route is still visible even if your identity is hidden.
Why DNS Leaks Happen
- VPN misconfiguration: Poorly configured VPN clients that don't redirect DNS traffic through the tunnel
- OS-level DNS settings: Windows and Android may have hardcoded DNS fallback behavior that bypasses VPN settings
- Split tunneling without DNS coverage: Split tunneling that routes traffic but not DNS queries through the VPN
- IPv6 leaks: Some VPNs only protect IPv4 traffic; IPv6 DNS queries can bypass the tunnel entirely
- WebRTC leaks: Browser WebRTC can expose your real IP and DNS server even when a VPN is active
How to Test for DNS Leaks
- Connect to CarrotVPN (or any VPN you want to test)
- Visit a DNS leak test website (search for "DNS leak test" in your browser)
- Run the extended test (tests multiple DNS resolvers over time)
- Review the DNS server locations shown in the results
The test will show you which DNS servers are resolving your queries. If your VPN is working correctly, you should see DNS servers from the VPN provider's network, not your ISP's servers.
Reading Your Test Results
✅ No DNS Leak — Good Result
DNS servers shown are from your VPN provider's country/network. Your ISP's DNS servers don't appear. Your browsing is private.
❌ DNS Leak Detected
Your ISP's DNS servers appear in the results, or DNS servers from your home country appear while your VPN is connected to a different country. Your ISP can see your browsing history.
❌ Multiple DNS Servers
Both VPN DNS and ISP DNS servers appear — partial leak. Some queries are protected, but some go to your ISP. You still have a privacy vulnerability.
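The three outcomes above can be checked mechanically once you have the resolver addresses a leak test reports. The following Python sketch is an added example, not CarrotVPN code. The function name, the verdict strings and the network ranges are assumptions made for illustration, and the ranges are constructed documentation addresses. It treats any resolver outside the VPN provider's networks as leaked, which covers ISP resolvers as well as IPv6 resolvers that bypass the tunnel.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 / RFC 3849 documentation space).
# Replace with the resolver networks your VPN provider actually publishes.
VPN_DNS_NETWORKS = ["198.51.100.0/24", "2001:db8:100::/48"]


def classify_resolvers(observed, vpn_networks=VPN_DNS_NETWORKS):
    """Classify resolver IPs reported by a DNS leak test.

    Returns (verdict, leaked) where verdict is "no_leak", "leak" or
    "partial_leak" and leaked lists the resolvers outside the VPN networks.
    """
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    tunneled, leaked = set(), set()
    for raw in observed:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on bad input
        # Compare only against networks of the same IP version, so an
        # IPv6 resolver is never matched by an IPv4-only allow list.
        inside = any(addr.version == n.version and addr in n for n in nets)
        (tunneled if inside else leaked).add(addr)

    if not tunneled and not leaked:
        raise ValueError("no resolvers observed; rerun the extended test")

    # IPv4 and IPv6 address objects cannot be ordered against each other,
    # so sort on (version, integer value) before converting to strings.
    leaked_out = [str(a) for a in sorted(leaked, key=lambda a: (a.version, int(a)))]

    if not leaked:
        return "no_leak", leaked_out       # only VPN resolvers seen
    if not tunneled:
        return "leak", leaked_out          # only outside resolvers seen
    return "partial_leak", leaked_out      # mix of VPN and outside resolvers


if __name__ == "__main__":
    # Constructed results: one VPN resolver plus one IPv6 resolver outside it.
    sample = ["198.51.100.10", "198.51.100.10", "2001:db8:200::53"]
    print(classify_resolvers(sample))
```

Run the extended test several times and feed in the combined list, since a partial leak may only show up on some queries.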
How CarrotVPN Prevents DNS Leaks
CarrotVPN implements multiple layers of DNS leak protection:
- Exclusive DNS tunneling: All DNS queries are forced through the WireGuard® tunnel — the OS cannot send DNS queries outside the VPN
- Private DNS servers: CarrotVPN operates its own DNS servers inside the VPN network, not relying on third-party public DNS services
- IPv6 leak blocking: IPv6 traffic is blocked when the VPN is active to prevent IPv6 DNS leaks
- WebRTC protection: The CarrotVPN Android app restricts WebRTC access to prevent browser-level IP and DNS leaks
- DNS-over-WireGuard: Unlike OpenVPN, which has known DNS leak vulnerabilities on Android, WireGuard® handles DNS at the kernel level, making leaks structurally impossible