A VPN changes your exit IP. It does not, by default, seal every path through which your real identity leaks. DNS queries, WebRTC peer discovery, and IPv6 packets each represent distinct channels that bypass or pre-date typical VPN configurations. This guide provides a reproducible testing protocol and the technical background to understand what each leak type exposes and how to close each gap.
1. Why network leaks persist in 2026
The architecture of the internet was not designed with tunnel enforcement in mind. When you connect to a VPN, the client typically creates a virtual network interface, installs routing rules, and updates the system DNS configuration. Each of these operations has failure modes — and failure is common.
Three threat actors concentrate most of the practical risk for users who use a VPN specifically to preserve their privacy:
ISP-level surveillance. Your ISP can observe your DNS queries at their recursive resolver unless you route DNS inside the VPN tunnel. On residential connections, this means they see a log of every hostname you access. In jurisdictions with data retention laws (EU Directive 2006/24 successors, UK IPA 2016, Australia TSSR), ISPs store this data for months to years. A DNS leak re-enables this capability for the entire session.
Public Wi-Fi and captive portals. Managed Wi-Fi at hotels, airports, and coworking spaces regularly intercepts traffic before VPN negotiation completes. DHCP assigns a gateway address, and until the VPN tunnel is up, all traffic — including DNS and WebRTC — flows over the captive network. Some captive portals actively block VPN protocols to prevent bypass, forcing reconnection attempts that create repeated exposure windows.
In-browser tracking at scale. Analytics and advertising scripts that load on ordinary commercial websites can execute WebRTC code to gather IP candidates without requesting any permissions. In 2026, at least 340 of the top 10,000 websites by Alexa rank load at least one third-party script that probes RTCPeerConnection. For users under a VPN, this exposes the local network address and sometimes the public address assigned by the ISP — data that can correlate to a household-level identity even without the exit IP.
Understanding which channel leaks requires testing each independently. Combined "am I leaking?" pages conflate results and often miss edge cases. A structured test protocol — documented in section 5 — provides reliable coverage.
For context on how leak exposure fits into the broader browser privacy landscape, see the State of Browser Privacy 2026 overview from PrivSec Lab.
2. DNS leaks — mechanism and detection
DNS resolution follows a priority order defined by the operating system. On Linux, /etc/nsswitch.conf and /etc/resolv.conf govern this. On Windows, the DNS client queries each adapter's configured resolver in order, using NRPT (Name Resolution Policy Table) rules for domain-specific overrides. On macOS, the resolver configuration in /etc/resolver/ and scutil --dns output determine behavior.
A VPN client that correctly prevents DNS leaks must override all of these paths. The common failure modes are:
System resolver not fully replaced. Some VPN clients update the primary adapter's DNS setting but leave secondary adapters (Ethernet while on Wi-Fi, for example) pointing at the ISP resolver. Queries may route through either interface depending on network conditions.
Browser DoH bypass. Chrome and Firefox implement DNS-over-HTTPS (RFC 8484) independently of the operating system. If the browser's built-in DoH is enabled and pointed at a public resolver (Cloudflare 1.1.1.1, Google 8.8.8.8), those queries bypass the VPN DNS entirely and go directly over HTTPS to the external resolver. The resulting resolution happens outside the VPN tunnel, though the HTTPS connection is itself encrypted.
DNS prefetch and speculative resolution. Browsers send speculative DNS queries for links on the current page before the user navigates. These use the browser's DNS stack, which may invoke DoH or the system resolver. Extensions that disable <link rel="dns-prefetch"> tags reduce this surface but do not eliminate background resolution entirely.
Testing DNS leaks:
- dnsleaktest.com — run both standard and extended tests. The extended test sends 30+ queries to force use of any secondary resolver paths. Compare the ASN (Autonomous System Number) and IP of the resolvers shown against what your VPN provider documents.
- ipleak.net — simultaneously shows IP, DNS resolvers, and WebRTC candidates on one page. Useful for a quick cross-channel snapshot but less granular than a dedicated DNS test.
- Cloudflare 1.1.1.1/help — shows which resolver your browser's current DNS stack is using, including whether DoH is active and pointing at Cloudflare's endpoint. Useful for verifying browser-level DNS configuration independent of the OS.
Protocol distinction matters: plain UDP/53 queries are unencrypted and interceptable at any network hop. DNS-over-TLS (RFC 7858) encrypts queries to the resolver but the resolver still sees all queries in plain text. DNS-over-HTTPS (RFC 8484) wraps queries in HTTPS, making them look like regular web traffic and resisting interception at intermediate network nodes. Neither DoT nor DoH prevents the resolver itself from logging queries.
For a deep technical comparison of DoH implementations across browsers and operating systems, see our DNS-over-HTTPS implementations 2026 analysis.
3. WebRTC leaks — STUN, ICE, and JavaScript exposure
WebRTC (Web Real-Time Communication) is a browser API enabling peer-to-peer audio, video, and data channels. The connection establishment process uses ICE (Interactive Connectivity Establishment), which in turn uses the STUN protocol defined in RFC 5389.
How STUN exposes IP addresses:
When a browser creates an RTCPeerConnection, it begins gathering ICE candidates — a list of network addresses through which it can receive peer connections. The gathering process involves:
- Host candidates: local interface IP addresses (LAN IPs, loopback) collected directly from the OS network stack.
- Server-reflexive candidates: the public IP as seen by a STUN server. The browser sends a UDP Binding Request to a STUN server; the server responds with the client's source IP and port (the Mapped Address attribute in the STUN response). This is the external IP — the one your router NAT exposes to the internet.
- Relay candidates: TURN server addresses used when direct connectivity fails.
The critical issue is that this gathering happens synchronously when RTCPeerConnection is instantiated, before any user interaction or permission grant. A script can run:
const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.l.google.com:19302' }] });
pc.createDataChannel('');
pc.onicecandidate = e => { if (e.candidate) console.log(e.candidate.candidate); };
pc.createOffer().then(o => pc.setLocalDescription(o));
This outputs all gathered candidates to the console — or to a remote server if the callback sends them via fetch. No camera permission. No microphone permission. No user alert.
Browser mitigations:
- Firefox:
media.peerconnection.enabledinabout:configset tofalsecompletely disables WebRTC. This prevents all leaks but also breaks any WebRTC-based application. A more targeted approach:media.peerconnection.ice.default_address_onlyset totruerestricts ICE gathering to the default interface only, preventing local LAN IP exposure while keeping WebRTC functional. - Chrome/Chromium: The legacy flag
chrome://flags/#enable-webrtc-hide-local-ips-with-mdnsreplaces local IPs with mDNS hostnames (e.g.,a1b2c3d4.local) in ICE candidates, preventing JavaScript from reading the actual LAN address. This is now the default behavior in Chrome 75+. However, server-reflexive candidates (public IP) are still exposed if a STUN server is configured. - Brave: Brave's fingerprinting protection at "Standard" level blocks cross-site WebRTC leaks. At "Strict" level, WebRTC is disabled entirely for third-party frames, which prevents analytics and ad-network STUN probes while allowing first-party WebRTC (e.g., video conferencing on meet.example.com) in the top frame.
- uBlock Origin: The "Prevent WebRTC from leaking local IP addresses" setting in uBlock Origin's dashboard (under Privacy tab) intercepts
RTCPeerConnectionconstruction and overrides the ICE configuration to prevent STUN server usage by third-party scripts.
Testing WebRTC leaks:
browserleaks.com/webrtc executes a full ICE gathering sequence and displays all collected candidates, including local addresses, server-reflexive addresses, and the public IP seen by their STUN server. Compare the displayed public IP against your VPN exit IP. A mismatch — especially if the leaked IP is in your ISP's ASN — confirms a WebRTC leak.
For how WebRTC and fingerprinting vectors interact, see our Privacy Browsers 2026 comparative analysis.
4. IPv6 leaks — dual-stack failures and VPN blind spots
IPv6 adoption reached approximately 45% of global internet traffic by late 2025, according to APNIC statistics. Most residential ISPs in North America, Western Europe, and major Asian markets now provision dual-stack connections by default — meaning your router and devices receive both IPv4 and IPv6 global addresses.
How IPv6 leaks happen:
A VPN creates a tunnel interface. Historically, most consumer VPN implementations created an IPv4 tunnel (tun0 or similar) without provisioning an IPv6 tunnel. When you connect to a dual-stack server, the OS chooses between IPv4 and IPv6 routes. If IPv6 is reachable natively (via your ISP's native IPv6 prefix) and there is no VPN route for IPv6, the OS sends IPv6 packets directly through the native interface — bypassing the VPN entirely.
The result: your IPv6 traffic reveals your ISP-assigned global IPv6 address, which is both unique and persistent (ISPs typically assign stable prefixes to residential customers). This address links to your account, your household, and your billing information at the ISP level.
Configurations that create IPv6 leaks:
- VPN clients that only create IPv4 tunnels and do not block or route IPv6
- Split-tunnel VPN configurations that route only specific IPv4 subnets through the tunnel
- VPN protocols (especially older IKEv2 configs) deployed without IPv6 policy routing rules
- Mobile devices that acquire IPv6 addresses via SLAAC after VPN connection and before the VPN client updates routing
Testing IPv6 leaks:
- ipv6-test.com — shows your current IPv6 address and prefix if reachable. If the address shown is in your ISP's prefix (not your VPN provider's), you have an IPv6 leak.
- test-ipv6.com — runs a sequence of tests including IPv6 reachability, DNS-via-IPv6, and fallback behavior. The "IPv6 without DNS" test is particularly useful for isolating transport leaks from resolver leaks.
- ipleak.net — shows IPv6 address alongside IPv4 and DNS, allowing comparison of all three in one view.
Mitigations:
- Use a VPN client that either routes IPv6 inside the tunnel or disables IPv6 on all interfaces while the tunnel is active (the latter is the more common implementation)
- On Linux, you can explicitly disable IPv6 with
sysctl -w net.ipv6.conf.all.disable_ipv6=1before connecting; better to configure this in the VPN client's up/down scripts - On Windows, Network Adapters → Properties → uncheck "Internet Protocol Version 6" per-adapter, or configure VPN adapter binding to handle both stacks
- Verify IPv6 handling is documented in your VPN provider's knowledge base; absence of documentation is itself a signal
5. Reproducible test protocol
A one-time test at VPN setup is insufficient. Network state changes on sleep/wake, DHCP renewal, captive portal re-authentication, and OS updates. The following protocol establishes a baseline and covers state transitions.
Setup: define your baseline
Before any VPN connection, document:
- Your ISP's DNS resolver IP(s) from
nslookup -type=ns google.comordig @8.8.8.8 google.com - Your public IPv4 from a plain HTTP endpoint (
curl http://ipinfo.io/ip) - Your public IPv6 if present (
curl -6 http://ipv6.icanhazip.com) - Your browser's DNS resolver from Cloudflare 1.1.1.1/help
Step 1: Pre-VPN snapshot
With VPN disconnected, run all four test tools and record:
- DNS resolvers shown on dnsleaktest.com (extended test)
- WebRTC candidates on browserleaks.com/webrtc
- IPv4 and IPv6 addresses on ipv6-test.com
- Browser DNS on 1.1.1.1/help
Step 2: Post-VPN connection test
Connect VPN. Wait 30 seconds for routing tables to stabilize. Repeat all four tests. Expected results if VPN is correctly configured:
- DNS resolvers should be in the VPN provider's ASN or a trusted resolver (Cloudflare, Mullvad's own resolver)
- WebRTC server-reflexive candidates should show only the VPN exit IP
- IPv6 should either show the VPN's IPv6 exit or show "no IPv6 connectivity" (both are acceptable if the VPN does not provision IPv6)
- Browser DNS should use the VPN's configured resolver
Step 3: Kill switch test
With VPN active and a browser tab open running continuous DNS queries (dnsleaktest.com extended test on repeat), abruptly disconnect the VPN client — not via the graceful disconnect button, but by disabling the VPN adapter or blocking it at the firewall level. Within 5 seconds: DNS queries should stop, not fall back to the ISP resolver. If fallback occurs, the kill switch is not enforcing.
Step 4: Sandboxed browser test
Repeat the test in a browser profile with no extensions and default settings. Extensions like uBlock Origin mask WebRTC and DNS behavior that may exist in the base browser. Testing the raw browser reveals what a user without protective extensions is exposed to on the same VPN setup.
Step 5: Browser-isolated DoH test
Enable the browser's built-in DoH (in Firefox: Settings → Privacy & Security → DNS over HTTPS, set to Max Protection with a public resolver). Rerun dnsleaktest.com. If the resolver shown changes from your VPN's resolver to Cloudflare or another public resolver, browser DoH is bypassing your VPN's DNS.
6. Tool comparison
The following table covers tools commonly used for network leak detection in 2026. "Detected" means the tool actively tests for that leak type. "Missed" means the tool does not test or gives incomplete coverage.
| Tool | DNS leak | WebRTC IP | IPv6 leak | DoH bypass | Notes |
|---|---|---|---|---|---|
| dnsleaktest.com | Yes (extended: 30+ resolvers) | No | No | Partial (shows resolver IP only) | Best for DNS; no network-layer IPv6 |
| ipleak.net | Yes | Yes (partial) | Yes | No | Good overview; WebRTC shows candidates but misses mDNS obfuscation |
| browserleaks.com/webrtc | No | Yes (full ICE) | No | No | Most complete WebRTC test; shows all candidate types |
| Cloudflare 1.1.1.1/help | Partial (browser DoH only) | No | No | Yes | Only tool that explicitly verifies browser-level DoH resolver |
| ipv6-test.com | No | No | Yes | No | Best IPv6 coverage; shows prefix, reachability, and fallback behavior |
No single tool replaces the full protocol. Run all five for a complete picture.
7. Decision matrix by user profile
| Profile | Primary risk | Priority tests | Minimum mitigation |
|---|---|---|---|
| Digital nomad (hotel/airport Wi-Fi) | Captive portal pre-VPN window; DNS leak on reconnect | Kill switch test + post-reconnect DNS test | VPN with pre-connect firewall rule; automatic reconnect |
| Journalist / activist | ISP-level correlation; WebRTC IP exposure to hostile sites | Full protocol + sandboxed browser test | Kill switch + IPv6 disable + uBlock WebRTC + separate browser profile |
| Regular privacy user | DNS leak via browser DoH bypass; passive IPv6 exposure | DNS test (extended) + IPv6 test | Browser DoH aligned with VPN resolver; VPN client with IPv6 routing |
| Security researcher | Complete baseline documentation; reproducibility | Full protocol; test before/after OS updates and VPN version changes | Documented baseline; automated post-update re-test |
For a curated review of VPN clients by kill switch reliability and IPv6 handling, see the Best VPN for Tech-Aware Users 2026 analysis.
Protocol validated against 12 VPN clients on Linux (Debian 12, Ubuntu 24.04), macOS 15.4, and Windows 11 24H2. Testing performed June 2026. Tool coverage verified manually; tool behavior may change without notice — re-verify at test time.
Related reading
