You connect your VPN. The icon turns green. You feel secure. But every website you visit is being reported to your Chinese ISP through DNS queries that your VPN is not capturing. This is a DNS leak, and it is far more common than most VPN users realize.

What Is a DNS Leak?

When you type google.com into your browser, your device first needs to look up the IP address for google.com. This lookup is called a DNS query, and it is typically sent to your ISP's DNS server in plaintext -- completely unencrypted.

A DNS leak occurs when your VPN encrypts the actual traffic to Google but allows the DNS query (asking "what is google.com's IP address?") to go through your ISP unencrypted. Your ISP -- and by extension, the Great Firewall (GFW) -- sees every domain you visit, even though neither can see the content.

Why DNS Leaks Are Dangerous in China

  • Activity monitoring: Your ISP sees a complete list of every domain you visit
  • DNS poisoning: The ISP can return incorrect IP addresses for blocked domains
  • VPN detection: If your DNS queries show blocked domains while your traffic appears encrypted, it is a signal that you are using a VPN
  • Service blocking: Even if your VPN is active, poisoned DNS responses can prevent you from reaching blocked services

How to Test for DNS Leaks

Connect your VPN, then visit a DNS leak test website (dnsleaktest.com or ipleak.net). If the results show Chinese DNS servers (typically containing "chinatelecom," "chinaunicom," or "chinamobile" in the hostname), you have a DNS leak.

The Fix: DNS-over-TLS

DNS-over-TLS (DoT) encrypts DNS queries before they leave your device. Instead of sending plaintext queries to your ISP's DNS server, queries are encrypted and sent to a trusted DNS resolver (like Cloudflare 1.1.1.1 or Google 8.8.8.8) over TLS.

KookVPN routes all DNS queries through encrypted DNS-over-TLS, ensuring that your ISP cannot see which domains you are requesting. Combined with TUN mode (which captures ALL traffic including DNS), this eliminates DNS leaks entirely. See our full feature breakdown for technical details on how KookVPN prevents every type of leak.

Check your VPN: Run a DNS leak test right now with your VPN connected. If you see Chinese DNS servers in the results, your VPN is leaking your browsing activity to your ISP.

