DNS Privacy Checker — User Guide
A complete walkthrough of the DNS Privacy & Security Checker on publicdns.info. Learn what each test measures, how to read your A–F grade, and what to do when a test fails.
What the DNS Privacy Checker tests
The checker runs six independent tests against your DNS configuration. Each test targets a different privacy surface:
- DNS Leak Detection (20% weight) — identifies the actual resolver handling your DNS queries using authoritative DNS callbacks
- Encrypted DNS (20%) — checks whether DoH/DoT endpoints are reachable from your browser
- DNSSEC Validation (25%) — confirms your resolver verifies cryptographic signatures on DNS records
- IPv6 Exposure (10%) — detects IPv6 addresses leaking through WebRTC
- ECH/ESNI Support (15%) — tests whether your browser supports Encrypted Client Hello
- DNS Server Identification (10%) — determines which resolver you are actually using
The checker operates in two modes. "Check My DNS" runs browser-side heuristics to audit your live configuration. "Check a Specific DNS Server" runs server-side dig queries against any public resolver IP you provide, producing definitive pass/fail results. Both modes are free and require no installation.
How to run a privacy audit
Open the DNS Privacy Check page. You will see the two mode tabs at the top: Check My DNS (default) and Check a Specific DNS Server.
For a personal audit, leave "Check My DNS" selected and click Run Privacy Audit. Six test cards appear, each with a progress bar. Tests run in parallel and take 10–25 seconds depending on your connection.
Each card transitions through states:
- Waiting — grey card, test has not started
- Running — blue pulsing bar, test in progress
- Pass — green border, this dimension is well protected
- Warn — amber border, partial protection or inconclusive
- Fail — red border, this dimension has a privacy gap
When all six tests finish, the grade ring animates to show your composite score and letter grade. Below it you will find the detected DNS servers, a share button, and a "Test Again" option.
Understanding your A–F grade
Your overall grade is a weighted average of the six test scores, mapped to a letter:
| Grade | Score | What it means |
|---|---|---|
| A+ | 95–100 | Excellent. Encrypted DNS active, DNSSEC validated, no detectable leaks, ECH supported. |
| A | 85–94 | Strong privacy. One minor gap, typically ECH or IPv6 edge case. |
| B | 70–84 | Good baseline. Usually missing encrypted DNS or has a partial leak. |
| C | 55–69 | Significant gaps. Multiple tests warn or fail. Your queries are partially exposed. |
| D | 40–54 | Poor. Most DNS traffic is visible to your ISP or network operator. |
| F | Below 40 | Critical. DNS is unencrypted, unvalidated, and likely leaking. Address immediately. |
DNSSEC Validation carries the highest single weight (25%) because it is the most reliable browser-side test and directly protects against DNS spoofing. Encrypted DNS and Leak Detection each carry 20%, making encryption and leak prevention the next priority. ECH (15%) and IPv6/Server ID (10% each) round out the score.
A realistic target for most users is B or above. Reaching A+ requires a browser that supports ECH (Firefox with Cloudflare DNS), a DNSSEC-validating resolver, and no IPv6 leaks.
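A worked computation of the composite score, added here as an example and not part of the checker's own code: it applies the six weights and the grade bands from the table above to a few run outcomes, and assumes Pass, Warn and Fail score 100, 50 and 0 respectively (the page does not state how a Warn is scored).

```shell
#!/bin/sh
# Added example, not the checker's own code. Per-test values pass=100,
# warn=50, fail=0 are an assumption; weights and grade bands are the
# documented ones (20/20/25/10/15/10, A+ >= 95 ... F < 40).

# Convert one card state into a 0-100 test score.
state_score() {
  case "$1" in
    pass) echo 100 ;;
    warn) echo 50 ;;
    fail) echo 0 ;;
    *) echo "unknown state: $1" >&2; return 1 ;;
  esac
}

# Arguments in order: leak encrypted dnssec ipv6 ech serverid.
# The weights sum to 100, so the weighted sum / 100 is already 0-100.
composite_score() {
  leak=$(state_score "$1"); enc=$(state_score "$2"); sec=$(state_score "$3")
  v6=$(state_score "$4");   ech=$(state_score "$5"); sid=$(state_score "$6")
  echo $(( (20*leak + 20*enc + 25*sec + 10*v6 + 15*ech + 10*sid) / 100 ))
}

# Map a 0-100 score to the letter bands from the grade table.
letter_grade() {
  s=$1
  if   [ "$s" -ge 95 ]; then echo "A+"
  elif [ "$s" -ge 85 ]; then echo "A"
  elif [ "$s" -ge 70 ]; then echo "B"
  elif [ "$s" -ge 55 ]; then echo "C"
  elif [ "$s" -ge 40 ]; then echo "D"
  else echo "F"; fi
}

# Worked cases: a lone DNSSEC failure drops a perfect run to B (75);
# failing DNSSEC and encrypted DNS together lands exactly on C (55).
for run in "pass pass pass pass pass pass" \
           "pass pass fail pass pass pass" \
           "pass fail fail pass pass pass" \
           "fail fail fail pass warn fail"; do
  set -- $run
  score=$(composite_score "$@")
  printf '%-36s -> %3d %s\n' "$run" "$score" "$(letter_grade "$score")"
done
```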
What each test dimension means
DNS Leak Detection
This is the most critical test. It uses the industry-standard authoritative DNS callback technique to reveal which resolver actually handles your queries.
When you click "Run Privacy Audit", your browser resolves a unique random subdomain of dnsprobe.online. Because the subdomain has never been queried before, there is no cached answer. The query travels all the way to our authoritative DNS server, which logs the IP address of the resolver that contacted it.
That logged IP is the real resolver processing your DNS queries. If you are using a VPN and the resolver IP belongs to your ISP instead of the VPN provider, your DNS is leaking. If you configured 1.1.1.1 but the resolver IP belongs to your ISP, your OS is ignoring your DNS settings.
Pass: The detected resolver matches your expected configuration (VPN provider, configured DNS, etc.).
Warn: The resolver is a known public DNS but does not match your system configuration, which may indicate a browser-level override.
Fail: The resolver is an ISP default when you expected a VPN or custom DNS, indicating a DNS leak.
Encrypted DNS (DoH/DoT Reachability)
This test checks whether known DNS-over-HTTPS endpoints are reachable from your browser. It sends fetch requests to the DoH APIs of Cloudflare and Google and checks for valid responses.
A key limitation: reachability does not prove your current queries are encrypted. It only confirms that encrypted DNS is available to you. To actually encrypt your queries, you must explicitly enable DoH or DoT in your browser or operating system. See our DoH vs DoT guide for setup instructions.
In "Check a Specific DNS Server" mode, this test runs a real DoT connection attempt to port 853, giving a definitive answer on whether the server supports DNS-over-TLS.
Pass: DoH endpoints are reachable and responding.
Warn: Partial reachability (one provider reachable, another blocked).
Fail: No encrypted DNS endpoints are reachable, possibly blocked by your network.
DNSSEC Validation
DNSSEC adds cryptographic signatures to DNS records. A validating resolver checks these signatures and rejects tampered responses, protecting you from cache poisoning attacks that redirect you to malicious servers.
The test queries dnssec-failed.org, a domain maintained with intentionally invalid DNSSEC signatures. A properly validating resolver refuses to resolve it and returns SERVFAIL. If the domain resolves to an IP address, your resolver accepted the invalid signature and is not performing DNSSEC validation.
This technique is reliable because it tests actual resolver behaviour, not configuration claims. All major public DNS providers (Cloudflare, Google, Quad9) validate DNSSEC. Most ISP resolvers do not.
Pass: Your resolver rejected the invalid DNSSEC domain.
Fail: The domain resolved, meaning DNSSEC validation is not active.
IPv6 Exposure
Even with a VPN protecting your IPv4 traffic, IPv6 addresses can leak through WebRTC or misconfigured tunnel settings. The checker creates an RTCPeerConnection and examines ICE candidates for IPv6 addresses.
If a public IPv6 address is detected, it may be bypassing your VPN. Most consumer VPN clients added IPv6 leak protection in recent years, but it is often not enabled by default. Some older routers also expose IPv6 even when the device is otherwise tunnelled through IPv4.
Modern browsers use mDNS (.local) addresses for WebRTC ICE candidates to prevent IP leaking. If your browser does this, the test passes because no real IP is exposed through WebRTC.
Pass: No public IPv6 addresses detected via WebRTC, or mDNS obfuscation is active.
Warn: Link-local IPv6 only (not a real privacy risk, but worth noting).
Fail: Public IPv6 address detected outside your VPN tunnel.
ECH/ESNI Support
Encrypted Client Hello (ECH) is the successor to ESNI (Encrypted Server Name Indication). When you connect to an HTTPS website, the TLS handshake contains a Server Name Indication (SNI) field that reveals the domain name in plaintext. ECH encrypts this field, hiding which site you are visiting from network observers.
The test checks whether your browser negotiates ECH with a server that advertises ECH keys via DNS HTTPS records. As of early 2026, ECH works best in Firefox with Cloudflare DNS (1.1.1.1), because Cloudflare publishes ECH keys for its customers and Firefox has mature ECH support.
Chrome and Edge have partial ECH support but it is not consistently enabled. Safari support is limited. ECH requires cooperation between the DNS resolver (to deliver the ECH key), the website (to publish it), and the browser (to use it).
Pass: ECH negotiation succeeded. Your browser is hiding domain names during TLS handshakes.
Warn: Browser supports ECH but the test server did not negotiate it.
Fail: No ECH support detected.
DNS Server Identification
The final test attempts to identify which DNS provider is actually handling your queries. It examines CDN edge routing patterns and timing heuristics to match your resolver against known providers.
This serves as a cross-check against the leak test. If the leak test says your resolver is Cloudflare but the server ID test identifies Google behaviour, something unusual is happening in your DNS chain, possibly a proxy or transparent DNS interception by your network.
Known privacy-focused providers score higher because they have published privacy policies, no-logging commitments, and DNSSEC support. An unidentified resolver or ISP default scores lower because its privacy practices are unknown.
Pass: Identified as a known privacy-focused DNS provider.
Warn: Identified as a known public DNS but not one with strong privacy commitments.
Fail: Could not identify the resolver, or identified as an ISP default with no privacy policy.
How to check a specific DNS server
Click the "Check a Specific DNS Server" tab on the privacy check page. An input field appears where you can enter any public DNS server IP.
This mode runs server-side tests. Instead of browser heuristics, the tool sends real DNS queries from our server using dig. This produces definitive results for:
- DNSSEC validation — actual SERVFAIL/NOERROR response to dnssec-failed.org
- NXDOMAIN hijacking — whether the server returns honest NXDOMAIN or redirects
- DNS-over-TLS support — real TLS connection attempt to port 853
- Response latency — measured round-trip time from our probe server
Use this mode to evaluate a resolver before switching to it. For example, enter 9.9.9.9 to audit Quad9, or enter your ISP's DNS IP to see if it supports DNSSEC and avoids hijacking.
Tip: You can find DNS server IPs for your country on our DNS by Country directory, or check our best privacy DNS rankings.
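The same resolver-behaviour checks scripted with dig and openssl, as an added example rather than the checker's own server-side code: it reproduces the DNSSEC test described in the DNSSEC Validation section (SERVFAIL expected for dnssec-failed.org), the NXDOMAIN honesty test using a random name under the reserved .invalid TLD, and the port 853 DoT connection attempt. It assumes dig and openssl are installed and that the resolver is reachable from where you run it.

```shell
#!/bin/sh
# Added example, not the checker's own code: reproduce the server-side
# tests against a resolver IP. Assumes dig and openssl are installed.
# Usage: check_resolver 9.9.9.9

# Pull the RCODE out of dig's ";; ->>HEADER<<- ... status: XXX," line.
# Prints nothing on a timeout, which the classifiers treat as warn.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# DNSSEC: dnssec-failed.org is deliberately mis-signed, so a validating
# resolver must answer SERVFAIL; NOERROR means it accepted the bad signature.
classify_dnssec() {
  case "$1" in
    SERVFAIL) echo pass ;;
    NOERROR)  echo fail ;;
    *)        echo warn ;;   # no reply or REFUSED: inconclusive
  esac
}

# NXDOMAIN honesty: a random name under the reserved .invalid TLD can
# never exist, so an answer (NOERROR) means the resolver synthesises one.
classify_nxdomain() {
  case "$1" in
    NXDOMAIN) echo pass ;;
    NOERROR)  echo fail ;;
    *)        echo warn ;;
  esac
}

check_resolver() {
  server="$1"
  d=$(dig @"$server" dnssec-failed.org A +time=3 +tries=1 | dig_status)
  n=$(dig @"$server" "probe-$$-$(date +%s).invalid" A +time=3 +tries=1 | dig_status)
  # DoT: a completed TLS handshake on port 853 counts as supported.
  if openssl s_client -connect "$server:853" </dev/null >/dev/null 2>&1; then
    t=pass; else t=fail; fi
  printf 'DNSSEC validation: %s (rcode %s)\n' "$(classify_dnssec "$d")" "${d:-none}"
  printf 'NXDOMAIN honesty:  %s (rcode %s)\n' "$(classify_nxdomain "$n")" "${n:-none}"
  printf 'DNS-over-TLS 853:  %s\n' "$t"
}
```

Latency, the fourth server-side check, is the `Query time:` line dig prints in the same output and is left out here.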
How to improve your score
Start with the highest-weighted failing test and work down. Here is the priority order and what to do for each:
1. Fix DNSSEC Validation (25% weight)
Switch to a resolver that validates DNSSEC. The simplest options:
- Cloudflare — 1.1.1.1/1.0.0.1
- Google — 8.8.8.8/8.8.4.4
- Quad9 — 9.9.9.9/149.112.112.112
All three validate DNSSEC by default. If you run your own resolver, see our Unbound setup guide for enabling DNSSEC validation.
2. Enable Encrypted DNS (20% weight)
Enable DoH or DoT on your device. Platform guides:
- Windows 11 — Settings → Network → DNS → Encrypted only
- macOS — DNS profile or Cloudflare WARP app
- Android — Settings → Private DNS → enter one.one.one.one
- iOS / iPad — DNS profile from your provider
- Firefox — Settings → Privacy → Enable DNS over HTTPS
- Chrome / Edge — Settings → Security → Use secure DNS
- Linux — systemd-resolved with DNSOverTLS=yes
For a detailed comparison of DoH and DoT, see our DoH vs DoT guide.
3. Stop DNS Leaks (20% weight)
If you use a VPN:
- Enable "DNS leak protection" in your VPN client settings
- Set your VPN to use its own DNS servers exclusively
- On Windows, disable Smart Multi-Homed Name Resolution (Group Policy or registry)
- Consider setting DNS manually on your adapter to match the VPN's resolver
If you do not use a VPN, the leak test verifies that your configured DNS (not your ISP default) is the one actually processing your queries. Change DNS on your device using our platform guides: Windows, macOS/iOS, Android, Linux, Router.
4. Enable ECH support (15% weight)
ECH requires three things working together:
- A browser that supports ECH (Firefox has the best support)
- A DNS resolver that delivers HTTPS records with ECH keys (Cloudflare 1.1.1.1)
- Websites that publish ECH keys (Cloudflare-hosted sites do this)
In Firefox, verify ECH is enabled: navigate to about:config and confirm network.dns.echconfig.enabled is true. Use Cloudflare DNS (1.1.1.1) with DoH enabled for the best ECH coverage.
5. Prevent IPv6 leaks (10% weight)
- VPN users: enable IPv6 leak protection in your VPN app
- Windows: disable IPv6 in adapter properties or via netsh interface ipv6 set privacy state=disabled
- macOS: System Settings → Network → TCP/IP → Configure IPv6 → Link-local only
- Linux: add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf
6. Use a known privacy provider (10% weight)
Switch from your ISP default DNS to a provider with a published privacy policy and no-logging commitment. Our best privacy DNS page ranks providers by privacy features, reliability, and speed.
Sharing your results
After the audit completes, a Share Your Score button appears below the grade ring. Click it to generate a shareable image card containing your letter grade, composite score, and the pass/warn/fail status of each test dimension.
The image is generated client-side using a canvas element. No results are transmitted to our servers. You can save the image or share it directly on social media, forums, or messaging apps.
This is useful for comparing DNS configurations with other people on the same network, verifying a VPN's DNS handling, or documenting your setup for a technical support conversation.
Methodology and limitations
Transparency about what this tool can and cannot determine:
Browser-side tests (Check My DNS mode)
These tests run entirely in your browser using JavaScript. They are heuristic: they infer your DNS configuration from observable browser behaviour. They are useful for quick audits but have inherent limitations:
- The encrypted DNS test checks reachability of DoH endpoints, not whether your current queries are encrypted. Only explicit DoH/DoT configuration in your browser or OS guarantees encryption.
- IPv6 detection relies on WebRTC ICE candidates. Browsers that disable WebRTC or use mDNS obfuscation will show a pass even if IPv6 leaks exist at the OS level.
- ECH testing checks browser-server negotiation. A pass requires all three participants (browser, DNS, server) to cooperate.
- Server identification uses timing patterns that can be affected by network congestion, CDN routing changes, or transparent DNS proxies.
Server-side tests (Check a Specific DNS Server mode)
These tests query the target DNS server directly from our probe infrastructure using dig. Results are definitive for the properties tested (DNSSEC, NXDOMAIN hijacking, DoT support, latency). The limitation is that these results reflect the server's behaviour from our probe location, which may differ from your network path.
What we do not test
- DNS queries from non-browser applications (email clients, game launchers, system services)
- DNS queries during VPN connection/disconnection transitions
- Kernel-level DNS leaks before traffic reaches the browser
- DNS provider logging practices (we check published policies, but cannot verify server-side behaviour)
For comprehensive DNS privacy, combine this tool with terminal-based testing (dig, nslookup), VPN kill switches, and reviewing your provider's privacy audit reports.
Frequently asked questions
What does the A–F grade actually mean?
The grade maps to a 0–100 composite score. A+ is 95–100, A is 85–94, B is 70–84, C is 55–69, D is 40–54, and F is below 40. The score is a weighted average of six individual test scores: DNS Leak Detection (20%), Encrypted DNS (20%), DNSSEC Validation (25%), IPv6 Exposure (10%), ECH/ESNI Support (15%), and Server Identification (10%).
Why does the tool say my DNS is leaking when I have a VPN?
Some VPN clients do not properly capture DNS traffic. Your operating system may be sending DNS queries directly to your ISP resolver instead of through the VPN tunnel. Check your VPN settings for a "DNS leak protection" or "Use VPN DNS only" option. Some VPNs also fail to handle IPv6 DNS, so disable IPv6 on your network adapter if needed.
Is the Check My DNS mode or Check a Specific DNS Server mode more accurate?
Check a Specific DNS Server is more accurate for auditing a resolver because it runs real DNS queries server-side using dig. Check My DNS uses browser-side heuristics that are useful for detecting your current configuration (leaks, encryption status) but cannot definitively test all properties. Use both modes: Check My DNS to see your live setup, and Check a Specific Server to evaluate resolvers before switching.
Can this tool detect all DNS leaks?
The tool detects the most common DNS leak scenario: queries bypassing your VPN and going to your ISP resolver. It cannot detect leaks that occur at the OS kernel level before reaching the browser, leaks from non-browser applications, or DNS queries that happen during the brief moment before your VPN connects at boot. For comprehensive leak testing, combine this tool with a VPN kill switch and manual verification using dig or nslookup from a terminal.
Why did my DNSSEC test fail even though I use Cloudflare or Google DNS?
If your DNSSEC test fails while using a resolver that supports DNSSEC, a middlebox or proxy may be intercepting and re-signing your DNS traffic. Corporate firewalls, some antivirus software, and certain routers perform DNS interception that strips DNSSEC signatures. Try the Check a Specific DNS Server mode with the resolver IP to confirm it validates DNSSEC when queried directly.
Does a low ECH score mean my browsing is insecure?
No. ECH is an emerging privacy enhancement, not a security requirement. Without ECH, the domain name is visible in TLS handshakes (via SNI), but the connection is still encrypted by TLS. ECH adds privacy by hiding which specific site you are connecting to. As of 2026, ECH support is strongest in Firefox with Cloudflare DNS. A low ECH score means this specific privacy layer is missing, not that your connection is insecure.
Related tools and resources
Run the DNS Privacy Check now — audit your current DNS configuration in under 30 seconds.
Best Privacy DNS Servers — ranked by encryption support, DNSSEC, logging policy, and reliability.
DNS Privacy Provider Comparison — detailed feature comparison table of privacy-focused resolvers.
DNS Gaming Benchmark — test DNS latency from your browser and find the fastest resolver for your location.
DoH vs DoT Explained — compare encrypted DNS protocols and choose the right one for your setup.
NXDOMAIN Hijacking Guide — understand why some resolvers lie about non-existent domains.
DNS Servers by Country — browse public DNS servers available in your country.