Free tool · no signup
DNS leak test.
Every domain you visit is announced to whoever answers your DNS. Find out — precisely — who that is.
Who answers your DNS?
We'll fire 10 uniquely-named lookups that only our test nameserver can answer — then show every resolver that asked on your behalf, with its network, country, and transport. Takes about five seconds.
Under the hood
Names nobody has cached.
The test asks your browser to look up hostnames that have never existed before — random, one-time names under our test domain. Because no resolver anywhere has them cached, every resolver your device uses is forced to contact our authoritative test nameserver directly.
That nameserver does one job: it notes which resolver IPs asked about your test's names. Those IPs — matched to their operators via public routing data — are your answer. Not what your settings claim; what your network actually did.
Common questions
About DNS leaks.
What is a DNS leak?
Every site you visit starts with a DNS lookup, and whoever answers those lookups sees every domain your device requests. A 'leak' is when your lookups go to a resolver you didn't intend — typically your ISP's — even though you configured a VPN or an encrypted DNS provider. The result: a third party can see every domain your device looks up.
How does this test work?
Your browser requests a set of uniquely-named hostnames under our test domain. No resolver in the world has them cached, so whichever resolver your device uses must contact our test nameserver to answer — and our nameserver records which resolver IPs asked. The list you see is the ground truth of who handles your DNS.
What should the result look like if I use Guardino?
Ideally a single resolver marked 'Guardino' — meaning every lookup from this device flows through your encrypted profile. If other resolvers appear alongside it, some of your DNS traffic is bypassing Guardino (common causes: a browser's own secure-DNS setting, a VPN's resolver, or per-app DNS).
Is seeing my ISP's resolver bad?
It isn't dangerous by itself — it's the default state of most connections. It simply means your ISP's resolver sees the domains this device looks up, and that no DNS-level filtering or encryption is applied. Whether that's fine is your call; this test just shows you the reality.
What do you store when I run the test?
The test nameserver briefly records the random test ID, the resolver IPs that asked about it, and timestamps — kept only long enough to produce your result, and not tied to any account. The probes themselves carry no personal data.
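The server-side step described under "Under the hood" and "How does this test work?", as an added example that is not the tool's own code: it groups a constructed authoritative-server query log by test ID and flags resolvers outside the networks you intended to use. The zone `leaktest.example`, the `p<n>-<id>` name layout, the log format and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

TEST_ZONE = "leaktest.example"  # assumed test domain, not the tool's real one
# Assumed one-time name layout: p<probe number>-<test id>.<TEST_ZONE>
NAME_RE = re.compile(r"^p(\d+)-([0-9a-f]{8})\." + re.escape(TEST_ZONE) + r"$")

# Constructed query log: timestamp, resolver IP, transport, queried name
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 192.0.2.53 udp p1-3f9a1c07.leaktest.example.
2024-05-01T10:00:00Z 192.0.2.53 udp P2-3F9A1C07.LeakTest.Example.
2024-05-01T10:00:01Z 198.51.100.7 udp p3-3f9a1c07.leaktest.example.
2024-05-01T10:00:01Z 2001:db8::53 tcp p4-3f9a1c07.leaktest.example.
2024-05-01T10:00:02Z 203.0.113.9 udp p1-aa00bb11.leaktest.example.
2024-05-01T10:00:02Z 203.0.113.9 udp www.unrelated.example.
"""


def resolvers_by_test(log_text):
    """Map test id -> {resolver IP: set of probe numbers it asked about}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, src, _transport, qname = parts
        # Resolvers may randomize query-name case (0x20 encoding), so
        # normalize case and the trailing root dot before matching.
        m = NAME_RE.match(qname.rstrip(".").lower())
        if m:
            seen[m.group(2)][src].add(int(m.group(1)))
    return seen


def unexpected_resolvers(resolver_ips, expected_networks):
    """Return resolver IPs that fall outside the networks the user intended."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return sorted(ip for ip in resolver_ips
                  if not any(ipaddress.ip_address(ip) in n for n in nets))


if __name__ == "__main__":
    for test_id, resolvers in resolvers_by_test(SAMPLE_LOG).items():
        # Assumed intended resolver networks (documentation ranges)
        leaks = unexpected_resolvers(resolvers, ["192.0.2.0/24", "2001:db8::/32"])
        print(test_id, sorted(resolvers), "unexpected:", leaks)
```

Any address returned by `unexpected_resolvers` corresponds to the "other resolvers appear alongside it" case in the FAQ.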