How DNS leaks happen with Surfshark
If you use Surfshark for privacy, a DNS leak can expose the websites you visit even while your VPN tunnel is active.
This guide explains how to fix a DNS leak with Surfshark, why it happens, and how to confirm that your DNS requests stay private.
Surfshark is designed to route traffic through encrypted VPN servers, but device settings, network policies, or conflicting software can still send DNS queries outside the tunnel.
The good news is that most leaks can be traced to a short list of causes and corrected quickly.
What a DNS leak means
Domain Name System, or DNS, is the service that translates domain names such as example.com into IP addresses.
When a DNS leak occurs, your browser or operating system may ask your internet service provider, a public resolver, or another network for those lookups instead of using Surfshark’s protected path.
That matters because DNS requests can reveal the sites you visit, which devices are active, and sometimes your approximate location.
Even if the rest of your internet traffic is encrypted by WireGuard, OpenVPN, or another VPN protocol, leaked DNS traffic can reduce privacy.
Common causes of DNS leaks with Surfshark
- Using a local or ISP-assigned DNS server from earlier network settings.
- Having a second VPN, proxy, or security app that overrides DNS routing.
- Misconfigured Windows, macOS, Android, iOS, or router-level DNS settings.
- Split tunneling rules that exclude specific apps or destinations.
- Browser features such as secure DNS, DNS-over-HTTPS, or custom extensions.
- Network adapters, virtual machines, or IPv6 configurations that bypass the VPN tunnel.
How to fix a DNS leak with Surfshark on any device
1. Reconnect to Surfshark and change servers
Start with the simplest correction: disconnect Surfshark, reconnect, and try a different server location.
A fresh session can clear a temporary routing issue, and switching servers helps determine whether the problem is tied to one endpoint.
If you use a protocol selector, try another supported option such as WireGuard or OpenVPN.
Different protocols can behave differently on restrictive networks and may resolve DNS handling issues.
2. Turn on the VPN’s kill switch
Enable the kill switch in Surfshark so traffic stops if the VPN disconnects unexpectedly.
This does not directly repair a leak, but it prevents your device from falling back to unprotected DNS during a brief tunnel drop.
On systems that support it, use the strictest kill switch setting available.
That is especially important on laptops and mobile devices that move between Wi-Fi networks.
3. Disable conflicting DNS settings
Check whether your device has custom DNS entries set manually.
If you previously configured Cloudflare, Google Public DNS, Quad9, or another resolver, those settings can override VPN-provided DNS handling.
Return the device network adapter to automatic DNS, then reconnect Surfshark.
After changing the setting, restart the browser or refresh the network connection so the old resolver is not cached.
4. Turn off other VPNs, proxies, and security tools
Only one application should manage your encrypted tunnel and DNS path at a time.
Third-party antivirus suites, enterprise endpoint tools, traffic filters, or browser proxy extensions can intercept requests and cause inconsistent routing.
Temporarily disable any app that changes network behavior, then test Surfshark again.
If the leak disappears, re-enable tools one by one to identify the conflict.
5. Review split tunneling settings
Split tunneling can be useful, but it can also create unexpected DNS behavior if apps outside the tunnel still query your network provider.
If you need a clean privacy setup, turn split tunneling off and test again.
When split tunneling is necessary, make sure you understand which apps are excluded and whether they use system DNS or their own resolver.
Browsers are especially important because they often control their own secure DNS settings.
Device-specific fixes that often work
Windows
- Set DNS to automatic in the adapter properties.
- Flush the DNS cache using the built-in network tools.
- Disable IPv6 temporarily if your leak test shows IPv6 DNS queries outside the tunnel.
- Restart the Surfshark app after changing network settings.
macOS
- Remove manual DNS servers from the active network service.
- Renew the DHCP lease after reconnecting to Surfshark.
- Check for configuration profiles that force custom DNS.
- Test with browser secure DNS disabled if the browser overrides the system resolver.
Android and iOS
- Close browsers that use private DNS or secure DNS features.
- Confirm that the Surfshark app has full VPN permission.
- Disable any device-wide private DNS configuration that points to another provider.
- Reconnect after switching between mobile data and Wi-Fi.
Routers
If you use Surfshark at the router level, the router firmware becomes part of the DNS path.
Make sure the router is not pushing its own DNS server to connected devices and that the VPN client configuration points DNS traffic through the tunnel.
Router setups can also be affected by ISP modems, guest networks, and cached DHCP options.
After changing settings, reboot the router and reconnect a test device before checking again.
How browser settings can trigger DNS leaks
Modern browsers may use secure DNS features that bypass the operating system’s default resolver.
Chrome, Edge, Firefox, and Brave can all be configured to use custom DNS-over-HTTPS providers, which may cause leak tests to report unexpected resolvers.
To reduce confusion, temporarily disable secure DNS in your browser settings and retest with Surfshark connected.
If the leak disappears, you can decide whether to keep secure DNS off or configure it in a way that remains compatible with your VPN setup.
How to test whether the leak is fixed
After applying a change, verify the result with a DNS leak test while Surfshark is connected.
A proper result should show DNS servers associated with the VPN service or the routed tunnel, not your ISP or home network.
- Run the test once before connecting to establish a baseline.
- Connect Surfshark and run the same test again.
- Compare the DNS server location, provider name, and IP address.
- Repeat the test in a private browser window and in another browser if needed.
If the test still shows your ISP, disconnect and revisit each layer in order: browser, device DNS settings, other network apps, then router configuration.
Testing one variable at a time makes the cause easier to isolate.
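The baseline-versus-connected comparison from the steps above can be scripted once you have copied the resolver addresses out of both leak test runs. This is an added example, not Surfshark tooling or part of the original guide; the function names, the /24 and /48 "neighbour" heuristic, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumption for this example: a resolver in the same /24 (IPv4) or /48 (IPv6)
# as a baseline resolver is treated as a hint that it is the same provider.
PREFIX = {4: 24, 6: 48}

def parse(addr):
    """Parse one resolver address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def block_of(ip):
    """Network block used for the 'same provider' heuristic."""
    return ipaddress.ip_network(f"{ip}/{PREFIX[ip.version]}", strict=False)

def compare_runs(baseline, connected):
    """Label every resolver seen while connected against the baseline run."""
    base = {parse(a) for a in baseline}
    base_blocks = {block_of(ip) for ip in base}
    report = {}
    seen = {parse(a) for a in connected}  # set removes duplicate spellings
    for ip in sorted(seen, key=lambda i: (i.version, int(i))):
        if ip in base:
            report[str(ip)] = "leak"      # same resolver as without the VPN
        elif block_of(ip) in base_blocks:
            report[str(ip)] = "suspect"   # neighbour of a baseline resolver
        else:
            report[str(ip)] = "new"       # only appears with the VPN connected
    return report

def is_clean(report):
    """True only if resolvers were observed and none matches the baseline."""
    return bool(report) and all(label == "new" for label in report.values())

# Constructed sample data (documentation address ranges, not real resolvers).
BASELINE = ["192.0.2.53", "2001:db8:100::53"]
CONNECTED = ["198.51.100.10", "192.0.2.54", "2001:DB8:100:0::53", "::ffff:192.0.2.53"]

if __name__ == "__main__":
    result = compare_runs(BASELINE, CONNECTED)
    for resolver, label in result.items():
        print(f"{resolver:20} {label}")
    print("clean" if is_clean(result) else "DNS still leaving the tunnel")
```

A resolver labelled "new" is only absent from the baseline; its provider name still has to be checked against the VPN service, as described above.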
What a stable Surfshark DNS setup should look like
A healthy configuration typically has one active VPN tunnel, automatic DNS on the device, no competing network tools, and a browser that is not forcing its own resolver.
With that setup, DNS requests stay aligned with the encrypted tunnel and are less likely to leak during reconnects or network changes.
If you travel frequently, switch between Wi-Fi hotspots, or use work-managed devices, recheck your configuration regularly.
Network policies can change without warning, and a setting that worked yesterday may be overridden by a new profile or update.
Quick checklist to prevent future DNS leaks
- Use only one VPN app at a time.
- Keep Surfshark updated to the latest version.
- Enable the kill switch.
- Set device DNS to automatic unless you have a specific reason not to.
- Review browser secure DNS settings after updates.
- Test again after changing Wi-Fi networks or router settings.
By checking these layers systematically, you can usually fix a DNS leak with Surfshark without advanced troubleshooting or technical tools.
The key is to identify which layer is overriding the VPN and remove that conflict before retesting.