News Highlights
Upcoming Broadcast
Upcoming Sessions
According to your watchlist
According to your watchlist
Most "privacy tools" are sold on vague promises and tested against the wrong threats. This guide covers what actually leaks your identity online — DNS queries, WebRTC peer connections, IPv6 addresses, geolocation APIs, and your IP address itself — and then which tools genuinely close each gap. By the end you will know exactly which leaks you face, how to test for them, and which combinations of tools shut them down. No theatre, no marketing claims, just what works.
Test for DNS Leaks →Last updated: 13 May 2026 · 5,200 words · Reading time 22 min
"Privacy" is a category that hides many distinct problems behind a single word. Before choosing tools, it pays to be precise about what you're actually defending against. The threats fall into three rough categories.
Network-level surveillance is what your ISP, your government, your employer, or a coffee-shop WiFi operator can see about your traffic. They see the destinations you connect to, the volume and timing of those connections, and (when DNS or TLS are not encrypted) often the specific domains you query. VPNs, encrypted DNS, and Tor are the relevant tools here.
Site-level tracking is what the websites you visit (and the third parties they embed) can learn about you. They see your IP address, browser fingerprint, behavioural patterns, and any identifying data you submit. Privacy-respecting browsers, fingerprint randomisation, and tracker-blocking extensions address this layer. For the full picture of how site-level fingerprinting works, see our browser fingerprinting guide.
Cross-site identity linking is when separate services correlate your activity to build a unified profile. Advertisers combine cookies, fingerprints, IP addresses, and behavioural data. Data brokers buy and sell the resulting profiles. Defending against this requires breaking the linkability — different accounts, different IPs, different browsers, different fingerprints, often across separate devices.
The five technical leaks covered in this guide all live at the intersection of these categories. DNS leaks expose your queries to your ISP even when you use a VPN. WebRTC leaks reveal your real IP to JavaScript on a page. IPv6 leaks bypass IPv4-only VPNs. Geolocation APIs reveal your physical location with surprising precision. Your IP address itself, in clear, reveals your ISP, region, and (with paid databases) often your specific neighbourhood.
Most users assume that "using a VPN" solves online privacy. It does not. A VPN tunnels your traffic through an encrypted connection to a remote server — which hides the destination from your ISP and hides your IP from the destination. But it leaves at least five distinct ways for your real identity to leak through.
DNS leaks happen when your device sends DNS queries through your ISP's DNS server even though your traffic is routed through a VPN. The query "what is the IP for nytimes.com" travels in clear to your ISP, who logs that you visited the NYT — defeating the VPN's privacy purpose. Our DNS leak test guide covers how to detect and fix this.
WebRTC leaks happen when JavaScript on a webpage uses the WebRTC API to discover your real public IP — even through a VPN. WebRTC was designed for legitimate purposes (video calls, peer-to-peer file sharing) but its peer-discovery mechanism reveals all your IP addresses to any page that asks. The WebRTC leak guide shows exactly how it works.
IPv6 leaks happen when your VPN tunnels only IPv4 traffic but your ISP also provides IPv6 connectivity. Connections to IPv6-capable websites bypass the VPN entirely, sending your real IPv6 address. Our IPv6 leak test reveals whether your setup is affected.
Geolocation leaks happen when websites use the browser Geolocation API to request your physical location. Unlike the other leaks, this one requires your explicit consent — but the consent prompt is easy to misunderstand, and once granted, your location can be tracked with GPS-level precision. See our geolocation privacy guide for the details.
IP address exposure is the baseline. Any service you connect to without a VPN, proxy, or Tor sees your real IP — and from your IP, it can determine your country, region, ISP, and (using commercial databases) often your neighbourhood. Our IP lookup guide shows exactly what an attacker can learn from your IP alone.
DNS — the Domain Name System — translates the human-readable domain names you type into the numerical IP addresses computers use. Every page load, every API request, every email check triggers DNS queries that your device sends out before establishing the actual connection. When those queries leak, the privacy of every connection you make is compromised.
The reason DNS leaks are so widespread is structural. Most operating systems are configured to send DNS queries to whichever DNS server the network provides — typically your ISP's server. When you connect to a VPN, the VPN client should reconfigure this so that DNS queries also travel through the encrypted tunnel. Many VPN clients fail to do this correctly on Windows, Linux, and Android. The result: your traffic flows encrypted to the VPN, but your DNS queries flow in clear to your ISP, who logs every domain you visit.
The technical fix is straightforward: configure your system to use a privacy-respecting DNS resolver like Cloudflare (1.1.1.1), Quad9 (9.9.9.9), or NextDNS — over an encrypted DNS protocol like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT). When configured correctly, these resolvers replace your ISP's DNS entirely and encrypt the queries in transit. Even your ISP sees only encrypted DNS traffic to a third party, not the specific domains you query.
Testing for DNS leaks takes seconds: visit our DNS leak test guide, follow the simple test procedure, and verify that the DNS servers returned belong to your chosen resolver — not your ISP. If the test shows your ISP's DNS servers despite an active VPN, your VPN has a DNS leak that needs fixing.
WebRTC (Web Real-Time Communication) is a browser feature that lets web pages establish direct peer-to-peer connections — used legitimately by video conferencing apps, multiplayer browser games, and peer-to-peer file sharing services. To establish those connections, browsers need to discover their own IP addresses, which they do by querying STUN servers.
The problem: the WebRTC API exposes this information to any JavaScript running on the page. A tracking script can, with three lines of code, learn your real public IP address — including the IP your ISP assigns you — even when you're connected to a VPN. The VPN routes the IP discovery happens at the browser level, before any network configuration applies.
WebRTC leaks affect Chrome, Firefox, Edge, and most Chromium-based browsers by default. Safari is less affected because it implements WebRTC differently. Mobile browsers have varying behaviour. The leak applies to both your IPv4 and IPv6 addresses, and to local network addresses inside your home network (which can fingerprint your router model and home network topology).
Defenses fall into three categories. The cleanest is to disable WebRTC entirely in your browser — possible in Firefox via about:config, and in Chrome only through extensions. The second is to install browser extensions like WebRTC Network Limiter or uBlock Origin's anti-WebRTC rules, which restrict the addresses WebRTC exposes. The third is to use a browser that handles this correctly by default: Brave Browser routes WebRTC peer connections through its proxy when shields are enabled, eliminating the leak.
For the full mechanics, including a hands-on test you can run in any browser, see our WebRTC leak guide. The single most common privacy mistake among VPN users is not testing for WebRTC leaks — a properly configured VPN with an active WebRTC leak still exposes your real identity to every site you visit.
IPv6 is the successor protocol to IPv4, designed to solve the address-exhaustion problem of the older internet. Most modern ISPs in Europe, the US, and parts of Asia now provide both IPv4 and IPv6 connectivity to their customers, often automatically. Most users don't know they have IPv6 — and most VPN providers don't fully handle it.
The leak happens like this: your VPN client tunnels all your IPv4 traffic through the encrypted connection. But if your ISP also gives you an IPv6 address, and the VPN client doesn't disable or tunnel IPv6, then connections to IPv6-capable websites — including Google, Facebook, Cloudflare-hosted sites, and increasingly most major web properties — flow directly from your real IPv6 address, bypassing the VPN entirely. The destination sees your real IPv6 address, which uniquely identifies your specific ISP customer record.
Worse, some IPv6 address configurations embed your device's MAC address or use persistent identifiers that don't change when your IPv4 address does. This means IPv6 can actually provide less privacy than IPv4 by design, and an IPv6 leak through an otherwise functioning VPN reveals more information than the unprotected IPv4 connection would have.
Detection is straightforward: visit a site like ipv6leak.com or run our IPv6 leak test while connected to your VPN. If the test shows an IPv6 address that differs from your VPN's claimed location, you have a leak. The fix depends on your VPN client: most modern providers offer an "IPv6 leak protection" toggle. If yours doesn't, you can manually disable IPv6 in your operating system network settings — which prevents the leak by ensuring no IPv6 traffic exists in the first place.
Browser geolocation is unusual among privacy leaks because it's the most transparent: websites must request permission before accessing your location, and your browser shows a permission prompt. When you click "Allow," you authorize the site to learn your latitude and longitude with surprising precision.
What surprises most users is how much information that single click reveals. On mobile devices with GPS, the Geolocation API returns coordinates accurate to within a few meters — enough to determine which floor of an office building you're on. On desktop computers without GPS, location is estimated from WiFi network names visible to your device, IP address geolocation, and (where available) Bluetooth beacons. Desktop accuracy varies from a few hundred meters in dense urban areas to several kilometers in rural locations — but it's almost always more precise than users assume.
The Geolocation API isn't the only way websites determine your location. They also see your IP address (which gives them at least city-level location for most users) and may infer location from your timezone, language preferences, and browser settings. Even without API access, a typical website can place you within your home city with high confidence.
The defense is straightforward and underused: deny the Geolocation permission unless you actively need a service to know your location. Most users grant the permission reflexively, then forget about it. Modern browsers let you review granted permissions and revoke them at any time — Firefox at about:preferences#privacy, Chrome at chrome://settings/content/location, Safari in site preferences. For specific guidance on the geolocation API including the underlying data sources and what each reveals, see our geolocation privacy guide.
Your IP address is the return address on every internet connection you make. Without an IP, two-way communication isn't possible — so unlike fingerprinting techniques, you can't simply block your IP. You can only mask it (with a VPN, proxy, or Tor) or change it (by reconnecting to your ISP, which usually rotates your IP).
What your IP alone reveals is more than most users realize. Free IP-lookup services return your country, region, city, and ISP — that's standard. Paid commercial databases (used by ad tech and fraud detection systems) add ZIP code accuracy, often pinpointing your IP to a specific neighbourhood, and sometimes to a specific building. Some services link your IP to behavioural profiles built from previous visits, allowing them to recognize returning users even when other identifying data is absent. For the complete walkthrough of what your IP exposes and how to interpret IP-lookup results, see our IP address lookup guide.
The privacy trade-offs between the three masking options are real. A VPN is fast and easy but requires trusting a single provider with your real IP and the destinations you connect to. A proxy works for a single application but doesn't encrypt traffic, so your ISP still sees the destination. Tor provides the strongest anonymity but slows browsing significantly and is blocked by many websites. The right choice depends on your threat model — see our VPN speed test guide for benchmarking VPN performance, and the choosing-the-right-tools section below for the broader comparison.
There's no single "best privacy setup" because the right tools depend on what you're defending against. Three common threat models illustrate the trade-offs.
For most users worried mainly about advertising profiles and casual surveillance, a strong combination is: Firefox or Brave as the browser (both reduce fingerprint exposure significantly), uBlock Origin for tracker blocking, encrypted DNS via your operating system or browser settings, and a reputable VPN like Mullvad or Proton VPN for IP masking. This setup blocks the majority of tracking with minimal usability cost and is appropriate for the threat model of "I don't want my browsing logged to my real name."
For users who actively need to avoid identification by sophisticated adversaries, the requirements escalate sharply. Tor Browser for sensitive browsing sessions, run from a dedicated device that is never used for identified accounts. A privacy-respecting OS like Tails or Qubes for high-stakes work. Separate accounts and identities that are never linked. No biometric or device-tied authentication that would tie sessions to your hardware. This is significantly more inconvenient than casual privacy and requires a discipline that most users won't maintain, but it's necessary against state-level adversaries.
The hardest privacy scenario: when a specific known adversary (an ex-partner, an abusive family member, a stalker) actively tries to locate you. Standard privacy tools help but are not sufficient. The threat requires changing more than configuration — it requires changing devices, accounts, phone numbers, and often physical location. Specialised organizations like the Coalition Against Stalkerware and local domestic-violence support services offer guidance specific to this threat model. Privacy tools are necessary but not sufficient; consult a specialist organization.
Privacy is layered: no single tool addresses every threat, and the combinations matter. Here's how the most useful tools stack together.
| Tool | What It Hides | What It Doesn't Hide |
|---|---|---|
| VPN | IP from destination, destination from ISP | Browser fingerprint, DNS (if leaking), WebRTC (if leaking) |
| Encrypted DNS | Domain queries from ISP/network | IP address, destination IP |
| WebRTC disabled | Real IP from JavaScript | Anything else |
| Tor Browser | IP, browser fingerprint, location | Account-linked identity, behavioural patterns |
| Browser fingerprint defense | Cross-site fingerprint linkability | IP, account identity, network surveillance |
| Tracker blocker (uBlock) | Known tracking scripts | First-party tracking, network-layer signals |
The pattern: each tool addresses a specific layer, and the combinations multiply rather than add. A VPN with active WebRTC leaks is worse than no VPN (because you're identified plus you've trusted a third party with your real IP). Encrypted DNS without a VPN hides domain queries from your ISP but leaves your IP-based location fully exposed. Tor without sensible OPSEC (logging into identified accounts, distinctive writing style, unique behavioural patterns) provides almost no protection. The tools work together or not at all.
For the cross-pillar context of how privacy tools interact with internet speed and browser fingerprinting, see our internet speed guide and browser fingerprinting guide. Privacy work is a system, not a checklist.
Across user research and incident reports, the same handful of mistakes account for the vast majority of privacy failures.
Trusting a free VPN. Free VPNs are a business — and when the user isn't paying, the user is the product. Many free VPNs log traffic, sell behavioural data, inject ads, or have been documented sharing user data with third parties. The cost of a reputable paid VPN ($3–10/month) is one of the highest-ROI privacy spends available.
Using a VPN without testing for leaks. The default configuration of many VPN clients leaks DNS, WebRTC, or IPv6. Users assume the VPN works because the client shows "connected." They don't run our DNS leak test, WebRTC leak test, or IPv6 leak test — and they're identified just as clearly as if they had no VPN.
Granting geolocation permission reflexively. Most users grant location to any site that asks, then forget. The result: dozens of sites can query their precise location indefinitely. Periodic permission audits (every few months in browser settings) catch this.
Conflating privacy and anonymity. Privacy is "what specific entities can learn about me." Anonymity is "whether any entity can identify me at all." VPNs provide privacy from your ISP and destinations but don't provide anonymity if you log into identified accounts. Tor provides anonymity from observation but doesn't provide anonymity if your behaviour or writing style identifies you. Pick the right tool for the right goal.
Ignoring browser fingerprinting. Users obsess over IP masking while their browser fingerprint identifies them just as uniquely. A VPN that masks your IP combined with an unmodified Chrome fingerprint is identifying — you're recognized as "the Chrome user with this fingerprint who today is coming from a VPN IP."
No. A VPN hides your IP from destinations and your destinations from your ISP, but it doesn't address DNS leaks, WebRTC leaks, IPv6 leaks, browser fingerprinting, or account-linked identification. A VPN is a useful component of a privacy setup, not a complete solution.
A DNS leak occurs when your DNS queries travel outside your VPN tunnel — usually to your ISP's DNS servers — even though your other traffic is routed through the VPN. Your ISP can then log every domain you visit, defeating the privacy purpose of the VPN. See our DNS leak test guide.
A WebRTC leak occurs when JavaScript on a webpage uses the browser's WebRTC API to discover and report your real IP address — bypassing your VPN. Most browsers are affected by default. Our WebRTC leak guide shows exactly how it works.
An IPv6 leak occurs when your VPN tunnels only IPv4 traffic but your ISP also provides IPv6 connectivity. Connections to IPv6-capable destinations bypass the VPN entirely, exposing your real IPv6 address. Run our IPv6 leak test to check your setup.
Partially. HTTPS encrypts the content of your connection, but your ISP still sees the destination (the domain you connect to) via DNS queries and via the unencrypted Server Name Indication (SNI) in TLS handshakes. With encrypted DNS plus emerging technologies like Encrypted Client Hello (ECH), even the destination domain is hidden — but ECH adoption is still partial in 2026.
For anonymity against observation, yes — Tor routes your traffic through three relays, none of which knows both your identity and your destination. For everyday privacy with reasonable speed, a VPN is usually more practical. Most users don't need Tor for routine browsing but should know it exists for high-stakes sessions.
Yes, somewhat. All VPNs introduce some overhead from encryption and the added network hop. A well-configured VPN on a fast connection typically retains 80–95% of baseline speed; a slow or distant server can cut speeds dramatically. See our VPN speed test guide for the methodology to benchmark this.
Yes, typically. Corporate IT usually installs monitoring software that captures browsing history at the device level — which a personal VPN does not defeat because the monitoring happens before traffic leaves the device. Personal browsing on work devices should be assumed to be visible to the employer.
For everyday use, Firefox with strict tracking protection enabled, or Brave with default shields. For maximum protection, Tor Browser. Chrome and Edge are weakest by default. See our browser fingerprinting guide for the detailed comparison.
Generally no. Free VPNs cover their costs through means that often undermine your privacy — logging traffic, selling data, injecting ads, or limiting performance to push paid upgrades. Reputable paid VPNs at $3–10/month are dramatically better. If cost is a concern, Proton VPN's free tier (from a company with a paid model) is one of few defensible options.
Yes, this is one of the strongest VPN use cases. On public WiFi, anyone on the same network can potentially observe your unencrypted traffic. A VPN encrypts everything between your device and the VPN server, making the local network operator and other users unable to see your activity. Always use a VPN on untrusted networks.
Only against people with physical access to your device. Incognito prevents local storage of cookies and history but doesn't hide your activity from websites, ISPs, employers, or fingerprinters. The "private" name is misleading; Incognito is a local-cleanup feature, not a privacy tool.
Run a privacy audit covering all five leak categories: DNS leak, WebRTC leak, IPv6 leak, geolocation, and IP exposure. If your VPN is active and all five tests show the expected privacy state, your basic configuration is sound. Then check browser fingerprinting separately, since that's an orthogonal layer.
No. A VPN provides privacy from your ISP and destinations, but you are still identifiable to the VPN provider (who sees your real IP and destinations) and to any service you log into with identified accounts. True anonymity requires Tor plus careful operational security to avoid behavioural identification.
VPNs, encrypted DNS, and Tor are legal in most countries. Some authoritarian governments restrict or ban VPNs entirely; others require licensed providers. Using these tools for legitimate privacy is universally legal in democratic countries. Using them to commit crimes is illegal regardless of the tools.
Part of the Vatha network — guides, tools, and analyses across the SpeedIQ family.