Your DNS requests, which are like asking for directions to a website, often travel outside your VPN's protection. With OllaVPN, your DNS requests are encrypted and stay inside the secure tunnel, all the way to our private, zero-log DNS servers. This means your internet provider can't see what sites you're trying to visit, even if your connection briefly drops.
Many VPNs rely on your operating system's default DNS settings, which can leave you vulnerable to leaks or manipulation. We've built DNS directly into the OllaVPN tunnel. This ensures all your requests are handled securely and privately from the moment you connect, without you needing to do any extra configuration.
This in-tunnel DNS is a core feature for all OllaVPN users, whether you're on our free 10 Mbps plan or OllaVPN Plus. It works seamlessly with our post-quantum ready encryption and the always-on kill switch to provide comprehensive privacy and security, helping us deliver on our promise of a truly free and private internet experience.
What is in-tunnel DNS and why is it so important?
In-tunnel DNS means your requests to translate website names into IP addresses happen securely within the VPN's encrypted tunnel, preventing your internet service provider (ISP) from seeing your browsing activity.
Normally, when you type a website address like "ollavpn.com" into your browser, your device sends a request to a Domain Name System (DNS) server, usually operated by your internet service provider (ISP), to find the corresponding numerical IP address. This happens *before* your connection to the website is made. If you're using a VPN but your DNS requests aren't handled by the VPN itself, your ISP can still see every website you try to visit, even if the content of those websites is encrypted by your VPN. This is what's known as a DNS leak, and it pretty much defeats the purpose of using a VPN for privacy. OllaVPN solves this by routing all your DNS requests directly through the encrypted VPN tunnel. This means your device asks OllaVPN's DNS servers for IP addresses, not your ISP's. Because this request travels inside the secure tunnel, your ISP can't see what websites you're looking up. It's fully encrypted from your device to our network, ensuring your browsing habits remain private from anyone who might be monitoring your internet connection. This in-tunnel DNS is a fundamental part of our privacy-first approach. It's not just about encrypting your data; it's about protecting the metadata too — the information *about* your data. Without it, even with a strong VPN, a significant part of your online activity could still be exposed. It's automatically enabled and always on with OllaVPN, so you don't have to worry about configuring it or accidentally exposing yourself to a DNS leak.How does OllaVPN's in-tunnel DNS work, step-by-step?
OllaVPN intercepts your DNS requests on your device, encrypts them, and sends them through the secure VPN tunnel to our private, no-log DNS resolvers, which then fetch the IP addresses for the websites you want to visit.
When you connect to OllaVPN, our app takes over your device's DNS settings. This means that instead of sending your domain name requests (like "ollavpn.com") to your internet provider's DNS servers, all those requests are immediately redirected to OllaVPN. From the moment you hit "connect," every bit of traffic, including your DNS queries, travels through our encrypted tunnel, making it impossible for your ISP or anyone else to see what sites you're trying to reach.
Once inside the tunnel, your DNS queries are sent directly to OllaVPN's private DNS resolvers. These aren't just any public DNS servers; they're infrastructure we operate ourselves, specifically designed to uphold our strict no-logs policy. They don't keep records of your activity, ensuring your browsing habits remain private. Using our own resolvers, rather than relying on third parties, is a critical part of how we protect your privacy end-to-end. Your requests stay within our trusted network until the very last step.
After our resolvers look up the IP address for the website you're visiting, that information is sent back to your device, still protected within the secure tunnel. Only then does your device know where to send the actual request for the website's content. This whole process happens incredibly fast, thanks to the efficiency of the WireGuard protocol that OllaVPN uses. Even in restrictive network environments, our QUIC option helps ensure your DNS queries and regular traffic continue to flow smoothly and securely, bypassing common blocking techniques.
What do other VPNs often get wrong with DNS, and how is OllaVPN different?
Many VPNs leave your DNS requests vulnerable to leaks or use third-party servers, while OllaVPN encrypts and routes all your DNS traffic directly through its own secure, private resolvers inside the VPN tunnel.
A lot of VPNs, especially the free ones from ad-funded free VPNs or freemium throttled VPNs, often overlook DNS security or cut corners. What happens is that even if your internet traffic is encrypted, your DNS requests – which are basically the phonebook lookups for websites – might still go through your internet provider or some third-party DNS server. This means your ISP can still see what sites you're trying to visit, even if they can't see the content of those sites. This is a pretty significant privacy hole, and it's called a DNS leak. Some VPNs try to fix this by using publicly available DNS resolvers like Cloudflare or Google. While these are often faster than your ISP's, they're still external entities that see your DNS traffic. Plus, if the VPN client doesn't properly force all DNS traffic through the tunnel, your operating system might default to its own OS-level DNS settings, leading to leaks. Imagine having a secure tunnel for your car, but the map you're using is still being read by someone outside the tunnel – that's what a DNS leak feels like. OllaVPN takes a different, more secure path. We operate our own private, zero-log DNS resolvers that are physically located within our VPN infrastructure. When you connect to OllaVPN, all your DNS requests are not only encrypted, but they're also routed exclusively through these resolvers, staying entirely within the secure VPN tunnel. This means your ISP, advertisers, or anyone else monitoring your network can't see your DNS lookups. There's no risk of DNS hijacking or accidental leaks because your operating system simply isn't allowed to use external DNS servers while OllaVPN is active. It's a complete, end-to-end privacy solution for your internet activity.What real-world threats does in-tunnel DNS protect you against?
In-tunnel DNS protects your online activity from being snooped on by your internet provider, bypasses government or corporate content filters, and helps prevent you from landing on malicious websites.
When you type a website address like "ollavpn.com" into your browser, your computer needs to translate that into an IP address (like 192.0.2.1) to find the server. This translation is handled by something called a Domain Name System, or DNS. Normally, your internet service provider (ISP) handles this for you, and because they do, they see every single website you try to visit. That's a huge privacy hole, letting them build a detailed profile of your online habits.
ISP tracking is a big concern for many people, especially when ISPs can legally sell anonymized browsing data in some regions. When you use OllaVPN, your DNS requests don't go to your ISP at all. Instead, they travel securely inside the encrypted VPN tunnel to OllaVPN's own DNS servers, which are designed to be privacy-friendly. This means your ISP only sees encrypted traffic going to our servers, not the specific sites you're visiting.
Beyond privacy, in-tunnel DNS is crucial for bypassing DNS censorship, which is when governments or corporations block access to certain websites by manipulating DNS requests. Because your requests are resolved within our network, you can often access content that would otherwise be blocked in your location. It also adds a layer of defense against phishing attacks. If you accidentally click on a link to a fake website designed to steal your login credentials, our DNS servers can sometimes identify and block access to known malicious domains, preventing you from ever reaching the dangerous site. Couple this with our always-on kill switch, and your connection is really buttoned up.
Are OllaVPN's DNS features on by default, and can you customize them?
Yes, OllaVPN's in-tunnel DNS is on by default, and while we handle the secure defaults, you retain control over your DNS server choice.
OllaVPN routes all your DNS queries through our secure, encrypted tunnels by default. This means you don't need to configure anything yourself; it just works. This setup prevents DNS leaks, which is a common vulnerability where your internet provider could still see the websites you're trying to visit, even if your actual traffic is encrypted by the VPN. We believe that true privacy means protecting *all* your data, and that includes your DNS requests. Our system is designed to provide this protection silently in the background, requiring no user input to keep you safe. While we manage the secure defaults, we also understand that some users prefer more user control over their network settings. If you want to use a specific DNS provider, like a privacy-focused public DNS or a content-filtering service, you absolutely can. You'll find the option to customize your DNS servers within the OllaVPN app settings. Just enter the IPs of your preferred DNS servers, and your OllaVPN connection will use those instead, still routing them securely through our tunnel. It's worth noting that our in-tunnel DNS works hand-in-hand with the kill switch, which is also on by default. If your VPN connection ever drops unexpectedly, the kill switch immediately blocks all internet traffic, preventing any data — including DNS requests — from leaking outside the secure tunnel. This combination ensures your online activity remains private and protected, whether you stick with our defaults or choose to customize them.How can you verify that OllaVPN's in-tunnel DNS is working?
You can verify OllaVPN's in-tunnel DNS by running a DNS leak test and checking that your DNS requests resolve to your chosen OllaVPN server location, not your real IP address.
The easiest way to confirm our in-tunnel DNS is doing its job is to use a DNS leak test website. Before connecting to OllaVPN, visit one of these sites and make a note of the IP addresses and locations shown for your DNS servers. They'll likely be from your internet service provider (ISP).
Now, connect to OllaVPN. Choose any server location you like. Once you're connected, go back to the DNS leak test website and refresh the page. What you should see is that all the DNS servers listed now match the country of your chosen OllaVPN server location, and the IP addresses should be different from what you saw before — they'll be OllaVPN's DNS resolvers. If you still see your ISP's DNS servers or any others from your actual location, you might have a DNS leak, but our app's always-on kill switch should prevent this.
This test confirms that your device is sending all DNS queries through the encrypted OllaVPN tunnel, preventing your ISP or anyone else from seeing what websites you're trying to visit. It's a quick and effective way to ensure your privacy is intact and that our in-tunnel DNS is fully functional.
What are the limitations of in-tunnel DNS, and what doesn't it solve?
In-tunnel DNS protects your DNS requests from being spied on by your ISP or local network, but it doesn't solve broader privacy issues like browser fingerprinting, website tracking, or malware.
While in-tunnel DNS is a powerful privacy tool, it's not a magic bullet for all online privacy concerns. Its primary job is to encrypt your domain name requests and route them through the VPN tunnel, preventing your Internet Service Provider (ISP) or anyone on your local network from seeing which websites you're trying to visit. This stops them from collecting data on your browsing habits or censoring access to specific sites based on DNS lookups.
However, it doesn't prevent websites themselves from tracking you. Once your connection is established, the website you visit can still use various methods like website tracking (cookies), supercookies, or browser storage to identify you and monitor your activity. Your browser's unique configuration and settings can also lead to browser fingerprinting, where websites gather enough information about your device and software to create a unique profile, even without traditional cookies. In-tunnel DNS simply doesn't touch these layers of interaction.
Think of it this way: in-tunnel DNS gets you to the front door of a website securely and privately, but it doesn't change what happens once you're inside. It won't protect you from malware if you download a malicious file, nor will it obscure your user behavior on a site once you've logged in or started interacting with its content. For those broader protections, you'd need additional tools and practices, like using privacy-focused browsers, ad blockers, and exercising caution about what you click and where you share personal information.
How does in-tunnel DNS integrate with OllaVPN's other privacy features?
OllaVPN's in-tunnel DNS is a fundamental part of our comprehensive privacy approach, working with features like post-quantum ready encryption, the kill switch, and 4-layer peer isolation to ensure your online activity remains truly private.
Think of in-tunnel DNS as making sure no part of your internet request ever leaves the secure VPN tunnel unprotected. When you type a website address, your device needs to translate that human-readable name (like ollavpn.com) into an IP address (like 104.26.1.189) that computers understand. This translation is handled by a DNS server. If that request goes outside the VPN, even for a split second, it's a privacy leak. With OllaVPN, your DNS requests travel securely inside the encrypted tunnel to our own private, zero-log DNS servers, meaning your ISP or anyone else can't see what sites you're trying to reach.
This integration is crucial for comprehensive privacy. For instance, the kill switch ensures that if your VPN connection ever drops unexpectedly, your internet access is immediately cut off. This prevents any data, including those sensitive DNS requests, from being sent over your unencrypted connection even for a moment. Combine that with our post-quantum ready encryption, which secures all data — including DNS traffic — against even future, more powerful computers, and you have a robust defense against various snooping attempts.
Furthermore, in-tunnel DNS works hand-in-hand with our 4-layer peer isolation. This advanced security measure ensures that even within our own network, your traffic is kept completely separate from other users. So, not only are your DNS requests hidden from external observers, but they're also isolated from anyone else using our service. It's all about building layers of protection, where each feature reinforces the others to create a genuinely private online experience, whether you're on our free plan or enjoying 10 Gbps on OllaVPN Plus.
Does in-tunnel DNS impact my connection speed or latency?
No, OllaVPN's in-tunnel DNS has a minimal impact on your connection speed or latency.
When you use OllaVPN, your DNS requests are handled securely within the VPN tunnel itself, rather than by your internet provider's DNS server. This means your DNS queries are encrypted and routed through our network, preventing your ISP from seeing what sites you're trying to visit. You might think adding this step would slow things down, but it's designed for efficiency. We use highly optimized DNS resolvers that are physically close to our VPN servers. This setup ensures fast DNS resolution, meaning the time it takes to look up a website's IP address is incredibly short. The overhead introduced by handling DNS within the tunnel is truly minimal, often unnoticeable for most everyday use. For OllaVPN's free plan, where your speed is capped at 10 Mbps, this barely registers. Even if there were a fractional delay, it wouldn't impact your overall experience because your bandwidth is the primary limiting factor. If you're on the 10 Gbps OllaVPN Plus plan, you're looking at speeds where the extra milliseconds for secure DNS are still negligible compared to the massive bandwidth available.Is OllaVPN's in-tunnel DNS future-proof against evolving threats?
Yes, OllaVPN's in-tunnel DNS is designed with future-proofing in mind, especially when combined with our post-quantum ready encryption.
When you use OllaVPN, your DNS requests don't just go to a public DNS server; they travel securely within the encrypted VPN tunnel. This means that even if a public DNS provider were compromised, or if your local network tried to snoop on your DNS lookups, that information remains private. This approach is inherently more secure than relying on external DNS resolvers, as it ensures your entire connection, from your device to the VPN server, is under our protection.
Our commitment to long-term privacy extends to how we handle the encryption protecting that tunnel. We're already post-quantum ready, meaning we've implemented quantum-resistant algorithms alongside traditional encryption. This makes your connection more resilient against potential future attacks from advanced adversaries, including those who might develop quantum computers capable of breaking current encryption standards. So, even as evolving threats emerge, your DNS traffic, along with all your other data, stays secure.
This combined approach ensures that your browsing history and online activity, which can often be inferred from DNS requests, are shielded not just today, but also well into the future. It's about making sure your connection remains forward-secure, meaning that even if an encryption key were somehow compromised in the future, past communications would remain protected. We believe this proactive stance is crucial for true online privacy.
Is in-tunnel DNS available on OllaVPN's free plan?
Yes, in-tunnel DNS is fully available on OllaVPN's free plan, just like every other core privacy feature.
You don't have to worry about your DNS requests leaking outside the VPN tunnel, even if you're using our free plan. In-tunnel DNS is a fundamental part of how OllaVPN protects your privacy, ensuring that all your internet traffic—including those initial requests to look up websites—stays encrypted and routed through our secure servers. It's not an add-on or a premium feature; it's just how we do things.
We believe core privacy shouldn't be paywalled. That's why features like in-tunnel DNS, the kill switch, and our post-quantum-ready encryption are available to everyone, whether you're on the $0 forever plan with its 10 Mbps speed cap, or you've upgraded to Plus. There's no card required to get started, and no hidden features locked behind a paywall; what you see is what you get.
How can you verify your DNS isn't leaking?
A three-step test using free OllaVPN tools that takes about five minutes. The test proves that DNS queries originate from the in-tunnel resolver (not your ISP's resolver, not Google's 8.8.8.8, not Cloudflare's 1.1.1.1) while OllaVPN is connected.
Step 1 — Baseline. Without OllaVPN connected, open our DNS lookup tool in your browser and resolve example.com. The resolver IP returned will typically be your ISP's resolver — something in your ISP's IP range. Note it down.
Step 2 — Connected. Connect OllaVPN. Resolve example.com again with the same tool. The resolver IP should now be a CGNAT address in the 100.64.0.0/10 range (e.g., 100.64.0.1) — that's our in-tunnel unbound resolver. If you see your ISP's resolver again, the in-tunnel DNS configuration has failed and traffic is leaking at the DNS layer.
Step 3 — Confirm with a second tool. Visit dnsleaktest.com (an independent third-party DNS-leak testing service) while connected. Run the "Extended test." Every resolver returned should be an OllaVPN tunnel resolver, not your ISP, not Google, not Cloudflare. If you see any non-tunnel resolver in the list, that's a leak.
What the test proves. If both tools show only OllaVPN's in-tunnel resolver while connected, every DNS query your device makes is going inside the tunnel — invisible to your ISP, invisible to the local network operator, invisible to anyone observing the network you're physically connected to. That's what "no DNS leaks" actually means at the technical level.
How does OllaVPN's DNS posture compare to other free VPNs?
The substantive comparison is two-fold: where the DNS resolver runs (operator-controlled inside the tunnel vs third-party like Cloudflare or Google) and whether the OS DNS path is firewall-blocked. OllaVPN clears both bars; many competitors don't.
Operator-controlled vs third-party resolver. A real in-tunnel DNS implementation runs the resolver on infrastructure the VPN operator controls — so the resolver behavior (no query logging, no commercial analytics, no cross-referencing with the operator's other products) is entirely under the operator's policy. OllaVPN runs its own unbound resolver on every exit. Some competitors route DNS through the tunnel but to a third-party resolver (Cloudflare 1.1.1.1, Google 8.8.8.8, OpenDNS) — this is better than no in-tunnel DNS, but the user has now shifted DNS trust to a third party who has their own privacy posture and their own data-handling practices.
OS DNS path firewall-blocked vs just preferred. A weak in-tunnel DNS implementation installs the tunnel resolver as the system's preferred DNS server but allows the OS resolver as a fallback. Apps that bypass the system resolver (notably anything using dnssd for mDNS, browsers using DNS-over-HTTPS, system-level updaters that hardcode resolver IPs) silently bypass the in-tunnel DNS. A strong implementation, like OllaVPN's, additionally installs firewall rules that block all DNS-port-53 traffic to non-tunnel resolvers — so even if some app or OS component tries to bypass the system resolver, the packet never leaves the device. This is what we mean by "in-tunnel DNS that actually doesn't leak."
DNS-over-HTTPS handling. DNS-over-HTTPS sends DNS queries over port 443 (HTTPS) instead of port 53 (DNS), which means a naive firewall-blocking implementation won't catch DoH leaks. OllaVPN's in-tunnel resolver supports DoH for upstream queries (to Cloudflare and Quad9), but the client-side DoH bypass risk is real: Firefox in particular ships its own DoH client that can bypass the system DNS configuration entirely. We document this in our Mac and Windows pages: turn off Firefox's "Enable DNS over HTTPS" in Settings → Privacy & Security → Network Settings while using a VPN, so DNS goes through the tunnel resolver instead of Firefox's own DoH path.
What our DNS layer deliberately doesn't ship
No custom DNS server selection on free, no built-in tracker/ad blocker on free (yet), no per-domain routing. Each non-feature has a reason — included so you can pick a different VPN if any of these is critical.
No custom DNS server selection on free. Some VPNs let you pick which DNS resolver the tunnel uses (Cloudflare, Google, your own DoH provider). We don't ship this on free because the in-tunnel resolver is part of the trust boundary — letting users pick an arbitrary external resolver re-introduces the trust question we just answered by running our own. Pro-tier users may get this as a power-user option.
No built-in tracker/ad blocker on free yet. A resolver-level tracker blocker (the Windscribe R.O.B.E.R.T. pattern) sits exactly where DNS is processed — so it's the natural place to drop known tracker domains. We have not yet shipped this on free because tracker blocklists have a high false-positive rate and we did not want to break sites for users who did not opt into the tradeoff. uBlock Origin in your browser handles the great majority of web ads and trackers in the meantime. The resolver-level blocker is a planned Pro-tier feature.
No per-domain routing. Some advanced setups want specific domains to bypass the tunnel and use the underlying network resolver (typically for accessing internal corporate resources while connected to a personal VPN). This is split-tunneling at the DNS layer; it's a planned Pro-tier feature paired with the broader split-tunneling roadmap.
Common DNS questions, answered straight
Direct answers to the questions readers most often ask about VPN DNS handling and OllaVPN's specific implementation.
What exactly is a DNS leak? A DNS leak happens when a DNS query (the lookup that converts example.com into the IP address your device actually connects to) goes outside the VPN tunnel instead of through the in-tunnel resolver. The leak reveals the destination to your ISP or whoever else can observe your real network — defeating one of the core privacy properties a VPN should provide. The traffic itself is still encrypted via the tunnel; the metadata (which sites you're visiting) is what leaks.
Why does in-tunnel DNS matter if the rest of my traffic is already encrypted? Because DNS is metadata, and metadata is often more revealing than content. If your ISP sees you resolved weight-loss-clinic.example, job-search-site.example, and visa-application-portal.example in sequence, they have a pretty clear picture of your circumstances even if they can't see any of the actual page contents. DNS leaks defeat the privacy purpose of a VPN even when the encrypted-tunnel part is working perfectly.
What's the difference between DNS-over-HTTPS (DoH) and in-tunnel DNS? DoH encrypts DNS queries between your device and a chosen DoH server (typically Cloudflare or Google), but the DoH server still sees the query. In-tunnel DNS sends the query through the VPN tunnel to a resolver the VPN operator runs, so neither your ISP nor a third-party DoH provider sees the query — only the operator does, and a no-logs operator like OllaVPN doesn't log it. DoH is better than plain DNS; in-tunnel DNS is better than DoH for VPN users.
Why does Firefox sometimes bypass my VPN's DNS? Firefox ships its own DNS-over-HTTPS client (called "Trusted Recursive Resolver") that, when enabled, sends DNS queries directly to Cloudflare regardless of your system DNS configuration. The queries still go through the VPN tunnel (since they're HTTPS), but they go to Cloudflare's resolver instead of your VPN's in-tunnel resolver — meaning Cloudflare sees the queries even when your VPN is supposed to be handling DNS. To force Firefox to use the system DNS resolver (which on OllaVPN is the in-tunnel resolver), disable "Enable DNS over HTTPS" in Firefox Settings → Privacy & Security → Network Settings.
What does the in-tunnel resolver actually log? Nothing per-query. Our unbound configuration sets log-queries: no and log-replies: no; the resolver process does not write per-query records to disk. Aggregate operational metrics (total queries per second per resolver, cache hit rate, average response time) are collected for capacity planning but cannot be tied back to any specific user or query.
What happens if the in-tunnel resolver is slow? macOS in particular has a tendency to fall back to the system's pre-VPN DNS resolver if the configured tunnel resolver is slow or unresponsive. Without firewall blocking, this would cause silent DNS leaks. OllaVPN handles this by blocking all port-53 traffic to non-tunnel resolvers at the firewall layer — so even if the OS tries to fall back, the packets cannot escape. The user-visible result of a slow in-tunnel resolver is "DNS takes a bit longer" rather than "DNS silently leaks."
Does OllaVPN's resolver support DNSSEC? Yes. The upstream-from-the-resolver path (our unbound to the public roots and TLDs) validates DNSSEC signatures where they exist. The resolver returns SERVFAIL for bogus (signed but invalid) responses, which is the correct behavior. Most consumer domains are not yet DNSSEC-signed in 2026, but the protection works where it's available.
Can the resolver block specific domains for me? Not on the free tier today. We deliberately don't ship resolver-level domain blocking on free because the false-positive rate on tracker/ad blocklists is high enough that it would silently break some sites for users who didn't opt in. Pro-tier users will get an optional resolver-level blocker (a Windscribe R.O.B.E.R.T.-style feature) when we ship it. uBlock Origin in your browser handles the great majority of web ads and trackers in the meantime — and runs entirely on your device, no DNS request needed.
How does in-tunnel DNS interact with IPv6? The tunnel is IPv4-only. DNS queries inside the tunnel use IPv4 to reach the in-tunnel resolver (which itself is an IPv4 address in the CGNAT range). The resolver supports AAAA-record lookups (returning IPv6 addresses for sites that have them), but the actual IPv6 traffic doesn't have anywhere to go — IPv6 is disabled on the tunnel interface, so apps fall back to IPv4 for the actual connection. The resolver still handles the lookup correctly; the connection just routes via IPv4.
About this guide
Maintained by Nathan Pratt, OllaVPN's Privacy & Security Lead. Fact-checked by Hannah Wu, Senior Security Engineer. The DNS-layer implementation details (unbound configuration, scutil supplemental keys on macOS, NRPT on Windows, VpnService DNS configuration on Android, port-53 firewall blocking) were verified against the production codebase in the June 2026 update cycle. Quarterly refresh; last full re-evaluation 23 June 2026.
For deeper context: the technology stack page covers OllaVPN's full architecture including DNS interaction with kill switch and peer isolation. The DNS leak pillar blog explains the category fundamentals in plain English. The DNS lookup tool is the fastest way to verify your current DNS resolver in any session.
Why we document this depth. Most VPN marketing claims about DNS stop at "we prevent DNS leaks" without specifying which OS APIs are involved (scutil on macOS, NRPT on Windows, VpnService DNS configuration on Android), which firewall layer enforces the blocking (Packet Filter, Windows Filtering Platform, Android's VpnService block-mode), or what specifically happens when an app tries to bypass the system resolver. The privacy-conscious reader has been burned enough times by under-specified marketing that the default response to "no DNS leaks" is skepticism. The remedy for skepticism is verifiable detail. This page exists to provide that detail, so the verification effort that follows takes minutes rather than days.
A final note on integrity. If at any point our in-tunnel DNS implementation regresses — a new macOS version breaks the scutil priority, a Windows feature update changes how NRPT is honored, an Android API revision allows DoH bypass we didn't account for — we will update this page to reflect that, including any temporary leak window before the fix ships. The honesty calculus on a privacy product is the same as for a backup product: the time to find out it didn't work is not when you needed it. We would rather lose a reader to an honest disclosure of a temporary regression than retain them through silence about an issue we knew but didn't say.
Want this on your device?
OllaVPN is free forever for 1 device. No card, no email tricks.
Get OllaVPN free → Or see all plans