A VPN is not a privacy solution. It is one layer of a much larger, more fragile system - and most of that system sits completely outside the VPN's control. From DNS requests slipping through unencrypted, to a few lines of JavaScript capable of unmasking your real IP address, the gap between what people believe a VPN does and what it actually does is wide enough to render the entire exercise pointless. If you use a VPN for privacy rather than simply to bypass geographic restrictions, the mechanics of how you're being exposed are worth understanding in detail.
DNS Leaks: The Requests That Escape Before You Notice
Every time you visit a website, your device first sends a DNS request - a query that translates a domain name like example.com into an IP address. Unless you have configured encrypted DNS, that query leaves as plain-text UDP on port 53, and the resolver's answer comes back the same way. If it leaves your machine through your physical network interface rather than the VPN tunnel, anyone monitoring that connection - your ISP, a network administrator, or a passive observer on a shared network - can read exactly which domains you're querying, when, and how often, without ever touching the TLS-protected traffic that follows. That alone constitutes a detailed profile of your behavior.
DNS leaks occur for several distinct reasons, and a well-built VPN application should address most of them. Your router may hand itself out as the DNS server via DHCP; if the VPN client does not replace that setting while the tunnel is up, queries go to the router over the LAN and from there to your ISP's resolver, outside the tunnel. On Windows, a feature called Smart Multi-Homed Name Resolution sends DNS queries out over every available network adapter rather than only the tunnel's - including your physical one - in the name of speed. Third-party security software, including some antivirus products, intercepts DNS traffic and redirects it to its own resolvers, which may never touch the VPN at all. Before assuming your VPN protects your DNS traffic, test it. Leak-test sites work by having your browser resolve a unique, random subdomain that only their authoritative server can answer, then reporting which resolver address showed up asking for it; if that address belongs to your ISP rather than your VPN provider, you have a leak.
The most robust protection against DNS leaks is not software configuration but architecture: a dedicated VPN gateway - a separate system that routes all outbound traffic through the VPN service, with firewall rules on that gateway that drop anything not headed for the VPN endpoint or through the tunnel interface, so no packet can leave any other way. For most users, this is impractical. Choosing a VPN provider that operates its own DNS resolvers, combined with encrypting the queries themselves using DNS over HTTPS, DNS over TLS or DNSCrypt, offers meaningful protection: an on-path observer then sees only an encrypted connection to the resolver, not the names inside it. Encryption does not hide the queries from the resolver operator, so the choice of resolver still matters. Anonymized DNSCrypt goes one step further by routing queries through a relay, so the relay sees your address but not your query and the resolver sees your query but not your address.
WebRTC and IPv6: Two Holes Most Users Never Patch
WebRTC is a browser technology designed to enable peer-to-peer connections - video calls, file transfers, and similar functions. To establish those connections, it gathers ICE candidates: it enumerates the network interfaces on your device and reads their addresses from the operating system (host candidates), and it sends packets to external STUN servers, which report back the public address and port they saw on the request (server-reflexive candidates). Any website hosting a short JavaScript snippet can trigger this process silently by opening a peer connection with a data channel, collect every candidate address, and log them alongside the address your HTTP traffic arrived from. No permission prompt is involved, and the API is enabled by default in every major browser. Two caveats determine how bad the exposure is. Recent versions of the major browsers replace the addresses in host candidates with random mDNS names ending in .local, so a page no longer gets your LAN address for free; the STUN path is unaffected. And the server-reflexive candidate shows the address your UDP traffic exits from: with a system-wide tunnel that is the VPN address, but with a browser-level proxy or extension, a split tunnel, or a VPN that fails to route UDP, it is your real one - which is the leak the warnings refer to.
IPv6 presents a related problem. Many VPN services either do not support IPv6 or handle it inconsistently. If your physical network provides IPv6 and the VPN client installs only an IPv4 default route through the tunnel, the kernel still holds a working IPv6 route via the physical interface. Any site with an AAAA record is then reached over IPv6 - and default address selection prefers IPv6 when both are available - so that connection goes out unprotected while the IPv4-only parts of your traffic stay inside the tunnel, and the leak is invisible unless you look for it. The fix is either to use a VPN that explicitly supports and tunnels IPv6, or to disable IPv6 entirely on your system and add a firewall rule that drops outbound IPv6 on the physical interface as a backstop. Neither option is glamorous, but both are straightforward.
Disabling WebRTC in your browser closes this channel. Firefox has a native switch (media.peerconnection.enabled in about:config); Chromium-based browsers have no user-facing off switch, only an IP-handling policy that extensions can set to restrict candidates to the default route or to disable non-proxied UDP, so there you rely on an extension. The cost is concrete but narrow: browser-based voice and video calling stops working, so keep those in a separate browser or profile if you need them. For everything else it costs nothing in usability and provides a direct, measurable benefit - a leak-test page that previously listed your addresses will list none.
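The probe described above, as an added example that is not from the original article. The constructed candidate lines in SAMPLE_CANDIDATES stand in for what onicecandidate delivers to a page; probeBrowser() is the live version a tracking script would run, returns null where the WebRTC API is absent (Node, or a browser with WebRTC disabled), and its STUN server name is a placeholder, not a real service. The classifier also generalizes beyond the text: it separates masked from literal host candidates and flags RFC 1918 addresses.

```javascript
// Added example, not code from the article: the candidate-gathering side of a
// WebRTC IP probe. SAMPLE_CANDIDATES are constructed ICE candidate lines of the
// kind a tracking script receives from onicecandidate; the STUN hostname in
// probeBrowser() is a placeholder.
const SAMPLE_CANDIDATES = [
  // host candidate with a literal interface address (older browsers, or masking disabled)
  'candidate:1 1 UDP 2122252543 192.168.1.23 54321 typ host',
  // host candidate as current browsers emit it: the address is replaced by an mDNS name
  'candidate:2 1 UDP 2122252543 a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d.local 54322 typ host',
  // a global IPv6 address on the interface is handed to the page as-is when not masked
  'candidate:3 1 UDP 2122187007 2001:db8::1 54323 typ host',
  // server-reflexive: the public address the STUN server saw on the probe packet
  'candidate:4 1 UDP 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
];

// RFC 8445 candidate attribute, with or without the SDP "a=" prefix.
const CANDIDATE_RE = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/;

function addressFamily(addr) {
  if (/\.local$/i.test(addr)) return 'mdns';
  if (addr.includes(':')) return 'ipv6';
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return 'ipv4';
  return 'unknown';
}

// RFC 1918 ranges: a literal host candidate in one of these exposes the LAN
// address, which identifies the network but is not routable from the internet.
function isPrivateIPv4(addr) {
  const [a, b] = addr.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one candidate line into the fields a probe cares about.
function classifyCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) throw new Error(`not an ICE candidate: ${line}`);
  const [, , , transport, , address, port, type, rest] = m;
  const raddr = /raddr (\S+)/.exec(rest);
  const family = addressFamily(address);
  return {
    type, // host | srflx | prflx | relay
    transport: transport.toUpperCase(),
    address,
    port: Number(port),
    family,
    relatedAddress: raddr ? raddr[1] : null, // the local address behind a reflexive candidate
    privateIPv4: family === 'ipv4' && isPrivateIPv4(address),
  };
}

// Reduce the gathered candidates to what a tracker (or a leak-test page) logs.
function summarize(candidateLines) {
  const out = { hostLiteral: [], hostMasked: [], serverReflexive: [] };
  for (const c of candidateLines.map(classifyCandidate)) {
    if (c.type === 'host' && c.family === 'mdns') out.hostMasked.push(c.address);
    else if (c.type === 'host') out.hostLiteral.push(c.address);
    else if (c.type === 'srflx') out.serverReflexive.push(c.address);
  }
  return out;
}

// The live probe, as a page would run it. Returns null where the API is absent,
// which is exactly what disabling WebRTC achieves. No camera or microphone
// permission is involved: a data channel alone starts ICE gathering.
async function probeBrowser(stunUrl = 'stun:stun.example.net:3478') { // placeholder STUN server
  if (typeof RTCPeerConnection === 'undefined') return null;
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  pc.createDataChannel('probe');
  const lines = [];
  const gathered = new Promise((resolve) => {
    pc.onicecandidate = (ev) => (ev.candidate ? lines.push(ev.candidate.candidate) : resolve());
  });
  await pc.setLocalDescription(await pc.createOffer());
  await gathered; // a null candidate signals the end of gathering
  pc.close();
  return summarize(lines);
}

console.log(summarize(SAMPLE_CANDIDATES));
probeBrowser().then((r) => console.log('live probe:', r));
```

Read the summary the way an attacker does: hostLiteral is what the operating system handed over directly, serverReflexive is what the STUN server saw. If the second list contains an address that is not your VPN exit, STUN traffic is leaving outside the tunnel.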
Browser Fingerprinting and Authenticated Sessions: The Identity Problem VPNs Cannot Touch
Changing your IP address does not change who you are to the companies that track you. Your browser has a fingerprint: a composite of your screen resolution, installed fonts, rendering engine behavior (what a canvas or WebGL call draws, pixel for pixel), hardware configuration, time zone, language settings, and dozens of other attributes, read through ordinary JavaScript APIs and hashed into a single identifier. That identifier is statistically unique in most cases and entirely outside the VPN's reach, since none of its inputs is the IP address. When you change IP addresses, tracking scripts operated by advertising networks, social platforms, and analytics providers recognize the same fingerprint and continue building the same profile. Some inputs even undercut the VPN directly: a browser reporting a New York time zone and US English while its traffic arrives from a Frankfurt exit is itself a signal.
The problem deepens when you log in to any service - a social platform, an email provider, a shopping account - from a browser that also carries your fingerprint. That login event ties your fingerprint to your verified real identity. From that point forward, every site those companies' trackers appear on, which is most of the web, links your browsing behavior to your name. Cookies maintain that connection persistently. A VPN does not interfere with any of this.
Practical defenses exist, but they require discipline:
- Use a browser with active fingerprint randomization. Brave does this with what it calls farbling: the values that fingerprinting APIs return (canvas and WebGL output, audio processing, the plugin list) are perturbed with a random seed that is fixed per site for the duration of a session, so pages keep working but the same device hashes differently across sessions and across sites. Firefox's privacy.resistFingerprinting takes the opposite approach and makes every user report the same fixed values; both make cross-session linkage significantly harder.
- Separate your identity contexts completely. Keep any browser session where you log in to real-identity accounts entirely separate - different browser, ideally a different network path - from your general browsing.
- Enable built-in tracker blocking. Both Firefox and Brave include this by default; it limits the surface area available to cross-site profiling scripts.
- Treat incognito mode as a weak last resort. It clears cookies on close but does not change your fingerprint, and it does nothing about WebRTC or DNS.
What Actually Works: Defense in Depth Over Any Single Tool
The honest conclusion is that no single application - VPN or otherwise - provides comprehensive privacy. A VPN encrypts traffic between your device and its server and masks your IP from the sites you visit. That is useful but narrow. DNS requests, IPv6 traffic, WebRTC candidate gathering, browser fingerprints, and authenticated sessions each represent a separate channel through which your identity or behavior can be observed, and each requires a separate countermeasure.
A kill switch - built into most serious VPN applications - blocks traffic over the physical interface if the VPN connection drops, instead of letting the operating system quietly fall back to the direct route. This is worth enabling unconditionally. Firewall rules that restrict outbound traffic to the VPN service provide a harder guarantee: allow the physical interface to carry only the encrypted packets to the provider's endpoint (plus DHCP), allow everything else only on the tunnel interface, drop outbound IPv6 on the physical interface, and drop whatever does not match. An application kill switch can crash or be bypassed; a default-drop ruleset does not depend on the application staying alive. DNS over HTTPS or DNSCrypt protects your name-resolution traffic even when other defenses slip, provided the operating system is not also permitted to fall back to plain DNS. And behavioral discipline - not restoring browser sessions with the VPN off, not mixing real-identity logins with anonymous browsing - prevents the correlations that technical tools cannot.
The goal is not perfection. The goal is making passive, automated profiling expensive enough that it fails. That requires understanding what each tool actually does, rather than assuming that one application handles everything. Most VPN marketing implies the latter. The technical reality does not support it.