When using Proton VPN on Windows, you might want only specific applications or domains to route through the VPN tunnel, while the rest use your regular internet connection. This is called split DNS. Without proper configuration, all traffic goes through the Proton VPN, impacting performance for non-sensitive activities. Incorrect DNS settings can also lead to DNS leaks, defeating the purpose of using a VPN.
The core idea behind split DNS with Proton VPN involves configuring your Windows system to use different DNS servers based on the destination domain. This can be achieved by modifying the DNS settings for your network adapter or using PowerShell commands.
Typical symptoms of a misconfigured setup:
- DNS leaks: your real DNS server is still being used for all queries.
- No internet access: incorrect DNS server addresses cause resolution failures.
- Slow performance: all traffic is routed through the Proton VPN, even when it shouldn't be.
- Conflicting configurations: multiple DNS settings interfere with each other.
Check your current DNS settings using ipconfig /all in Command Prompt. Note the DNS servers being used by your active network adapter.
Use online DNS leak test tools (outside the scope of this document) to verify whether your real DNS server is exposed while connected to Proton VPN.
Ping specific domains that should be routed through the VPN and those that shouldn't. Compare the IP addresses resolved.
The following PowerShell commands can be used to configure split DNS:
Identify your Proton VPN adapter name:
Get-NetAdapter | Where-Object {$_.InterfaceDescription -like "*Proton VPN*"}
Set DNS servers for the Proton VPN adapter (replace <VPN_ADAPTER_NAME> with the actual name and <DNS_SERVER_1>, <DNS_SERVER_2> with your preferred DNS servers, e.g., Proton's DNS servers):
Set-DnsClientServerAddress -InterfaceAlias "<VPN_ADAPTER_NAME>" -ServerAddresses ("<DNS_SERVER_1>","<DNS_SERVER_2>")
Add a DNS suffix search list for domains you want to resolve through the VPN:
Set-DnsClientGlobalSetting -SuffixSearchList @("example.com","example.net") -PassThru
For domains that should not be routed through the VPN, ensure your primary network adapter uses your regular DNS servers (usually obtained automatically via DHCP).
If you are not using IPv6, disable it on the adapter so that IPv6 DNS queries cannot bypass the tunnel and leak:
# Unbind the IPv6 stack from the adapter; run it for each adapter that must not send IPv6 DNS queries
Disable-NetAdapterBinding -Name "<ADAPTER_NAME>" -ComponentID ms_tcpip6
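The steps above, carried through as one script. This is an added example, not Proton's own code or configuration. It uses the Name Resolution Policy Table (NRPT), which is the Windows mechanism that actually chooses a name server per domain (a suffix search list only completes unqualified names), so it goes slightly beyond the steps above. The adapter description pattern, the in-tunnel resolver address 10.2.0.1 and the namespace list are assumptions; replace them with your own values and run in an elevated PowerShell session.

```powershell
# Added example: per-domain DNS steering for a Proton VPN tunnel via NRPT.
# Assumptions (adjust): adapter description contains "Proton VPN", the resolver
# 10.2.0.1 is only reachable inside the tunnel, and these namespaces belong to it.
$VpnDns     = @("10.2.0.1")
$VpnDomains = @(".example.com", ".example.net")   # leading dot = domain and all subdomains

# 1. Locate the tunnel adapter; fail early if the VPN is not connected.
$VpnAdapter = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like "*Proton VPN*" } |
    Select-Object -First 1
if (-not $VpnAdapter) { throw "Proton VPN adapter not found; connect the VPN first." }

# 2. Point the tunnel adapter itself at the in-tunnel resolver.
Set-DnsClientServerAddress -InterfaceAlias $VpnAdapter.Name -ServerAddresses $VpnDns

# 3. One NRPT rule per namespace. Queries for these names go to $VpnDns regardless
#    of which adapter is the default route; everything else keeps the physical
#    adapter's DHCP-assigned resolvers. Stale rules for the same namespace are replaced.
foreach ($ns in $VpnDomains) {
    Get-DnsClientNrptRule |
        Where-Object { $_.Namespace -contains $ns } |
        Remove-DnsClientNrptRule -Force
    Add-DnsClientNrptRule -Namespace $ns -NameServers $VpnDns -Comment "Proton VPN split DNS"
}

# 4. Drop cached answers obtained before the rules existed, then show the result.
Clear-DnsClientCache
Get-DnsClientNrptRule | Format-Table Name, Namespace, NameServers, Comment -AutoSize
```

NRPT rules created this way are local to the machine and persist across reboots, but the VPN client typically rewrites the tunnel adapter's own DNS servers on every connection, so re-run step 2 (or the whole script) after reconnecting.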
Consider using a firewall to restrict specific applications to only use the Proton VPN adapter. (This is beyond the scope of this document).
After applying the changes, flush your DNS cache: ipconfig /flushdns
Test DNS resolution for domains in your suffix search list. They should resolve to IP addresses associated with the Proton VPN's DNS servers.
Test DNS resolution for domains not in your suffix search list. They should resolve to IP addresses associated with your regular internet connection's DNS servers.
Run a DNS leak test again to confirm no leaks are present.
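A local check for the verification steps above, written as an added example rather than Proton's own tooling. It confirms that each VPN namespace has an NRPT rule pointing at the in-tunnel resolver, that no non-VPN adapter lists that resolver (and the VPN adapter does), that IPv6 is unbound where expected, and that the names actually resolve. The adapter pattern, resolver address, and the domain lists are assumptions.

```powershell
# Added example: report on the split-DNS state of this machine.
# Assumptions: tunnel resolver 10.2.0.1, adapter description containing "Proton VPN",
# and the sample domain lists below.
function Get-SplitDnsReport {
    param(
        [string[]]$VpnNamespaces = @(".example.com", ".example.net"),
        [string]  $VpnDns        = "10.2.0.1",
        [string]  $VpnAdapterPattern = "*Proton VPN*",
        [string[]]$ViaVpn  = @("www.example.com", "mail.example.net"),
        [string[]]$Direct  = @("www.example.org")
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $rules = Get-DnsClientNrptRule

    # 1. Every VPN namespace must be covered by a rule that names the tunnel resolver.
    foreach ($ns in $VpnNamespaces) {
        $r  = $rules | Where-Object { $_.Namespace -contains $ns }
        $ok = [bool]$r -and ($r.NameServers -contains $VpnDns)
        $findings.Add([pscustomobject]@{ Check = "NRPT rule for $ns"; Ok = $ok
                                         Detail = ($r.NameServers -join ",") })
    }

    # 2. Leak check on configured servers: the tunnel resolver belongs only to the VPN adapter.
    $vpnIfaces = (Get-NetAdapter | Where-Object InterfaceDescription -like $VpnAdapterPattern).Name
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        if (-not $cfg.ServerAddresses) { continue }
        $isVpn = $vpnIfaces -contains $cfg.InterfaceAlias
        $hasVpnDns = $cfg.ServerAddresses -contains $VpnDns
        $findings.Add([pscustomobject]@{ Check = "Servers on $($cfg.InterfaceAlias)"
                                         Ok = ($isVpn -eq $hasVpnDns)
                                         Detail = ($cfg.ServerAddresses -join ",") })
    }

    # 3. IPv6 still bound on a non-VPN adapter is a classic leak path when IPv6 is unused.
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled) {
        if ($vpnIfaces -contains $b.Name) { continue }
        $findings.Add([pscustomobject]@{ Check = "IPv6 unbound on $($b.Name)"; Ok = $false
                                         Detail = "ms_tcpip6 still enabled" })
    }

    # 4. Names must resolve at all; a policy that points at an unreachable resolver breaks access.
    foreach ($n in ($ViaVpn + $Direct)) {
        $a = Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq "A"
        $findings.Add([pscustomobject]@{ Check = "Resolves $n"; Ok = [bool]$a
                                         Detail = (($a.IPAddress) -join ",") })
    }
    return $findings
}

# Print the report and exit non-zero when anything failed, so it can run as a scheduled check.
$report = Get-SplitDnsReport
$report | Format-Table Check, Ok, Detail -AutoSize
if ($report | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Resolve-DnsName goes through the Windows DNS client and therefore honours NRPT, so a successful lookup of a steered name while the tunnel resolver is unreachable from outside the tunnel is itself evidence the rule is being applied; an online leak test remains the final confirmation because it observes which resolver reaches the authoritative side.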