For users prioritizing online privacy and anonymity, VPNs are indispensable. Norton 360, one of the leading antivirus suites, includes a VPN as part of its offering. But in some recent cases, particularly on macOS, users have noticed a troubling issue: DNS leaks, even while connected to the Norton 360 VPN. This not only undermines the security promise of a VPN but potentially exposes user activity to ISPs or other observing entities. Fortunately, a combination of split-tunneling and DNS override offered a workable solution to restore digital privacy.
TL;DR
On macOS, Norton 360 VPN was found to cause DNS leaks, allowing DNS requests to route outside the encrypted tunnel and exposing user activity. Despite the VPN connection showing as active, real DNS queries were still made to the user’s ISP. This issue significantly compromised user privacy. By applying a split-tunnel configuration and manually overriding the DNS settings, users managed to route both data and DNS queries securely, finally sealing the leak.
What Is a DNS Leak and Why Does It Matter?
A DNS leak occurs when your system sends DNS requests outside the VPN tunnel. So even though your web traffic is encrypted, the domains you’re visiting can still be revealed to your Internet Service Provider (ISP) or other parties. For those seeking anonymity or trying to evade censorship, this is a problematic exposure.
VPNs are supposed to handle DNS queries via their own secure servers. When this fails, the consequences can include:
- The identifiable logging of visited websites by ISPs.
- Compromised location obfuscation, revealing real geographic regions.
- Increased vulnerability to DNS-based censorship or surveillance.
Typically, VPNs use systems like DNS leak protection to prevent such issues, but Norton 360 on macOS seemed to bypass this protection in some setups — a major red flag for privacy enthusiasts.

Norton 360 VPN on macOS: A False Sense of Security
Users running Norton 360 on macOS have reported a peculiar behavior: when the VPN is enabled, it appears to function normally. Traffic is routed via a secure tunnel, and a change in IP address is observed on most public-facing IP checkers. However, upon running a DNS leak test from sites like DNSLeakTest.com or ipleak.net, the user’s ISP-based DNS servers still show up — a clear sign that DNS resolution is not going through Norton’s encrypted channels.
This behavior likely stems from how macOS handles VPN tunnels compared to Windows. macOS networking has a unique routing mechanism, and Norton’s VPN client might lack the necessary precision in DNS management on this platform. This issue isn’t always apparent at first glance, which makes it particularly insidious.
Diagnosing the Leak
To verify the DNS leak, users performed the following steps:
- Activate Norton 360 VPN on macOS.
- Visit dnsleaktest.com.
- Run the extended test.
- Observe the DNS servers listed. In multiple cases, these included servers belonging to the user's home ISP, such as Comcast or AT&T, rather than Norton's secure servers.
Because Norton’s UI confidently claims that the connection is secure, many users may never check for leaks unless they’re particularly privacy-conscious. It’s a stark reminder that not all security software works flawlessly out of the box — especially on ecosystems with stricter controls like macOS.
Implementing a Split-Tunnel with DNS Override
Once the problem was identified, a solution had to be engineered. Since the issue stemmed from DNS requests escaping the VPN tunnel, one workaround was to apply a split-tunnel configuration — usually used to exempt certain apps from VPN coverage — but in reverse. The goal: ensure all traffic used the tunnel, including DNS, and manually assign trusted, encrypted DNS servers.
1. Enable Full Traffic Routing
First, users checked that split tunneling wasn’t allowing any app to bypass the VPN. In this case, split-tunneling features in Norton were limited, but on a system level, users ensured that no route allowed traffic through non-tunneled interfaces.
2. Manual DNS Override
Next came overriding the default macOS DNS settings:
- Go to System Settings > Network.
- Select the active network interface (Wi-Fi or Ethernet).
- Click Details then the DNS tab.
- Remove any listed DNS servers from the ISP.
- Add secure DNS services like 1.1.1.1 (Cloudflare) or 9.9.9.9 (Quad9), which promise not to log DNS queries.
This simple override ensured that even if macOS routed DNS requests outside the VPN, they wouldn’t go to tracking-prone ISP servers, but to third-party DNS resolvers with better privacy policies and encryption support.
3. Verify the Fix
After configuration was complete:
- Norton VPN was turned on.
- DNS leak tests were repeated.
- Only the IPs belonging to Cloudflare or Quad9 appeared — no trace of ISP servers like Comcast or AT&T DNS.
The workaround had worked. Privacy was restored.
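The diagnosis and verification steps above depend on a leak-test website; the same check can be made locally from macOS's own resolver table. The script below is an added example, not part of the original article or of Norton's software: it parses `scutil --dns` output and reports the interface each resolver is bound to. It assumes the VPN interface is named utunN, ipsecN or pppN; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Norton's code): list macOS DNS resolvers and their interfaces.
# Assumption: the VPN tunnel interface is named utunN, ipsecN or pppN.

# Print "<resolver-ip> <interface>" per nameserver in `scutil --dns` output (stdin).
resolver_bindings() {
  awk '
    function emit(   i) {
      for (i = 0; i < n; i++) print ns[i], (ifc == "" ? "-" : ifc)
      n = 0; ifc = ""
    }
    /^resolver #/          { emit() }
    /nameserver\[[0-9]+\]/ { ns[n++] = $3 }
    $1 == "if_index"       { gsub(/[()]/, "", $4); ifc = $4 }
    END                    { emit() }
  ' | sort -u
}

# Map an interface name to a verdict.
classify_iface() {
  case "$1" in
    utun*|ipsec*|ppp*) echo tunnel ;;
    -|"")              echo unknown ;;
    *)                 echo outside-tunnel ;;
  esac
}

# One line per resolver: "<ip> <interface> <verdict>".
audit_dns() {
  resolver_bindings | while read -r ip ifc; do
    echo "$ip $ifc $(classify_iface "$ifc")"
  done
}

# Succeeds only if no resolver is bound outside the tunnel.
dns_is_tunneled() { ! audit_dns | grep -q 'outside-tunnel$'; }

# Constructed sample of `scutil --dns` output: a VPN resolver plus two on Wi-Fi.
sample_scutil() {
  printf '%s\n' 'resolver #1' '  nameserver[0] : 10.8.0.1' \
    '  if_index : 15 (utun3)' 'resolver #2' '  nameserver[0] : 192.168.1.1' \
    '  nameserver[1] : 1.1.1.1' '  if_index : 6 (en0)'
}

# On a Mac with the VPN connected, run: sh dnscheck.sh --live
if [ "${1:-}" = "--live" ]; then scutil --dns | audit_dns; fi
```

After the override in step 2, a resolver such as 1.1.1.1 can still be reported as outside-tunnel: the override changes which server receives the queries, not the interface they leave by.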
Lessons Learned and Recommendations
The Norton 360 VPN DNS leak issue highlights the importance of never fully trusting software defaults — particularly with privacy tools. VPN users should routinely check DNS leak status using independent websites. Without that step, a silent DNS leak can go unnoticed for months, all while the user believes they’re anonymous.
Here are key takeaways for users of macOS VPNs:
- Always test your VPN connection beyond IP lookup; check DNS as well.
- Avoid default DNS settings from your ISP — override them with encrypted alternatives.
- Use reliable leak-testing tools to independently confirm all data is routed securely.
- Check for differences across platforms — a VPN might behave differently on macOS, Android, Windows, or Linux.
Should You Rely on Norton 360’s VPN?
Norton’s VPN service is marketed as a user-friendly privacy tool, especially suitable for non-technical users. While it provides the convenience of integrating with antivirus solutions, the DNS leak issue suggests that its VPN capabilities may be insufficient for high privacy needs. The lack of granular control, detailed logs, and support for custom configurations puts it behind more robust options like ExpressVPN, Mullvad, or ProtonVPN.
That said, once the DNS override was applied, Norton VPN did function more reliably — but this was only after user intervention, not out-of-the-box behavior.
Conclusion
What began as a routine use of Norton 360’s built-in VPN turned into an eye-opening lesson in modern privacy pitfalls. DNS leaks are among the most overlooked vulnerabilities in VPN usage — and on macOS, they can occur without flashing red warnings. The combination of split-routing awareness and DNS override not only solved the problem but empowered users with more insight into how their systems negotiate internet connections.
For the truly privacy-conscious, it’s a stark reminder: even with brand-name software, don’t let your guard down.
