Why IPv6 leaks happen under Kuailian lets on Windows 11
Even after you tap “Connect” in Kuailian lets, Windows 11 may still fire IPv6 queries through your ISP if the NIC keeps the v6 stack alive. Because the client’s KLP-UDP tunnel currently encapsulates only IPv4, those parallel AAAA requests travel naked, exposing the sites you visit to the resolver assigned by your router—classic DNS leak. The symptom is easy to miss: a quick dnsleaktest.com run shows your real ISP name next to IPv6 while the IPv4 column happily displays the Hong Kong edge node. Disabling IPv6 at the OS level is still the most reliable cure until the vendor ships a dual-stack build.
One-sentence rule: when to turn it off
Kill IPv6 only when (a) you see ISP IPv6 resolvers in leak tests while Kuailian lets is ON, (b) your network has no native v6 upstream (most home PPPoE lines), and (c) you do not rely on Windows Hello over TLS 1.3 corporate portals that mandate v6. If your company uses DirectAccess or you’re on a university WLAN that dishes out public v6 prefixes, keep reading—the rollback section saves you later.
GUI path (beginner, reversible in 30 s)
- Press Win + R → ncpa.cpl → Enter.
- Right-click the active adapter (Ethernet or Wi-Fi) → Properties.
- Uncheck Internet Protocol Version 6 (TCP/IPv6) → OK.
- Disconnect then reconnect Kuailian lets; re-test at dnsleaktest.com—IPv6 column should now show “Not detected”.
Empirical observation: on 2026-era Realtek and Intel drivers the change is hot-plug; you do not need a reboot. If the checkbox returns on its own after a feature update, jump to the registry method which is sticky.
PowerShell one-liner (intermediate, script-friendly)
Open Windows Terminal (Admin) and paste:
```powershell
Get-NetAdapter -Physical | ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -PassThru }
```
The command targets only physical adapters; vSwitch or Hyper-V virtual ports stay intact, so WSL2 still bridges if you dev on the side. Reverse with Enable-NetAdapterBinding any time.
Registry nuclear option (advanced, survives upgrades)
When Windows 11 monthly cumulative updates re-enable IPv6 automatically, a registry dword is the only guardrail that persists. Save the snippet below as disable-v6.reg and double-click:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
"DisabledComponents"=dword:000000ff
```
Value 0xff disables all IPv6 components except the loopback interface; Kuailian lets will stop seeing any v6 routes and force traffic down the KLP-UDP IPv4 tunnel. Reboot once. To revert, delete the dword or set it to 0x00.
Verifying the fix without visiting random sites
Open PowerShell and type:
```powershell
nslookup -q=AAAA google.com
```
A proper “No IPv6 address” reply proves the stack is asleep. Then check Kuailian lets built-in quality graph: if the jitter line stays flat while you stream 4K, you did not break UDP offload.
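Since an AAAA record can also be returned by a resolver reached over IPv4, this added example (not part of the original article) inspects the local state instead: the per-adapter binding, the DisabledComponents value, and any IPv6 resolver or default route left on an active physical adapter. The function name `Get-Ipv6LeakSurface` is hypothetical; the cmdlets are the standard Windows NetAdapter, NetTCPIP and DnsClient ones.

```powershell
# Added example: read-only report of where IPv6 can still leave the machine.
function Get-Ipv6LeakSurface {
    [CmdletBinding()]
    param()

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    # DisabledComponents is absent on a default install; report that as 0.
    $dc = (Get-ItemProperty -Path $regPath -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    if ($null -eq $dc) { $dc = 0 }

    foreach ($nic in Get-NetAdapter -Physical | Where-Object Status -eq 'Up') {
        # State of the "Internet Protocol Version 6 (TCP/IPv6)" checkbox for this adapter.
        $bound = (Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6).Enabled

        # IPv6 resolvers assigned to the adapter. fec0:0:0:ffff::1..3 are the
        # placeholders Windows lists when no IPv6 resolver is configured.
        $dns6 = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue).ServerAddresses |
            Where-Object { $_ -and $_ -notlike 'fec0:0:0:ffff::*' })

        # A ::/0 route on the physical NIC lets v6 traffic bypass an IPv4-only tunnel.
        $route6 = @(Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '::/0' -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Adapter            = $nic.Name
            Ipv6Bound          = $bound
            DisabledComponents = '0x{0:X2}' -f $dc
            Ipv6DnsServers     = $dns6 -join ', '
            Ipv6DefaultRoute   = $route6.Count -gt 0
            LeakPossible       = ($dns6.Count -gt 0) -or ($route6.Count -gt 0)
        }
    }
}

Get-Ipv6LeakSurface | Format-Table -AutoSize
```

A row with LeakPossible = True while the client is connected is the state the leak test would flag. The registry value only takes effect after a reboot, so compare the columns after restarting.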
Side effects you can actually measure
- Xbox Game Bar party chat may fall back to relay servers, adding 20–40 ms; empirical on 500 Mbit fiber.
- Windows Update peer-to-peer delivery turns off because it needs v6 for Teredo; downloads remain HTTP/2 so impact is nil for most.
- Hyper-V Default Switch still NATs WSL2 fine; only exotic docker-desktop-win with explicit v6 expose breaks—documented workaround is to re-enable per-adapter.
These side effects are minor for typical home setups but worth noting if you depend on low-latency voice chat or containerized development workflows.
When NOT to disable IPv6
If your ISP gives you a public /56 prefix and you run Xbox, Plex or Home Assistant remotely, killing v6 will force everything through CG-NAT IPv4 and can halve throughput on congested 4G backup. In that scenario keep v6 alive and instead tell Kuailian lets to “Prefer IPv4 tunnel” (Settings → Protocol → Advanced). The toggle appeared in the latest version as of this writing and sends AAAA queries to the tunnel’s own DNS64, plugging the leak without OS surgery.
Rolling back fast after a 3 a.m. mistake
Store the original state in a .reg before you begin:
```powershell
reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters tcpip6-backup.reg
```
If Teams calls drop or you lose SMB access to a NAS, double-click the backup file and reboot—30-second panic fix.
Group Policy variant for IT admins
Domain-joined PCs can push the same DisabledComponents dword through Computer Configuration → Preferences → Windows Settings → Registry. Pair it with item-level targeting so only laptops with Kuailian lets installed receive the policy; otherwise the Surface fleet on dual-stack corporate Wi-Fi will complain.
Automation script that checks leak first
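```powershell
# Run elevated. A leak is possible while an active physical adapter still has an IPv6 resolver assigned;
# resolving an AAAA record alone proves nothing, because the answer can arrive over an IPv4 resolver.
# fec0:0:0:ffff::* entries are Windows placeholders for "no resolver configured" and are ignored.
$leak = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv6 -ErrorAction SilentlyContinue).ServerAddresses
} | Where-Object { $_ -and $_ -notlike 'fec0:0:0:ffff::*' }
if ($leak) {
    Write-Host "IPv6 leak detected, applying mitigation..."
    # -Type DWord creates the value with the right type if it is missing; effective after a reboot.
    Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -Name DisabledComponents -Value 0xFF -Type DWord
} else {
    Write-Host "No leak; leaving IPv6 intact."
}
```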
Schedule it as a wake-up task; the script is idempotent so monthly updates will not stack duplicates.
Performance note: does it lower latency?
Disabling v6 itself does not speed up Kuailian lets; the 35–60 ms latency reduction advertised comes from KLP-UDP’s QUIC disguise, not from turning off a protocol. What you gain is consistency—no more 200 ms garbage-collector pauses while Windows tries unreachable v6 DNS and falls back.
Troubleshooting checklist if leak persists
- Third-party DNS over HTTPS browsers (Edge Secure, Chrome Secure) can bypass the OS stack; disable their internal DoH while testing.
- Check for IPv6 literals hard-coded in hosts file (C:\Windows\System32\drivers\etc\hosts).
- Some USB-C docking stations create a hidden “NDIS 6.8” adapter—uncheck v6 there too.
- Kuailian lets split-tunnel whitelist? Make sure dnsleaktest.com is not in the domestic direct list.
If you still see IPv6 after these steps, reboot and re-check; residual cache entries can linger for one TTL cycle.
Applicable / non-applicable scenario matrix
| Scenario | Disable v6? | Rationale |
|---|---|---|
| Home PPPoE, no v6 prefix | Yes | Zero collateral damage |
| Campus eduroam with /48 | No | Breaks printer discovery |
| Gaming café, Kuailian lets only | Yes | Latency variance > leak risk |
| Corp DirectAccess laptop | No | Use per-adapter instead |
FAQ
Will Windows Update re-enable IPv6?
Feature updates sometimes reset adapter bindings; the registry dword 0xff survives, but GUI unchecks get wiped. Keep the PowerShell snippet in Task Scheduler after each build upgrade.
Does this break Xbox Game Pass downloads?
No, Microsoft CDN falls back to IPv4 transparently; empirical observation shows identical throughput on 1 Gbit fiber.
Can I disable v6 only when Kuailian lets is running?
Not natively; use the leaked-IP detection script triggered by the client’s connect event in Task Scheduler. Reverse on disconnect.
Key takeaways & next steps
IPv6 DNS leaks under Kuailian lets are a Windows stack behavior, not a product bug. For most home users on v4-only lines, unchecking the adapter box is the fastest win; road-warriors on dual-stack networks should prefer the client’s new “Prefer IPv4 tunnel” switch to stay compliant without butchering OS defaults. Whichever path you pick, always export a registry backup first and re-test after every major Windows update—then get back to latency-free gaming or 4K streaming without surprise postcards from your ISP.

