Home/Blog/DNS Leaks With Proxies
Proxy Technology

DNS Leaks With Proxies: Causes, Tests, Fixes

Your traffic can exit a proxy IP while the DNS lookup still runs on your own machine - quietly exposing your real resolver and location. Here's how local versus remote resolution works, how to test for a leak, and how to force DNS through the proxy in curl, Python, Node, and browsers.

9 min read·Last updated: July 2026

Quick Answer

A DNS leak is when your client resolves hostnames locally instead of through the proxy. The page traffic exits the proxy IP, but the DNS query goes to your own resolver, revealing your real network and region. The fix is remote resolution: use the socks5h scheme (not socks5) so the proxy does the lookup.

  • socks5 resolves DNS locally; socks5h resolves it at the proxy
  • Test with browserleaks.com/dns or dnsleaktest.com and read the resolver region
  • A leaked resolver in the wrong region undermines mobile geo-targeting

This is a neutral, technical explainer. It complements our SOCKS5 vs HTTP proxy comparison, which explains the protocols but leaves out the detail that trips people up most: where the DNS lookup actually happens. A proxy changes the path your connection takes, but it does not automatically change where names get resolved. Get that wrong and you leak - even when everything else looks correct.

What a DNS leak actually is

Every request to a hostname like example.com needs a DNS lookup to turn that name into an IP address before a TCP connection can open. The question is who performs that lookup. If your client resolves the name itself, the query goes to whatever resolver your operating system is configured to use - typically your ISP or a public resolver on your real network. That happens before the proxied connection is established, so the lookup never touches the proxy.

The result is a split identity. Your HTTP(S) traffic exits the proxy IP, but the DNS query traveled a different road. As BrowserLeaks puts it, incorrect network configuration or faulty VPN/proxy software can send DNS requests directly to your ISP's server, exposing your browsing activity. In practical terms, the destination's DNS infrastructure and the resolver logs see a lookup that originates from your real network, not the proxy exit.

A leak is not always about privacy. For proxy work it is also a consistency problem: a well behaved session should present one coherent network identity end to end. A resolver that disagrees with the exit IP is a mismatch, and mismatches are exactly what detection systems look for - see how websites detect proxies.

Local vs remote resolution: socks5 vs socks5h

SOCKS5 supports two ways of handling the hostname, and the client picks which one by the scheme it uses. The curl project documents four SOCKS schemes, split by where the name is resolved:

SchemeWho resolves DNSLeak risk
socks4Client (local)Leaks
socks4aProxy (remote)No leak
socks5Client (local)Leaks
socks5hProxy (remote)No leak

The h stands for hostname. With socks5h, the client sends the raw hostname to the proxy and the proxy performs the lookup; with plain socks5, the client resolves the name first and only sends an IP. Same protocol, two behaviors - and the wrong one leaks silently, because the connection still works. HTTP proxies do not have this fork: for an HTTP proxy the client hands over the hostname (a full URL, or a CONNECT host:port for HTTPS), so the proxy resolves it by design.

Forcing remote DNS in curl, Python, and Node

The fix in code is almost always a one character change: add the h. Below is the same idea across three common clients.

curl

# Local DNS: curl resolves the hostname, then connects via the proxy (can leak)
curl --proxy socks5://user:pass@proxy:1080 https://example.com

# Remote DNS: the proxy resolves the hostname (the "h" is for hostname)
curl --proxy socks5h://user:pass@proxy:1080 https://example.com

# Equivalent explicit flag
curl --socks5-hostname user:pass@proxy:1080 https://example.com

Python (requests + PySocks)

The requests[socks] extra installs PySocks, whose rdns flag controls remote resolution. The urllib3 SOCKS docs recommend the socks5h:// (or socks4a://) scheme so DNS is done on the server side.

# pip install "requests[socks]"   (pulls in PySocks)
import requests

proxies = {
    "http":  "socks5h://user:pass@proxy:1080",
    "https": "socks5h://user:pass@proxy:1080",
}
requests.get("https://example.com", proxies=proxies)

# socks5h -> PySocks resolves DNS at the proxy (rdns=True)
# socks5  -> DNS resolved locally on your machine (rdns=False)

For a fuller walkthrough with auth, sessions, and rotation, see our Python requests SOCKS5 example.

Node.js (socks-proxy-agent)

The socks-proxy-agent package accepts the scheme in the proxy URL and supports socks5h, resolving DNS at the proxy rather than locally.

// npm i socks-proxy-agent
import { SocksProxyAgent } from "socks-proxy-agent"

// socks5h:// -> DNS resolved at the proxy; socks5:// -> resolved locally
const agent = new SocksProxyAgent("socks5h://user:pass@proxy:1080")

await fetch("https://example.com", { agent })

If you are working from the command line first, our mobile proxy with curl guide shows the full request setup end to end.

How to test for a leak (and read the result)

Testing is the only way to know for sure, because a leaking configuration still loads pages normally. Two long standing, real tools do the job:

  • browserleaks.com/dns - reports which DNS servers your browser used to resolve names, and flags when queries are going to your ISP instead of through your VPN or proxy.
  • dnsleaktest.com - forces lookups of a batch of unique, randomly generated hostnames and lists every resolver that answered, so you can see exactly which networks handled your DNS.

Reading the result: run the test while routed through the proxy. Compare the resolver location the tool reports against your proxy exit region. If the resolvers sit in the same country and network neighborhood as your exit IP, DNS is going through the proxy. If they show your home ISP or your real city, the lookup leaked - go back and switch the scheme to socks5h or enable remote DNS in your client.

A subtlety worth knowing: these tools measure the resolver that answered, which is not always the same as the machine that first asked. Public resolvers and geo-DNS can shift where an answer appears to come from. Treat a clear mismatch (your real ISP or country showing up) as a confirmed leak, and a clean match as a good sign rather than absolute proof.

Why a leak breaks mobile geo-targeting

This is the part most privacy write ups miss. The whole point of a mobile proxy is to present a real carrier IP in a specific region - a US 4G exit, say. But geo-aware CDNs and DNS services often decide where to route you, and which localized answer to return, based on the resolver that made the lookup, not only on the IP that finally connects.

So if your traffic exits a carrier IP in one country while your DNS is resolved by a resolver in another, the two signals disagree. The destination can steer you to the wrong edge, serve content localized to the resolver's region, or simply log a lookup that never matched the exit. The carefully chosen carrier geography is undercut by a DNS query you forgot to route through the same path.

The state you want is boring and coherent: the resolver, the DNS answer, and the exit IP all point at the same region. Remote resolution through the proxy is what keeps them aligned - which is why forcing socks5h matters as much for accuracy as it does for privacy.

Fixes for browsers and antidetect setups

Browsers are trickier than command line tools because they have their own DNS behavior layered on top of the proxy. Two settings matter.

Firefox - proxy the DNS through SOCKS

Under Network Settings, choosing Manual proxy configuration with a SOCKS host and then ticking "Proxy DNS when using SOCKS v5" sets network.proxy.socks_remote_dns to true, so names are resolved at the proxy instead of locally.

Secure DNS / DNS-over-HTTPS (DoH)

Chrome exposes "Use secure DNS" at chrome://settings/security, and Firefox offers DNS over HTTPS with protection levels in Privacy & Security. DoH encrypts the lookup and hides it from your ISP, but the query still leaves over the browser's own connection to the DoH provider, which need not follow your SOCKS proxy. In Firefox, DoH and the SOCKS remote-DNS option can even conflict. Treat DoH as a privacy feature, not a substitute for resolving at the proxy exit.

For antidetect browsers, rely on the app's own proxy field rather than a system proxy, and confirm the profile is set to resolve DNS through the assigned proxy. Then verify the same way you would anywhere else: open a leak test inside that exact profile and check that the resolver region matches the proxy exit. The principle is identical to matching a fingerprint to its IP - every signal, including DNS, should agree.

Sources

Frequently asked questions

What is a DNS leak when using a proxy?

It is when your client resolves a hostname through your own operating system or ISP resolver instead of through the proxy. Your web traffic exits the proxy IP, but the DNS lookup exposes your real resolver and, often, your real region.

What is the difference between socks5 and socks5h?

With socks5, the client resolves the hostname to an IP locally and then connects through the proxy. With socks5h, the client sends the hostname to the proxy and the proxy performs the DNS resolution. Use socks5h to resolve remotely and avoid a leak.

Do HTTP proxies leak DNS the way SOCKS5 can?

Generally no. With an HTTP proxy the client hands the destination hostname to the proxy - a full URL for plain HTTP, a CONNECT host:port for HTTPS - so the proxy resolves it. The local versus remote DNS fork is specific to SOCKS.

How do I test for a DNS leak?

Route your traffic through the proxy, then open browserleaks.com/dns or dnsleaktest.com. The tools force lookups of unique hostnames and report which resolvers answered. If the resolver region matches your proxy exit, DNS is going through the proxy; if it shows your ISP or home region, you have a leak.

Does browser DNS-over-HTTPS stop a proxy DNS leak?

Not by itself. DoH encrypts the lookup and hides it from your ISP, but the query still leaves over the browser's own connection to the DoH resolver, which may not follow your SOCKS proxy. In Firefox, DoH and "Proxy DNS when using SOCKS v5" can conflict. To resolve at the exit, force remote DNS through the proxy.

Why does a DNS leak break mobile geo-targeting?

Geo-aware CDNs and DNS services choose an edge or response based on the resolver that asked. If your traffic exits a 4G IP in one region but DNS is resolved elsewhere, the site can route or localize content to the wrong region, and its logs see a resolver that does not match the carrier exit.

Keep DNS and the exit IP in the same region

Real 4G/5G carrier IPs with API rotation and sticky sessions - resolve DNS through the proxy and every signal lines up. Test it for $5.