DNS Leak Test: How to Check If Your Proxy Is Leaking

A DNS leak occurs when your device sends DNS queries outside the proxy tunnel, revealing your real IP address or geographic location to DNS servers. Even if all your HTTP and HTTPS traffic routes through the proxy correctly, a single leaked DNS request can expose who you are and where you are located.

For anyone using proxies for privacy, data collection, or account management, DNS leaks undermine the entire purpose of the proxy. This guide explains how DNS leaks happen, how to detect them, and how to seal every leak.

How DNS Leaks Happen

When you type a domain name into your browser or make an HTTP request, your device must first resolve the domain to an IP address through a DNS query. In a properly configured proxy setup, DNS resolution should happen on the proxy server side. The flow should look like this:

Correct flow: Your device > Proxy server > DNS resolution > Target website

Leaked flow: Your device > Your ISP’s DNS server (leak!) AND Your device > Proxy server > Target website

In the leaked scenario, the website receives traffic from the proxy IP, but your ISP’s DNS server sees which domains you are resolving. Anyone monitoring DNS traffic (your ISP, network administrator, or an adversary) can see every domain you visit.

Why Leaks Occur

HTTP proxies without remote DNS: Standard HTTP proxies may resolve DNS locally before sending the request
SOCKS4 proxies: SOCKS4 does not support remote DNS resolution; the client must resolve domains locally
Operating system DNS caching: The OS may cache DNS results and bypass the proxy for cached lookups
IPv6 DNS queries: Even if IPv4 traffic routes through the proxy, IPv6 DNS queries may leak on the local interface
Browser-level DNS prefetching: Browsers preemptively resolve domains mentioned on a page, often bypassing proxy settings
Smart Multi-Homed Name Resolution (Windows): Windows may send DNS queries to all available interfaces simultaneously

How to Test for DNS Leaks

Method 1: Online DNS Leak Test Tools

The simplest approach is to use a DNS leak test website while connected through your proxy:

Configure your proxy
Visit a DNS leak test site through the proxy
The test sends multiple DNS queries and reports which DNS servers resolved them
If any DNS server belongs to your ISP or local network, you have a leak

Popular DNS leak test services include dnsleaktest.com and ipleak.net. Run the extended test rather than the standard test, as some leaks only appear when multiple DNS queries are sent in sequence.

Method 2: Command-Line Testing

For more control, test DNS resolution directly from the command line:

# Check which DNS server resolves a query (without proxy)
nslookup example.com

# Compare with resolution through a SOCKS5 proxy
# Using proxychains on Linux
proxychains nslookup example.com

# Using curl to check your apparent IP through the proxy
curl -x socks5h://user:pass@proxy:1080 https://httpbin.org/ip

Note the socks5h:// prefix. The h indicates that DNS resolution should happen on the proxy server, not locally. Using socks5:// (without the h) resolves DNS locally, which causes a DNS leak.

Method 3: Packet Capture

For a definitive test, capture all DNS traffic leaving your machine:

# Capture DNS queries on all interfaces
sudo tcpdump -i any port 53 -nn

# On macOS
sudo tcpdump -i en0 port 53 -nn

With the capture running, browse the web through your proxy. If you see DNS queries in the capture output, those queries are leaking outside the proxy tunnel. In a properly configured setup, you should see zero DNS queries on port 53 from your local interface.

Method 4: Wireshark Analysis

For a graphical analysis:

Open Wireshark and start capturing on your active interface
Apply the display filter dns
Browse through your proxy
Examine the captured DNS packets to see which DNS servers your machine is querying

If you see queries going to your ISP’s DNS server or your router’s IP, you have a DNS leak.

How to Fix DNS Leaks

Fix 1: Use SOCKS5 with Remote DNS

If you are using SOCKS5 proxies, always use the socks5h:// protocol prefix to ensure DNS resolution occurs on the proxy server:

# Leaks DNS (local resolution)
curl -x socks5://proxy:1080 https://example.com

# No DNS leak (remote resolution)
curl -x socks5h://proxy:1080 https://example.com

In Python:

import requests

# Correct: remote DNS resolution
proxies = {
    "http": "socks5h://user:pass@proxy:1080",
    "https": "socks5h://user:pass@proxy:1080",
}

Fix 2: Disable Browser DNS Prefetching

Chrome, Firefox, and Edge prefetch DNS for links on a page, which can bypass the proxy:

Chrome:

Navigate to chrome://settings/security
Disable “Use secure DNS” or configure it to use a DNS server consistent with your proxy

Firefox:

Navigate to about:config
Set network.dns.disablePrefetch to true
Set network.proxy.socks_remote_dns to true (for SOCKS proxies)

Fix 3: Disable Smart Multi-Homed Name Resolution (Windows)

Windows may send DNS queries to all network adapters simultaneously:

Open Group Policy Editor (gpedit.msc)
Navigate to Computer Configuration > Administrative Templates > Network > DNS Client
Enable “Turn off smart multi-homed name resolution”

Alternatively, via PowerShell:

Set-DnsClientGlobalSetting -UseSuffixSearchList $false

Fix 4: Configure DNS-over-HTTPS Through the Proxy

If your proxy supports HTTPS traffic, configure your browser to use DNS-over-HTTPS (DoH) through the proxy. This encrypts DNS queries and routes them through the proxy tunnel:

Firefox:

Navigate to Settings > General > Network Settings
Enable “DNS over HTTPS”
Select a DoH provider

This ensures DNS queries are treated as regular HTTPS traffic, flowing through the proxy like any other request.

Fix 5: Disable IPv6

If IPv6 DNS queries are leaking while IPv4 traffic is properly proxied:

Windows:

# Disable IPv6 on all adapters
Get-NetAdapter | ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }

macOS:

sudo networksetup -setv6off Wi-Fi

Linux:

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1

Fix 6: Use Proxychains with Proxy DNS

On Linux, proxychains forces all traffic through a proxy. Configure it with the proxy_dns option:

# /etc/proxychains.conf
strict_chain
proxy_dns
[ProxyList]
socks5 proxy-host 1080 username password

The proxy_dns directive ensures DNS queries are routed through the proxy chain.

Testing After Fixes

After applying fixes, retest using all four methods described above. DNS leaks can be intermittent, so test multiple times and under different conditions:

Test with multiple websites
Test during DNS cache expiration (clear your DNS cache first)
Test with both IPv4 and IPv6 enabled
Run a packet capture for at least 5 minutes while actively browsing

For a comprehensive verification process, use the proxy testing checklist to ensure no leaks remain.

DNS Leaks and Mobile Proxies

When using mobile proxies, DNS leak prevention is especially important. Mobile proxies provide IP addresses from mobile carrier networks, which gives you a high trust score on target websites. However, if your DNS queries leak to your local ISP’s DNS server, sophisticated websites can detect the mismatch between your apparent mobile IP and your local DNS resolver, flagging the traffic as suspicious.

To maintain the integrity of mobile proxy traffic:

Always use HTTPS proxy connections with remote DNS resolution
Avoid SOCKS4, which does not support remote DNS
Test for DNS leaks before starting any data collection or account management tasks

Conclusion

DNS leaks are a silent threat that can completely undermine your proxy setup. Your HTTP traffic may route through the proxy flawlessly while DNS queries quietly reveal your real identity to anyone monitoring the network. Test for DNS leaks using multiple methods, apply the appropriate fixes for your platform and proxy type, and retest after every configuration change. The few minutes spent on DNS leak testing can save you from compromised data collection campaigns, burned accounts, and exposed identities.