Retour au blog
Anti-detection

DNS Leak Prevention: Keep Your Real Location Private

DNS queries can reveal your real location even when using a proxy. Learn how DNS leaks happen and how cloud browsers prevent them.

Introduction

When your browser loads a webpage, it first needs to resolve the domain name to an IP address through DNS. If this DNS query goes through your local DNS resolver rather than through your proxy, it reveals your real ISP and approximate location to the DNS server operator, even though the actual page load goes through the proxy.

This is a DNS leak, and it is one of the most common ways that proxy-based privacy setups fail silently.

How DNS Leaks Happen

Standard DNS Resolution

Without proxy DNS support, the resolution flow is:

  1. Browser requests example.com
  2. OS sends DNS query to your configured DNS server (ISP or public DNS)
  3. DNS server resolves and returns the IP
  4. Browser connects to the IP through the proxy

The problem: the DNS query in step 2 goes directly from your machine to the DNS server, bypassing the proxy entirely. The DNS server sees your real IP and knows which domains you are visiting.

SOCKS5 vs SOCKS5H

The critical difference between SOCKS5 and SOCKS5H is where DNS resolution happens:

  • SOCKS5: Your machine resolves DNS locally, then sends the resolved IP to the proxy
  • SOCKS5H: Your machine sends the domain name to the proxy, which resolves DNS on its side

SOCKS5H keeps DNS resolution within the proxy tunnel, preventing leaks.

Browser DNS Prefetching

Browsers aggressively prefetch DNS records for links on the page to speed up navigation. These prefetch queries can bypass proxy configuration, leaking domain names to your local DNS resolver even for pages you never visit.

Detection Methods

Detection systems check for DNS leaks by:

  1. Loading a resource from a unique subdomain (e.g., abc123.leak-test.example.com)
  2. Checking which DNS resolver queried for that subdomain
  3. Comparing the resolver's location with the proxy IP's location

If the DNS resolver is in a different location from the proxy, the user is leaking DNS.

How BotCloud Prevents DNS Leaks

BotCloud configures DNS handling at the engine level:

  • All DNS queries route through the proxy when a SOCKS5H proxy is configured
  • DNS prefetching is controlled to prevent out-of-tunnel queries
  • Secure DNS (DoH) is configured consistently with the session's geographic identity
  • No local resolver exposure - The machine's DNS configuration is never visible to websites

This happens automatically when you configure a proxy with your BotCloud session.

Verification

Test DNS leak prevention:

const page = await browser.newPage();
await page.goto('https://browserleaks.com/dns');
// All DNS servers should be consistent with your proxy location

You can also use:

  • dnsleaktest.com
  • ipleak.net
  • bash.ws/dnsleak

Best Practices

  1. Always use SOCKS5H (not SOCKS5) for automation to keep DNS within the tunnel
  2. Test for DNS leaks after configuring proxies, not just IP leaks
  3. Check that DNS resolver location matches proxy location - A US proxy with a German DNS resolver is suspicious
  4. Consider DNS over HTTPS (DoH) for additional encryption of DNS queries
#dns#leak-prevention#proxy#privacy