DNS Leak Test: Check If Your Proxy or VPN Is Exposing You

You've set up a proxy or VPN to stay anonymous online — but are your DNS requests quietly betraying your real location? A DNS leak exposes the websites you visit to your ISP, even when the rest of your traffic is encrypted and routed through a proxy. In this guide, we'll explain what DNS leaks are, how to test for them, and how to fix them.

What Is DNS?

The Domain Name System (DNS) translates human-readable domain names like zentislabs.com into IP addresses that computers use to connect. Every time you visit a website, your device sends a DNS query to a resolver. Normally, your ISP provides this resolver — which means your ISP can see every site you visit, even if the connection itself is encrypted with HTTPS.

What Is a DNS Leak?

A DNS leak happens when your DNS queries bypass your proxy or VPN tunnel and go directly to your ISP's DNS resolver instead. This means:

• Your ISP can see which websites you visit — even though your traffic appears to route through a proxy.
• Target websites can detect your real location — the DNS resolver's geography often matches your ISP region, not your proxy's.
• Your anonymity is compromised — fingerprinting services combine DNS data with other signals to identify you.

How DNS Leaks Happen

DNS leaks occur in several common scenarios:

• HTTP proxies without DNS tunneling: Most HTTP proxies only tunnel HTTP/HTTPS traffic. DNS queries are sent directly from your machine to the OS-configured resolver.
• SOCKS4 proxies: SOCKS4 doesn't support remote DNS resolution, so DNS always leaks.
• Misconfigured VPNs: Split-tunnel VPN configurations may exclude DNS traffic from the tunnel.
• WebRTC leaks: Even when proxy/VPN is properly configured, WebRTC in browsers can bypass the tunnel and reveal your real IP and DNS.
• OS-level DNS caching: Windows and macOS cache DNS results and may use the cached (non-proxied) result even after enabling a proxy.

How to Test for DNS Leaks

The easiest way to check is with our free DNS Leak Test tool. It sends DNS queries to unique subdomains and checks which resolver responds. If the responding server belongs to your ISP rather than your proxy provider, you have a leak.

You can also test manually from the command line:

# Check which DNS resolver your system is using
nslookup zentislabs.com

# On Linux/macOS, check resolv.conf
cat /etc/resolv.conf

# Test with a specific DNS server (should match your proxy location)
nslookup zentislabs.com 8.8.8.8

If the DNS server in the response belongs to your ISP (e.g., your local Comcast, Vodafone, or Telekom resolver) rather than the proxy's network, your DNS is leaking.

SOCKS5 vs HTTP Proxies: DNS Leak Differences

SOCKS5 proxies support remote DNS resolution. When configured correctly, the proxy server resolves DNS on your behalf, preventing leaks. This is why SOCKS5 is preferred for privacy-sensitive tasks.

HTTP/HTTPS proxies handle DNS at the protocol level — the CONNECT method sends the hostname to the proxy, which resolves it. However, the browser or application may still perform its own DNS lookup before connecting, causing a leak. Always verify with a test.

How to Fix DNS Leaks

1. Use SOCKS5 with Remote DNS

When using SOCKS5 proxies, ensure remote DNS resolution is enabled. In most clients, this is a configuration flag:

import requests

# SOCKS5 with remote DNS resolution (hostname sent to proxy)
proxies = {
    "http": "socks5h://USER:PASS@gate.zentislabs.com:1080",
    "https": "socks5h://USER:PASS@gate.zentislabs.com:1080",
}
# Note: socks5h:// = remote DNS, socks5:// = local DNS (leaks!)

r = requests.get("https://httpbin.org/ip", proxies=proxies)
print(r.json())

2. Configure DNS-over-HTTPS (DoH)

DNS-over-HTTPS encrypts DNS queries and sends them over HTTPS, preventing your ISP from seeing them. Configure your browser or OS to use a DoH provider like Cloudflare (1.1.1.1) or Google (8.8.8.8) as a secondary protection layer.

3. Flush DNS Cache After Connecting

# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux
sudo systemd-resolve --flush-caches

4. Disable WebRTC in Browsers

WebRTC can leak your real IP even behind a proxy. In Firefox, set media.peerconnection.enabled to false in about:config. For Chrome, use an extension like WebRTC Leak Prevent.

5. Use ZentisLabs Residential Proxies

ZentisLabs residential proxies handle DNS resolution server-side by default. When you connect through our gateway at gate.zentislabs.com, DNS queries are resolved on the proxy server in the target region — so your ISP never sees the domains you're accessing.

Why DNS Leaks Matter for Web Scraping

For web scraping and automation, DNS leaks are especially dangerous. Anti-bot systems compare the geographic location of your IP address with the location of your DNS resolver. If your proxy IP is in Germany but your DNS resolver is in the US, that mismatch is a clear signal that you're using a proxy — and your requests get blocked.