Common DNS Leak Questions and Testing Sites
DNS Leak Testing Sites
Common Questions About DNS Leaks
Core Concepts
- DNS (Domain Name System): Converts a domain name into an IP address (e.g., baidu.com → 110.242.68.66); TCP/IP connections require IPs to establish communication.
- DNS Leak: When DNS queries that should be handled by a proxy (VPN or relay) are instead sent from the local network, exposing your browsing activity.
- FakeIP: Returns a placeholder (fake) IP to the local device (commonly 198.18.x.x). The local system connects using this fake IP, while the proxy performs the real DNS resolution — preventing local leaks.
Why DNS Leaks Occur
- Before creating a TCP connection, the system performs a DNS query. If the proxy or routing configuration is incorrect, DNS resolution may occur locally.
- Some routing rules require resolving a domain into an IP for IP-based matching (the “fallback” case), which is a common cause of local DNS requests.
Consequences of a DNS Leak
- Privacy Exposure: Local ISPs or network admins can see which sites you visit.
- Service Availability Issues: Target websites may infer your location from DNS and block access (common in streaming or certain AI services).
- Risk Variation: Negligible for normal websites, but significantly higher when visiting sensitive or restricted content.
Example: Two DNS Queries in the “MaoMao” (Example App) Scenario
- First Query (Connection Setup): The browser initiates a connection → triggers FakeIP → receives a fake IP → connection established (safe).
- Second Query (Routing Stage): When routing logic requires an IP to match a rule, it may trigger a DNS query to get the real IP. If this happens locally, a leak occurs.
The second type — where “domain resolution occurs locally for IP matching” — is the most dangerous.
Practical Tips to Prevent DNS Leaks
- Prefer Tun + FakeIP mode, allowing the local system to use only fake IPs while real DNS resolution happens on the proxy side.
- Use domain-based routing whenever possible; for scenarios that trigger local DNS lookups, enable no-resolve (skip local DNS, match by domain only).
- Optionally, Global Mode can prevent most leaks but sacrifices flexibility and performance — not recommended as the first choice.
- For hijacked or sensitive domains, force them through a proxy node or specify a dedicated nameserver-policy (custom DNS server).
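The two-query behaviour described in the example above, and the effect of no-resolve from the tips, as an added Python model (not code from this page or from any proxy client): it walks a Clash-style rule list for a connection that so far only holds a FakeIP and records which domains an IP rule forced through the local resolver. The rule kinds, the stub resolver and the example domains are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder range handed to local apps in FakeIP mode (the text's 198.18.x.x).
FAKE_IP_RANGE = ipaddress.ip_network("198.18.0.0/16")

# Constructed stand-in for the system resolver (hypothetical names, RFC 5737 space).
STUB_DNS = {"video.example.com": "203.0.113.10", "printer.corp.example": "10.1.2.3"}

def stub_resolver(domain):
    return STUB_DNS[domain]  # in a real leak this query leaves the LAN unprotected

@dataclass
class Rule:
    kind: str                 # "DOMAIN-SUFFIX", "IP-CIDR" or "MATCH"
    payload: str              # domain suffix, CIDR, or "" for MATCH
    policy: str               # "PROXY" or "DIRECT"
    no_resolve: bool = False  # IP rules only: skip instead of resolving locally

def is_fake(ip):
    """True when the address an app connected to is only a FakeIP placeholder."""
    return ipaddress.ip_address(ip) in FAKE_IP_RANGE

def route(rules, domain, resolve_locally=stub_resolver):
    """Walk the rules in order for a connection that so far only holds a FakeIP.
    Domain rules match without any lookup. An IP rule cannot match the fake
    address, so without no-resolve it asks the local resolver for the real IP
    (the "second query" that leaks); with no-resolve it is simply skipped.
    Returns (policy, leaked) where leaked lists the domains resolved locally."""
    leaked = []
    real_ip = None
    for r in rules:
        if r.kind == "DOMAIN-SUFFIX":
            if domain == r.payload or domain.endswith("." + r.payload):
                return r.policy, leaked
        elif r.kind == "IP-CIDR":
            if real_ip is None:
                if r.no_resolve:
                    continue                 # match by domain only, never resolve
                leaked.append(domain)        # local lookup == DNS leak
                real_ip = ipaddress.ip_address(resolve_locally(domain))
            if real_ip in ipaddress.ip_network(r.payload):
                return r.policy, leaked
        elif r.kind == "MATCH":
            return r.policy, leaked
    return "DIRECT", leaked
```

Putting a domain rule ahead of the IP rule, or adding no-resolve to the IP rule, is what keeps `leaked` empty; an IP-CIDR rule reached without either is the fallback case the text warns about.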
Common FAQs (Concise)
- Is Global Mode completely safe? Generally yes, but some protocols (like QUIC or other UDP-based ones) can still leak; disable QUIC in browsers if needed.
- Should I use mosdns? Not just for leak prevention — its rules often overlap with proxy routing. Only consider it if you need DNS caching or IP optimization.
- Will local apps pinging random external addresses cause leaks? They usually ping FakeIPs, so no direct exposure — but it depends on the routing setup.
About DNS Leak
- Domains classified as Direct (non-proxied) may be tampered with or hijacked during local resolution.
- Solution: Force such domains through the proxy or assign them a dedicated DNS server (nameserver-policy).
User Focus and Target Audiences
- Different users care about different aspects:
  - Streaming / Strict Anti-Fraud Sites: Care about availability (avoiding access blocks).
  - Privacy / Regulatory Concerns: Care about security and anonymity (avoiding traceability).
  - Corporate / Campus Users: Care about privacy and anti-audit protection (avoiding being caught “browsing casually”).
Summary
- The risk level of DNS leaks depends on the use case — minimal for most users but critical for cross-border e-commerce, privacy-focused users, and researchers.
- Recommended configuration:
  - Use Tun + FakeIP mode.
  - Prefer domain-based routing and enable no-resolve.
  - For hijacked or sensitive domains, set dedicated DNS or enforce proxy routing.