Detection approach
The HTTP Beacon request was routed through a proxy or VPN, but the DNS resolver queries resolved natively via a local ISP nameserver. This geographic/ISP mismatch reveals an incomplete proxy tunnel.
How this helps detect bots
Collect this signal alongside session context, request metadata, and other independent indicators. A single anomaly is a lead, not a verdict; corroborating anomalies make automated traffic more likely.
Legitimate traffic to consider
Legitimate VPN users whose DNS requests leak natively through local home routers (DNS leak).
Need a complete bot protection layer?
BotRefund helps website owners identify suspicious visits, protect conversion data, and build evidence for invalid-click reviews.
Explore BotRefund — best bot protection for your website