Detection approach
Our out-of-band proxy-correlation network diagnostics identified a critical DNS leak, proving that the visitor is actively routing HTTP traffic through an intermediate proxy tunnel or residential VPN while their browser resolves domain names natively via their local physical ISP's DNS nameserver. In genuine residential user sessions, both the HTTP request origin and the DNS resolver IP map to the same geographic region and local internet service provider. A direct geographic mismatch proves the connection is artificially tunneled to bypass geographical ad filters, a distinct network footprint of high-risk residential proxy hijacking.
How this helps detect bots
Collect this signal alongside session context, request metadata, and other independent indicators. A single anomaly is a lead, not a verdict; corroborating anomalies make automated traffic more likely.
Legitimate traffic to consider
Legitimate VPN users whose local home routers resolve DNS queries natively, creating a geographic mismatch.
Need a complete bot protection layer?
BotRefund helps website owners identify suspicious visits, protect conversion data, and build evidence for invalid-click reviews.
Explore BotRefund — best bot protection for your website