Leak Tests

Proxy & VPN Detection Test

Check whether websites can detect that you're using a VPN, proxy, or Tor. Tests 8 real detection signals used by streaming services, banks, and fraud prevention systems — and shows you a composite anonymity score.

Proxy & VPN Detection Test
8 signals · ASN · Blacklists · rDNS · Timezone · Tor · Headers
No data stored
Run the test to check your anonymity level
Click the button above to begin the 8-signal detection test
-- Score
Unknown
Detection signal matrix
Signal
Detected value
Status
Weight
ASN type — datacenter vs residential
Waiting…
--
Pending
High
Blacklist membership — abuse & spam lists
Waiting…
--
Pending
High
Reverse DNS — hostname reveals provider
Waiting…
--
Pending
Medium
Timezone mismatch — browser vs IP location
Waiting…
--
Pending
Medium
IP classification — hosting, mobile, residential
Waiting…
--
Pending
High
Proxy HTTP headers — X-Forwarded-For leaks
Waiting…
--
Pending
High
Geolocation mismatch — IP country vs locale
Waiting…
--
Pending
Low
Tor exit node detection
Waiting…
--
Pending
High
Signal results will appear here after running the test

Anonymity score weighted across 8 detection signals. View methodology

What this test checks — 8 detection signals
ASN type — datacenter vs residential
Commercial VPN providers and datacenters own ASN ranges that are publicly catalogued. If your IP belongs to a known hosting company (AWS, Vultr, OVH, Hetzner, Mullvad, NordVPN) rather than an ISP that serves residential customers, this signal is flagged immediately.
Blacklist membership — abuse & spam lists
Your IP is checked against major public threat intelligence lists: Spamhaus, Firehol, StopForumSpam, and AbuseIPDB. VPN exit nodes and proxy servers accumulate blacklist entries from other users' activity — your IP may be flagged even if you have never done anything wrong.
Reverse DNS — hostname reveals provider
The rDNS hostname of your IP often names the VPN provider directly. Hostnames like nl-1.mullvad.net, fr123.nordvpn.com, or exit.torproject.org are conclusive identifiers. Even generic datacenter hostnames like static.123.45.67.89.clients.your-server.de confirm VPN use.
Timezone mismatch — browser vs IP location
Your browser's JavaScript Intl.DateTimeFormat().resolvedOptions().timeZone reports your device's configured timezone. If it doesn't match the country your VPN IP is geolocated in, websites score this as a strong anonymity signal. A user in Tokyo connecting through a German VPN shows Europe/Berlin vs Asia/Tokyo.
IP classification — hosting, mobile, residential
IP intelligence databases classify every IP range as residential, mobile, datacenter, or business. Datacenter classification is a near-certain indicator of VPN or proxy use. Residential proxies are specifically designed to use IP ranges classified as residential to evade this check.
Proxy HTTP headers — X-Forwarded-For leaks
Misconfigured proxies and some VPN implementations insert HTTP headers that expose the real IP behind the proxy. Headers like X-Forwarded-For, X-Real-IP, Via, Forwarded, and CF-Connecting-IP can reveal your actual address to any web server.
Geolocation mismatch — IP country vs locale
Your browser's language (navigator.language) and system locale are compared to the country your IP geolocates to. A browser set to en-US connecting from a Japanese IP, or de-DE from a US datacenter, creates a detectable inconsistency.
Tor exit node detection
Tor Project publishes a complete, up-to-date list of all active Tor exit node IP addresses at check.torproject.org/torbulkexitlist. Your IP is checked against this live list. Tor exit nodes are also catalogued in Firehol and other threat intelligence feeds independently.
How websites detect VPNs and proxies
IP intelligence databases
Companies like MaxMind, IP2Location, IPinfo, and IPQS maintain commercial databases that classify every public IP address by type (residential/datacenter/mobile), country, city, ISP, and connection type. Sites like Netflix and banking apps purchase API access and query your IP on every connection.
Traffic pattern analysis
VPN servers handle traffic from many users simultaneously. A single IP making thousands of requests per hour, or connecting to many different services in short time windows, matches the statistical pattern of a shared VPN exit node rather than a single residential user.
Browser fingerprint cross-referencing
Even if your IP changes, your browser fingerprint — canvas hash, fonts, screen resolution, WebGL renderer, audio context — may remain identical across sessions. Services like Stripe and Google cross-reference IP location with the browser fingerprint to detect VPN users who log in from "different" countries.
Timing and latency analysis
VPNs add measurable latency to connections. A user geolocated in Singapore but with ping latency consistent with a European connection is detectable. Some services use WebRTC STUN round-trip timing relative to the claimed geographic location to flag implausible latencies.
How detectable is each connection type?
Connection type Example Detectability Anonymity score Why
Commercial VPN NordVPN, ExpressVPN, Mullvad Easy to detect
25
Fixed ASN ranges, published server lists, rDNS naming conventions, and high blacklist density make commercial VPN IPs trivially detectable by any IP intelligence service.
Datacenter Proxy AWS, DigitalOcean, Vultr proxies Easy to detect
20
Datacenter IP classification is nearly universal in commercial databases. Hosting company ASNs are well-documented and flagged automatically regardless of the specific use.
Tor Browser Tor Project exit nodes Detected instantly
5
Tor Project publishes the complete list of all exit nodes. Any site checking this list identifies Tor users in milliseconds. Tor Browser's unique fingerprint also distinguishes it regardless of exit IP.
Residential Proxy Bright Data, Oxylabs, IPRoyal Hard to detect
75
Uses real residential ISP IP ranges — the IP classification check passes. However, behavioural anomalies, velocity patterns, and timezone mismatches still reveal proxy use to sophisticated fraud detection.
Mobile Data (no VPN) Direct 4G/5G connection Not detected
95
Mobile carrier IP ranges are classified as mobile — not datacenter. Unless you've connected from a previously flagged IP, no proxy or VPN signals are present.
Home Broadband (no VPN) Direct residential ISP Not detected
98
Residential broadband IPs are classified as residential with a real ISP name and no blacklist entries. Timezone, locale, and geolocation all match — zero anomaly signals.
Frequently asked questions