Technical

Telegram Proxies and DNS Leaks: What to Know

A proxy hides your traffic, but DNS lookups can leak metadata. Here is how Telegram handles it.

MTProto Proxy Engineers · Censorship Circumvention Researchers

Published April 27, 2026 Updated May 15, 2026 8 min read 376 words

What is a DNS leak?

When your phone or computer needs to reach an internet host, it first asks a DNS server for the IP address. By default, this DNS query goes to your ISP's DNS server in plaintext. Even with a fully encrypted application connection, the DNS query reveals which hostnames you are looking up. This is called a "DNS leak".

How Telegram handles DNS

Telegram's clients hardcode IP addresses for the data centres rather than relying on DNS. This means once Telegram is connected, it does not do DNS lookups for telegram.org or related hostnames. Any leaks are limited to the initial app launch.

Get a free TGFast proxy

Browse the live country grid on the home page and tap any card to connect Telegram in one second — no signup, no logs.

Open the fleet

How TGFast handles DNS

When you add a TGFast proxy via tg://link, Telegram does need to resolve our hostname (e.g. your TGFast card hostname) once at startup. This DNS lookup goes through your normal DNS server. So your ISP can see "this user looked up your TGFast card hostname". After that, all traffic is encrypted MTProto.

Eliminating the DNS leak

Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt your DNS queries. On iOS: Settings → General → VPN & Device Management → DNS → Cloudflare or NextDNS. On Android: Settings → Network → Private DNS → cloudflare-dns.com. After enabling DoH, even your initial proxy hostname lookup is hidden from your ISP.

Stay updated

Join @FastTGProxyMT for instant alerts when servers move or new proxies launch.

Join Telegram Channel

Using TGFast IPs directly

For maximum privacy, you can configure TGFast in Telegram using IP addresses instead of hostnames. Email support@tgfast.top to receive the current IPs for each server. The downside: when we rotate IPs, your config will need updating manually. We recommend hostname + DoH instead.

WebRTC leaks (desktop)

Telegram Desktop's built-in voice/video calls use WebRTC, which can leak your real IP via STUN/TURN. The proxy covers MTProto signaling but the media stream may go directly. To prevent this, disable "P2P calls" in Telegram Desktop settings — calls will route through Telegram's servers via the proxy instead. Latency is slightly higher (typically 20-50 ms) but no IP leak.

Threat model summary

Without the proxy: ISP sees Telegram traffic patterns, channels you read (via packet sizes), all metadata. With the proxy + DoH: ISP sees only that you connected to a single non-Telegram hostname. With proxy + DoH + Secret Chats: even Telegram's servers cannot read your sensitive messages.

Frequently Asked Questions

How is MTProto different from SOCKS5 or Shadowsocks?

MTProto is Telegram's native protocol, so traffic looks indistinguishable from a normal Telegram connection to deep packet inspection. SOCKS5 is a generic proxy with a recognizable handshake; Shadowsocks adds obfuscation but still requires the operator to defend their port and keys against probing. MTProto with Fake-TLS adds a TLS-1.3-mimicking handshake that has proven the hardest of the three to fingerprint.

Why does the secret start with "dd" or "ee"?

The leading byte is a magic prefix that tells the Telegram client which obfuscation mode to negotiate. "dd" enables MTProto 2.0 random padding to defeat traffic analysis; "ee" indicates Fake-TLS mode where the entire session is wrapped in a TLS 1.3 handshake. Both are interoperable with all modern Telegram clients.

Can a network operator detect that I am using an MTProto proxy?

A determined operator can sometimes flag suspicious flows by timing analysis, but the encrypted payload itself is opaque. Fake-TLS makes detection significantly harder because the handshake mimics a real HTTPS site (including SNI, ALPN and certificate exchange). Even when flagged, blocking is per-IP, not per-protocol — which is why TGFast rotates IPs continuously.

Does an MTProto proxy add real cryptography or only obfuscation?

Both. The MTProto 2.0 transport adds AES-256-IGE encryption between client and server with per-session keys derived from the shared secret, and Fake-TLS wraps that channel inside a real TLS 1.3 handshake. Even if the proxy operator were malicious, they could not decrypt the inner Telegram session — that key is negotiated end-to-end with Telegram's data centres.

How does TGFast pick which servers to deploy and where?

We monitor latency and packet loss from probe nodes in 14 cities across the regions hit hardest by Telegram restrictions. New servers are spun up where the median latency to nearby ISPs falls below 80 ms and where the upstream provider has historically resisted ISP take-down requests. Capacity is rebalanced weekly.