← Back to signal log

SOCKS5 vs HTTP Proxies: Choosing the Right Protocol

KillNode exposes both. Here is when to use each one and what the differences actually mean.

The two proxy protocols KillNode exposes

| | HTTP proxy (:9742) | SOCKS5 gateway (:9741) | |-|-------------------|------------------------| | Layer | Application (L7) | Session (L5) | | Protocols | HTTP, HTTPS (via CONNECT) | TCP, any protocol | | DNS | Resolved by the proxy | Resolved by the proxy | | IPv6 | Depends on client | Supported (v0.2.0+) | | Client support | Universal | Requires SOCKS-aware client |

HTTP proxy — :9742

The HTTP proxy bridge uses proxy-chain to accept standard HTTP proxy requests and forward them over Tor SOCKS. Clients connect to http://127.0.0.1:9742, and the bridge translates the HTTP CONNECT method for HTTPS tunnels.

Use this when: - Your application only understands HTTP proxy settings (most browsers, curl, wget). - You want the simplest possible configuration: one address, one port, works everywhere. - You are using a language runtime that reads http_proxy / https_proxy environment variables.

Limitation: This proxy speaks HTTP between your client and KillNode. The traffic is then tunneled over Tor. There is an extra translation hop versus SOCKS5 direct.

SOCKS5 gateway — :9741

The SOCKS5 gateway is a purpose-built server that accepts any TCP connection and forwards it to Tor's SOCKS port. It supports all three address types defined in RFC 1928: IPv4 (atyp 0x01), domain name (atyp 0x03), and IPv6 (atyp 0x04).

Use this when: - Your application supports SOCKS5 natively (many privacy-aware apps do). - You need to tunnel non-HTTP protocols (SSH, custom TCP services). - You want the minimum latency — fewer protocol translation steps.

Note: SOCKS5 itself does not encrypt anything between your application and KillNode. The encryption layer is provided by Tor's circuit. Since both endpoints are on localhost (127.0.0.1), this is not a practical concern.

Tor SOCKS direct — :9050

You can also point clients directly at Tor's own SOCKS port on 9050. This bypasses KillNode's gateway entirely. Use this if you trust the client to speak SOCKS5 correctly and you do not need KillNode's error handling or IPv6 shim.

DNS leak prevention

Both KillNode's proxies forward DNS resolution through Tor. The SOCKS5 gateway sends the domain name (atyp 0x03) to Tor's SOCKS port, which resolves it inside the Tor network. The HTTP proxy similarly tunnels hostname resolution through the bridge.

Applications that perform their own DNS lookup before connecting — and only send the IP address to the proxy — will leak DNS queries to your local resolver. This is rare with properly implemented SOCKS5 clients but common with naive HTTP clients.

Test: Check that check.torproject.org reports a Tor exit IP, and separately check a DNS leak test site like dnsleaktest.com through the proxy.

← All posts