SOCKS is a general purpose proxy protocol that forwards raw TCP and, in version 5, UDP as well. If you are deciding between transport protocols, compare them in the SOCKS vs HTTP proxy comparison.
What is SOCKS
SOCKS is a transport-layer proxy that relays TCP and, with SOCKS5, UDP without adding HTTP headers. It is protocol agnostic and presents the app with a raw socket to the target.
Unlike HTTP proxies, a SOCKS proxy does not parse higher level protocols. The client opens a control session to the proxy, requests a destination, and the proxy pipes bytes in both directions.
SOCKS4 vs SOCKS5
SOCKS4 handles TCP only and usually lacks auth and proxy-side DNS; SOCKS5 adds Username/Password auth, IPv6, proxy-side DNS, and UDP via UDP ASSOCIATE. Use SOCKS5 unless a legacy tool hard-requires SOCKS4.
SOCKS4 is a mid-1990s protocol that forwards TCP only. Providers still ship SOCKS4 because some older or infrequently maintained apps hard-require it.
| Capability | SOCKS4 | SOCKS5 |
| TCP CONNECT | Yes | Yes |
| UDP forwarding | No | Yes, via UDP ASSOCIATE |
| DNS resolution on proxy | Rare or via hacks | Yes |
| Username/Password auth | Typically No | Yes |
| IPv6 addresses | No | Yes |
| BIND for inbound connections | Partial, vendor specific | Standard |
| Fingerprint surface | Low, no HTTP headers | Low, no HTTP headers |
IPv6 support
SOCKS4 does not support IPv6 addressing, while SOCKS5 can pass IPv6 end to end if the client, proxy gateway, and destination all support it. Use socks5h so hostnames are resolved on the proxy and AAAA responses are used, and confirm your provider actually offers IPv6 egress on your plan. For planning tradeoffs between IPv4 and IPv6, see the guide to IPv4 and IPv6 proxy versions.
Authentication and connection formats
SOCKS supports Username/Password and IP allowlisting; use credentials for portability or allowlisting for stable egress. Most tools accept socks5h://USERNAME:PASSWORD@host:port.
SOCKS services usually support Username/Password or IP allowlisting. For options and risks, see proxy authentication methods and formats.
Common connection strings
- Host and port only: socks5://proxy.example.com:1080
- With auth for URL-aware tools: socks5://USERNAME:[email protected]:1080
- Split fields in app UI: host proxy.example.com, port 1080, protocol SOCKS5, auth USERNAME and PASSWORD
DNS handling with SOCKS5
Use proxy-side DNS to prevent local DNS leaks. In CLIs use socks5h or --socks5-hostname; in Firefox enable “Proxy DNS when using SOCKS v5”.
In Firefox, set Manual proxy configuration, SOCKS v5, and tick Proxy DNS when using SOCKS v5 or set network.proxy.socks_remote_dns=true.
CLI examples that push DNS to the proxy:
curl --socks5-hostname USERNAME:[email protected]:1080 https://example.com/curl --preproxy socks5h://USERNAME:[email protected]:1080 https://example.com/
The socks5h or --socks5-hostname variants send hostnames to the proxy; plain --socks5 resolves DNS locally.
UDP and QUIC with SOCKS5
SOCKS5 can forward UDP via UDP ASSOCIATE, but availability depends on the provider gateway and plan. Verify UDP before relying on QUIC or other UDP-based traffic.
Browsers often fall back to TCP if UDP is blocked. Test with an app known to use UDP through SOCKS5 or with the provider’s utility.
Common pitfalls
DNS leaks from using SOCKS4 or --socks5 instead of socks5h are the most frequent issue. Assuming UDP is enabled everywhere or mixing IPv6 targets with SOCKS4 also breaks.
Other mistakes include using HTTP-only tools for a SOCKS workflow and hitting concurrency limits that look like random disconnects.
Quick setup examples
Prefer socks5h strings and environment variables that your tools honor. These minimal configs route traffic via SOCKS5 with proxy-side DNS.
curl
curl --socks5-hostname USERNAME:[email protected]:1080 https://httpbin.org/ip
Environment variables
# Linux, macOS
export ALL_PROXY="socks5h://USERNAME:[email protected]:1080"
# Windows PowerShell
$env:ALL_PROXY = "socks5h://USERNAME:[email protected]:1080"
Python (requests + PySocks)
import requests
proxies = {
"http": "socks5h://USERNAME:[email protected]:1080",
"https": "socks5h://USERNAME:[email protected]:1080",
}
r = requests.get("https://httpbin.org/ip", proxies=proxies, timeout=30)
print(r.text)
Firefox
- Settings, search “proxy”.
- Manual proxy configuration.
- SOCKS Host proxy.example.com, Port 1080, SOCKS v5.
- Tick Proxy DNS when using SOCKS v5.
Chromium-based browsers
chrome --proxy-server="socks5://proxy.example.com:1080" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE proxy.example.com"
Behavior varies by version and OS. Confirm DNS path with a resolver check.
Troubleshooting checklist
First confirm a basic HTTPS fetch with socks5h, then test DNS and UDP separately. Intermittent resets often indicate bad credentials or concurrency ceilings.
- Test DNS on proxy: compare --socks5-hostname with plain --socks5.
- Verify UDP status if your workflow expects it.
- Switch to SOCKS5 from SOCKS4 when you need auth, IPv6, or proxy-side DNS.
- Reduce fingerprint spikes by avoiding extra HTTP headers that HTTP proxies may add.
FAQs
Is SOCKS5 always better than SOCKS4?
If you need proxy-side DNS, Username/Password, IPv6, or UDP, pick SOCKS5. Use SOCKS4 only when a specific legacy tool requires it.
Does SOCKS5 guarantee UDP or QUIC will work?
No. The protocol supports UDP, but providers may disable it and many targets still expect TCP. Confirm UDP on your plan.
Will SOCKS5 reduce blocks compared with HTTP proxies?
SOCKS does not add HTTP headers, which can lower some signals. Real block rates depend on the IP pool, routing, and target rules.
How do I avoid DNS leaks with SOCKS5?
Use socks5h or --socks5-hostname in CLI tools and enable remote DNS in apps like Firefox.
Can I tunnel HTTP over SOCKS5?
Yes. HTTP stacks and browsers can use a SOCKS5 transport. Choose HTTP proxies only when you need HTTP-specific features.
Related in this topic