Why It Matters
The article exposes a common misconception that a single setting can guarantee online anonymity, prompting both consumers and enterprises to reassess their privacy stacks. Understanding these gaps is crucial for protecting data, complying with regulations, and avoiding false security claims.
Key Takeaways
- Private DNS encrypts only DNS queries, not IP or SNI data
- ISPs can still infer visited sites via IP addresses and SNI
- Your DNS resolver now sees all queries; trust its policies
- Apps, VPNs, or routers can leak DNS despite the setting
Pulse Analysis
The rise of DNS‑over‑TLS (DoT) and DNS‑over‑HTTPS (DoH) has been marketed as a simple privacy upgrade for smartphones and laptops. By moving DNS queries from clear‑text UDP to encrypted channels, providers like Cloudflare, Google, and Quad9 eliminate the most obvious eavesdropping point. However, the term "private DNS" is a misnomer: it encrypts only the name lookup that precedes a connection, leaving the rest of the traffic exposed to network observers.
Even with encrypted lookups, the ISP or any on‑path observer can still see the IP address of the server a device contacts. Modern browsers also transmit the requested hostname in the Server Name Indication (SNI) field of the TLS handshake, which remains unencrypted in most implementations. These data points allow a savvy adversary to reconstruct a fairly accurate picture of a user’s browsing habits, undermining the illusion of total privacy. For businesses, this residual visibility can expose corporate traffic patterns, potentially violating internal policies or regulatory requirements.
To achieve genuine privacy, users must adopt a layered approach. Pairing private DNS with a reputable VPN masks both IP and SNI, while browsers that support encrypted SNI (ESNI) further reduce leakage. Regular DNS‑leak tests help verify that no application or router is bypassing system settings. As the ecosystem evolves, providers are beginning to offer DNS resolvers that enforce no‑log policies and operate under strong jurisdictional safeguards, but the onus remains on users to choose trusted services and configure their devices correctly.
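The SNI leak described above is easy to see once you look at the bytes on the wire. The following is an added example, not code from the article or from any of the providers it names: it constructs a minimal TLS ClientHello (constructed sample, with a zeroed random field so the output is deterministic) and then parses it the way a passive on‑path observer would, pulling the host name straight out of the cleartext server_name extension (extension type 0). Encrypting the DNS lookup changes nothing here; the same name reappears in this handshake. Note that the ESNI experiment mentioned above has since been succeeded by Encrypted Client Hello (ECH), which moves the real name into an encrypted inner ClientHello so that the outer, visible SNI carries only a shared public name.

```python
"""Show what an on-path observer can read from a TLS ClientHello even when DNS is encrypted.

Added example (not from the article). The ClientHello built here is a constructed,
minimal TLS 1.2-style record: one cipher suite, no session id, optional SNI extension.
"""
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return a constructed TLS record containing a ClientHello.

    If `hostname` is given, a server_name (SNI) extension is included exactly as
    browsers send it: in cleartext, before any key exchange has happened.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, the name itself
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        # ServerNameList: 2-byte total length followed by the entries
        sni_list = struct.pack("!H", len(entry)) + entry
        # Extension header: type 0x0000 (server_name), 2-byte data length
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list

    body = (
        b"\x03\x03"                       # client_version TLS 1.2
        + bytes(32)                       # random (zeroed for a deterministic sample)
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                     # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: msg_type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # TLS record header: content_type 22 (handshake), legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record as a passive observer and return the SNI host name, if any.

    Nothing here needs a key: every field walked below is unencrypted by design.
    Returns None for non-handshake records, non-ClientHello messages, or a
    ClientHello without a server_name extension (for example an ECH inner hello
    would not be visible at all; only the outer public name is).
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    pos = 4                      # skip handshake header
    pos += 2 + 32                # client_version + random
    if pos >= len(hs):
        return None
    sid_len = hs[pos]
    pos += 1 + sid_len           # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len            # cipher_suites
    comp_len = hs[pos]
    pos += 1 + comp_len          # compression_methods
    if pos + 2 > len(hs):
        return None              # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == 0x0000:      # server_name extension
            q = 2                # skip ServerNameList length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:   # host_name
                    return data[q:q + nlen].decode("ascii", "replace")
                q += nlen
    return None


if __name__ == "__main__":
    for host in ("example.com", None):
        rec = build_client_hello(host)
        print(f"record of {len(rec)} bytes -> observer sees SNI: {extract_sni(rec)!r}")
```

Run it and the first line shows the host name recovered from the record with no key material at all, which is the point the article makes: DoT/DoH hides the lookup, not the destination. The same parser run over real captured handshakes is a useful check of whether a client on your network is actually sending ECH (outer SNI is a public cover name) or a bare SNI.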
"Private DNS" isn't as private as you think
