Does Encrypted DNS Keep Your Traffic Private?
Why It Matters
DoH hides DNS queries but leaves metadata such as the TLS SNI exposed, so relying on it alone can give a false sense of privacy; businesses and users need comprehensive solutions, such as VPNs, to protect all aspects of their traffic.
Key Takeaways
- DNS over HTTPS encrypts DNS queries but not all traffic metadata.
- Wireshark reveals SNI leaks exposing visited domain names.
- HTTPS protects the payload, yet handshake data remains observable.
- Relying solely on DoH isn’t a VPN substitute for privacy.
- Test privacy claims yourself with packet captures before trusting statements.
Summary
The video tests the popular claim that using DNS‑over‑HTTPS (DoH) together with HTTPS makes all of your internet traffic private, eliminating the need for a VPN. The presenter sets up two PCs, taps the network traffic, and captures packets with Wireshark to see exactly what leaves the browser.
With Firefox configured for strict privacy and DNS queries routed through Cloudflare’s DoH, the DNS lookups are indeed encrypted and invisible to the observer. However, the TLS handshake still leaks the Server Name Indication (SNI) carried in the clear‑text ClientHello, which reveals the destination host (e.g., Nvidia, Microsoft) even though the payload remains encrypted.
The demonstrator calls out the “always private” mantra, showing that while DNS queries disappear, the SNI field in the clear‑text handshake betrays the sites visited. This concrete example counters the notion that DoH alone provides end‑to‑end privacy.
The takeaway is that DoH improves privacy but does not replace a VPN for full anonymity. Users should verify privacy claims with their own packet captures and consider layered defenses when sensitive browsing is required.