Encrypted DNS Explained: What DoH and DoT Actually Hide — and Why Your VPN's DNS Matters

Encrypted DNS Explained: What DoH and DoT Actually Hide — and Why Your VPN's DNS Matters
Every time you visit a website, your device first performs a quiet lookup that most people never think about: it asks "what's the IP address for this domain name?" That's DNS — the internet's phonebook — and for most of the web's history that question and its answer traveled in plain text, readable by anyone between you and your DNS server. Encrypted DNS fixes that. This guide explains how it works, precisely what it protects, what it leaves exposed, and how it relates to the VPN you may already be running.
Why plaintext DNS is a privacy problem
When you connect to a site over HTTPS, the content of your session is encrypted. But the DNS lookup that happens first usually is not. Your internet provider — or anyone on the same network — can watch those lookups and build a complete list of the domains you visit, even though they can't read the pages themselves.
Plaintext DNS enables two distinct harms. The first is surveillance: your ISP can log and even monetize your browsing history through the domains you resolve. The second is tampering: because the query is unauthenticated, a network can redirect or block lookups — the mechanism behind a lot of DNS-based censorship and the fake login pages served on hostile Wi-Fi. Encrypted DNS addresses both by wrapping the lookup in encryption and integrity protection.
DoH vs DoT: two ways to encrypt the lookup
There are two mainstream standards, and the difference between them is mostly about which port they use and therefore how visible they are on the network.
DNS over HTTPS (DoH) sends your DNS queries inside ordinary HTTPS traffic on port 443, standardized in RFC 8484. Because it looks like any other web request, it's hard for a network to single out and block — which is exactly why browsers adopted it. It's the option you'll most often toggle on in Firefox, Chrome, or Edge.
DNS over TLS (DoT) wraps the same queries in TLS but on a dedicated port 853. That makes it cleaner to manage on a network — administrators can see and control DoT traffic distinctly — but also easier for a restrictive network to block outright. DoT is common at the operating-system and router level (Android's Private DNS, for instance).
Both give you the same core protection: the queries are encrypted in transit and authenticated so they can't be silently altered. DoH prioritizes blending in; DoT prioritizes clean network management. For an individual chasing privacy, DoH is usually the more resilient choice.
What encrypted DNS actually hides — and what it doesn't
This is where honesty matters, because encrypted DNS is often oversold. It solves one specific problem well and leaves others untouched.
What it hides:
The content of your DNS lookups from your ISP and anyone else on your local network — they can no longer read which domains you're resolving.
The integrity of the answer — a network can't quietly redirect your lookup to a malicious or censored destination.
What it does NOT hide:
The destination IP address. After the lookup, your device still connects to that IP, and your ISP sees the connection. From a well-known IP alone, they can often infer the site.
The server name in the TLS handshake (SNI). Unless Encrypted Client Hello is in use, the domain you're connecting to is still visible in the first packet of the HTTPS connection itself — separate from DNS.
Your queries from the resolver. Encrypted DNS moves your trust, it doesn't remove it. Whoever runs the resolver — Cloudflare's 1.1.1.1, Google's 8.8.8.8, Quad9, or your ISP — now sees every lookup. Choose one with a real privacy policy.
Metadata generally. Timing, volume, and connection patterns still leak information even when the lookups are encrypted.
Encrypted DNS hides which sites you look up from your network — but the connection that follows still reveals plenty, and the resolver you pick sees everything. It's a baseline, not a cloak.
Encrypted DNS vs a VPN: they solve different layers
People often ask whether encrypted DNS replaces a VPN. It doesn't — they operate at different scopes, and understanding that prevents a common mistake.
Encrypted DNS protects only your DNS lookups. A VPN encrypts and tunnels all of your traffic — the lookups and the connections that follow — to the VPN server, so your ISP sees only an encrypted tunnel to your provider and nothing about the destinations inside it. A properly configured VPN also handles DNS for you, routing those queries through the tunnel to the provider's own resolver.
That last detail is where things go wrong. If your browser or OS is configured to send DoH to a different provider while a VPN is active, your DNS can slip outside the tunnel — a classic DNS leak that exposes your lookups to a resolver you didn't intend, undermining the VPN. The fix is to let the VPN manage DNS, or to point encrypted DNS at the VPN's own resolver, and then verify.
How to check and set it up
Test for leaks first. Run a DNS leak test — including the encrypted-DNS and leak tools on this site — to see exactly which resolver is answering for you and whether it's the one you expect. If you're on a VPN and see your ISP's resolver, you have a leak.
Turn on encrypted DNS deliberately. In Firefox, Chrome, or Edge, enable Secure DNS / DNS over HTTPS and pick a reputable resolver. On Android, use Private DNS (DoT); on modern Windows and Apple systems, encrypted DNS is available at the OS level.
When using a VPN, let it own DNS. Prefer the VPN's built-in DNS so lookups stay inside the tunnel, and disable a conflicting browser DoH setting that would route them elsewhere.
Choose your resolver like it matters — because it does. Cloudflare, Google, and Quad9 publish privacy policies and offer filtering variants; your ISP's resolver generally offers the least privacy. The resolver sees your lookups, so trust is the whole decision.
The takeaway
Encrypted DNS is one of the cheapest privacy upgrades available: it stops your ISP and local network from reading and tampering with your lookups, and every modern browser and OS supports it. But it's a single layer. It doesn't hide the connections that follow, and it shifts your trust to whichever resolver you choose. Pair it with a well-configured VPN — one that owns your DNS so nothing leaks — and you close the gap that either tool leaves open on its own. As always, don't assume it's working; test it and confirm.
Frequently Asked Questions
What is the difference between DoH and DoT?
Both encrypt your DNS lookups, but DNS over HTTPS (DoH) sends them inside normal HTTPS traffic on port 443, which makes it blend in and hard to block, while DNS over TLS (DoT) uses a dedicated port 853, which is cleaner for networks to manage but easier to block. Browsers typically use DoH; operating systems and routers often use DoT, such as Android's Private DNS.
Does encrypted DNS hide my browsing from my ISP?
Partly. It hides the content of your DNS lookups so your ISP can't read which domains you resolve, and it prevents tampering. But it does not hide the destination IP address you then connect to, nor the server name in the TLS handshake unless Encrypted Client Hello is used. For fuller protection your ISP can't see, you need a VPN, which tunnels all traffic.
Do I still need a VPN if I use encrypted DNS?
They solve different layers. Encrypted DNS protects only your DNS lookups; a VPN encrypts and tunnels all of your traffic, including the lookups and the connections that follow, and hides your IP address. Encrypted DNS is a useful baseline, but it is not a substitute for a VPN when you want your ISP and local network to see nothing about your destinations.
What is a DNS leak?
A DNS leak happens when your DNS queries travel outside your VPN tunnel — for example, when your browser or operating system is set to send DNS over HTTPS to a different provider while the VPN is active. The result is that a resolver you didn't intend sees your lookups, undermining the VPN. You can detect it with a DNS leak test and fix it by letting the VPN manage DNS.
Who can see my DNS queries when I use encrypted DNS?
The resolver you choose — such as Cloudflare's 1.1.1.1, Google's 8.8.8.8, Quad9, or your ISP — still sees every lookup. Encrypted DNS moves your trust to that resolver rather than removing it, so it's important to pick one with a clear, privacy-respecting policy. Your local network and ISP, however, can no longer read the encrypted lookups in transit.



