
Can Your ISP Still See the Sites You Visit?

Your provider carries every packet you send, so it sits in the perfect spot to watch where you go. Encrypted DNS takes one of the most revealing signals off the table. It does not take all of them. Here is exactly what your ISP can read at each stage, and what changes once your lookups are encrypted.

WHAT YOUR ISP CAN READ ON THE WIRE

You (your device)  ->  Your ISP  ->  Site (example.com)

  DNS LOOKUP        example.com
  TLS SNI           example.com
  DESTINATION IP    93.184.x.x
  WHEN & HOW MUCH   timing, size, who is online

Four signals, no encryption to break. The provider just reads what crosses the wire.

By default your ISP can name the site four different ways. The lookup and the SNI both spell it out; the IP usually points to it; and the timing alone says when you are online and how much you are doing.

The short answer

With plain DNS, yes, easily. Your ISP can see the name of every site you visit without breaking any encryption, because the lookup hands it over in the clear.

Encrypted DNS closes that one channel. Your provider can no longer read the lookup, which is the single clearest record of your browsing. That is a real, worthwhile change.

But the site name can still leak through the TLS SNI until Encrypted Client Hello is in play, and the destination IP is always visible. Encrypted DNS is one strong layer, not a cloak. The rest of this page shows exactly which signals it covers.

The four ways your ISP can tell where you went

1. The DNS lookup

Before loading a site your device asks "what is the address for example.com?". With plain DNS that question travels in the clear, so the ISP reads the exact name. This is the easiest signal to capture, and the one encrypted DNS removes.
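To make the first signal concrete, here is an added example (not code from the original guide) that builds a plain-DNS query for example.com in RFC 1035 wire format and then reads the queried name back out of it, exactly as a passive tap on port 53 could. The `observe_lookup` helper, its port-based classification and the `SAMPLE_DOT_RECORD` bytes are constructed assumptions for this illustration: with DNS over TLS or DNS over HTTPS the same question sits inside a TLS record, so the parser has nothing readable to work with.

```python
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal plain-DNS query (QTYPE A, QCLASS IN) in RFC 1035 wire format.

    Constructed sample so the example runs offline; a browser's real query to a
    plain resolver has the same shape on the wire.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                        # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes) -> Optional[str]:
    """Return the queried name from a raw DNS message, or None if none can be read."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:                 # QR=1 is a response, not a query
        return None
    labels = []
    pos = 12                                           # first question follows the header
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels) if labels else None
        if length & 0xC0:                              # compression pointer: not valid here
            return None
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return None                                        # ran off the end: truncated or not DNS


# Constructed placeholder for the same lookup sent over DNS over TLS: a TLS
# application-data record whose payload is ciphertext, not a DNS message.
SAMPLE_DOT_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)


def observe_lookup(dst_port: int, payload: bytes) -> Optional[str]:
    """What a passive tap on the provider side recovers from one outbound message.

    Plain DNS on port 53 hands over the name. On 853 (DoT) or 443 (DoH) the
    question is wrapped in TLS, so there is nothing for the parser to read.
    """
    if dst_port == 53:
        return parse_qname(payload)
    return None


if __name__ == "__main__":
    query = build_dns_query("example.com")
    print("plain DNS, port 53 :", observe_lookup(53, query))
    print("DoT record, port 853:", observe_lookup(853, SAMPLE_DOT_RECORD))
```

The parser refuses responses, compression pointers and truncated messages rather than guessing, which is the behaviour you want when the same code later feeds a monitoring rule.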

2. The TLS SNI

When the HTTPS connection opens, your browser still writes the site name in the first handshake message, in plaintext, so a shared server knows which site to serve. The ISP can read it there too, unless Encrypted Client Hello seals it.
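The same name reappears in the first TLS handshake message. This added example (not code from the original guide) assembles a minimal ClientHello record carrying a server_name extension and extracts the host name from it the way any on-path observer can; the builder, its zeroed random value and its single cipher suite are constructed for the illustration. A hello with no server_name extension yields nothing. Once Encrypted Client Hello is in use, the outer hello shows only the client-facing server's public name and the real site name sits in the encrypted inner hello, so a parser like this one no longer recovers where you went.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension type


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Assemble a minimal TLS ClientHello record, with or without a server_name extension.

    Constructed for this example: zeroed random, empty session id, one cipher
    suite (TLS_AES_128_GCM_SHA256). Browsers send far more, but the SNI sits in
    the same place.
    """
    body = b"\x03\x03" + bytes(32)             # legacy version 1.2 + 32-byte random
    body += b"\x00"                            # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01" # cipher_suites: one entry
    body += b"\x01\x00"                        # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name in a ClientHello's server_name extension, or None.

    Every length is bounds-checked, so malformed, truncated or non-handshake
    records return None instead of raising.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                   # skip session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                                   # skip compression methods
    if len(body) < pos + 2:
        return None                                        # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            if len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))  # prints example.com
    print(extract_sni(build_client_hello(None)))           # prints None
```

Nothing here breaks or weakens TLS: the name is read from the unencrypted part of the handshake, which is exactly why the page lists it as a signal that only ECH removes.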

3. The destination IP

Your packets have to be addressed to somewhere, so the ISP always sees the IP you connect to. On a big shared host that IP points at thousands of sites and reveals little; on a dedicated server it can still name the destination on its own.

4. Timing and volume

Even with everything else sealed, the ISP sees that you are online, when, and how much data moves. Patterns of size and timing can hint at what kind of activity is happening, though not the content itself.

WHAT ENCRYPTED DNS ACTUALLY SEALS

                         DNS lookup   SNI                 Dest. IP    Timing
Plain DNS (default)      visible      visible             visible     visible
Encrypted DNS            sealed       visible until ECH   visible     visible
Encrypted DNS + ECH      sealed       sealed              partial *   visible

Encrypted DNS seals the lookup; ECH also seals the SNI. The IP narrows, the timing stays.

Three rows, honestly drawn. Encrypted DNS darkens the lookup; Encrypted Client Hello also seals the site name in the SNI. The destination IP narrows but never fully disappears, and the timing always shows.

* partial: your packets still carry a destination IP, so it is never hidden. On a large shared host or CDN that one IP serves thousands of sites, so it points at a crowd and reveals little. On a dedicated IP serving a single site, it still names exactly where you went.

Who sees what, setup by setup

Each column is a setup. Visible means your ISP can read it, partial means it depends, hidden means it cannot.

What can be read                          Plain DNS   Encrypted DNS   Encrypted DNS + ECH   VPN
Site name via DNS lookup                  Visible     Hidden          Hidden                Hidden
Site name via TLS SNI                     Visible     Visible         Hidden                Hidden
Destination IP address                    Visible     Visible         Partial               Hidden
That you are online, timing, volume       Visible     Visible         Visible               Visible
Page content / what you do on the site    Hidden      Hidden          Hidden                Hidden

Page content has been encrypted by HTTPS for years, so the ISP never saw what you typed or read, only where you went. A VPN does not make the leaks vanish; it moves them to the VPN provider, who then sits where your ISP did. The "destination IP" is marked partial with ECH because a shared front-end hides it well while a dedicated IP still points at one site, as covered in what your IP address reveals.

What encrypted DNS changes, and what it does not

Of the four signals, the DNS lookup is the cleanest and most complete. It is a tidy, timestamped list of every name your device asked about, trivial to log and to keep. Removing it is the highest-value single change you can make, which is why it is worth doing even though it is not the whole picture.

What stays is the harder, noisier stuff. The SNI exposes the name again at the TLS layer until ECH seals it, and the two are linked: ECH fetches its key through DNS, so encrypting your lookups is the first step toward closing the SNI gap as well. The destination IP is always on the envelope, though on shared hosting it points at a crowd rather than a person. And timing is unavoidable for anyone carrying your packets.

The honest summary: encrypted DNS stops your provider from keeping an easy, name-by-name log of your browsing. It does not make you invisible to the network, and no single setting does. It is the foundation the other layers build on.

Take the lookup off the table

Encrypting your DNS is the one change that removes your ISP's clearest record of where you go. It takes a couple of minutes and covers every app on the device.

Encrypt your DNS

Want to confirm it worked? Run the DNS leak test to see which resolver actually handles your lookups.