Back to guides
Privacy

Your DNS Is Encrypted. The Site Name Still Leaks.

You did the right thing and encrypted your DNS lookups. A fraction of a second later your browser opens the HTTPS connection and writes the hostname out in plaintext anyway, inside the TLS handshake. Anyone watching the wire still sees which site you opened. Encrypted Client Hello is the piece that finally closes that gap.

By Ozy-666, creator and operator of dnsdoh.art · Published · 7 min read
CAN THE NETWORK SEE THE SITE NAME? You DNS lookup encrypted (DoH) WITHOUT ECH site name: example.com SNI sent in plaintext network sees example.com WITH ECH site name: sealed SNI encrypted by ECH network cannot see (hidden)

The DNS lookup is encrypted either way. What differs is the site name in the TLS handshake: sent in the clear, the network reads it; encrypted with ECH, it cannot.

Encrypting DNS and encrypting the site name are two different jobs. Doing the first without the second leaves the most revealing detail, which site, in plain view.

The two acronyms, in plain words

SNI — Server Name Indication
A field in the TLS handshake where your browser writes the site name (for example dnsdoh.art) so a server that hosts many sites knows which one to answer for. By default it is sent in plaintext, before any encryption starts, so anyone on the network can read it. SNI is the thing being exposed.
ECH — Encrypted Client Hello
The feature that encrypts that opening handshake message, the part carrying the SNI and more. With ECH on, the site name is sealed inside and only the server can read it. There is no other way to encrypt the SNI today; ECH is the lock.

How the sealing works, in one line: the server publishes a public key in DNS, your browser uses that key to lock the handshake before sending it, and only the server, holding the matching private key, can unlock it. So the browser does the encrypting; the server just supplies the key and decrypts. The step-by-step is below.

Why the name is sent in the clear

It is not an oversight. A single IP address often hosts thousands of different sites behind a CDN or shared host. When your browser connects, the server has to know which site you want so it can present the right certificate, and it has to know this before the encrypted channel exists. So the browser announces the hostname in the very first message of the TLS handshake, a field called SNI (Server Name Indication), in the clear.

That solves the server's problem and creates yours. Your DNS query was encrypted, the page content is encrypted, but the one line that says where you are going travels unprotected. A network in the middle, your ISP, a workplace, an airport, does not need to break any encryption to log the sites you visit. It just reads the SNI.

From ESNI to ECH

The first attempt, ESNI, encrypted just the SNI field. It helped, but the rest of the handshake still leaked clues, and it was retired. Its successor, Encrypted Client Hello (ECH), takes the whole opening message of the handshake, the part that carries the SNI and more, and encrypts it with a public key that belongs to the server's front-end.

To an observer the handshake now starts with a generic, shared outer name instead of your real destination. Everyone connecting through the same front-end looks the same on the wire. The real site name is sealed inside, readable only by the server.

HOW ECH USES DNS Browser you DNS (HTTPS record) publishes the ECH key Server holds the private key 1 fetch ECH key 2 encrypted Client Hello (SNI sealed inside) OBSERVER SEES ONLY: an encrypted handshake to a shared front-end

The key that makes ECH possible is published in DNS. That is why encrypted DNS and ECH belong together.

Why ECH needs encrypted DNS

Notice where the ECH key comes from: a DNS record (the HTTPS, or SVCB, record) for the site. Your browser has to look that up before it can build the protected handshake. If that DNS lookup happens in the clear, an observer watching it can often infer the destination anyway, which undoes much of what ECH set out to protect.

So the two are a pair. Encrypted DNS hides the lookup; ECH hides the handshake. Run one without the other and you have only closed half the gap. If you have not encrypted your DNS yet, that is the first step, our setup guide covers it, and the protocols comparison explains the options.

What ECH still does not hide

ECH hides the name, not the address. Your browser still opens a connection to an IP, and the observer still sees that IP. Whether that gives the site away depends entirely on who else is behind it. On a large shared front-end where thousands of sites sit on the same address, the IP reveals almost nothing, the crowd is the protection. On a dedicated IP that hosts a single site, the IP alone still identifies the destination, and ECH buys you little on its own.

In other words, ECH is most effective when many sites share an address, and weakest when a site stands alone. It is a real improvement, not an invisibility cloak. What an IP does and does not reveal is covered in what your IP address reveals.

Where ECH stands today

Browser

Chrome and Firefox support ECH, switched on when encrypted DNS is in use. It is on by default in recent versions.

Server

The site must publish an ECH key in its DNS HTTPS record and support it at the TLS layer. Large CDNs do this already; self-hosting is still early.

Both needed

ECH only happens when browser and server both support it. If either side does not, the handshake falls back to plaintext SNI.

For most people there is nothing to configure: use an up-to-date browser with encrypted DNS, and ECH happens automatically on sites that support it. ECH protects the name in the handshake; post-quantum key exchange protects the session key behind it, so a recording cannot be decrypted later. On the server side, the ECH key this site publishes rotates monthly; how that key lives in the DNS HTTPS record is shown in Anatomy of a Hardened DNS Zone.

Close the first half of the gap

ECH needs encrypted DNS to mean anything. Start there: encrypt your lookups, then a modern browser handles the rest.

Encrypt your DNS