
Encrypted DNS vs VPN: What Each One Actually Does

These two get pitched as rivals, as if you have to pick one. You do not. They work in different places: encrypted DNS seals a single signal on the wire, while a VPN moves your whole view to a new provider. Here is what each one hides, who you end up trusting, and why running both is a reasonable answer.

The short answer

They solve different problems. Encrypted DNS stops your provider, and anyone else on the path, from reading the names you look up. A VPN wraps all of your traffic in one tunnel to a single exit, so your ISP sees only that tunnel.

The catch with a VPN is that the watching does not stop, it just relocates. Whoever runs the VPN now sits exactly where your ISP did, and sees the same things, including your lookups unless you do something about it.

That is why the two fit together. Run encrypted DNS to keep your lookups private from whoever carries your packets, and reach for a VPN when you specifically want to move trust off your ISP or change where you appear to connect from.

[Figure: Where the watcher sits. Encrypted DNS removes one signal in place; a VPN moves the whole view to a new provider.]

Top row: encrypted DNS seals the lookup, but your ISP stays on the wire and still reads the SNI and the destination IP. Bottom row: a VPN blinds the ISP to all of it, and hands the same view to whoever runs the VPN.

What each one is actually for

Encrypted DNS seals a signal

Your DNS lookups are the cleanest record of where you go: a tidy, timestamped list of names. Encrypted DNS (DoH, DoT, DoQ) wraps that one exchange in TLS (or QUIC) so nobody on the path can read or tamper with it. It is light, and when you set it at the operating-system or router level it covers every app on the device; a browser's own DoH setting covers only that browser. It does not change how or where you connect, and it does not touch the rest of the connection, so the SNI and destination IP still show. The resolver you send the query to still sees it: encrypted DNS changes who else can read your lookups, not whether anyone can.
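To make concrete what "wraps that one exchange" means, here is an added example (not code from this guide) that builds a standard DNS query in wire format, packs it into the RFC 8484 GET form, and parses the answer. The resolver URL is a placeholder assumption, and the response bytes are constructed by hand so the parser runs offline. The point it shows: the message inside DoH is byte-for-byte an ordinary DNS message; only the transport changes.

```python
"""DoH is an ordinary DNS message carried inside HTTPS (RFC 8484).

Added example, not code from the original guide. RESOLVER_URL is an
assumed placeholder, not a real resolver; SAMPLE_RESPONSE is constructed
by hand so parse_a_records() can be exercised offline.
"""
import base64
import struct
import urllib.request

RESOLVER_URL = "https://dns.example.net/dns-query"  # assumption for illustration
TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query. ID is 0 as RFC 8484 recommends, so identical
    queries produce identical bytes and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the query travels in the 'dns' parameter, base64url, no padding."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 strings from the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                 # skip the question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_over_doh(name: str, base_url: str = RESOLVER_URL) -> list[str]:
    """Send the query over HTTPS. The ISP sees a TLS connection to the
    resolver host, never the name inside the request."""
    req = urllib.request.Request(
        doh_get_url(base_url, build_query(name)),
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())


# Constructed response to build_query("www.example.com"): one A record whose
# name is a pointer back to the question at offset 12, TTL 300, 203.0.113.10.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print("wire query bytes:", q.hex())
    print("DoH GET URL:     ", doh_get_url(RESOLVER_URL, q))
    print("parsed sample answer:", parse_a_records(SAMPLE_RESPONSE))
```

Run it and compare the hex of the wire query with what a capture on UDP port 53 would show: the bytes are identical. DoH puts them inside a TLS session to the resolver, and that session is all an on-path observer gets.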

A VPN moves the vantage point

A VPN wraps all of your traffic in one tunnel to an exit server, then sends it onward from there. Your ISP sees only an encrypted link to the VPN, and sites see the VPN's address instead of yours. That is genuinely useful for changing your apparent location or getting off an untrusted local network. But the VPN provider now sits where your ISP did, so you have swapped one watcher for another.

Who can read the names you look up

                            Your ISP       Your VPN       Your resolver
Encrypted DNS on its own    cannot read    no VPN         answers them
VPN on its own              cannot read    reads them     answers them
Encrypted DNS + VPN         cannot read    cannot read    answers them

Someone always answers your queries. The point is choosing who, instead of handing them to whoever runs the tunnel.

A VPN on its own routes your lookups through its own resolver, so the VPN provider sees them. Running your own encrypted DNS inside the tunnel flips that last column: the VPN carries sealed packets it cannot read, and your chosen resolver, not the provider's, answers the query.

On "answers them": a resolver has to see the query to return an address, so this is by design rather than a leak. The choice that matters is which resolver you trust with it.

Side by side

What you get from each, and from running both together.

                                           Encrypted DNS     VPN             Both together
Hides your lookups from the ISP            Yes               Yes             Yes
Hides the site name (SNI) from the ISP     Only with ECH     Yes             Yes
Hides the destination IP from the ISP      No                Yes             Yes
Keeps your lookups private from the VPN    No VPN involved   No              Yes
Changes your apparent IP / location        No                Yes             Yes
Covers every app on the device             Yes               Yes             Yes
Speed cost                                 Negligible        An extra hop    An extra hop
Typical cost                               Free              Often paid      Depends

Timing and volume stay visible to whoever carries your packets in every column, because the existence of traffic cannot be hidden by either tool. A free VPN is rarely free in practice: if you are not paying, the watching position you handed over is usually the product.

When each one makes sense

Encrypted DNS is the baseline. It is the cheapest, lightest change with the clearest payoff: your provider stops keeping an easy name-by-name log of your browsing. There is little reason not to have it on all the time, on every device, whether or not you also use a VPN.

A VPN earns its place for specific jobs. Getting off an untrusted network like public Wi-Fi, keeping a particular ISP from profiling your traffic, or appearing to connect from somewhere else. Those are real needs a VPN handles well. Just go in clear-eyed that you are choosing to trust the VPN provider in your ISP's old seat, so pick one whose logging policy and track record you actually believe.

Used together, they cover each other's gaps: the VPN hides the SNI and IP that encrypted DNS leaves exposed, and encrypted DNS keeps your lookups private from the VPN itself. If you want the SNI sealed without a VPN, the path is Encrypted Client Hello, which needs encrypted DNS to work in the first place. And if you do run a VPN, it is worth confirming your lookups actually go where you expect, which is exactly what a VPN DNS leak can quietly break.
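The leak check above, and the earlier point about running your own encrypted DNS inside the tunnel, both come down to one question: which resolver will each interface actually use, and is it talking to that resolver over TLS? Here is an added example (not code from this guide) that answers it on a systemd-resolved host by parsing the text that resolvectl status prints. The sample output is constructed, not captured from a real machine, and the interface names and addresses in it are assumptions.

```python
"""Audit which resolver each interface will actually use.

Added example, not from the original guide. It reads the text that
`resolvectl status` prints on systemd-resolved hosts and flags any scope
whose DNS servers are not in the set you chose, or that reaches them
without DNS-over-TLS. SAMPLE_STATUS is constructed, not captured; the
interface names and addresses are assumptions.
"""
import re
import subprocess

# Constructed sample: the VPN pushed 10.8.0.1 on tun0 and claimed the default
# route, but eth0 still carries the router's resolver for its own scope, and
# neither link uses DNS-over-TLS even though Global does.
SAMPLE_STATUS = """\
Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9 149.112.112.112

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.8.0.1
       DNS Servers: 10.8.0.1
        DNS Domain: ~.
"""

LINK_RE = re.compile(r"^Link \d+ \((?P<name>[^)]+)\)")


def parse_status(text: str) -> dict[str, dict]:
    """Return {scope: {"servers": [...], "dot": bool}} for Global and each link."""
    scopes: dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = LINK_RE.match(line)
        if stripped == "Global" or m:
            current = m.group("name") if m else "Global"
            scopes[current] = {"servers": [], "dot": False}
            continue
        if current is None or ":" not in stripped:
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key == "DNS Servers":
            # resolved may print 'addr#hostname' for DoT; keep the address only
            scopes[current]["servers"] = [s.split("#")[0] for s in value.split()]
        elif key == "Protocols":
            scopes[current]["dot"] = "+DNSOverTLS" in value.split()
    return scopes


def find_leaks(text: str, trusted: set[str]) -> list[str]:
    """One finding per scope that can send a lookup somewhere you did not choose,
    or send it in the clear."""
    findings = []
    for scope, info in parse_status(text).items():
        strangers = [s for s in info["servers"] if s not in trusted]
        if strangers:
            findings.append(f"{scope}: untrusted resolver(s) {', '.join(strangers)}")
        if info["servers"] and not info["dot"]:
            findings.append(f"{scope}: lookups sent in plaintext (DNSOverTLS off)")
    return findings


def live_status() -> str:
    """Run the real command; only works on a host that uses systemd-resolved."""
    return subprocess.run(["resolvectl", "status"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    trusted = {"9.9.9.9", "149.112.112.112"}   # whatever resolver you configured
    for finding in find_leaks(SAMPLE_STATUS, trusted):
        print(finding)
```

On the constructed sample the Global scope passes, while both links fail twice: each points at a resolver you did not pick, and each reaches it in plaintext. That is the shape of a real leak: the VPN replaced one server list, the physical link kept its own, and per-link settings, not the Global line, decide where a given lookup goes. Swap SAMPLE_STATUS for live_status() on a real host to audit your own configuration.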

Start with the baseline

Whether or not you use a VPN, encrypting your DNS is the one change that keeps your lookups private from whoever carries your packets. It takes a couple of minutes and covers every app on the device.


Already running a VPN? Run the DNS leak test to confirm which resolver actually handles your lookups.