Everything on the left is cleared from your machine when the window closes. Everything on the right never went through incognito at all; it travels the network the same way a normal window's traffic does.
Incognito is privacy from the people who share your device, not from the internet. The two get confused constantly, and the gap is where the trouble starts.
What "private" actually means here
- Local privacy — what incognito gives you
  - A session that leaves no trace on this computer or phone. No history entry, no saved cookies, no cached files, nothing in autofill. Built for a shared or borrowed device: close the window and the next person finds a clean slate. This is real and it works.
- Network privacy — what it does not give you
  - Hiding where your traffic goes from everyone between you and the site: your ISP, your DNS resolver, the network you are on, and the sites themselves. Incognito changes none of this. Your requests leave the device exactly as they would normally, and everyone on that path sees the same thing.
What incognito does well
Give it credit for its actual job. On a shared family laptop, a library machine, or a friend's phone, a private window keeps your session out of the history, signs you out when you close it, and leaves no cookies or cached pages behind. It is also handy for logging into two accounts at once, or seeing a site as a logged-out visitor would.
All of that is about the device. It is genuine privacy from the next person who picks up the same machine. Nothing in that list reaches past the keyboard.
What it does not touch
The moment your browser needs to load a page, it has to ask "where is this site?" and then connect to it. That conversation happens out on the network, and incognito has no say in it. Your device still asks a DNS resolver to turn the site name into an address, and that lookup, in a plain setup, is sent in the clear. Your ISP can see it. The network you are on can see it. The site you land on still sees your IP address, and if you sign in, it sees exactly who you are.
So the popular idea that incognito hides your browsing from your ISP, your employer, or your school is simply wrong. Those parties watch the network, and incognito never changes what crosses the network.
The part incognito leaves wide open: your DNS
Of everything on the network side, the DNS lookup is the most revealing, because it names every site you visit before the page even loads. In a normal setup those lookups go to whatever resolver your operating system is configured for, usually your ISP's, and they travel unencrypted. Private window or not, that resolver ends up with a timestamped list of every domain you opened. This is also why a DNS leak shows up identically in incognito.
This is the gap encrypted DNS actually closes. With DoH or DoT, the lookup is sealed between you and the resolver you chose, so the network and your ISP can no longer read it. That is a real, network-level change, the kind incognito was never able to make. And even then the site name can still leak in the TLS handshake unless Encrypted Client Hello is in play. Encrypted DNS is the first and biggest step; our setup guide walks through it.
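To make the difference concrete, the following is an added example (not part of the original article) that encodes a DNS query in RFC 1035 wire format, shows what any on-path party can read from it on plain UDP port 53, and builds the RFC 8484 DoH form of the same message, which travels only inside HTTPS. The domain `clinic.example` is a constructed sample, and the `/dns-query` path is an assumed resolver path following the RFC 8484 convention.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard DNS query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN

def observed_name(payload: bytes) -> str:
    """What any on-path party can read from a plaintext UDP/53 payload."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    if struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)

def doh_get_path(query: bytes) -> str:
    """RFC 8484 GET form: the same message, base64url without padding.
    It is sent inside HTTPS, so on-path parties see only TLS records."""
    # "/dns-query" is an assumed path; real resolvers publish their own URI.
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

if __name__ == "__main__":
    q = build_query("clinic.example")  # constructed sample, reserved domain
    print("on the wire (hex):", q.hex())
    print("observer reads   :", observed_name(q))
    print("DoH request path :", doh_get_path(q))
```

The query bytes are identical in both cases; what changes with DoH is that they are carried inside an encrypted HTTPS connection to the resolver you chose instead of in a readable UDP datagram.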
What actually hides each thing
| What you want to keep private | Incognito | What actually does it |
|---|---|---|
| Traces on a shared or borrowed device | Yes | Incognito; this is its real job |
| Which sites you visit, from your ISP and network | No | Encrypted DNS (DoH or DoT) |
| Your IP address and rough location, from sites | No | A VPN or Tor |
| Your identity on a site you log into | No | Do not sign in, or use a separate identity |
| Being re-recognised without cookies | No | Anti-fingerprinting measures |
No single tool covers every row. Incognito owns the top one and nothing below it. Each network-level item needs a tool that works on the network.
Close the gap incognito leaves open
Private mode keeps your device clean. Encrypting your DNS is what keeps the sites you visit off your ISP's and your network's record. Start there.