
Encrypted DNS vs VPN — Why DoH and DoT Won't Hide Your Browsing in 2026

Mosaic Team
Published: April 27, 2026


If you turned on encrypted DNS in your browser or operating system and assumed your ISP could no longer see what websites you visit — you're not alone. It's one of the most common privacy misconceptions in 2026.

In mid-April, security instructor David Bombal published a hands-on demonstration that's been making the rounds: even with DNS-over-HTTPS (DoH) turned on, even with TLS encrypting every connection, he could still identify the exact websites a target was visiting just by tapping the network. The encrypted DNS lookup hid almost nothing useful.

If you're relying on DoH or DoT alone to keep your browsing private, this article is for you. Let's break down what encrypted DNS actually hides, what it leaks, and why a VPN is still the only reliable way to keep your traffic out of your ISP's logs.


A Quick Refresher: What Is DNS?

Every time you type example.com into your browser, your device first asks a DNS resolver to translate that name into an IP address like 93.184.216.34. Without DNS, the internet is just a phone book full of numbers no one remembers.

For decades, DNS queries were sent in plaintext over UDP port 53 — completely unencrypted. Anyone watching your network (your ISP, the coffee shop Wi-Fi admin, a government agency) could read every single domain you looked up.

Encrypted DNS was designed to fix that one specific problem.


What Is Encrypted DNS?

"Encrypted DNS" is an umbrella term covering three modern transport protocols:

Protocol  Full Name       Port  Transport
DoH       DNS over HTTPS  443   TCP/HTTPS
DoT       DNS over TLS    853   TCP/TLS
DoQ       DNS over QUIC   853   UDP/QUIC

All three wrap your DNS queries in an encrypted tunnel between your device and the resolver. Big providers like Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9, and NextDNS all support these protocols. Most modern browsers (Firefox, Chrome, Edge, Safari) and operating systems (Windows 11, macOS, iOS, Android) can enable encrypted DNS in a few clicks.

Encrypted DNS solves the DNS plaintext problem. It does not solve the larger problem of network surveillance.


What Encrypted DNS Actually Hides

Let's give credit where it's due. When you enable DoH or DoT, the following things become invisible to your ISP and any local network observer:

  • The DNS query itself — the literal name example.com is no longer sent in plaintext
  • The DNS response — the IP address returned by the resolver is also encrypted
  • DNS hijacking is harder — your ISP can no longer rewrite responses to redirect you to a different page

If you live somewhere with aggressive DNS-based censorship, encrypted DNS can sometimes get you around the simplest blocking schemes. That's a real benefit.

But here's the catch: hiding the DNS query is only one tiny part of the privacy picture.


What Encrypted DNS Doesn't Hide

This is where almost everyone's mental model breaks down. After your device resolves example.com to 93.184.216.34, it has to actually connect to that IP address to load the website. That connection is the part your ISP cares about — and encrypted DNS does absolutely nothing to hide it.

There are three big leaks left wide open:

1. The Destination IP Address

Every packet you send carries a destination IP in its header. Routers — including your ISP's — read that IP to forward the packet. There is no way to hide it from your ISP without putting another network layer (a VPN, Tor, or a proxy) on top.

Once your ISP sees you connecting to a Netflix IP block, a Google IP block, or a known adult-site CDN, they don't need DNS to know roughly where you're going.

2. The TLS SNI Field

When your browser opens an HTTPS connection, the very first message — the TLS ClientHello — contains a field called SNI (Server Name Indication). SNI tells the server which website you're asking for, because one IP address often hosts thousands of sites behind a CDN.

The problem? SNI is sent in plaintext. Even though everything after the handshake is encrypted, the hostname itself flies across the wire in the clear. Your ISP can read it as easily as a postcard.

This is the single biggest reason encrypted DNS doesn't actually hide your browsing. As David Bombal put it in his April demo: "Just because your DNS is now encrypted, doesn't mean that your ISP — or another person tapping the network — can't see which website you're going to."

3. Traffic Patterns and Timing

Even if a domain is somehow obscured, the size, timing, and frequency of packets leak a surprising amount. Researchers have shown that with nothing more than packet metadata, an observer can fingerprint specific YouTube videos, identify which streaming service you're using, and even guess what page you're reading.


What About ECH? Doesn't It Fix SNI?

Good question — and it's the right one to ask. Encrypted Client Hello (ECH) is the successor to the old ESNI proposal. It encrypts the entire ClientHello, including the SNI field, so the hostname is no longer leaked at the start of a TLS handshake.

ECH is genuinely the cleanest fix for the SNI problem. The catch is adoption:

  • ECH only works if both the client (browser) and the server (or its CDN) support it
  • In practice, most ECH-enabled traffic in 2026 is on Cloudflare — a single CDN
  • Many large sites (banks, airlines, government, regional services) don't sit behind an ECH-capable CDN at all
  • Some networks actively block ECH-flagged ClientHellos to force fallback

In Bombal's experiment, the SNI field exposed the destination domain on almost every site he tested, with the rare exceptions being Cloudflare-fronted sites that had ECH enabled. The technology is real, but it isn't yet a full answer.
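To make the SNI leak and the ECH case above concrete, here is an added example (not code from the original post or from Mosaic): a small Python parser that reads a TLS ClientHello the way a passive tap on the wire would, returning the plaintext SNI hostname and whether an ECH extension is present. The ClientHello bytes are constructed inline as sample data; the ECH codepoint 0xfe0d is taken from the IETF ECH draft and the ECH payload is a placeholder, not real HPKE encryption.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint from the IETF ECH draft (assumed)

def build_client_hello(host=None, ech=False):
    """Construct a minimal TLS record carrying a ClientHello (sample data, not a real capture)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if ech:
        payload = b"\x00" * 8   # placeholder for the encrypted inner ClientHello (real ECH is HPKE-encrypted)
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # legacy version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def observer_view(record):
    """Return (sni_hostname_or_None, ech_present): what a passive tap can read before encryption starts."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    sni, ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        if etype == SNI_EXT:
            nlen = struct.unpack("!H", data[3:5])[0]        # skip list length (2) and name_type (1)
            sni = data[5:5 + nlen].decode("ascii")
        elif etype == ECH_EXT:
            ech = True                                      # real hostname sits inside the encrypted inner hello
        pos += 4 + elen
    return sni, ech

if __name__ == "__main__":
    # Plain HTTPS: the hostname is readable by anyone on the path, encrypted DNS or not.
    print(observer_view(build_client_hello("example.com")))                   # ('example.com', False)
    # ECH: the outer SNI carries only the CDN's public name; the real site stays hidden.
    print(observer_view(build_client_hello("public.example.net", ech=True)))  # ('public.example.net', True)
```

The same parser can be pointed at the first TLS record of a real capture to check, per connection, whether a hostname is leaving the network in the clear.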


Encrypted DNS vs VPN: The Real Comparison

Here's how the two technologies actually stack up against the threats most people care about:

What an Observer Can See                       Encrypted DNS Only  VPN
Plaintext DNS queries                          Hidden              Hidden
Destination IP address                         Visible             Hidden (only sees VPN server IP)
TLS SNI / hostname                             Visible             Hidden (inside the tunnel)
Connection timing & volume to a specific site  Visible             Obscured (mixed with other VPN traffic)
Who your ISP can sell browsing data on         You                 The VPN provider, if it logs (a no-logs VPN doesn't)
Geo-restricted content access                  No change           Bypassed via server in another region
Public Wi-Fi snooping                          Partial             Fully encrypted end-to-end

A VPN works at a fundamentally lower layer than DNS. It builds an encrypted tunnel from your device to a VPN server, and every packet — DNS lookups, IP-level routing, TLS handshakes, SNI, traffic patterns — travels through that tunnel. Your ISP only sees a single encrypted stream to a VPN endpoint. They can't read it, can't fingerprint individual destinations, and can't sell what they don't have.


Why "I Just Use DoH" Isn't Enough

Let's run through the situations where people most often assume encrypted DNS is protecting them, and what's actually happening:

On home Wi-Fi. Your ISP still sees every IP and SNI you connect to. They can build a complete browsing profile and, in many countries, sell or share it.

On public Wi-Fi. Anyone running the access point — or an attacker on the same network — can read your SNI in plaintext. They learn every site you visit, even if your DNS is encrypted to Cloudflare.

On a corporate or hotel network. The network admin can see all your destinations and often actively logs them. Some networks even block known DoH resolvers to force you back to plaintext DNS.

Under government-level surveillance or censorship. SNI inspection is one of the cheapest, most widely deployed filtering techniques in the world. Encrypted DNS alone won't bypass it.

In none of these cases does DoH meaningfully change what an observer can learn about you.


The Right Stack: Encrypted DNS and a VPN

This isn't an "either/or" choice. The strongest setup combines both:

  1. A VPN carries 100% of your traffic — DNS, IP, SNI, everything — through an encrypted tunnel, hiding it all from your ISP and the local network.
  2. Encrypted DNS inside the VPN ensures your DNS queries are also protected from the VPN provider's upstream resolvers, and reduces fingerprinting if the VPN ever drops briefly.
  3. ECH where available adds one more layer for sites that support it — useful, but not a replacement for the tunnel.

A trustworthy VPN should also handle DNS automatically: when you connect, all your DNS traffic should be routed through the VPN's own resolvers (or your chosen encrypted DNS provider) inside the tunnel, with DNS leak protection to make sure no query ever escapes to your ISP's resolver by accident.


How to Verify Your Setup Isn't Leaking

Before you trust any of this, test it:

  1. Connect to your VPN.
  2. Visit dnsleaktest.com and run the extended test. You should see your VPN provider's resolver, not your ISP's.
  3. Visit browserleaks.com/ip and confirm your public IP matches the VPN server, not your real address.
  4. Optionally, use browserleaks.com/tls to see what your TLS ClientHello (including SNI/ECH support) looks like to a server.

If any of these tests show your real ISP, real IP, or your real location, your setup is leaking. Good VPN clients fix this automatically with kill switches and built-in DNS leak protection — but it's worth verifying once.


The Bottom Line

Encrypted DNS is a real improvement over plaintext DNS, and you should turn it on. But it solves a narrow problem: hiding the literal text of your DNS queries from anyone watching the wire.

It does not hide:

  • The IP addresses you connect to
  • The hostnames revealed in unencrypted SNI fields
  • Your traffic patterns and metadata
  • Anything from a determined ISP, network admin, or surveillance actor

If your goal is genuine browsing privacy — keeping your ISP, public Wi-Fi operators, and casual snoopers out of your activity — you need a VPN. Encrypted DNS is a useful complement on top, not a replacement.


How Mosaic VPN Keeps Your Browsing Private

Mosaic VPN is built around the realities described above:

  • AES-256 encryption wraps every packet — DNS, SNI, and all — in a low-overhead encrypted tunnel that your ISP and local network simply cannot read
  • Built-in DNS leak protection routes every query through the tunnel, so no lookup ever escapes to your ISP's resolver
  • A reliable kill switch instantly cuts your internet if the tunnel drops, preventing the brief plaintext window that would otherwise expose your traffic
  • A strict no-logs policy means there's no browsing record to subpoena, sell, or breach
  • A global server network lets you exit to a region of your choice, neutralizing IP-based tracking and unlocking geo-restricted content

Encrypted DNS is a great first step. Pair it with Mosaic VPN, and the gap your ISP has been quietly exploiting finally closes.
