The idea that using DNS over HTTPS or DNS over TLS makes you invisible to your ISP has circulated for years. It’s a flawed oversimplification, and David Bombal, a networking and security-focused YouTuber, decided to dismantle it with a practical demonstration: real traffic, a physical tap on Ethernet, and Wireshark open.<\/p>\n\n\n\n
The video, published April 17th, runs about thirty minutes and is worth watching if you have the time. It’s only on YouTube, which I won’t embed here, so here’s the link: https:\/\/www.youtube.com\/watch?v=46hy3r_1VqY<\/a> so you can open it wherever you prefer.<\/p>\n\n\n\n Encrypting DNS queries hides requests to the resolver, but it’s not enough to hide the domain name you’re reaching. When your browser starts an HTTPS connection, during the TLS handshake it sends the Bombal demonstrates it live: even with DNS encryption via Google or Cloudflare, and even with TLS 1.3, visited domains can still appear in plain text in the traffic if the site doesn’t use additional protections. Microsoft, Cisco, Nvidia, ChatGPT: all visible.<\/p>\n\n\n\n In the final section, Bombal activates and repeats the captures: domains are no longer visible on the local network, replaced instead by encrypted WireGuard traffic to the VPN server. In practice, it’s the simplest way to prevent your ISP, corporate networks, or anyone else observing that connection from directly seeing which sites you visit.<\/p>\n\n\n\n The video uses Proton for the demo, but the concept applies to any serious VPN. This doesn’t make you “invisible” in absolute terms though: it simply shifts trust from your Internet provider to your VPN provider, which should be chosen carefully. The key is picking a trustworthy service with a verifiable no-log policy and credible track record. Mullvad is another solid choice here, with a deliberately minimal business model and no accounts tied to user identity. You’ll find an updated list of legitimate VPNs on Le Alternative<\/a>.<\/p>\n\n\n\n The video is on YouTube and you’ll find it below. If you have ten minutes, jump straight to the Wireshark packet capture section: seeing your own domains scroll past in plain text is more convincing than any written explanation.<\/p>\n\n\n\n \n The Problem: SNI in the ClientHello<\/h2>\n\n\n\n
ClientHello<\/code> message, which normally contains the SNI field, Server Name Indication<\/code>, readable by anyone observing the traffic. It tells the server which domain you want to reach, because many different sites can coexist on the same IP address.<\/p>\n\n\n\nECH: A Partial Solution<\/h2>\n\n\n\n
Encrypted Client Hello<\/code> attempts to close this exact gap by encrypting that part of the handshake as well. In Bombal’s packet capture, sites that use it correctly expose only cloudflare-ech.com<\/code> instead of the real domain. It’s an important step forward, but it doesn’t solve everything: not all sites support it, and even when active, other side-channel clues can remain useful for figuring out where you’re going, starting with the destination IP address.<\/p>\n\n\n\nThe Most Practical Solution<\/h2>\n\n\n\n