In other words, encrypting DNS is an exercise in futility if the resulting IP is fully exposed.
Anyone who cares is fully capable of doing a reverse lookup if they must know the name of the domain you're connecting to.
The easy, all-encompassing approach for the casual user --- just use a VPN as needed.
A decent VPN will encrypt DNS requests and route them through their servers --- thus obscuring all your "sensitive" network traffic.
But I’d push back on the “futility” part. For me (and probably a lot of home users), encrypted DNS solves a different problem:
ISP Snooping & Profiling: Without DNS encryption, my ISP gets a complete log of every hostname I query. That’s valuable metadata even if the actual traffic is HTTPS. Encrypted DNS cuts them out of the loop.
Censorship & Filtering: Many ISPs or countries block sites by poisoning or hijacking DNS. DoT/DoH3 bypasses that without needing to route all traffic through a third party.
Performance & Control: Local caching with AdGuard means faster load times, plus I can filter ads, trackers, and telemetry at the DNS layer, something a VPN alone won’t do.
Reduced Trust Surface: With a VPN, I’m moving all trust to the VPN provider (and hoping they’re honest about logs). With encrypted DNS, I can split that trust between my own AdGuard instance and NextDNS, instead of funneling everything through a single exit point.
So in my view:
VPN = anonymity & hiding your IP
Encrypted DNS = privacy from intermediaries & control over resolution
They solve related but different problems. For “serious” privacy, I agree a VPN or Tor is needed. But for everyday use, encrypted DNS is a huge step up from plain-text queries and actually improves performance.
With DNS encryption, your ISP still gets a complete log of every IP you visit. And from your IP log, they can easily get the host names if they want them.
In fact, I'd be surprised if they even bother logging DNS at all. It's much easier, more efficient and just as effective to log IPs.
Used by itself, encrypting DNS doesn't really hide anything and is thus an exercise in futility. Used with a more comprehensive solution like a VPN, it is even more so.
They can just look at the TLS SNI field and the hostname is there in plaintext.
It’s _more_ trouble to do the reverse lookup.
It’s _more_ trouble to even bother with hostnames at all.
Just log IPs. By doing so, you're capturing the same essential data in a more compact form.
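The SNI point raised above, as an added example that is not part of the thread: a small Python parser that pulls the host_name out of a TLS ClientHello, run against a ClientHello constructed inline (not captured traffic). It shows that the hostname sits in cleartext in the first packet of the TLS handshake, independent of how the DNS lookup that produced the IP was protected.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record with one
    server_name (SNI) extension. Not a capture of real traffic."""
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) \
        + struct.pack("!H", len(sni_list)) + sni_list             # ext type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"                         # client_version TLS 1.2
            + b"\x11" * 32                      # random (fixed filler bytes)
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                       # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the cleartext SNI host_name from a ClientHello record, or None
    if the bytes are not a ClientHello or carry no server_name extension."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                            # headers, version, random
        pos += 1 + record[pos]                      # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                      # compression_methods
        ext_total = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:                  # server_name extension
                p = pos + 2                         # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = record[p]
                    name_len = struct.unpack_from("!H", record, p + 1)[0]
                    p += 3
                    if name_type == 0:              # host_name
                        return record[p:p + name_len].decode("ascii", "replace")
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                 # truncated or malformed input
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))
```

Passive monitoring tools read this field the same way; only TLS 1.3 Encrypted Client Hello moves the name out of the cleartext part of the handshake.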