jqpabc123 11 hours ago

"DNS encryption doesn’t hide your IP from websites. Pair with a VPN or Tor if you need full anonymity."

In other words; encrypting DNS is an exercise in futility if the resulting IP is fully exposed.

Anyone who cares is fully capable of doing a reverse lookup if they must know the name of the domain you're connecting to.

The easy, all encompassing approach for the casual user --- just use a VPN as needed.

A decent VPN will encrypt DNS requests and route them through their servers --- thus obscuring all your "sensitive" network traffic.

https://whoismydns.com/

voioo 10 hours ago | parent | next [-]

You are right that DNS encryption doesn’t hide the IP from the destination website and that’s a limitation by design. If the goal is full anonymity, then yes, a VPN or Tor is the way to go.

But I’d push back on the “futility” part. For me (and probably a lot of home users), encrypted DNS solves a different problem:

ISP Snooping & Profiling: Without DNS encryption, my ISP gets a complete log of every hostname I query. That’s valuable metadata even if the actual traffic is HTTPS. Encrypted DNS cuts them out of the loop.

Censorship & Filtering: Many ISPs or countries block sites by poisoning or hijacking DNS. DoT/DoH3 bypasses that without needing to route all traffic through a third party.

Performance & Control: Local caching with AdGuard means faster load times, plus I can filter ads, trackers, and telemetry at the DNS layer, something a VPN alone won’t do.

Reduced Trust Surface: With a VPN, I’m moving all trust to the VPN provider (and hoping they’re honest about logs). With encrypted DNS, I can split that trust between my own AdGuard instance and NextDNS, instead of funneling everything through a single exit point.

So in my view:

VPN = anonymity & hiding your IP

Encrypted DNS = privacy from intermediaries & control over resolution

They solve related but different problems. For “serious” privacy, I agree a VPN or Tor is needed. But for everyday use, encrypted DNS is a huge step up from plain-text queries and actually improves performance.

jqpabc123 8 hours ago | parent [-]

Without DNS encryption, my ISP gets a complete log of every hostname I query.

With DNS encryption, your ISP still gets a complete log of every IP you visit. And from your IP log, they can easily get the host names if they want them.

In fact, I'd be surprised if they even bother logging DNS at all. It's much easier, more efficient and just as effective to log IPs.

Used by itself, encrypting DNS doesn't really hide anything and is thus an exercise in futility. Used with a more comprehensive solution like a VPN, it is even more so.

voioo 6 hours ago | parent [-]

Yes, DNS encryption not hiding the IP, that part is true. But it is still not useless, which is my point. The ISP cannot see exact domains, only IPs, and with a CDN one IP can be many sites. Also DNS hijacking/poisoning is common, and DoT/DoH stop this cheap attack. A VPN is stronger, but DNS encryption is a small layer of privacy without moving trust to a VPN provider.

dongcarl 8 hours ago | parent | prev [-]

Actually, they don’t need to do a reverse lookup at all.

They can just look at the TLS SNI field and the hostname is there in plaintext.

It’s _more_ trouble to do the reverse lookup.

jqpabc123 8 hours ago | parent [-]

It’s _more_ trouble to do the reverse lookup.

It’s _more_ trouble to even bother with hostnames at all.

Just log IPs. By doing so, you're capturing the same essential data in a more compact form.