Why encrypted DNS is ineffective

Encrypted DNS (DoH, DoT, DNSCrypt, etc.) may seem useful at first glance, but on closer inspection it provides no real privacy or security benefit.


Normal DNS queries are unencrypted and unauthenticated, so an attacker can examine and modify them. This may sound like a big issue, but HTTPS has already solved it. If I visit madaidans-insecurities.github.io, my browser expects a valid TLS certificate for that hostname regardless of whether an attacker has tampered with the DNS response. If the certificate is incorrect, the browser shows a big scary warning.

If you're not using HTTPS, encrypted DNS still doesn't make a difference: the attacker can simply modify the unencrypted traffic instead of the DNS query and get essentially the same result.


Encrypted DNS does prevent someone monitoring your traffic from seeing which domain you looked up via DNS, but this doesn't really matter, since there are many other ways to obtain exactly the same information.


Server Name Indication (SNI) is a TLS extension which sends the hostname the client is attempting to connect to in plaintext, so anyone monitoring the connection can read it.

For example, if you connect to this website, someone monitoring the connection can see this:
[Image: SNI in Wireshark]

There have been efforts to encrypt SNI, which would solve this issue, but they are not yet widespread.


Online Certificate Status Protocol (OCSP) is used during TLS certificate validation to check whether a certificate has been revoked, and it is another way to determine which website you're visiting. OCSP responses contain the serial number of the website's TLS certificate, which can easily be used to look up which certificate it belongs to.
[Image: OCSP in Wireshark] [Image: GitHub serial number]

OCSP stapling, where the server supplies the OCSP response itself during the TLS handshake so the client doesn't contact the OCSP responder, is a way to prevent this, but again, it's not very widespread.

IP Addresses

Even if you use some form of encrypted DNS, eSNI and OCSP stapling, the IP addresses of the websites you visit are still exposed, and they can be used to identify over 95% of websites. Some IP addresses host multiple domains, which obscures this slightly, but that's not very reliable.


Encrypting your DNS queries alone is not enough to hide the domains you visit and gives no security advantage. It only helps against some very rudimentary censorship systems that rely entirely on DNS blocking, and it isn't hard for those systems to develop workarounds. If you want to effectively hide the websites you browse, use a VPN or, preferably, Tor.
