Why VPNs Alone Won't Stop Your ISP From Tracking You

Many people assume that using a VPN is enough to keep their internet activity private. And while a VPN does encrypt your traffic and mask your IP address from websites, there is a quieter tracking mechanism that often goes unnoticed: your default DNS settings. A recently published privacy guide highlights how Internet Service Providers use DNS to log your browsing activity, and why switching to encrypted DNS is a critical step that even VPN users should consider.

What Is DNS and Why Does It Matter?

Every time you type a website address into your browser, your device sends a request to a Domain Name System (DNS) server to translate that human-readable address into an IP address that computers can actually use. Think of it as a phone book lookup that happens invisibly in the background, every single time you visit a website.

By default, most devices are configured to use the DNS servers their Internet Service Provider hands out along with the network connection. This means that unless you have changed your settings, your ISP is handling every one of those lookups. And because DNS queries have traditionally been sent in plain text over UDP or TCP port 53, your ISP can read exactly which domain names you are requesting, even though the content of the websites themselves is encrypted with HTTPS.

HTTPS protects the data exchanged between your browser and a website. It does not, however, hide the fact that you visited that website in the first place. That distinction is important, and it is the gap that default DNS settings leave wide open.

The VPN Gap: What Your Tunnel Doesn't Always Cover

A VPN routes your internet traffic through an encrypted tunnel to a server operated by the VPN provider, which forwards it on to its real destination. For most browsing activity this is effective: your ISP sees only encrypted packets flowing to a single VPN endpoint, not the sites behind it.

However, DNS can be a weak point depending on how a VPN is configured. If the VPN does not route DNS through the tunnel, or if it suffers what is known as a DNS leak, those lookups may still travel to your ISP's servers. Common causes are an operating-system resolver that keeps the ISP-provided DNS servers alongside the one the VPN pushes, split-tunneling rules that exclude DNS, and IPv6 queries on a tunnel that carries only IPv4. The result is that your ISP can continue building a log of the domains you are querying, even while you believe your traffic is fully protected.

This is not a flaw unique to any one provider. It is a structural issue that underscores why privacy protection is best approached in layers, rather than relying on any single tool.

DNS-over-HTTPS: Encrypting the Phone Book

The fix recommended by the privacy guide is switching to DNS-over-HTTPS, often abbreviated as DoH and specified in RFC 8484. This protocol sends your DNS queries inside an HTTPS connection on port 443, so to anyone observing your connection, including your ISP, they look like ordinary encrypted web traffic.

With DoH enabled, your ISP can no longer read or log the domain names you are looking up. The queries go to a DoH-capable resolver rather than to the ISP's own servers, removing the ISP as the middleman in that part of your browsing. What it does not remove is the ISP's view of the IP addresses you then connect to, or of the server name that most sites still send unencrypted at the start of the TLS handshake; what encrypted DNS takes away is the complete, easily logged list of names that default DNS hands the ISP directly.
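The lookup described in the two sections above, as an added example that is not from the article or from the guide it summarizes: the code builds a DNS query in the RFC 1035 wire format, shows that the queried name sits in the packet as readable bytes (what an ISP resolver or any on-path observer of port 53 sees), then wraps the identical message in a DNS-over-HTTPS GET request in the RFC 8484 form and parses a constructed response. The resolver URL doh.example.net and the response bytes are invented for illustration, and nothing is sent over the network.

```python
"""Added example (not from the privacy guide this article summarizes).

Builds a DNS query in RFC 1035 wire format, shows the queried name is
readable in the raw UDP/53 payload, then wraps the same message in an
RFC 8484 DNS-over-HTTPS GET request. Runs fully offline: the resolver URL
and the response bytes below are constructed for illustration.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Encode a single-question DNS query (RFC 1035 section 4.1)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in name.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 1 <= len(encoded) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        question += bytes([len(encoded)]) + encoded  # length-prefixed label
    question += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def plaintext_qname(msg: bytes) -> str:
    """What a passive observer of an unencrypted query learns: the QNAME."""
    name, _ = read_name(msg, 12)  # question section follows the 12-byte header
    return name


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url, '=' padding removed, in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rdlength == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Constructed answer to `query` with one A record (fixture, not real data)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    answer += bytes(int(octet) for octet in ipv4.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("UDP/53 payload  :", q.hex())
    print("readable by ISP :", plaintext_qname(q))
    # doh.example.net is a hypothetical resolver; use your chosen operator's URL.
    print("DoH request     :", doh_get_url("https://doh.example.net/dns-query", q))
    print("answer parsed   :", parse_a_records(constructed_response(q, "198.51.100.7")))
```

The first two printed lines are the point: the domain is a literal substring of the packet an ISP resolver receives. The DoH form carries exactly the same bytes, only now inside TLS to a resolver you chose; a real client would send that GET (or a POST with content type application/dns-message) over HTTPS and feed the body of the reply to parse_a_records.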

Many major browsers now support DNS-over-HTTPS natively and allow you to enable it directly in settings without installing any additional software. Two details matter when you do. Browser DoH covers only that browser's lookups; every other application on the device keeps using the system resolver unless encrypted DNS is also configured at the operating-system level. And most browsers offer a mode that falls back to unencrypted DNS when the DoH resolver is unreachable, which quietly reopens the gap, so prefer the strict, DoH-only mode where one is offered. The guide also notes that adjusting browser performance settings can help reduce other vectors for IP tracking and data collection, adding another incremental layer of protection.

It is worth noting that switching your DNS provider does mean a different organization is handling those queries instead of your ISP. Choosing a resolver with a clear, public privacy policy and a no-logging commitment is an important part of this decision.

What This Means For You

If you currently use a VPN and assumed your DNS traffic was fully covered, it is worth verifying that. Many VPN applications include a DNS leak test tool, and independent testing sites can help you check whether your DNS queries are being routed through your VPN or bypassing it. These tests have your device resolve unique test names and report which resolver reached their servers; if the resolver shown belongs to your ISP, DNS is leaving the tunnel.
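A local check that complements the external leak test, added here and not part of the article or the guide: it parses resolv.conf-style configuration and compares each nameserver against the address space the VPN tunnel assigns. Any resolver outside the tunnel is reached over the ISP path, which is the leak scenario described in the VPN section above. A loopback address (for example a systemd-resolved stub) is reported separately, because the real upstream must then be read from the stub's own configuration rather than from this file. The resolv.conf text and the 10.8.0.0/24 tunnel prefix are constructed sample input; an external test, which observes the resolver that actually reaches an authoritative server, remains the final word.

```python
"""Added example, not from the privacy guide the article describes.

Classifies configured DNS resolvers as inside the VPN tunnel, leaking to
the ISP path, or a local stub that must be inspected further. Inspects
configuration only; it sends no DNS traffic.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LeakReport:
    inside_tunnel: list[str] = field(default_factory=list)
    leaking: list[str] = field(default_factory=list)
    stubs: list[str] = field(default_factory=list)  # loopback stubs: check their upstream


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Extract 'nameserver' entries, ignoring '#'/';' comments and other keywords."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])  # glibc reads only the first token after the keyword
    return servers


def check_resolvers(resolv_conf: str, tunnel_prefixes: list[str]) -> LeakReport:
    """Compare configured resolvers with the prefixes routed through the VPN."""
    nets = [ipaddress.ip_network(p, strict=False) for p in tunnel_prefixes]
    report = LeakReport()
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            report.leaking.append(server)  # unparsable entry: treat as suspect
            continue
        if addr.is_loopback:
            report.stubs.append(server)
        elif any(addr in net for net in nets):  # v4/v6 mismatch simply yields False
            report.inside_tunnel.append(server)
        else:
            report.leaking.append(server)
    return report


# Constructed sample: the VPN pushed 10.8.0.1, but the DHCP-provided IPv4
# router and the ISP's IPv6 resolver were never removed. The tunnel carries
# only IPv4, so the IPv6 resolver is reached outside it.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample, not a real host)
search lan
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8::53
"""
TUNNEL_PREFIXES = ["10.8.0.0/24"]


if __name__ == "__main__":
    report = check_resolvers(SAMPLE_RESOLV_CONF, TUNNEL_PREFIXES)
    print("inside tunnel:", report.inside_tunnel)
    print("LEAKING      :", report.leaking)
    print("stubs        :", report.stubs)
```

On a real machine, feed the function the contents of /etc/resolv.conf and the tunnel prefix your VPN client reports; if anything lands in the leaking list while the VPN is connected, the OS will send at least some lookups past the tunnel. If the only entry is a loopback stub, repeat the exercise against the stub's upstream servers instead.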

If you do not use a VPN, enabling DNS-over-HTTPS in your browser is one of the most straightforward privacy improvements you can make right now. It requires no paid subscription and can be activated in minutes on most modern browsers.

For those who want comprehensive protection, combining a well-configured VPN with encrypted DNS provides meaningfully stronger privacy than either approach alone. The two tools address overlapping but distinct parts of how your browsing activity is exposed.

Actionable Takeaways

  • Check your browser settings for a DNS-over-HTTPS or "Secure DNS" option and enable it if it is not already active.
  • Run a DNS leak test if you use a VPN, to confirm your DNS queries are being handled within the VPN tunnel, and repeat it after changing networks or VPN settings.
  • Review your DNS resolver choice and look for providers with transparent, publicly available privacy and logging policies.
  • Do not rely on HTTPS alone to protect your privacy from your ISP. Encrypted DNS addresses a tracking vector that HTTPS was never designed to cover.

Your ISP has structural visibility into your browsing that most people are not aware of. Understanding how DNS fits into the picture is a practical first step toward closing that gap.