Every time you visit a website, send an email, or open an app, something invisible happens first: a DNS lookup. DNS is one of the internet's most fundamental systems — and one of its quietest privacy leaks. This guide explains what DNS is, how a lookup actually works, who can see your queries, and how encrypted DNS and a VPN protect them.
What DNS is
DNS (Domain Name System) is the internet's phonebook. Computers find each other by numeric IP addresses, but humans remember names — so DNS translates a domain like example.com into the IP your device actually connects to.
Without it, you'd memorise raw IP addresses for every site. Instead, DNS does the lookup automatically, constantly, in the background — every site, app and email depends on it.
How a lookup works
- Your device asks a resolver (often your ISP's, or Cloudflare/Google) for a domain's IP.
- If it's not cached, the resolver queries the root servers, then the TLD servers (.com, .org…), then the domain's authoritative name server, which returns the IP.
- The resolver caches the answer (for its TTL) and hands it back; your device connects.
All in milliseconds, with caching at every level keeping it fast.
The privacy problem: DNS reveals everything
Here's what most people miss: traditional DNS is unencrypted. The resolver you use — usually your ISP's — sees every domain you look up. That's effectively a log of every site you visit, even when those sites use HTTPS (HTTPS hides the page contents, not which site you asked for).
Your ISP can record it, sell it, or be compelled to share it; on public Wi-Fi, others can watch too. DNS is among the biggest unnoticed leaks in everyday browsing — which is why our DNS leak test exists.
How to make DNS private
- Encrypt DNS with DoH (DNS over HTTPS) or DoT (DNS over TLS), pointed at a privacy-respecting resolver — most browsers/OSes now support it. See our DNS over HTTPS setup guide.
- Route everything through a VPN — it handles DNS inside its own encrypted tunnel, so neither your ISP nor the local network sees your queries or destinations.
- Test for leaks to confirm your real resolver isn't exposed.
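As an added example (not code from the original guide), the Python below builds the same wire-format query your device sends, shows what a resolver or on-path observer can read straight out of it, and wraps the identical bytes as a DoH request; the sample domains and the resolver URL are assumptions, and nothing is sent over the network.

```python
import struct
import urllib.request

# Constructed sample: domains a user looked up, readable by anyone who can see
# their cleartext DNS (the ISP's resolver, or another client on public Wi-Fi).
SAMPLE_DOMAINS = ["example.com", "mail.example.org", "bank.example.net"]
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed DoH resolver URL


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode an RFC 1035 query for `name`, class IN (qtype 1 = A record)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_question(packet: bytes) -> dict:
    """Id, queried name and type from the question section of a query or
    response. The first name in a packet is never compressed, so a plain
    label walk suffices; the name is ASCII on the wire for anyone to read."""
    txid, flags = struct.unpack(">HH", packet[:4])
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
    return {"id": txid, "name": ".".join(labels), "qtype": qtype,
            "is_response": bool(flags & 0x8000)}


def observed_domains(packets) -> list:
    """Sites a passive observer learns from a capture of cleartext queries."""
    return sorted({parse_question(p)["name"] for p in packets})


def doh_request(name: str) -> urllib.request.Request:
    """The same wire-format query as an RFC 8484 DoH POST body, built but not
    sent so the example stays offline. Only the transport changes: the name
    now travels inside TLS, so the network sees just an HTTPS connection."""
    return urllib.request.Request(
        DOH_ENDPOINT, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


if __name__ == "__main__":
    capture = [build_query(d) for d in SAMPLE_DOMAINS]
    print("observer sees:", observed_domains(capture))
    print("DoH body is the same bytes:", doh_request("example.com").data == capture[0])
```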
Encrypted DNS through the tunnel → NordVPN
NordLynx (WireGuard) · DNS resolved inside the encrypted tunnel · Built-in leak protection · 30-day money-back guarantee
DNS also powers geo-tricks: Smart DNS reroutes only the lookups needed to unblock streaming, without encrypting traffic — useful, but not a privacy tool. And the IP that DNS resolves to is the one sites log; see what your IP address reveals.
The bottom line
DNS is the internet's phonebook — it turns domain names into IPs every time you connect, silently and constantly. The catch: by default it's unencrypted, so your resolver (usually your ISP) sees every site you visit. Fix it by encrypting DNS (DoH/DoT) or, more completely, routing it through a VPN that resolves DNS inside the tunnel — and verify with a leak test that it's actually private.
Editorial guide based on how DNS resolution works (resolver, root/TLD/authoritative, caching) and DNS privacy (unencrypted queries, DoH/DoT, VPN-tunnelled DNS, leaks). Commercial links carry the rel="sponsored nofollow" attribute; an affiliate commission may apply at no extra cost to you.