Domain Name System

Domain Name System (DNS) is used to convert domain name to IP address.

For example, if you want to reach http://no-identity-awesome-example-site.com, normally your phone or laptop would contact DNS server of your ISP with a question “What it is the IP address of no-identity-awesome-example-site.com?”

The response would contain the IP address and DNS response validity time. That makes it possible to cache the IP address locally for this validity time.

What is in the request

The request to DNS server contains just the domain part:

  1. http://no-identity-awesome-example-site.com would request just ask about no-identity-awesome-example-site.com.
  2. http://no-identity-awesome-example-site.com/example would request just ask about no-identity-awesome-example-site.com, too.
  3. http://test.no-identity-awesome-example-site.com/example would request just ask about test.no-identity-awesome-example-site.com.

Problems with Virtual Private Networks

When you opt for VPNs, then you might have a few problems:

  1. Some DNS server you have no control of might still record the domain names you request. However, if this traffic goes through VPN, it is more or less safe.
  2. DNS traffic might go outside of a tunnel, making your requests visible to your Internet Service Provider or other owner of DNS server.

What to do with it

The goal is simple: make sure nobody between you and a trusted resolver can read or tamper with your DNS requests, and that those requests never escape your VPN tunnel.

Use encrypted DNS

Plain DNS travels in the open. Modern systems can encrypt it:

  • DNS over HTTPS (DoH) — DNS requests look like ordinary HTTPS traffic.
  • DNS over TLS (DoT) — DNS requests go over a dedicated encrypted port.

Both hide the domain names you ask for from anyone watching the wire. All major browsers and operating systems support at least one of them — turn it on.

Use a trusted resolver

Encryption only protects the path; the resolver itself still sees your requests. Pick one you are willing to trust (for example, a privacy-focused public resolver), or — best of all — run your own resolver on your VPN server.

Make sure DNS goes through the tunnel

This is the part people forget. Even with a VPN active, your device may keep using your ISP’s DNS server, leaking the domains you visit. After connecting:

  1. Confirm your VPN client is set to push its own DNS servers.
  2. Run a DNS leak test (see the pre-flight checks) and verify that the resolver shown belongs to your VPN, not your ISP.

If a leak shows up, fix the VPN configuration before relying on it.