You are rightt that DNS encryption doesn’t hide the IP from the destination website and that’s a limitation by design. If the goal is full anonymity, then yes, a VPN or Tor is the way to go.
But I’d push back on the “futility” part. For me (and probably a lot of home users), encrypted DNS solves a different problem:
ISP Snooping & Profiling: Without DNS encryption, my ISP gets a complete log of every hostname I query. That’s valuable metadata even if the actual traffic is HTTPS. Encrypted DNS cuts them out of the loop.
Censorship & Filtering: Many ISPs or countries block sites by poisoning or hijacking DNS. DoT/DoH3 bypasses that without needing to route all traffic through a third party.
Performance & Control: Local caching with AdGuard means faster load times, plus I can filter ads, trackers, and telemetry at the DNS layer, something a VPN alone won’t do.
Reduced Trust Surface: With a VPN, I’m moving all trust to the VPN provider (and hoping they’re honest about logs). With encrypted DNS, I can split that trust between my own AdGuard instance and NextDNS, instead of funneling everything through a single exit point.
So in my view:
VPN = anonymity & hiding your IP
Encrypted DNS = privacy from intermediaries & control over resolution
They solve related but different problems. For “serious” privacy, I agree a VPN or Tor is needed. But for everyday use, encrypted DNS is a huge step up from plain-text queries and actually improves performance
jqpabc123•4mo ago
Without DNS encryption, my ISP gets a complete log of every hostname I query.
With DNS encryption, your ISP still gets a complete log of every IP you visit. And from your IP log, they can easily get the host names if they want them.
In fact, I'd be surprised if they even bother logging DNS at all. It's much easier, more efficient and just as effective to log IPs.
Used by itself, encrypting DNS doesn't really hide anything and is thus an exercise in futility. Used with a more comprehensive solution like a VPN, it is even more so.
voioo•4mo ago
Yes, DNS encryption not hiding IP, that part is true. But still not useless is my point. ISP cannot see exact domains, only IP, and with CDN one IP can be many sites. Also DNS hijack/poison is common, and DoT/DoH stop this cheap attack. VPN is stronger, but DNS encryption is small layer of privacy without moving trust to VPN provider.
1vuio0pswjnm7•4mo ago
"And from your IP log, they can easily get the host names if they want them."
And each IP may have multiple hostnames associated with it, requiring more work to determine which one was accessed by the internet subscriber
The VPN also has an IP log for jqpabc
If someone wants to explore jqpabc's "sensitive traffic", it's even easier than asking his ISP. Because jqpabc uses a third party VPN, we just subpoena the VPN and they start logging, unbeknownst to jqpabc
Because the VPN uses a third party DNS cache that sends EDNS client subnet and does not encrypt DNS traffic to authoritative DNS servers, we can also get logs from those servers as well as jqpabc's general location
And of course jqpabc sends plaintext SNI so we have another source of hostnames that he has visited, in addition to plaintext DNS
dongcarl•4mo ago
Actually, they don’t need to do a reverse lookup at all.
They can just look at the TLS SNI field and the hostname is there in plaintext.
It’s _more_ trouble to do the reverse lookup.
jqpabc123•4mo ago
It’s _more_ trouble to do the reverse lookup.
It’s _more_ trouble to even bother with hostnames at all.
Just log IPs. By doing so, you're capturing the same essential data in a more compact form.
jqpabc123•4mo ago
In other words; encrypting DNS is an exercise in futility if the resulting IP is fully exposed.
Anyone who cares is fully capable of doing a reverse lookup if they must know the name of the domain you're connecting to.
The easy, all encompassing approach for the casual user --- just use a VPN as needed.
A decent VPN will encrypt DNS requests and route them through their servers --- thus obscuring all your "sensitive" network traffic.
https://whoismydns.com/
voioo•4mo ago
But I’d push back on the “futility” part. For me (and probably a lot of home users), encrypted DNS solves a different problem:
ISP Snooping & Profiling: Without DNS encryption, my ISP gets a complete log of every hostname I query. That’s valuable metadata even if the actual traffic is HTTPS. Encrypted DNS cuts them out of the loop.
Censorship & Filtering: Many ISPs or countries block sites by poisoning or hijacking DNS. DoT/DoH3 bypasses that without needing to route all traffic through a third party.
Performance & Control: Local caching with AdGuard means faster load times, plus I can filter ads, trackers, and telemetry at the DNS layer, something a VPN alone won’t do.
Reduced Trust Surface: With a VPN, I’m moving all trust to the VPN provider (and hoping they’re honest about logs). With encrypted DNS, I can split that trust between my own AdGuard instance and NextDNS, instead of funneling everything through a single exit point.
So in my view:
VPN = anonymity & hiding your IP
Encrypted DNS = privacy from intermediaries & control over resolution
They solve related but different problems. For “serious” privacy, I agree a VPN or Tor is needed. But for everyday use, encrypted DNS is a huge step up from plain-text queries and actually improves performance
jqpabc123•4mo ago
With DNS encryption, your ISP still gets a complete log of every IP you visit. And from your IP log, they can easily get the host names if they want them.
In fact, I'd be surprised if they even bother logging DNS at all. It's much easier, more efficient and just as effective to log IPs.
Used by itself, encrypting DNS doesn't really hide anything and is thus an exercise in futility. Used with a more comprehensive solution like a VPN, it is even more so.
voioo•4mo ago
1vuio0pswjnm7•4mo ago
And each IP may have multiple hostnames associated with it, requiring more work to determine which one was accessed by the internet subscriber
The VPN also has an IP log for jqpabc
If someone wants to explore jqpabc's "sensitive traffic", it's even easier than asking his ISP. Because jqpabc uses a third party VPN, we just subpoena the VPN and they start logging, unbeknownst to jqpabc
Because the VPN uses a third party DNS cache that sends EDNS client subnet and does not encrypt DNS traffic to authoritative DNS servers, we can also get logs from those servers as well as jqpabc's general location
And of course jqpabc sends plaintext SNI so we have another source of hostnames that he has visited, in addition to plaintext DNS
dongcarl•4mo ago
They can just look at the TLS SNI field and the hostname is there in plaintext.
It’s _more_ trouble to do the reverse lookup.
jqpabc123•4mo ago
It’s _more_ trouble to even bother with hostnames at all.
Just log IPs. By doing so, you're capturing the same essential data in a more compact form.