NOTE: DNS or HTTPS / Encrypted DNS won't make you invisible. Watch and find out.

Some people believe that encrypted DNS makes them invisible, but is this video I use a live Wireshark capture to prove that your ISP can still see every website you visit. You will learn how to verify your own privacy leaks and a VPN are necessary to truly go dark on the wire.

In this deep-dive network lab, we use Wireshark and a physical ethernet tap to expose the truth about modern web privacy. You will see firsthand how your ISP can still track every website you visit, even when using encrypted DNS (DNS over HTTPS) and TLS 1.3. We demonstrate how the Server Name Indication (SNI) field in the Client Hello packet leaks your destination in plain text. The video explores advanced privacy technologies like Encrypted Client Hello (ECH) in Firefox and Cloudflare, explains why these features often break corporate filtering, and proves why a VPN remains the only definitive way to hide your traffic from network snooping and government logging.

// YouTube video REFERENCE //
The one BIG mistake you are making with DNS security today:  https://youtu.be/Rrr4HrI8E6g

// Book REFERENCE //
DNS & Bind 4th Edition
US:   https://amzn.to/4s8WaWm
UK:  https://amzn.to/4sztLbB

// David's SOCIAL // 
Discord: https://discord.com/invite/usKSyzb 
X: https://www.twitter.com/davidbombal 
Instagram: https://www.instagram.com/davidbombal 
LinkedIn: https://www.linkedin.com/in/davidbombal 
Facebook: https://www.facebook.com/davidbombal.co 
TikTok: http://tiktok.com/@davidbombal 
YouTube: https://www.youtube.com/@davidbombal
Spotify:  https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud:  https://soundcloud.com/davidbombal
Apple Podcast:  https://podcasts.apple.com/us/podcast/david-bombal/id1466865532

// MY STUFF //
 https://www.amazon.com/shop/davidbombal 

// SPONSORS // 
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

// MENU //
0:00 - DNS myths!
01:53 - Jump to the timestamps
02:16 - Debunking DNS myths
02:59 - Interviewing Cricket Liu // Pros & Cons of DNS
06:49 - DNS monitoring demo
10:33 - Changing DNS provider in Chrome
13:00 - Turning off Secure DNS in Chrome
14:43 - TLSv1.3 is still visible // What is SNI?
18:56 - DNS using CloudFlare
22:11 - What is ECH?
22:52 - TLSv1.3 is still visible continued
26:53 - IP address lookup
28:10 - Summary
28:58 - Will using VPN help?
31:32 - Conclusion

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! 

Disclaimer: This video is for educational purposes only.

#dns #myths #privacy

David Bombal

Encrypted DNS (DoH, DoT, DoQ) does not fully protect your privacy from ISPs and network observers. Even with encrypted DNS enabled in Chrome or Firefox, the TLS Client Hello message exposes the Server Name Indication (SNI) field in plaintext, revealing which domains you visit. Using Wireshark with a network tap, this is demonstrated live against major sites like Nvidia, Microsoft, Cisco, and ChatGPT. Encrypted Client Hello (ECH) via Cloudflare can mask SNI for some sites, but many popular sites don't implement it, and even ECH-protected sites can leak domain info through third-party requests. IP address visibility is another residual leak even when SNI is hidden. Only a VPN (demonstrated with ProtonVPN/WireGuard) fully hides domain and traffic information from network observers. The post also covers UK ISP data retention laws and the trade-offs of encrypted DNS in enterprise environments.

How your ISP tracks you (even with encrypted DNS)