What Your ISP Actually Sees When You Browse
Every time you type a URL into your browser, your device sends a request to a DNS (Domain Name System) server to translate that human-friendly address into a machine-readable IP address. That tiny lookup — it happens in milliseconds — reveals the exact domain you’re visiting. Your ISP handles that request by default, meaning they log every single site you hit, from the news you read to the streaming service you use at 2 a.m.
This isn’t theoretical. In many countries, ISPs are legally required to store browsing records for months or years. Even where they aren’t, your traffic data is a valuable commodity — sold to advertisers, data brokers, or handed over to law enforcement without a warrant in some jurisdictions.
The scary part? It’s not just the big stuff. Every ad tracker, every embedded image from a third-party CDN, every API call your phone makes — it all shows up in your ISP’s logs. They don’t need to break encryption to know you visited example.com; the DNS lookup alone gives them that.
The Weak Link: Plain DNS Queries
Standard DNS is like sending a postcard. The contents might be visible only to you and the destination server, but the address on the front — the domain name — is written in plain text for anyone along the route to read. Your ISP sits right on that route. They see the postcard, note the address, and file it away.
Even if you use HTTPS (the padlock icon in your browser), the domain name is still exposed during the DNS lookup. Encryption protects the content of your traffic, not the destination. That’s why DNS is the privacy gap that most people don’t know exists.
One Tool That Stops ISP Tracking Cold
The fix is surprisingly simple: encrypt your DNS queries. The most accessible method today is DNS over HTTPS (DoH). Instead of sending your domain lookups in plain text, DoH wraps them inside the same HTTPS encryption that protects your banking and email. Your ISP sees only a connection to a DoH resolver — not the individual sites you visit.
Major browsers already support DoH out of the box. Firefox has it built-in. Chrome and Edge offer it in settings. But browser-level DoH only protects traffic from that specific browser. For full system-wide protection, you need to configure DoH at the operating system or router level.
One tool does this elegantly: dnscrypt-proxy. It’s a lightweight, open-source daemon that sits between your device and the DNS resolver. It encrypts every DNS query on your machine — from browsers, apps, background services, everything. You install it, point your system DNS to 127.0.0.1, and let it handle the rest. It supports DoH, DNSCrypt (another encryption protocol), and even anonymized DNS relays.
How to Set Up dnscrypt-proxy (Quick Guide)
- Linux/macOS: Install via your package manager (
sudo apt install dnscrypt-proxy on Debian/Ubuntu, brew install dnscrypt-proxy on macOS).
- Windows: Download the pre-built binary from the official GitHub repo, extract it, and run the installer script.
- Configuration: Edit the
dnscrypt-proxy.toml file to select your preferred resolver (Cloudflare, Quad9, or custom). Set listen_addresses = ['127.0.0.1:53'].
- Point your system DNS: In network settings, change your DNS server to
127.0.0.1. That’s it.
Once running, you can verify it’s working by visiting a DNS leak test site. If it shows the resolver you configured — not your ISP’s — you’re good.
What This Doesn’t Block (And Why That Matters)
Encrypting DNS stops your ISP from logging the domains you visit, but it’s not a silver bullet. Your ISP can still see the IP addresses you connect to, the volume of traffic, and the timing of your sessions. If you visit a site hosted on a unique IP, they can infer the site regardless of DNS encryption.
For true anonymity, you need a VPN or Tor. But for everyday privacy — stopping the default logging, blocking advertiser tracking via DNS, and preventing your ISP from selling your browsing history — encrypted DNS is a massive improvement with almost zero performance cost.
Bottom line: Your ISP is tracking you. They’ve been doing it for years. But you don’t have to accept it. A five-minute setup with dnscrypt-proxy or even just flipping on DoH in your browser settings cuts off the easiest, most common surveillance channel they rely on. It’s not perfect, but it’s a damn good start.