Private DNS, VPNs, and the bare minimum of privacy in 2026
The free stuff already plugs a real hole in your connection. Everything past that is a threat-model question. An honest map of what each layer hides — and what it lets slip through.
There's a question that resurfaces every time someone joins airport Wi-Fi or reads a surveillance headline: "do I need a VPN?" The honest answer is less exciting than the marketing. A lot of what you need is already on your phone, free, no subscription attached. The rest depends on a question almost nobody asks before paying: what, exactly, are you hiding from?
Network privacy works in layers. Each layer plugs one specific leak and ignores the rest. Treating one as if it does the job of another is like locking the front door, leaving a window wide open, and calling the house secure. Let's go layer by layer, cheapest first.
Layer 0: turn on encrypted DNS (costs nothing)
Every time you type an address, your device asks a DNS server "what's the IP for this site?" For decades that question traveled in plain text. Your internet provider could read every domain you looked up, like a mail carrier reading the addressee on each envelope.
Two standards fix that. DoT (DNS over TLS) encrypts the query on a dedicated port, 853. DoH (DNS over HTTPS) wraps the query inside ordinary HTTPS traffic on port 443, making it indistinguishable from normal web browsing to anyone watching the network.¹ ² These are open IETF standards, not anyone's product. DoH support landed early, in Firefox 60 and Chrome 83.³
On Android it already has a menu entry: "Private DNS," under Network & internet, is literally DoT.⁴ It's been there since Android 9 (Pie). Leave it on automatic or point it at a resolver by hand; dns.google or 1.1.1.1 both work.⁵ ⁶ On desktop browsers you can switch on DoH right in settings. It's the highest-return, lowest-effort privacy move available today: zero dollars, two taps.
What encrypted DNS does NOT fix
This is the part the marketing prefers to skip. Encrypting the DNS query hides the name of the site you looked up. It does not hide where you went.
Once DNS hands back the IP, your device opens a direct connection to that address. Your provider still sees the destination IP, the duration, and the volume of traffic.⁷ And in most cases the IP maps straight back to the service — if the connection goes to Netflix's servers, nobody needs to read any DNS to know you're watching Netflix. Privacy Guides puts it bluntly: encrypted DNS with a third-party resolver is for getting around basic DNS blocking, and "will not hide any of your browsing activity."⁸
Worse, traffic analysis knocks out a chunk of the protection. A 2019 study identified domains over encrypted DNS with an F1 score around 0.90, using 124 times less data than attacks on full HTTPS flows.⁹ And it isn't theoretical or solved by turning Private DNS on: a paper at ARES 2021 described an attack that figures out which apps you use purely from the pattern of DoT traffic, hitting up to 72% accuracy even with padding. The same study noted that roughly 81% of so-called privacy resolvers don't implement padding at all.¹⁰ Encrypting the query closes one leak, not the whole trip.
There's one last crumb of metadata, too. Even with DNS encrypted, the HTTPS handshake used to expose the site name in a field called SNI (Server Name Indication), in the clear. ECH (Encrypted Client Hello) encrypts that part of the handshake and closes the gap. In March 2026 it graduated from draft to a published standard, RFC 9849.¹¹ But don't sell ECH as a silver bullet: in practice support is heavily concentrated on Cloudflare, and even there a middlebox can still tell you're on a site hosted by Cloudflare. It just can't tell which one.¹² And ECH is actively blocked in Russia, Iran, and China.¹²
The legal backdrop: retention you don't get to opt out of
In some markets this stops being theory. Brazil's Marco Civil da Internet (Law 12.965/2014) requires connection providers to keep connection logs for at least one year.¹³ More recent rulings — including a 2024 decision from the São Paulo state court — and new decrees went further, also requiring the source logical port so the originating terminal can be identified without ambiguity.¹⁴
The point generalizes: in plenty of jurisdictions, your ISP is legally obliged to keep a record of when you connected and where to. Encrypted DNS doesn't touch that. That is exactly the argument made by the people who say the "bare minimum" starts with encrypting the query but doesn't end there.
The VPN layer: moving trust, not becoming invisible
This is where a VPN comes in, and where most people get confused. A VPN routes your connection through another network, so your ISP stops seeing the destination and sees only the tunnel. The catch is that the visibility doesn't vanish: it changes hands. It leaves your ISP and lands with your VPN provider.
The EFF is blunt about it: "a VPN does not provide anonymity online and neither can encrypted DNS or HTTPS."¹⁵ Only Tor delivers real anonymity. A VPN is a trust shift: useful on hostile Wi-Fi, for getting around a block, for taking visibility away from your ISP. It is not an invisibility button.
And "privacy tool" is not a badge of good behavior. In February 2024 the FTC settled with Avast for $16.5 million and barred it from selling browsing data: the company promised to block third-party tracking while selling re-identifiable user histories, through its Jumpshot subsidiary, to more than a hundred third parties.¹⁶ The antivirus was the tracker.
And the tunnel itself isn't bulletproof. In May 2024 Leviathan Security published TunnelVision (CVE-2024-3661): a rogue DHCP server on your local network uses Option 121 (unauthenticated static routes) to divert traffic outside the tunnel, leaking it over the physical interface.¹⁷ The EFF's summary lands the point: VPNs were never designed to mitigate attacks on the local physical network.¹⁵
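As an added defender-side example (not Leviathan's code and not any VPN client's), here is the check a lease-auditing script could run against what the local DHCP server hands out: decode the RFC 3442 classless static routes in option 121 and flag any route that is neither inside the LAN, nor the VPN endpoint itself, nor the plain default route, because those are the only ones more specific than the tunnel's own routes and therefore able to pull traffic around it. The LAN prefix, the VPN server address and the sample lease bytes are all constructed.

```python
import ipaddress

def parse_option_121(data: bytes) -> list:
    """Decode RFC 3442 classless static routes: each entry is a prefix length,
    only the significant destination octets, then a 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8  # significant octets carried for this prefix
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), router))
        i += 5 + n
    return routes

def routes_bypassing_vpn(routes: list, vpn_server: str, lan: str) -> list:
    """Routes a VPN client should not accept from the local DHCP server.
    Allowed: anything inside the LAN, a /32 to the VPN endpoint (needed so the
    tunnel itself can reach the internet) and the plain default route, which
    the client's own tunnel routes already override. Everything else is more
    specific than the tunnel and would steer that traffic around it."""
    lan_net = ipaddress.IPv4Network(lan)
    vpn_ip = ipaddress.IPv4Address(vpn_server)
    flagged = []
    for net, gw in routes:
        if net.prefixlen == 0 or net.subnet_of(lan_net):
            continue
        if net.prefixlen == 32 and net.network_address == vpn_ip:
            continue
        flagged.append((net, gw))
    return flagged

# Constructed lease: LAN route, default route, VPN endpoint /32, plus one extra
# route that sends a public prefix to a second on-LAN gateway.
SAMPLE_LEASE_OPTION_121 = bytes([
    24, 192, 168, 1, 192, 168, 1, 1,          # 192.168.1.0/24 via 192.168.1.1
    0, 192, 168, 1, 1,                        # 0.0.0.0/0 via 192.168.1.1
    32, 198, 51, 100, 7, 192, 168, 1, 1,      # 198.51.100.7/32 via 192.168.1.1
    24, 203, 0, 113, 192, 168, 1, 250,        # 203.0.113.0/24 via 192.168.1.250
])
```

A client that refuses the flagged route (or drops the lease and keeps the tunnel's routing table) is doing the thing the EFF notes VPNs were never designed to do on their own.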
If you're going to pay for a VPN, the question that matters isn't "which one has the most servers," it's "can it prove it keeps nothing?" Two references set the bar:
- Proton VPN passed its fourth annual no-logs audit, run by Securitum between August 18 and September 19, 2025, with an on-site inspection of production servers in Zurich. The finding: no user activity logged, no connection metadata stored.¹⁸ (Proton has since announced a fifth audit; the exact dates of that one aren't yet confirmed in a public report.)
- Mullvad offered the most concrete proof there is: on April 18, 2023, Sweden's national police showed up with a search warrant seeking customer data. In its official post, Mullvad states that "such customer data did not exist" and that police "left without taking any information."¹⁹ You can't hand over what you never kept.
There's an elegant middle ground: Apple's iCloud Private Relay routes Safari through two separate relays, so no single party (not even Apple) sees both who you are and which site you're visiting at once.²⁰ It covers Safari only, not the whole device, but it's a clean example of two-hop design for people already living in the ecosystem.
What the community is saying
In the privacy forums (r/privacy, r/VPN) the mood is mature skepticism, not denial. Two mantras have repeated for years: a VPN doesn't make you anonymous, and most people don't need one — a position Privacy Guides itself holds.²¹ There's genuine respect for encrypted DNS and for provably no-logs VPNs, and a strong allergy to marketing. The community's biggest irritant isn't the protocols, it's the paid-review industry: affiliate-inflated rankings are why Reddit gets treated as one of the few "transparent" places to research a VPN. Part of the crowd calls the sector's marketing "digital snake oil" — empty phrases like "military-grade encryption." The gripe has a paper trail: a Consumer Reports study (Dec 2021) found that of 16 services tested, 12 made exaggerated claims about how much they protect, and named Mullvad, IVPN, and Mozilla VPN as the best of the lot.²² (The sentiment is a community reading; the numbers are documented fact.)
Both sides come through cleanly. On one, the "turn on the basics and relax" camp: HTTPS already covers the content, Private DNS closes the query, and that handles almost everyone's use case with no subscription. On the other, the "DNS alone is theater" camp: encrypting the query hides neither the destination IP nor your activity from legal log retention; anyone serious about hiding the destination goes to a real no-logs VPN or to Tor. One recurring take sums it up: "a VPN isn't an anonymity button, it's swapping who watches you — log into your real account and fingerprinting and cookies give you up anyway" (r/privacy sentiment). And on trust, the line that orbits the Mullvad case: "the proof that matters isn't the slogan, it's the day the police knock and there's nothing to take."
The verdict
The bare minimum of privacy in 2026 fits in three sentences. Turn on encrypted DNS on your phone and in your browser: it's free, it's two taps, and it plugs a real leak to your provider. Understand that this hides what you looked up, not where you went: the destination IP, and in places like Brazil the year of connection logs, are still standing. And only pay for a VPN once you can answer "what am I hiding from?" When you pay, pick one that has proven, in an audit or in court, that it has nothing to hand over. Real anonymity isn't on this list; that's Tor, and the people who need it already know.
Privacy isn't a product you buy. It's a row of doors, and the trick is knowing which one each of them locks.
Sources
- RFC 7858 — Specification for DNS over Transport Layer Security (TLS) · IETF Datatracker · https://datatracker.ietf.org/doc/html/rfc7858 · May 2016
- RFC 8484 — DNS Queries over HTTPS (DoH) · IETF Datatracker · https://datatracker.ietf.org/doc/html/rfc8484 · Oct 2018
- DNS over HTTPS · Wikipedia · https://en.wikipedia.org/wiki/DNS_over_HTTPS · accessed 2026-06-18
- DNS over TLS support in Android P Developer Preview · Android Developers Blog (Google) · https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html · Apr 2018
- DNS-over-TLS · Google Public DNS / Google for Developers · https://developers.google.com/speed/public-dns/docs/dns-over-tls · accessed 2026-06-18
- Set up 1.1.1.1 on Android · Cloudflare Docs · https://developers.cloudflare.com/1.1.1.1/setup/android/ · accessed 2026-06-18
- Your ISP can still see every site you visit unless you enable this browser setting · MakeUseOf · https://www.makeuseof.com/your-isp-can-still-see-every-site-you-visit-unless-you-enable-this-browser-setting/ · accessed 2026-06-18
- DNS Overview · Privacy Guides · https://www.privacyguides.org/en/advanced/dns-overview/ · accessed 2026-06-18
- Encrypted DNS ⟹ Privacy? A Traffic Analysis Perspective · Siby, Juarez, Diaz, Vallina-Rodriguez, Troncoso · arXiv:1906.09682 · https://arxiv.org/abs/1906.09682 · 2019
- How Private is Android's Private DNS Setting? Identifying Apps by Encrypted DNS Traffic · Mühlhauser, Pridöhl, Herrmann · ARES 2021 · arXiv:2106.14058 · DOI 10.48550/arXiv.2106.14058 · https://arxiv.org/abs/2106.14058 · 2021
- RFC 9849 — TLS Encrypted Client Hello · IETF Datatracker · https://datatracker.ietf.org/doc/draft-ietf-tls-esni/ · Mar 2026 (Standards Track)
- Encrypted Client Hello (ECH) in Censorship Circumvention · PETS/FOCI 2025 (Niere et al.) · https://petsymposium.org/foci/2025/foci-2025-0016.pdf · 2025
- Law 12.965/2014 (Marco Civil da Internet), art. 13 · Planalto · http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm · 2014
- New Decrees Update Rules and Responsibilities Under the Marco Civil · Souto Correa Advogados · https://www.soutocorrea.com.br/client-alerts/novos-decretos-atualizam-regras-e-responsabilidades-no-marco-civil-da-internet/ · accessed 2026-06-18
- A Wider View on TunnelVision and VPN Advice · Electronic Frontier Foundation (EFF) · https://www.eff.org/deeplinks/2024/05/wider-view-tunnelvision-and-vpn-advice · May 2024
- FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million · FTC · https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over · 2024-02-22
- CVE-2024-3661: TunnelVision · Leviathan Security Group · https://www.leviathansecurity.com/blog/tunnelvision · 2024-05-06
- Proton VPN Publishes Results of Latest Independent No-Logs Audit · CyberInsider · https://cyberinsider.com/proton-vpn-publishes-results-of-latest-independent-no-logs-audit/ · 2025 (dates Aug 18 – Sep 19, 2025, Zurich)
- Mullvad VPN was subject to a search warrant. Customer data not compromised. · Mullvad Blog (official) · https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised · 2023-04-20
- About iCloud Private Relay · Apple Support · https://support.apple.com/en-us/102602 · accessed 2026-06-18
- How Do VPNs Protect Your Privacy? · Privacy Guides · https://www.privacyguides.org/en/basics/vpn-overview/ · accessed 2026-06-18
- VPN Testing Reveals Poor Privacy and Security Practices, Hyperbolic Claims · Consumer Reports · https://www.consumerreports.org/vpn-services/vpn-testing-poor-privacy-security-hyperbolic-claims-a1103787639/ · Dec 2021
Community (opinion, not a source): r/VPN and r/privacy roundups via Cybernews and TechRadar; documented Privacy Guides consensus; "snake oil" critique via Tom's Guide.
Newsroom · Acta Verum