Before your browser can load a single web page, it has to ask a question: “What’s the IP address for this domain?” That question is a DNS lookup, and by default it’s sent in plain text — readable by your ISP, the network you’re on, and anyone else along the way. DNS-over-HTTPS fixes that. Here’s what it protects you from, and how.
First, what DNS actually does
The Domain Name System (DNS) is the internet’s phone book. Humans remember names like veilock.com; computers route traffic using numeric IP addresses like 203.0.113.7. DNS is the translation layer in between.
Every time you visit a site, tap a link, or an app phones home, your device fires off a DNS query to a resolver — usually the one run by your ISP — asking it to look up the matching IP. The resolver answers, and only then does the actual connection begin. It happens hundreds of times a day, invisibly.
Why plain DNS is a privacy problem
Here’s the catch: traditional DNS is unencrypted. Those lookups travel in the clear, which creates two serious problems.
-
Everyone can see where you’re going. Even if the websites you visit use HTTPS (so the content is encrypted), the DNS lookup itself reveals the domain. Your ISP can log that you looked up a health clinic, a dating site, a political forum or a competitor’s website — and many ISPs monetize exactly this data. On public Wi-Fi, the network operator sees it too.
-
Lookups can be tampered with. Because plain DNS isn’t authenticated, an attacker on the network can spoof or hijack responses — sending you to a fake login page instead of the real one. This is a classic tactic on untrusted networks.
Think of plain DNS like mailing every letter on a postcard. Even if the message inside your envelopes is sealed, the postcard’s address panel tells every postal worker exactly who you’re writing to.
What DNS-over-HTTPS changes
DNS-over-HTTPS (DoH), standardized by the IETF in RFC 8484, seals those postcards inside envelopes. Instead of sending your queries as open text, DoH wraps them inside ordinary HTTPS — the same encrypted protocol that secures your online banking — and sends them over port 443.
This delivers two big wins:
- Privacy. Your ISP and local network can no longer read which domains you’re resolving. To them, your DNS traffic looks identical to any other HTTPS connection.
- Integrity and stealth. Because the queries are encrypted and authenticated, they’re extremely hard to tamper with. And because they blend in with normal web traffic on port 443, they’re much harder for a network to single out and block than older encrypted-DNS methods.
DoH vs DoT: a quick clarification
You may also see DNS-over-TLS (DoT), defined in RFC 7858. Both encrypt your DNS. The difference is where the traffic goes:
- DoT uses a dedicated port (853). This makes it easy for a network operator to recognize and block encrypted DNS wholesale.
- DoH rides on port 443 alongside all your other HTTPS traffic, so it’s much harder to isolate or censor.
For privacy and censorship resistance, DoH usually wins — which is why it’s Veilock’s default.
Why DoH alone isn’t enough
DoH is powerful, but it only protects DNS. It doesn’t encrypt the rest of your traffic, and it doesn’t hide your IP address — the network can still see the IPs you ultimately connect to, and websites still see where you’re coming from. If you want to understand what your IP gives away, see our IP address explainer.
That’s why the strongest privacy comes from combining a VPN with DoH: the VPN encrypts all your traffic and masks your IP, while DoH ensures the DNS lookups inside that tunnel are also protected and never leak out to your ISP.
The DNS leak trap
Here’s a subtle risk even VPN users hit: the DNS leak. If your VPN encrypts your traffic but your device still sends DNS lookups to your ISP’s default resolver outside the tunnel, your browsing history leaks anyway — the VPN’s protection is quietly undermined. Many free and poorly configured VPNs have exactly this flaw.
How Veilock handles DNS
Veilock closes the leak by design. Every DNS lookup is:
- Resolved over HTTPS (DoH), so queries are always encrypted end to end.
- Forced through Veilock’s own resolvers inside the VPN tunnel — never your ISP’s — so there’s nothing to leak.
- Filtered by Vortex, Veilock’s DNS filtering system, which can block known malware, phishing and tracker domains at the lookup stage before your device ever connects to them. That’s the same mechanism behind malware blocking.
And because Veilock runs a strict no-logs policy, those encrypted lookups aren’t stored or sold either. The query is resolved and forgotten.
The bottom line
Plain DNS is one of the quietest privacy leaks on the internet: even with HTTPS everywhere, your unencrypted lookups hand your ISP a running list of every site you visit. DNS-over-HTTPS seals those queries inside encrypted HTTPS, so observers can’t read or hijack them. On its own it’s a big upgrade; combined with a VPN that forces all lookups through its own DoH resolvers — as Veilock does with Vortex — it closes the DNS leak for good. Encrypt the tunnel, encrypt the lookups, and there’s nothing left in plain text for your ISP to harvest.
Plain DNS vs DNS-over-HTTPS
| Property | Plain DNS (default) | DNS-over-HTTPS |
|---|---|---|
| Lookups encrypted | No — plain text | Yes — inside HTTPS |
| ISP can read domains | Yes | No |
| Can be tampered with | Yes (spoofing/hijacking) | Very difficult |
| Easy to block/filter | Yes | Hard (blends with HTTPS) |
| Port used | 53 (open) | 443 (HTTPS) |