David Bombal has demonstrated that encrypted DNS protocols fail to hide users' browsing history from internet service providers due to unencrypted data fields that leak destination domains.
"In the UK, telecoms operators, in other words, ISPs, are now required by law to keep a log of all our online activity for 12 months," Bombal said. This legal mandate requires providers to retain comprehensive records, including websites visited, connection times, location data, and device information.
Bombal argued that even with encrypted DNS protocols like DNS over HTTPS enabled, the Server Name Indication (SNI) field in the TLS handshake reveals the destination domain in plain text. "Just because your DNS is now encrypted doesn't mean that your ISP can't see which website you're going to," he said. The SNI field is readable because it travels in the ClientHello, the first message of the handshake, which is sent before any encryption keys have been negotiated; it is there because a single physical server may host multiple domains, so the client has to indicate which one the connection is intended for before the server can present the right certificate.
Bombal explained that internet service providers can monitor user activity through both the visible destination IP address and the unencrypted SNI field. This exposure occurs even with the latest encryption standards, including TLS 1.3: although TLS 1.3 encrypts most of the handshake, the ClientHello, and with it the SNI, still goes over the wire in the clear.
While encrypted DNS protocols like DNS over TLS, DNS over HTTPS, and DNS over QUIC make traditional snooping and spoofing attacks on DNS more difficult, they create significant challenges for enterprise IT departments that rely on DNS visibility for troubleshooting and security monitoring.
Encrypted Client Hello (ECH) exists to encrypt the SNI field, but Bombal said it lacks universal implementation and often breaks corporate filtering systems. Without ECH, even major websites, including technology companies and news platforms, continue to expose the destination domain through the SNI field in ordinary browsing sessions.
Bombal encouraged users to verify these privacy limitations themselves using network analysis tools. "Encrypted DNS doesn't give you total privacy because the SNI will show which domains you're going to," he contended.
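The following added example (not code from Bombal's demonstration) shows concretely what an on-path observer such as an ISP can read from the unencrypted ClientHello described above. It builds a minimal, constructed ClientHello record in the TLS wire format, then parses it the way a passive network monitor would: it walks the extensions, pulls the host name out of the server_name extension (type 0x0000), and notes whether an encrypted_client_hello extension (codepoint 0xfe0d) is present. The domain names, the random bytes and the ECH payload are constructed placeholders; with ECH, the SNI that appears on the wire is only the provider's public name, which is why that case reports the real domain as hidden.

```python
import struct

TLS_HANDSHAKE = 0x16      # record-layer content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name extension (SNI), RFC 6066
EXT_ECH = 0xFE0D          # encrypted_client_hello extension codepoint


def build_client_hello(server_name, with_ech=False):
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    This is a constructed sample for parsing, not a handshake a real client
    would send: random bytes and the ECH payload are placeholders.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry            # server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if with_ech:
        ech_payload = b"\x00" * 16                                      # placeholder opaque ECH body
        extensions += struct.pack("!HH", EXT_ECH, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                                # legacy_version (TLS 1.2 for compatibility)
        + b"\x11" * 32                             # random (constructed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str or None, 'ech': bool} for a ClientHello record, else None.

    Nothing here needs a key: every byte read is sent in the clear, which is
    exactly what a passive observer between the client and the server sees.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods

    result = {"sni": None, "ech": False}
    if pos + 2 > len(body):
        return result                              # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            lpos = 2                               # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:                     # name_type host_name
                    result["sni"] = data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
        elif etype == EXT_ECH:
            result["ech"] = True
    return result


def observer_view(record):
    """One-line summary of what an on-path observer learns from the record."""
    info = parse_client_hello(record)
    if info is None:
        return "not a ClientHello"
    if info["ech"]:
        return f"outer SNI {info['sni']!r} only; real domain encrypted by ECH"
    return f"destination domain visible in SNI: {info['sni']!r}"


if __name__ == "__main__":
    # Encrypted DNS changes nothing below: the domain still rides in the ClientHello.
    print(observer_view(build_client_hello("news-site.example")))
    print(observer_view(build_client_hello("public-name.example", with_ech=True)))
```

Running the block prints the plain-SNI case with the full domain and the ECH case with only the placeholder public name. The same walk over the extensions is what a Wireshark filter such as `tls.handshake.extensions_server_name` performs on captured traffic, which is the check Bombal suggests users run for themselves.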
For comprehensive privacy protection, Bombal recommended virtual private networks as the only definitive solution that encrypts all internet traffic including both DNS queries and SNI data.