A Little More Privacy Centric DNS Setup for Home Users
Source: thelazysre.com (Tech story)
Key topics: DNS, Privacy, Home Networking
The article proposes a 3-layer DNS setup for home users to enhance privacy, and the discussion revolves around its effectiveness and potential improvements.
Snapshot generated from the HN discussion (story ID 45394598; last synced 11/17/2025, 12:03:04 PM).
Story posted Sep 27, 2025 at 6:26 AM EDT; first comment 27m after posting (Sep 27, 2025 at 6:53 AM EDT); peak activity 6 comments on Day 1; latest activity Oct 8, 2025 at 11:34 AM EDT.
In other words, encrypting DNS is an exercise in futility if the resulting IP is fully exposed.
Anyone who cares is fully capable of doing a reverse lookup if they must know the name of the domain you're connecting to.
The easy, all encompassing approach for the casual user --- just use a VPN as needed.
A decent VPN will encrypt DNS requests and route them through their servers --- thus obscuring all your "sensitive" network traffic.
https://whoismydns.com/
But I’d push back on the “futility” part. For me (and probably a lot of home users), encrypted DNS solves a different problem:
ISP Snooping & Profiling: Without DNS encryption, my ISP gets a complete log of every hostname I query. That’s valuable metadata even if the actual traffic is HTTPS. Encrypted DNS cuts them out of the loop.
Censorship & Filtering: Many ISPs or countries block sites by poisoning or hijacking DNS. DoT/DoH3 bypasses that without needing to route all traffic through a third party.
Performance & Control: Local caching with AdGuard means faster load times, plus I can filter ads, trackers, and telemetry at the DNS layer, something a VPN alone won’t do.
Reduced Trust Surface: With a VPN, I’m moving all trust to the VPN provider (and hoping they’re honest about logs). With encrypted DNS, I can split that trust between my own AdGuard instance and NextDNS, instead of funneling everything through a single exit point.
So in my view:
VPN = anonymity & hiding your IP
Encrypted DNS = privacy from intermediaries & control over resolution
They solve related but different problems. For “serious” privacy, I agree a VPN or Tor is needed. But for everyday use, encrypted DNS is a huge step up from plain-text queries and actually improves performance.
With DNS encryption, your ISP still gets a complete log of every IP you visit. And from your IP log, they can easily get the host names if they want them.
In fact, I'd be surprised if they even bother logging DNS at all. It's much easier, more efficient and just as effective to log IPs.
Used by itself, encrypting DNS doesn't really hide anything and is thus an exercise in futility. Used with a more comprehensive solution like a VPN, it is even more so.
And each IP may have multiple hostnames associated with it, requiring more work to determine which one was accessed by the internet subscriber.
The VPN also has an IP log for jqpabc.
If someone wants to explore jqpabc's "sensitive traffic", it's even easier than asking his ISP. Because jqpabc uses a third party VPN, we just subpoena the VPN and they start logging, unbeknownst to jqpabc.
Because the VPN uses a third party DNS cache that sends EDNS client subnet and does not encrypt DNS traffic to authoritative DNS servers, we can also get logs from those servers as well as jqpabc's general location.
And of course jqpabc sends plaintext SNI, so we have another source of hostnames that he has visited, in addition to plaintext DNS.
They can just look at the TLS SNI field and the hostname is there in plaintext.
It’s _more_ trouble to do the reverse lookup.
It’s _more_ trouble to even bother with hostnames at all.
Just log IPs. By doing so, you're capturing the same essential data in a more compact form.
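The claim running through the last two comments, that the TLS SNI field hands an on-path observer the hostname whether or not DNS is encrypted, can be checked directly. The following is an added example, not code from the thread or from the article it discusses: it builds a constructed TLS ClientHello carrying a server_name extension and then parses it the way a firewall, IDS or any passive observer would, showing that the hostname is recoverable from the handshake alone. The function names, the placeholder client random and the sample record are my own constructions; the byte layout follows the TLS ClientHello and server_name extension formats.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension id
SNI_HOST_NAME_TYPE = 0x00     # NameType host_name
SUPPORTED_VERSIONS_TYPE = 0x002B


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Constructed sample ClientHello record (not captured traffic).

    Only the fields needed to illustrate the SNI extension are populated;
    the client random is a fixed placeholder, not a real random value."""
    random_bytes = b"\x11" * 32
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"   # two arbitrary suite ids
    compression = b"\x00"

    # An unrelated extension first, so the parser has to skip over it.
    sv_body = b"\x02\x03\x04"             # supported_versions: one entry, TLS 1.3
    extensions = struct.pack("!HH", SUPPORTED_VERSIONS_TYPE, len(sv_body)) + sv_body

    if with_sni:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list

    body = (
        b"\x03\x03" + random_bytes                              # client_version, random
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + struct.pack("!B", len(compression)) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if it is absent,
    truncated or not a ClientHello. This is exactly what a passive observer sees."""
    try:
        if record[0] != 0x16:                                   # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                       # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

        pos = 2 + 32                                            # skip version + random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len

        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == SNI_HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("hostname visible to an on-path observer:", extract_sni(hello))
    print("without SNI extension:", extract_sni(build_client_hello("example.com", with_sni=False)))
```

The parser returns None when the extension is missing or the record is cut short, which is the result an audit should expect for clients using Encrypted Client Hello (ECH): with ECH the outer ClientHello carries only a public cover name and the real hostname is no longer recoverable this way. Until ECH is widely deployed, encrypting DNS removes the hostname from the resolver path but not from anyone watching the TLS handshake, which is the gap the thread is pointing at.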