Technology · 2026-04-13 · 6 min read

What Is DNS and Why Does It Matter for Your Privacy?

Every website you visit starts with a DNS lookup. Learn how the Domain Name System works, why it exposes your browsing habits, and how Nexun protects your DNS queries.

How DNS Works

The Domain Name System (DNS) is the internet's phone book. When you type a web address like nexun.io into your browser, your device sends a query to a DNS server asking: 'What is the IP address for this domain?' The DNS server responds with the numeric address, and your browser connects to it. This process happens in milliseconds every time you visit a website.

The Privacy Problem with Default DNS

By default, your DNS queries are sent unencrypted to your Internet Service Provider's DNS servers. This means your ISP can see every domain you look up -- building a detailed log of your browsing habits. Major ISPs in the UK, US, and the Netherlands have been known to sell or share this data with advertisers and government agencies. Providers like Comcast, BT, and KPN all handle DNS data that could reveal your online activity.

Encrypted DNS: DoH and DoT

Two technologies help protect DNS traffic. DNS over HTTPS (DoH) sends your queries inside encrypted HTTPS traffic, making them indistinguishable from normal web browsing. DNS over TLS (DoT) wraps DNS in a dedicated encrypted channel. Both prevent your ISP and anyone on the network from reading your queries -- but they still send your traffic to a third-party DNS provider like Cloudflare or Google, which then sees your queries instead.

How a VPN Handles DNS

When you connect to Nexun, all your DNS queries are routed through our own encrypted DNS resolver. Your ISP only sees that you are connected to a VPN -- not the individual domains you visit. Nexun does not log your DNS queries, and our no-logging policy has been independently verified. This is the most complete protection available for DNS privacy.

What Is a DNS Leak?

A DNS leak occurs when your device bypasses the VPN's DNS resolver and sends queries directly to your ISP's servers. This can happen due to system misconfigurations or certain browser features. Nexun's WireGuard-based client routes all DNS traffic inside the tunnel by default, preventing leaks. You can verify this at any time using a DNS leak test tool.

Quick Reference: DNS Privacy Risks

  • Default DNS: fully visible to your ISP and any network observer.
  • DoH/DoT without VPN: encrypted but visible to the DNS provider (Cloudflare, Google).
  • VPN with private DNS: queries encrypted and handled by the VPN provider only.
  • DNS leak: VPN tunnel active but DNS still reaching your ISP.

FAQ

Can my ISP see what websites I visit through DNS?

Yes. By default, DNS queries are sent unencrypted to your ISP's servers, giving them a full log of every domain you look up. Using a VPN like Nexun routes all DNS through an encrypted private resolver, hiding this information from your ISP.

What is the difference between DoH and using a VPN for DNS?

DoH encrypts your DNS traffic but still sends it to a third-party provider like Cloudflare or Google. A VPN routes your DNS through the VPN provider's own resolver, so neither your ISP nor a big tech company sees your queries.

How do I check if I have a DNS leak?

Visit a DNS leak test site such as dnsleaktest.com while connected to Nexun. If the results show only Nexun's servers and not your ISP's servers, your DNS is protected. If your ISP's servers appear, there may be a leak.
