What technical measures (DNS over HTTPS, DNS over TLS, encrypted SNI) reduce ISP access to DNS query logs and how widely were they adopted by 2025?

Checked on January 25, 2026

Executive summary

Encrypted transports for DNS, principally DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), substantially reduce an ISP's ability to record plaintext DNS query logs because they move the query into a TLS/HTTPS channel between the client and the resolver it chose; research and industry reporting through 2025 show strong server-side support but slower endpoint (last-mile) uptake, leaving ISPs with mixed visibility [1] [2] [3]. Encrypted SNI, carried forward as the IETF TLS working group's Encrypted Client Hello (ECH) draft, hides which hostname a client requests inside the TLS handshake and is the natural complement to encrypted DNS, but the reporting gathered here gives no quantified 2025 adoption figures for ESNI/ECH, so no concrete deployment level can be asserted.

1. How each technical measure limits ISP access to DNS logs

DoH and DoT replace plaintext UDP/TCP DNS queries with TLS sessions, so the query name and response payload are no longer visible to passive observers on the last mile; an ISP can then recover readable query logs only by terminating the TLS session itself (active interception) or by being the operator of the resolver the client chose [3] [1]. The two transports are not equally discreet: DoT uses a dedicated port (TCP/853), so an observer can still tell that a client is using encrypted DNS and to which resolver, whereas DoH runs on the same TCP/443 as ordinary web traffic, so port-based filtering or logging cannot separate it from browsing [4]. DNS over QUIC (DoQ) goes further, because QUIC encrypts most of its handshake as well as its payload; researchers note this can make flow-level detection “unfeasible” for some observers [4], although RFC 9250 assigns DoQ its own port (UDP/853), so the port alone still signals encrypted DNS. Encrypted SNI, now pursued as the IETF's Encrypted Client Hello (ECH) draft, hides the server name that an otherwise visible TLS ClientHello would expose and so removes another source of passive telemetry; it also depends on encrypted DNS in practice, because the client fetches the server's ECH configuration from DNS (the HTTPS resource record) and that lookup would itself be readable over plaintext DNS. The sources here give no measured global adoption rate for ESNI/ECH by 2025, so its real-world effect on ISP logging cannot be quantified from this reporting (no direct source).
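The difference between what a passive observer reads from a plaintext query and what the same query looks like once it is wrapped for DoT or DoH is easiest to see on the wire. The following is an added example written for this page, not code from any of the cited sources or resolver projects: it builds one query in DNS wire format, parses it the way an ISP logging UDP/53 would, then frames it as DoT (RFC 7858, which reuses DNS-over-TCP's two-byte length prefix) and encodes it as a DoH GET request (RFC 8484). The resolver name doh.example and its URL template are assumptions.

```python
import base64
import struct

# Added example, not from the page: build one query ("example.com. IN A")
# in DNS wire format, show what a passive observer reads from a plaintext
# UDP/53 datagram, then wrap the same message the way DoT (RFC 7858) and
# DoH (RFC 8484) carry it. The resolver name doh.example is hypothetical.

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted hostname -> length-prefixed labels, root label terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Standard recursive query. RFC 8484 recommends ID 0 for DoH so that
    repeated queries for the same name are byte-identical and cacheable."""
    flags = 0x0100  # RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, off: int):
    """Decode labels at off -> (name, offset after the name). Follows
    compression pointers so it also works on response records."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def passive_observer_parse(udp_payload: bytes) -> dict:
    """Everything an ISP logging plaintext UDP/53 reads off the wire."""
    txid = struct.unpack("!H", udp_payload[:2])[0]
    qname, off = decode_name(udp_payload, 12)
    qtype, qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def dot_frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: 2-byte length prefix, then the
    message; the whole frame becomes TLS application data."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(template: str, msg: bytes) -> str:
    """DoH GET form: base64url without padding in the dns= parameter. The
    path and query string travel inside TLS; the observer sees only the
    resolver's IP, the (unencrypted) SNI and the size/timing of the exchange."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={param}"


def doh_decode_param(param: str) -> bytes:
    """Resolver side: restore padding and decode the dns= parameter."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("example.com")
    print("Do53 observer sees:", passive_observer_parse(q))
    print("DoT TLS payload   :", dot_frame(q).hex())
    print("DoH request       :", doh_get_url("https://doh.example/dns-query", q))
```

The contrast is the point: the Do53 parser recovers the name directly from the datagram, while for DoT and DoH the same bytes sit inside a TLS record, and the only things left on the wire are the resolver's address, the port (853 for DoT, 443 for DoH) and the size and timing of the exchange.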

2. What the evidence says about how widely these were adopted by 2025

Server-side support for DoH and DoT matured substantially by 2025: major public resolvers and many DNS server products support these standards, and industry reporting describes a “decent pace” of server-side adoption [2]. Large-scale measurement efforts and academic work document growing encrypted DNS traffic over the prior half-decade, showing detectable DoH/DoT flows and the emergence of DoQ as an IETF focus [4] [1]. Policy and operational forums (RSA Conference and NIST drafts) were explicitly recommending encrypted DNS transports to protect client queries, signalling institutional momentum by 2025 [5]. Nevertheless, multiple studies cited in the dataset emphasise that endpoint adoption lagged: users often lack awareness or configuration knowledge, and many endpoints still send plaintext queries to the resolver the network handed them, so the fraction of client queries actually protected by encryption remained incomplete [1] [2]. Market analyses and forecasts reinforce an accelerating commercial transition (DNS security and network-encryption markets were growing rapidly into the mid-2020s), but these business trends are not direct measurements of consumer-level encryption coverage [6] [7] [8].

3. Geographic and ecosystem gaps that mattered to ISP visibility

Measurements and surveys point to uneven regional progress: some regions and providers pushed encrypted DNS harder than others, and details such as IPv6 reachability and Discovery of Designated Resolvers (DDR, the mechanism by which a client learns whether the resolver it was assigned also offers DoT or DoH) determined which clients could actually reach an encrypted resolver [9] [1]. DNSSEC adoption, a different protection (integrity rather than confidentiality), remained uneven, with EU validation rates around the mid-40s percent in 2025, illustrating that DNS ecosystem upgrades are gradual and patchy; the same unevenness applied to encrypted transports at the endpoint level [10]. In practice, an ISP in a market where endpoints still use the operator-provided, unencrypted resolver retains substantial DNS-log visibility even as public resolvers and enterprise environments move to DoH/DoT [2] [5].

4. Practical limits and the remaining visibility for ISPs

Even when DoH/DoT conceal query contents, ISPs can still log metadata: the resolver's IP address (and, for DoT and DoQ, the tell-tale port 853), the timing and volume of the encrypted flows, the server name in the TLS ClientHello whenever ECH is not in use, and TLS fingerprints that identify the client software; encryption therefore reduces but does not eliminate network-level telemetry unless the client also uses a resolver the ISP does not operate and hides the SNI with ECH [4]. Research warns that encrypted DNS may also complicate enterprise security and filtering, prompting debates over decryption/inspection proxies or managed resolver policies that, if implemented, reintroduce visibility under administrative control [4] [5]. Markets and standards communities were converging on encrypted DNS as best practice by 2025, but endpoint penetration lagged server capacity and policy endorsement, producing a transitional reality in which ISP access to DNS logs was substantially reduced in some contexts but remained intact in many others [1] [2] [5].
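What "metadata remains" looks like in practice is easiest to see by running a passive classifier over flow records. The block below is an added example written for this page, not code from the cited studies: it classifies constructed NetFlow-style records by transport using only header-level features (protocol, destination port, destination address, and the cleartext SNI where one is visible) and summarises per client what the observer still learns. The addresses come from the RFC 5737 documentation ranges, and the resolver allow-lists (doh.example, 203.0.113.53, the ISP resolver 198.51.100.1) are assumptions; a real deployment would use a curated list of known public DoH endpoints.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example, not from the page. A passive-observer classifier run over
# constructed flow records, showing what an ISP can still learn about DNS
# once queries are encrypted: the transport in use, the resolver address,
# timing and volume, but not the names being looked up.

# Hypothetical addresses from the RFC 5737 documentation ranges.
ISP_RESOLVER = "198.51.100.1"                    # operator-run resolver, offers Do53 and DoH
KNOWN_DOH_HOSTS = {"doh.example"}                # assumed allow-list of public DoH hostnames
KNOWN_DOH_IPS = {"203.0.113.53", ISP_RESOLVER}   # assumed IPs of known DoH endpoints


@dataclass(frozen=True)
class Flow:
    ts: float             # seconds since capture start
    src: str              # client IP
    dst: str              # server IP
    proto: str            # "udp" or "tcp"
    dport: int
    nbytes: int
    sni: Optional[str]    # server_name from a cleartext ClientHello; None if absent or hidden by ECH
    qname: Optional[str]  # readable only on plaintext Do53


def classify(f: Flow) -> str:
    """Transport classification from header-level features only."""
    if f.proto == "udp" and f.dport == 53:
        return "do53"
    if f.proto == "tcp" and f.dport == 853:
        return "dot"    # RFC 7858: dedicated port, so trivially identifiable
    if f.proto == "udp" and f.dport == 853:
        return "doq"    # RFC 9250: dedicated port, QUIC-encrypted payload and handshake
    if f.proto == "tcp" and f.dport == 443:
        if f.sni in KNOWN_DOH_HOSTS or f.dst in KNOWN_DOH_IPS:
            return "doh"    # RFC 8484: only separable from web traffic by its endpoint
        return "https"      # indistinguishable from ordinary browsing
    return "other"


def isp_view(flows):
    """Per client, what a passive on-path observer learns about DNS use."""
    view = defaultdict(lambda: {"transports": Counter(), "resolvers": set(),
                                "names_seen": [], "bytes_dns": 0,
                                "server_side_logged": False})
    for f in flows:
        kind = classify(f)
        if kind not in ("do53", "dot", "doq", "doh"):
            continue   # an ECH-protected or unknown HTTPS flow is just "web traffic"
        v = view[f.src]
        v["transports"][kind] += 1
        v["resolvers"].add(f.dst)
        v["bytes_dns"] += f.nbytes
        if kind == "do53" and f.qname:
            v["names_seen"].append(f.qname)   # the plaintext log that encryption removes
        if f.dst == ISP_RESOLVER:
            v["server_side_logged"] = True     # transport encryption does not help here
    return dict(view)


SAMPLE_FLOWS = [   # constructed for the example
    Flow(0.0, "10.0.0.2", ISP_RESOLVER, "udp", 53, 72, None, "example.com."),
    Flow(0.1, "10.0.0.2", ISP_RESOLVER, "udp", 53, 70, None, "example.net."),
    Flow(1.0, "10.0.0.3", "203.0.113.53", "tcp", 853, 640, "dot.example", None),
    Flow(2.0, "10.0.0.4", "203.0.113.53", "tcp", 443, 1200, "doh.example", None),
    Flow(2.5, "10.0.0.4", "203.0.113.7", "tcp", 443, 5300, None, None),   # ECH: no SNI to read
    Flow(3.0, "10.0.0.5", ISP_RESOLVER, "tcp", 443, 1100, None, None),    # DoH to the ISP's own resolver
    Flow(4.0, "10.0.0.6", "203.0.113.53", "udp", 853, 500, None, None),
]

if __name__ == "__main__":
    for client, v in sorted(isp_view(SAMPLE_FLOWS).items()):
        print(client, dict(v["transports"]), sorted(v["resolvers"]),
              v["names_seen"], v["bytes_dns"], v["server_side_logged"])
```

Three outcomes in the sample are worth noting. The Do53 client leaks every name; the DoT and DoQ clients leak nothing but the fact of encrypted DNS and the resolver address, because port 853 gives them away; the DoH client's flow to a known endpoint is attributed by SNI or address, while its ECH-protected flow to an unlisted address is indistinguishable from browsing. The client that uses DoH against the ISP's own resolver gains nothing at all, since the operator logs the queries server-side regardless of transport.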
