Do DNS queries reveal visited websites even when using DuckDuckGo?
Executive summary
DNS is the internet’s address book and DNS queries can and do reveal which domain names a device resolves; using the DuckDuckGo search engine or browser does not magically hide those queries unless the configuration routes DNS through a privacy-preserving service (for example DuckDuckGo’s own DNS/VPN) or a properly configured VPN/DoH setup [1] [2]. Independent reports and code issues show two practical ways DNS-related information can still be exposed: client-side behavior (e.g., fetching favicons) that sends domain names to DuckDuckGo endpoints, and situations where DNS resolution falls back to an ISP or local resolver despite privacy tools, meaning visited sites can be inferred [3] [4].
1. DNS basics: why DNS queries can expose visited domains
Every time a browser or app needs to translate a human-readable site name into an IP address it issues a DNS query, and that query names the domain being visited, which means whoever answers the DNS request (ISP, corporate resolver, public DNS provider, or the app maker’s DNS) learns the domain name being resolved unless additional protections are in place [1] [5].
2. Using DuckDuckGo search or browser doesn’t automatically hide DNS traffic
Researchers and reporters have noted that simply searching with DuckDuckGo or using browsers’ private modes does not inherently prevent DNS leaks to the configured DNS server; PortSwigger’s coverage highlighted cases where search terms and related DNS activity were visible to ISP DNS logs even when DoH or private modes were used, and they specifically called out that using DuckDuckGo as a search engine didn’t fix that class of leak [4].
3. Practical examples: favicon requests and app behavior can leak domains to DuckDuckGo
Evidence from DuckDuckGo’s own Android codebase and a raised issue show the browser used an icons URL pattern (https://icons.duckduckgo.com/ip3/%s.ico) that caused the app to request favicons from DuckDuckGo’s servers for visited domains, thereby sending the domain names to DuckDuckGo’s infrastructure—an explicit example where client behavior transmits visited domains to DuckDuckGo [3].
4. DuckDuckGo’s DNS/VPN option and how that changes where queries go
When DuckDuckGo’s VPN (or its DNS service) is enabled, DNS queries are intentionally routed to DuckDuckGo’s DNS servers and optionally checked against their blocklist (“Scam Blocker”); DuckDuckGo documents that behavior and explains the setting can be disabled, which means DNS queries will still be handled but by whatever resolver the device is configured to use [2].
5. Other browsers and the reality of DNS leaks despite privacy features
Real-world bugs show that even privacy-branded browsers can leak domain names in edge cases: a Brave bug sent Tor .onion hostnames as standard DNS queries to locally configured DNS servers, demonstrating that complex browser code paths or disabled features can cause DNS leakage despite promises of anonymity—this illustrates the general class of failures that can expose visited sites via DNS [6].
6. Mitigations, trade-offs, and gaps in reporting
Practical mitigations include using a trustworthy DNS-over-HTTPS/ TLS provider, enabling a VPN with DNS leak protection, or routing DNS through DuckDuckGo’s documented DNS/VPN if the user trusts DuckDuckGo to receive those queries; proxy/VPN apps sometimes offer DNS leak protection settings to force DNS through the tunnel [5] [2]. The reporting in these sources documents specific leaks and behaviors but does not provide exhaustive tests across every DuckDuckGo product version and platform, so while the cited examples prove DNS can reveal visited domains even when using DuckDuckGo-related products, they do not quantify how often or in which exact configurations those leaks occur [3] [6] [4].