How does DNS-over-HTTPS (DoH) compare to VPNs in preventing DNS leaks?
Executive summary
DNS-over-HTTPS (DoH) encrypts only DNS lookups, preventing on‑network observers from seeing which names are being resolved, whereas a VPN creates an encrypted tunnel for all traffic and can route DNS through that tunnel so the ISP cannot see queries [1] [2]. In practical terms, a correctly configured, trusted VPN is the stronger, broader defense against DNS leaks, while DoH is a useful supplement when a VPN is unavailable or when particular resolvers are preferred — but DoH alone cannot replace a VPN for leak protection or IP hiding [3] [1].
1. What each tool actually protects: protocol vs tunnel
DoH converts DNS queries into HTTPS traffic, so those queries are encrypted between the client and the chosen DoH resolver, and passive eavesdroppers on the local network or at the ISP cannot read plaintext DNS requests [4] [2]. A VPN, by contrast, establishes an encrypted tunnel for all outgoing and incoming packets and typically handles DNS resolution on the VPN provider’s own servers, hiding both the queries and the user’s real IP from the ISP or local network [1] [5].
2. When a VPN prevents DNS leaks and when it doesn’t
When a VPN is properly configured to route DNS requests through its tunnel and provides DNS leak protection, DNS queries stay inside the encrypted channel and do not “leak” to the local ISP’s resolvers — this is the normal expectation and a core selling point of VPNs [5] [6]. However, misconfiguration, OS resolver behavior, or browser/OS features can cause DNS to bypass the tunnel and reveal the resolver in use, which is why testing for leaks (ipleak-style checks) and using a VPN that advertises DNS leak protection matters [7] [4].
3. How DoH can both help and hurt when used with a VPN
DoH can add privacy if the VPN’s DNS handling is weak or if a user wants a specific trusted resolver; it also provides protection when not connected to a VPN or on devices that can’t run a VPN [3] [1]. But if DoH is configured at the browser level while a VPN is active, the browser may send queries directly to the DoH resolver outside the VPN tunnel, producing the exact DNS leak users hoped to avoid — in other words, DoH can bypass the VPN and create leaks if not carefully coordinated [8] [7].
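The leak-testing question from section 2 and the bypass described in section 3 come down to one rule: for each resolver the system or browser talks to, which interface does the routing table send that traffic out of? The following added example (not part of the original page) models that check offline with two constructed routing tables, a full-tunnel VPN and a split-tunnel VPN, and three constructed resolver endpoints; the addresses and interface names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route entry is (prefix, exit interface). The tables further down are
# constructed to resemble typical full-tunnel and split-tunnel VPN client setups.
Route = Tuple[ipaddress.IPv4Network, str]

def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the same rule the kernel applies per packet."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

def classify_resolvers(routes: List[Route], resolvers: Dict[str, str],
                       tunnel_iface: str) -> Dict[str, str]:
    """Map each resolver to 'tunnel', 'leak' (exits outside the VPN) or 'unreachable'."""
    result = {}
    for name, ip in resolvers.items():
        route = select_route(routes, ip)
        if route is None:
            result[name] = "unreachable"
        elif route[1] == tunnel_iface:
            result[name] = "tunnel"
        else:
            result[name] = "leak"
    return result

def net(cidr: str, iface: str) -> Route:
    return (ipaddress.ip_network(cidr), iface)

# Full tunnel: two /1 routes via tun0 beat the physical default route; a LAN
# route and a host route to the VPN gateway (203.0.113.10, constructed) stay on eth0.
FULL_TUNNEL = [net("0.0.0.0/0", "eth0"), net("0.0.0.0/1", "tun0"),
               net("128.0.0.0/1", "tun0"), net("192.168.1.0/24", "eth0"),
               net("203.0.113.10/32", "eth0")]
# Split tunnel: only the VPN's internal range goes through tun0.
SPLIT_TUNNEL = [net("0.0.0.0/0", "eth0"), net("10.8.0.0/24", "tun0"),
                net("192.168.1.0/24", "eth0")]

RESOLVERS = {
    "vpn_pushed": "10.8.0.1",       # resolver pushed by the VPN (constructed)
    "lan_router": "192.168.1.1",    # OS resolver still pointing at the home router
    "browser_doh": "198.51.100.53", # hypothetical DoH endpoint configured in the browser
}

if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(label, classify_resolvers(table, RESOLVERS, "tun0"))
```

In the full-tunnel table the browser's DoH traffic rides the tunnel, so the ISP sees nothing, but the VPN's own resolver is still bypassed; in the split-tunnel table the DoH endpoint exits eth0, which is the leak section 3 warns about, and the LAN-router resolver leaks in both cases because its /24 route is more specific than the tunnel routes.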
4. Limits of DoH: what it cannot hide
Even when DoH encrypts DNS, it does not hide a user’s IP address or the fact that they are connecting to a given IP, nor does it fully prevent traffic analysis or SNI exposure unless additional measures (like ECH or a VPN) are used; attackers and observers can still infer destinations from IPs and other metadata [2] [5]. Additionally, DoH configured only in the browser leaves OS-level name resolution unprotected, which creates a gap that testing may reveal [9].
5. Practical advice based on the reporting
For maximum protection against DNS leaks, use a VPN that explicitly routes DNS through its tunnel and offers DNS‑leak protection and test with leak sites to confirm [5] [7]; use DoH as a fallback or complement — for example, when off VPN or on untrusted networks — but ensure DoH’s configuration does not bypass the VPN [3] [8]. Where privacy beyond DNS is required (IP hiding, all-traffic encryption), rely on the VPN; where only DNS confidentiality from the immediate network is needed, DoH is a lighter-weight option [1] [4]. Reporting does not settle proprietary trust questions about specific providers; users should verify behavior with tests and consult vendor documentation for interactions between DoH and VPN features [3] [4].