Alright, we have a deep one today. Daniel sent us a message getting into the weeds of network privacy. He wrote: In the context of our discussions about privacy, we have talked about how metadata is often more useful to those monitoring traffic than the contents of packets themselves. We have also talked about how metadata is often a blind spot for those who use VPNs, assuming that it means their traffic is indecipherable. Let's talk about the role of encrypted DNS or DNS over HTTPS. To what extent does that mitigate these concerns? And if one encrypts DNS and traffic, what is left to be found?
Herman Poppleberry here, and I have to say, Daniel is hitting on the frontier of consumer privacy right now. Most people think a VPN is a magic invisibility cloak, but the reality of modern networking is that there are still these massive neon signs pointing to where you are going, even if no one can see what you are doing once you get there.
It is the classic envelope versus the letter inside problem. You can seal the letter in lead, but the post office still needs to know the address on the outside to deliver it. By the way, before we dive into the technicalities of those envelopes, I should mention that today’s episode is powered by Google Gemini three Flash. It is the brain behind the script today.
And it has a lot to work with here. To answer Daniel’s question, we have to look at the two biggest leaks that happen before you even establish a secure connection: DNS and the Server Name Indication, or SNI.
Right, because when I type a website into my browser, my computer does not actually know where that is. It has to ask a phone book, essentially. And traditionally, that phone book request is just shouted across the room in plaintext for everyone to hear.
Well, not exactly... I mean, it is a broadcast that your Internet Service Provider, the guy sitting next to you at Starbucks, and potentially state actors can see. Even if you use a VPN, if your system is not configured correctly, you might be suffering from what we call a DNS leak, where your computer bypasses the VPN tunnel just to ask for that address.
But wait, how does a leak like that even happen if the VPN is supposed to be a tunnel? If the tunnel is active, shouldn't everything be forced through it?
You’d think so, but networking stacks can be lazy. Sometimes your Operating System has a hard-coded preference for the DNS server provided by your local router because it’s faster. So, while your web traffic waits for the VPN to spin up, the OS just blabs the DNS request out over the standard Wi-Fi connection. It’s like putting on a disguise but calling out your real name to the doorman before you put the mask on.
How common is that, really? I mean, if I buy a top-tier VPN, am I still at risk of this "lazy" OS behavior?
More common than you'd think, especially on mobile devices or Windows machines with "Smart Multi-Homed Named Resolution" enabled. That feature actually sends DNS requests to all available network interfaces simultaneously to see which one answers first. If your local ISP’s server is five milliseconds faster than your VPN’s server, your ISP gets the query in plaintext, and the VPN "win" is irrelevant because the secret is already out.
So that is where DNS over HTTPS, or DoH, comes in. It wraps that phone book request in the same encryption we use for credit card transactions. But here is the catch I keep seeing: does not the very next step in the process just give the game away anyway?
You are thinking of the TLS handshake. This is the part that really frustrates privacy advocates. Even if you hide your DNS query using DoH or DNS over TLS, your browser still has to tell the server which specific website it wants to talk to. This happens because one IP address—one physical server—might be hosting a thousand different websites.
Like a giant apartment complex with one street address. You can get to the front gate, but you still have to tell the guard which apartment number you are visiting.
And historically, that apartment number—the Server Name Indication—was sent in plaintext. So, your ISP might not see you ask the phone book for the address, but a millisecond later, they see your computer tell the server, "hey, I am here to see specific-site-dot-com." It completely invalidates the privacy gains of encrypted DNS.
It feels a bit like wearing a mask to a party but wearing a giant name tag on your chest. So, how are we fixing that? I know there has been a move toward something called Encrypted Client Hello, or ECH. Is that the silver bullet?
It is the closest thing we have, but it is technically very difficult to pull off. ECH evolved from an earlier attempt called Encrypted SNI. The way ECH works is by splitting the connection message into two parts: an Outer Client Hello and an Inner Client Hello. The Outer one is generic. It just says, "hello, I would like to talk to a server at Cloudflare or Akamai." It contains no sensitive info.
And the Inner one is the secret sauce?
Right. The Inner Client Hello contains the actual website you want to visit, and it is encrypted. But here is the technical hurdle: how does your browser know the encryption key to hide that inner message before it has even talked to the server?
That sounds like a circular logic problem. I need to talk to you privately, but to set up the private channel, I have to tell you I want to talk to you. How do you exchange a key with a stranger without anyone seeing the exchange?
This is why DoH is a prerequisite for ECH. The website actually publishes its public encryption key in its DNS records. So, when your browser asks the encrypted DNS server for the IP address, it also grabs this special key. Because the DNS query was encrypted, nobody saw you get the key. Then you use that key to encrypt the SNI inside the ECH handshake.
I see. So the two technologies are a tag team. Without encrypted DNS, you cannot securely get the key for ECH. Without ECH, the encrypted DNS is just protecting a request that you are about to repeat in public anyway.
It is an elegant solution, but it creates what I call the Front Door Problem. ECH really only provides meaningful privacy if the website is sitting behind a massive service provider like a Content Delivery Network. If you are visiting a small, self-hosted site with its own dedicated IP address, ECH is almost useless.
Because the IP address itself is the tell. If only one person lives in that house, knowing the house address is the same as knowing who you are visiting.
Precisely. If I see you connecting to an IP address that only hosts one specific political forum or a niche medical site, I do not need to see the SNI or the DNS query. The destination IP is a one-to-one map to the content. This is why we are seeing this massive centralization of the web behind companies like Cloudflare. Privacy, ironically, is pushing us toward a more centralized internet.
Does that mean if I host my own blog on a private virtual server, I'm basically impossible to hide? Even with all these protocols?
Pretty much. If your VPS has a static IP and that IP is only associated with "Herman's-Secret-Blog.com," then anyone watching the wire knows exactly where you went. To get privacy, you have to hide in the noise. You need to be one of ten million people all going to the same Cloudflare IP. It’s the digital equivalent of disappearing into a crowded subway station rather than walking into a lone cabin in the woods.
That is a fascinating trade-off. To stay hidden from my ISP, I have to hide in a crowd of millions of other people all knocking on Cloudflare’s front door. But then, does not that just mean Cloudflare becomes the ultimate observer?
That is the Centralization Paradox. We are trading local surveillance—the ISP who knows your name and home address—for global surveillance by a few tech giants. From a conservative or decentralization perspective, this is a double-edged sword. You are gaining privacy against the most immediate actors, but you are feeding a data monopoly.
Let's play devil's advocate for a second. If I’m a network admin for a school or a bank, don't I need to see that metadata to stop malware or data exfiltration? If my employees' computers are using ECH to talk to a command-and-control server, I’m blind.
You’ve hit the nail on the head. This is exactly why there is so much pushback. In a corporate environment, administrators often use "TLS Inspection" or "SSL Decryption" where they install a custom certificate on every laptop. This allows the firewall to sit in the middle and read the traffic. But ECH is designed to make that much harder, if not impossible, without breaking the connection entirely. It turns the network into a "black box" for the people who are technically responsible for its security.
And what about the network operators who actually want to see that traffic? I am thinking about corporate firewalls or parents who use filtering. If ECH becomes the standard, does not that break their ability to block certain sites?
It does, and this is leading to what researchers call Network Ossification. Some ISPs or corporate networks are actually looking at blocking ECH traffic entirely. If they cannot see where you are going, they might just refuse to let the connection happen, forcing your browser to fall back to the old, insecure, plaintext method. It is a cat-and-mouse game.
Wait, can a network actually "force" a fallback? That sounds like a downgrade attack.
It is exactly a downgrade attack, but one sanctioned by the network owner. If the ECH handshake fails—which the firewall can trigger by dropping those specific packets—the browser might assume there's a compatibility issue and try the older, non-encrypted SNI method just to make sure the user can actually see the website. It puts the user in a position where they have to choose between privacy and connectivity.
Is there a way for the browser to know it's being tampered with? Like, a "strict mode" that says "if I can't do ECH, I won't connect at all"?
Some browsers are experimenting with that, but it's a terrible user experience. Imagine your favorite news site just stops working because your local coffee shop’s router doesn't like the ECH packets. Most users will just blame the browser or the website, not the middleman. So, until ECH is ubiquitous, the fallback is a necessary evil for usability, even if it’s a privacy nightmare.
So, let's look at Daniel’s second question. If I have a VPN, I am using encrypted DNS, and the sites I visit support ECH... what is left? Am I finally a ghost on the wire?
Not quite. This is where we get into the really spooky stuff: Traffic Pattern Analysis and Fingerprinting. Even if every bit of metadata is encrypted, the physical characteristics of the traffic still tell a story.
You mean like the size of the packets?
Yes. Think about it this way. If you are reading a Wikipedia article, your computer sends a small request, and the server sends back a burst of text and a few images. The traffic is bursty, then silent while you read. If you are watching a movie on a streaming service, there is a constant, high-bandwidth stream of large packets.
So a monitor can look at the "shape" of the data and guess what I am doing?
Even more specific than that. There is research into Website Fingerprinting where algorithms can identify a specific page on a specific site just by the sequence of packet sizes and timings. Because every webpage has a unique combination of images, scripts, and third-party ads, the way those files load creates a unique "heartbeat" on the network. A sophisticated observer can match that heartbeat against a database and say, with eighty percent certainty, "this user is looking at this specific article."
That is terrifying. So even if the "what" is encrypted, the "how much" and "how fast" gives it away. It’s like watching someone through a frosted glass window. You can’t see their face, but you can tell if they’re eating, dancing, or sleeping based on their silhouette and movement.
And think about the "MTU" or Maximum Transmission Unit. Different networks and VPNs have different packet size limits. Sometimes the very way your packets are fragmented can reveal that you're using a specific version of a specific VPN client on a specific operating system. It’s all metadata, just at a deeper physical layer.
It feels almost impossible to defend against unless you just send a constant stream of junk data all the time to mask the real spikes.
And some high-security tools like Tor do exactly that—they use padding and fixed-size cells to try to normalize the traffic. But for the average user using a VPN and ECH, that metadata—the timing, the volume, and the frequency—is still a leak. There was actually a famous study where researchers could identify which YouTube video someone was watching just by looking at the encrypted traffic bursts, because each video has a unique bitrate profile based on its visual complexity.
That’s a wild thought. The actual pixels on the screen are changing the rhythm of the electrons on the wire in a way that can be reverse-engineered.
It’s the ultimate form of metadata. It’s not about the "header" anymore; it’s about the "behavior."
It also makes me think about the VPN provider itself. Daniel mentioned that people assume a VPN makes traffic indecipherable. But the VPN provider is just your new ISP. They see the destination IP, they see the connection duration, and if you are not using DoH and ECH inside the tunnel, they see everything the ISP would have seen.
This is why the "Zero Trust" model is so important. You should assume your VPN provider could be compromised or could be logging, even if they say they are not. By using DoH and ECH inside the VPN, you are adding a layer of encryption that even the VPN provider cannot peel back. You are essentially saying, "I trust you to hide my IP address from the destination, but I do not trust you to know exactly which page I am visiting on that destination."
It is like a nested set of Russian dolls. Each layer hides a different piece of the puzzle. I think the average person thinks privacy is a binary—you either have it or you do not. But the way you are describing it, it is more like a game of decreasing probabilities.
That is a great way to put it. You are never one hundred percent anonymous. You are just making it more and more expensive for someone to figure out what you are doing. For the average ISP, DoH is enough to stop them from easily selling your browsing habits. For a state actor, you need the whole stack, and even then, they might get you with traffic analysis.
Let's talk about the latency for a second. If I’m doing all these extra handshakes—encrypting the DNS, fetching keys for ECH, wrapping it in a VPN—am I going to feel that in my browsing speed?
There is a "privacy tax," certainly. Each of those steps adds round-trip times. For DoH, your browser has to perform an HTTPS request just to get an address, which is slower than a traditional UDP DNS request. However, modern protocols like QUIC and HTTP/3 are trying to mitigate this by combining steps. We're getting to a point where the hardware is so fast that the human brain doesn't notice the extra 50 milliseconds, but the network definitely "feels" it.
Is there any scenario where these privacy tools actually make things faster? Like, maybe by bypassing an ISP's slow DNS server?
Actually, yes! Many ISP DNS servers are notoriously overloaded or poorly maintained. Switching to a fast DoH provider like Cloudflare (1.1.1.1) or Google (8.8.8.8) can often make the initial page load feel snappier, even with the encryption overhead. You're trading a slow, local, unencrypted phone book for a high-speed, global, encrypted one.
What are the practical takeaways for someone listening who wants to close these blind spots? Obviously, turning on DoH in your browser is a two-click process now.
That is step one. Most modern browsers—Chrome, Firefox, Edge—have a "Secure DNS" setting. I recommend pointing it to a provider like Quad nine or Cloudflare, or even better, a self-hosted instance if you are feeling nerdy. Step two is checking if ECH is enabled. Firefox is currently the leader in implementing this, though Chrome is catching up. You often have to go into the "about:config" or "flags" menu to ensure it's truly active.
And what about the VPN side?
Make sure your VPN is not leaking. There are plenty of test sites where you can check if your real ISP’s DNS servers are showing up while the VPN is active. If they are, your "encrypted" tunnel has a massive hole in the side of it. And finally, just be aware that your behavior—the time of day you connect, the amount of data you move—is itself a form of metadata.
It is the "metadata is the message" idea. Even if I do not know what you said, if I know you called a divorce lawyer at three in the morning and talked for two hours, I know exactly what is going on in your life.
Well, I mean, that is the perfect example. The content of the call is almost secondary to the fact that the call happened. If you connect to a medical server and download 50 megabytes of data, I don't need to read the file to guess you're looking at high-res X-rays or medical imaging.
You almost said the forbidden word there, Herman. I saw you catch yourself.
I would never. My donkey pride is on the line. But seriously, Daniel’s point about the VPN blind spot is the most critical takeaway. People buy a subscription and think they are done. But privacy is a process, not a product. You have to look at the whole handshake, from the first DNS query to the final packet of the session.
Does this change the way we should look at mobile apps? I feel like we talk a lot about browsers, but my phone is basically a collection of a hundred different apps making their own connections.
Mobile is the Wild West. While browsers are adopting DoH and ECH, many individual apps use their own hard-coded networking libraries. An app might completely ignore your system’s DNS settings and talk directly to a tracking server in plaintext. This is why "system-wide" encrypted DNS, like using a profile on iOS or an app like NextDNS on Android, is so much more effective than just fixing your browser. You have to force the whole device to use the secure path.
That sounds like a lot of work for the average user. Is there a "set it and forget it" solution for mobile?
On iOS, you can actually download a configuration profile from a provider like NextDNS or AdGuard. Once installed, it acts as a system-level instruction that says "all DNS traffic must go through this encrypted tunnel." It works across apps, games, and browsers. On Android, there's a "Private DNS" setting in the network menu that does something similar using DNS-over-TLS. It’s not perfect, but it closes about 90% of the holes that individual apps try to sneak through.
I think it is also worth noting the political dimension here. As we see more movement toward government oversight of the internet, these technologies—DoH and ECH—are going to become flashpoints. They represent a shift in power from the network providers to the individual and the big tech platforms.
It is a weird alliance. You have privacy advocates and massive tech corporations on one side, and ISPs and government regulators on the other. It is not the usual battle lines. Governments argue that ECH makes it impossible to block child abuse material or stop malware, while advocates argue that without it, every citizen is subject to permanent, dragnet surveillance.
It's almost like the crypto wars of the 90s all over again, but instead of the encryption itself, we're fighting over the labels on the boxes.
It's the "metadata wars." If the government can't stop you from talking, they want to at least know who you're talking to and for how long. ECH is the first real technical threat to that ability in the history of the modern web.
Well, I think we have thoroughly unpacked Daniel’s prompt. It is a reminder that the "envelope" is just as important as the "letter."
And sometimes the envelope is a lot harder to hide. If you're not careful, you're just handing the postman a transparent bag and hoping he doesn't look too closely.
Thanks for the deep dive, Herman. This has been a great exploration of the stuff that most people just click past in their settings menu. It's easy to ignore these things until you realize how much they're actually saying about you.
My pleasure. It is a fascinating time to be looking at how the plumbing of the internet is being rebuilt for privacy. We're essentially rewriting the rules of the road while we're still driving on it.
We should probably wrap it up there. Thanks to our producer Hilbert Flumingtop for keeping the gears turning behind the scenes.
And a big thank you to Modal for providing the GPU credits that keep our AI-powered discussions running smoothly.
This has been My Weird Prompts. If you enjoyed this dive into the world of encrypted handshakes and metadata, we would love it if you left a review on your favorite podcast app. It really helps us find more people who care about this kind of nerdery.
You can also find all our episodes and the RSS feed at myweirdprompts dot com. We keep a list of resources there if you want to test your own DNS for leaks.
Until next time, keep your DNS encrypted and your handshakes secret.
Goodbye.
See ya.