WHEN YOU CONNECT to a VPN, as well as proxying your traffic and setting the corresponding updates to your routing table, it may also provide you with different DNS settings. On paper, this was a reasonable idea. Traditional DNS requests (for example, where a website is resolved to 172.31.5.172) are transmitted in the clear, so even if the operator of a DNS server (typically one's ISP) doesn't know the web page a client is looking at, they at least are aware of the server it's on. This is known as DNS leakage. You may use another DNS server (such as Cloudflare's easy-to-remember 1.1.1.1 public offering), but again this is only viable if you trust that operator more than your ISP.

ISPs may also block certain domains at the DNS level, so for a time using someone else's DNS server was seen as a free and easy way around this by nefarious pirates, whose activities we do not condone. Many ISPs are aware of this, and many have taken the rather heavy-handed measure of performing DNS interception. Remember, we said DNS went over in the clear? Well, that makes it woefully easy for your ISP to just reroute those port 53 requests back to their DNS.

So VPNs now market themselves as providing DNS-leak resistant technology. Indeed, some offer an even more budget-friendly “DNS-only" option. The mechanics of this are straightforward: just tunnel DNS requests as well as (or instead of) other traffic. Again, this is just moving the problem of trusting the ISP upstream, to trusting the VPN operator.

While we may have no real problem with our government blocking torrent and streaming sites, or with ISPs voluntarily blocking child pornography sites, the same techniques are used by the brutal and antidemocratic regimes of the world to repress dissidents, activists and journalists. And that we cannot condone. One technical approach is to switch from classical DNS to DNS-over-HTTPS (DOH).