Your Internet Service Provider is not your friend. It is a pipe company that charges you monthly for access to a global network and then monetises everything it observes about how you use that access. This is not a conspiracy theory. In the United States it has been explicitly legal since 2017, when Congress voted to strip FCC privacy rules that would have prevented ISPs from selling customer browsing data without consent. In the UK, the Investigatory Powers Act compels ISPs to retain twelve months of connection records, accessible on demand by a list of government agencies long enough to be genuinely alarming. In Australia, mandatory data retention laws have been in force since 2015. The specifics vary by country. The principle does not: your ISP sees a great deal, and the incentive to profit from that visibility is structural.
Most people have a vague sense that this is true and an equally vague sense that HTTPS and a VPN probably fix it. The reality is more complicated, and the gap between what people believe their VPN does and what it actually does is where a lot of privacy goes to die. This article is about that gap.
What your ISP actually sees without a VPN
Before we talk about fixes, let's be precise about the problem. Your ISP sits between your device and the rest of the internet. Every packet you send travels through their infrastructure. What they can read from those packets depends on whether the traffic is encrypted, but encryption only covers content, not context. And context turns out to be extraordinarily revealing.
Without a VPN, here is what your ISP has access to in plain view: every DNS query you make, the IP addresses of every server you connect to, the timing and volume of your connections, and, for any unencrypted HTTP traffic (which is increasingly rare but not extinct), the full content of what you send and receive. The DNS queries alone are enough to build a detailed behavioural profile. Every time you type a domain name into a browser, your device asks a DNS resolver to translate that name into an IP address. Under default conditions, that resolver belongs to your ISP. They get a timestamped log of every domain you visit, regardless of whether the connection itself is encrypted.
Even for HTTPS traffic, where the content is encrypted, your ISP can see the destination IP address. Combined with DNS logs, this means they know not just which websites you visit but when you visit them, how often, and for how long. That is enough to infer your work schedule, your political interests, your medical concerns, your relationship status, and your daily routine. This is not speculation: it is the explicit commercial value of the data that ISPs sell to analytics companies and data brokers.
What a DNS leak is and why it matters
A DNS leak is what happens when your device sends DNS queries outside your VPN tunnel, directly to your ISP's resolver or another third-party resolver, despite your VPN being active. This is the single most common and most consequential privacy failure in everyday VPN use, and a significant number of people using VPNs right now are experiencing it without knowing.
The mechanism is straightforward. When you connect to a VPN, your traffic is supposed to be routed through an encrypted tunnel to the VPN provider's servers, including your DNS requests. A correctly configured VPN intercepts DNS queries and handles them internally, so your ISP only sees encrypted tunnel traffic going to a VPN server IP and nothing else. A DNS leak breaks this. Your DNS queries take a detour, travelling outside the tunnel to a resolver your ISP controls or can observe. Even with a functioning VPN encrypting your actual web traffic, the DNS queries announce exactly where you're going.
DNS leaks happen for several reasons. On Windows, a feature called Smart Multi-Homed Name Resolution can cause the OS to send DNS queries to multiple resolvers simultaneously, bypassing the VPN's resolver entirely. IPv6 is another common culprit: many VPNs tunnel only IPv4 traffic, leaving IPv6 DNS queries exposed. Teredo tunnelling, a Microsoft IPv6 transition technology, is a frequent offender. Misconfigured network settings after a VPN disconnect, particularly if the kill switch fails or isn't enabled, can briefly expose DNS queries during reconnection. The point is that a VPN being "on" is not the same as a VPN being leak-free.
Testing is straightforward. Visit ipleak.net or dnsleaktest.com with your VPN active. If the DNS servers listed belong to your ISP rather than your VPN provider, you have a leak. A lot of people who run this test for the first time are surprised by what they find.
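As an added example that is not part of the article, here is a local check that mirrors what the leak-test sites look for, without sending a single query: given the resolvers each interface is configured with and a snapshot of the routing table, it reports which resolvers would be reached through the tunnel and which would go out the physical interface (the IPv4-only tunnel case described above). The routing table, interface names and resolver addresses are all constructed.

```python
import ipaddress

# Constructed routing-table snapshot on a host with an active VPN: the client
# installed two /1 routes (the OpenVPN "def1" trick) so all IPv4 goes into
# tun0, plus a host route keeping the VPN server reachable via wlan0.
# Nothing in the IPv6 table points at the tunnel.
ROUTES = [
    ("0.0.0.0/0", "wlan0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.7/32", "wlan0"),  # VPN server, constructed address
    ("192.168.1.0/24", "wlan0"),
    ("::/0", "wlan0"),
    ("fe80::/64", "wlan0"),
]

# Constructed resolver configuration: the VPN pushed 10.8.0.1, but wlan0 still
# carries the ISP-assigned IPv4 and IPv6 resolvers from DHCP / router advertisements.
RESOLVERS = {
    "tun0": ["10.8.0.1"],
    "wlan0": ["192.168.1.1", "2001:db8::53"],
}


def egress_interface(ip_str, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would send this packet out of."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def find_leaking_resolvers(resolvers=RESOLVERS, tunnel="tun0", routes=ROUTES):
    """List (resolver, interface it is configured on, interface it would egress via)
    for every resolver whose queries would NOT travel through the tunnel."""
    leaks = []
    for iface, addrs in resolvers.items():
        for addr in addrs:
            via = egress_interface(addr, routes)
            if via != tunnel:
                leaks.append((addr, iface, via))
    return leaks


if __name__ == "__main__":
    for addr, on_iface, via in find_leaking_resolvers():
        print(f"LEAK: resolver {addr} (configured on {on_iface}) egresses via {via}")
```

On the constructed snapshot both wlan0 resolvers are flagged: the IPv4 one because the LAN route is more specific than the tunnel's /1 routes, the IPv6 one because the tunnel carries no IPv6 at all.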
What a VPN actually hides, and what it doesn't
A VPN, correctly configured and leak-free, does the following: it encrypts your traffic between your device and the VPN server, substitutes the VPN server's IP address for your real IP address as far as destination websites are concerned, and handles DNS resolution internally so your ISP cannot read your DNS queries. That is genuinely useful. It means your ISP sees encrypted tunnel traffic going to a VPN server IP and nothing else. They cannot read the content of your traffic or determine which sites you visit.
What a VPN does not do is make you anonymous. The destination websites you visit can still see the VPN server's IP address and, if you're logged in, your account. Your VPN provider can see everything your ISP previously could; you have shifted trust, not eliminated it. If your VPN provider logs activity and is subject to legal process, that data can be compelled. "No logs" policies vary considerably in what they actually mean and how they are audited; some are more credible than others. A VPN also does nothing about browser fingerprinting, tracking cookies, login-based tracking, or the extensive client-side data collection baked into most websites and apps.
Critically, your ISP can still see that you are using a VPN. The IP addresses of commercial VPN servers are widely known, and ISPs can identify VPN traffic by its characteristics even when they cannot read its contents. In some jurisdictions, VPN use itself is logged. This matters less in most Western countries and matters enormously in others.
Metadata: the thing encryption doesn't fix
There is a concept in intelligence circles that has leaked into mainstream privacy discourse over the past decade: metadata is often more valuable than content. Former NSA director Michael Hayden put it directly in 2014: "We kill people based on metadata." That is an extreme example, but the underlying principle applies to the commercial context too.
Metadata is everything except the content of your communications: who you contacted, when, from where, for how long, and how frequently. For web traffic, this means connection timing, data volumes, destination IPs, and DNS records. A VPN encrypts content and obscures DNS queries, but it does not eliminate metadata. Your ISP still sees that you connected to a VPN server at 11pm on a Tuesday and maintained a 4GB session for three hours. Traffic analysis can infer a great deal from that pattern even without reading a single byte of the actual content.
More sophisticated metadata analysis, the kind that intelligence agencies use and that commercial data brokers are increasingly approximating, can correlate connection patterns, timing, and volume to identify behaviour with high confidence even through encrypted tunnels. This is not a reason to abandon encryption or VPNs. It is a reason to be clear-eyed about what they protect and what they don't.
DNS-over-HTTPS: a genuine improvement with a catch
DNS-over-HTTPS, or DoH, encrypts DNS queries between your device and the DNS resolver. Firefox and Chrome both enable it by default now. It is a genuine improvement over traditional plaintext DNS: it means your ISP cannot read your DNS queries in transit by passively observing your traffic. If you are not using a VPN, DoH meaningfully reduces your ISP's visibility into your browsing.
The catch is centralisation. DoH routes your encrypted DNS queries to a resolver, and the default resolvers are Cloudflare (1.1.1.1) and Google (8.8.8.8). You have encrypted your DNS queries from your ISP and handed them to two of the largest data companies on earth instead. Cloudflare claims to delete query logs within 24 hours and not to sell data. Google's privacy model is, charitably, more complex. Whether this trade-off suits you depends on your threat model, but it is a trade-off rather than a clean win. Running your own recursive resolver, or using a VPN with internal DNS handling, avoids the centralisation problem at the cost of more setup.
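As an added example (not from the article), this is the DNS message a DoH client sends, built and parsed offline with no network calls: the HTTPS layer hides it from your ISP, but the resolver operator at whatever URL you configure receives exactly this, which is the centralisation point made above. The resolver URL and the response bytes are constructed for the example.

```python
import base64
import struct

def build_dns_query(name, qtype=1, txid=0):
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_url, name):
    """RFC 8484 GET form: the message goes in ?dns= as unpadded base64url.
    txid 0 keeps the URL identical across clients so HTTP caches can serve it."""
    msg = build_dns_query(name)
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"

def _skip_name(msg, pos):
    """Advance past a (possibly compressed) name in a DNS message."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE/QCLASS
    answers = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return answers

# Constructed response a resolver might return for example.com (A 192.0.2.1, TTL 300),
# using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = bytes.fromhex(
    "000081800001000100000000076578616d706c6503636f6d0000010001"
    "c00c000100010000012c0004c0000201"
)
```

Which URL you pass to doh_get_url is the whole privacy decision: the query bytes are identical whether the operator is Cloudflare, Google, or a resolver you run yourself.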
What actually works
A VPN from a provider with a credibly audited no-logs policy, with DNS leak protection enabled and a kill switch active, meaningfully reduces your ISP's visibility into your browsing. It is not perfect and it is not anonymous, but it substantially narrows the data your ISP can collect and sell. ProtonVPN and Mullvad are the most credible options for privacy-focused users β both have published independent audits, both have straightforward business models that do not depend on selling user data, and both have track records of resisting legal requests. The free VPN market is almost uniformly terrible for privacy; many free providers log extensively and sell the data, which is precisely the problem you were trying to avoid.
Beyond a VPN: use a browser with sensible defaults (Firefox with uBlock Origin covers most attack surface), enable DNS-over-HTTPS with a resolver you've made a conscious choice about, disable WebRTC in your browser (it can leak your real IP even with a VPN active), and understand that your biggest privacy exposures in 2026 are probably not your ISP but the first-party tracking built into the apps and services you're logged into. Your ISP is a problem. It is not the only problem. Treating it as the only problem, and a VPN as a complete solution, is a comfortable fiction that the VPN marketing industry has done well out of.
The honest summary: your ISP sees more than most people realise, sells more than most people are comfortable with, and the mitigations that exist are real but partial. A VPN with good DNS handling and no-logs policy is worth running. It is also not a magic solution, and understanding its limits is more useful than pretending they don't exist.