The Domain Name System (DNS) acts as the phone directory of the Internet. Instead of phone numbers, computers communicate using numeric addresses called IP addresses that look like 192.168.1.1.
Numbers are fine for computers, but humans are terrible at remembering them. Imagine having to know that to reach Google, you’d have to type in 188.8.131.52. And that’s just one site—there are millions more on the internet! You’d need a great memory or a massive notebook and an awful lot of patience to remember them all. Do you remember all of your friends’ phone numbers?
DNS solves the memory issue as it provides a way for a computer to accept a human-readable name (such as www.expressvpn.com) and convert it into an IP address.
So far so good, but here’s the catch: To find out what IP address goes with which name, you must ask a DNS server. By default, you’re most likely using your Internet Service Provider’s (ISP) DNS servers, and therefore you’ll be asking their DNS server to find the IP address for you.
The problem is that to locate the IP address you want, you must tell your ISP who you want to talk to. So even though they might not see what you’re sending to and from that site, they know which sites you tried or wanted to visit, because you looked up that site’s IP address.
What does DNS allow ISPs to see when you visit a website?
Think of DNS like calling directory inquiries (we assume that’s still a thing!?). The operator will ask you who you are looking for and they will then give you that person’s phone number. If you don’t provide them with the name, they obviously can’t look up that phone number.
But that’s not all; the phone company will also know the following metadata:
- Who you want to call (because you told them)
- What time you made the request
- Likely your phone number and where you called from
Altogether, they can say: “A person with phone number xxx called at 7:05 pm on September 18, 2017, and asked for John Smith’s phone number”. That’s quite a lot of information about you.
What’s worse is that a third-party can assume that if you make a call to directory inquiries for a John Smith’s number, you also want to speak to said John Smith—and it’s entirely possible that he might be a person of interest to someone who is spying on you.
But how does directory inquiries relate to an internet-based scenario? If you want to visit www.expressvpn.com, then the following will occur:
- Type the URL into your browser
- Your computer will send a request to your DNS server to ask for the IP address
- The DNS server will find the IP address and return it to your computer
The DNS server can see that a computer at IP address 192.168.1.1 looked up the IP address for www.expressvpn.com at 7:06 pm on September 18, 2017.
The only reason your computer would attempt to look up that name would be if you were trying to connect to it. So, much like the phone number analogy, it can be assumed that it’s a website you want to visit.
Protect your DNS traffic with ExpressVPN
The good news is that when you connect with ExpressVPN, our servers handle all of your DNS requests—not your ISP.
In fact, because ExpressVPN secures your traffic, your ISP can’t even tell if you make a DNS request. We never log DNS requests, and when we look up a name on your behalf, all any other DNS server can see is our server address—they can never see you.
As everyone on the same server shares the same DNS server as you, all the requests come from a single source, mingling your requests in with everyone else’s. Even if someone were to be interested in DNS traffic, they wouldn’t be able to isolate any particular user.
Let’s run through the directory enquire scenario again, but this time for a user secured with ExpressVPN:
- Type www.expressvpn.com into your browser
- The DNS lookup goes to an ExpressVPN DNS server
- Your ISP cannot see it or even identify it as DNS traffic
- Our DNS server makes the request on your behalf
What this then looks like to another DNS server is: An ExpressVPN server requested the address for www.expressvpn.com at 7:09 pm September 18, 2017. In short, it tells them nothing about who actually made the request, and thus your privacy is secured.