In this article, we discuss DNS — what it is, how it works, and how it impacts online privacy and censorship.

All devices that connect directly to the internet are identified by a numerical label known as an IP address. To help make things easier for us humans, this address can also be identified using more readable and memorable domain names. The Domain Name System (DNS) maps these domain names to their corresponding IP addresses.  

Learn more about IP addresses

For example, the Proton VPN website uses the domain name, which corresponds to the IP address When you type into your browser’s URL bar, the domain name must be converted into its corresponding IP address for computers to understand it. 

This conversion is performed using DNS. So when you type in, DNS converts the domain name into the IP address: This allows your browser to locate and connect to the correct website. 

Domain names exist solely for human convenience and aren’t required for the internet to function. If you could remember IP addresses, you could type those in directly. To see this in action, simply enter into your browser’s URL bar, and it will take you to the Proton VPN website.

How DNS works

DNS is often compared to a telephone directory that cross-references domain names and their corresponding IP addresses. This is a useful analogy for understanding what DNS does, but the reality of how it works is more complex. 

DNS resolver

When you enter a domain name into your browser’s URL bar, a DNS query is sent to a special server called a DNS resolver (also DNS recursor or just DNS server). 

As its name suggests, the DNS resolver “resolves” the DNS query by retrieving the domain’s corresponding IP address and sending it back to your browser. Now that it knows the IP address of the website you want to visit, your browser can connect to it.

So far, so simple. But how does the DNS resolver retrieve the correct DNS address for a domain (a process complicated by the fact that new domains are created all the time, and IP addresses are often dynamically allocated to domains and therefore routinely change)? 

How a domain is resolved using DNS

A DNS lookup for a top-level domain(new window) (TLD) typically involves the following steps: 

1. You type into your browser’s URL bar. Your browser sends this query over the internet to a DNS resolver

2. The DNS resolver sends a query to a DNS root name server. This is a server that stores information on TLDs (such as .com or .net, or country code TLDs such as .ch or .uk). For our query was (, the DNS root name server would point to the DNS resolver for “.com” TLDs.

3. Armed with this information, the DNS resolver will now query the .com TLD name server, which maintains a list of all .com domains. The TLD name server responds with the IP address of the domain’s authoritative name server

4. The DNS resolver can now query the domain’s authoritative nameserver. This is typically run by a domain name registrar(new window) — a business that leases and manages domain names (such as GoDaddy or Namecheap). The authoritative nameserver is the final source of truth about the domain and can return its IP address to the DNS resolver (in our case, this will be 

5. The DNS resolver sends the correct IP address to your browser, which can now connect to

How DNS works

In reality, the situation is a bit more complicated. For example, many domains are associated with multiple IP addresses (including both IPv4 and IPv6 addresses), and there will be additional steps if you visit a subdomain (such as

Information is also routinely cached (stored locally) at all stages of the process — by your browser, by the DNS resolver, and by the various name servers. If the required information is found in a cache, then a request is not sent, which results in some steps being missed. 

However, in essence, this is how DNS works for a fairly standard visit to a website.

DNS, censorship, and government surveillance

By default, your browser sends your DNS queries to a DNS resolver run by your internet service provider (ISP). Your ISP can use various methods to see what you do on the internet, but by far the easiest (and cheapest) way is to simply monitor your DNS queries.

Most government mass spying programs rely on requiring ISPs to keep logs of their customers’ browsing histories. And, because it is easy and cheap, most ISPs meet these legal obligations by only keeping DNS logs. 

Similarly, when governments wish to censor internet content on social, religious, political, or “moral” grounds, they ask domestic ISPs to enforce these blocks. And the easiest way to do this is to block DNS queries to specified websites and apps. 

Third-party DNS services

One way to avoid at least some of this censorship and surveillance is to use a third-party DNS resolver, such as Cloudflare or OpenNIC. 

Some of these services may have good privacy policies, but unless connections to the DNS resolver servers are encrypted using DNS over TLS (DoT) or DNS over HTTPS (DoH)(new window), your ISP can see the requests in plaintext should it choose to look.

Encrypting DNS queries makes it harder (and therefore more expensive) for an ISP to monitor your browsing history, but it can still fairly easily trace which websites and apps you connect to if it wishes to.

Get Proton VPN!

DNS and VPNs

When using a VPN (such as Proton VPN), your connection to the VPN server is encrypted. With some effort, your ISP can see that you’ve connected to an IP address belonging to the VPN server, but that’s it.

DNS queries are sent through the VPN tunnel and resolved by the VPN provider, which may run its own DNS resolver or use a third-party VPN resolver. This has no privacy implications since the DNS queries appear to come from the VPN server, not the VPN user. 

Learn how a VPN works

It’s worth noting that there’s no need for encrypted DNS when using a VPN, as all DNS queries are sent through the encrypted VPN tunnel anyway. 

It’s also not recommended to use a third-party DNS resolver together with a VPN. Configuring your system in this way may cause your DNS queries to be sent outside the VPN tunnel to the third-party DNS resolver. 

Learn more about DNS leaks

NetShield Ad-blocker

Proton VPN offers NetShield Ad-blocker in all our apps. This is a DNS filtering feature that blocks DNS queries to domains known to belong to advertising companies, online trackers, and malware. It (and other similar DNS filtering services) works at the DNS resolver level by simply failing to resolve DNS queries to blocklisted domains. 

Learn more about NetShield Ad-blocker

Technically, this constitutes a DNS leak (see below). This may not be a huge issue if the DNS query is encrypted and you trust the DNS resolver, but it introduces an unnecessary third party (and therefore potential point of weakness) into the equation.

DNS leaks

When using a VPN, all DNS queries should get sent through the VPN tunnel to be resolved by the VPN provider. If, for any reason, the DNS query is sent outside the VPN tunnel to a third-party DNS resolver, a DNS leak has occurred. Failure to properly route IPv6 DNS requests through the VPN tunnel is a common cause of DNS leaks.

Since this third party would likely be your ISP, DNS leaks are a serious privacy concern. Needless to say, all Proton VPN apps have strong built-in DNS leak protection. 

Final thoughts

At heart, DNS is just a complicated, automated phone book. It makes the internet usable for humans, but it can be (and is) abused by governments to spy on their citizens and censor what they see. The best way to bypass these abuses of DNS is to use a VPN service such as Proton VPN. 

A VPN service securely resolves your DNS queries instead of your ISP, and most reputable VPN services make it their business to protect your privacy.

Of course, a VPN also offers many other benefits, such as hiding your real IP address from websites you visit, providing enhanced protection against IPS’s being able to monitor or censor your internet activity, being able to stream your favorite content when you’re traveling, and more. 

Learn more about the benefits of using a VPN

Protect your privacy and security online
Get Proton VPN free

Related articles

What is AirTag stalking?
In an era of “smart devices” that often double as spy devices, AirTags are tracking tools that are open about their function and can be vital in helping locate lost items (as anyone who has lost their car keys can attest to). However, as a recent cla
How to fix a "Your connection is not safe" error
As you surf the web using your browser, you’ll no doubt encounter websites that your browser will refuse to load, instead showing some variation of an error message, such as Your connection is not private or Warning: Potential Security Risk Ahead. 
Your search history is a window into your inner life. Anyone with access to it knows what your hobbies and interests are, your sexual orientation and preferences, the things that worry you (for example your medical concerns), your political affiliati
how to flush dns blog
  • Privacy deep dives
A DNS cache is a record of all the websites you’ve visited over a set amount of time. Simply put, your DNS cache is a list of websites you visited in the past that’s stored on your device. Your computer uses it to speed up visits to those same websit
Is Temu legit?
  • Privacy basics
Temu has become an unavoidable brand. Unknown to most up to a year ago, the online retailer exploded onto the digital scene in the United States with lavish ads and a riveting social media campaign, and has started its takeover in Europe now, too. As
We examIne whether the controversial Chinese video platform is safe to use
  • Privacy basics
In this article, we take an in-depth look at whether the wildly popular social media platform TikTok is safe to use. Several countries recently banned government officials from using TikTok, and now the US House of Representatives has passed the Pro