What Your ISP Can Actually See When You Browse
Most people assume HTTPS means their ISP is locked out. It's more complicated than that. This breaks down what your ISP can see, what they can't, and what changes when you use a VPN or encrypted DNS.
- Your ISP always sees which IP addresses you connect to.
- If you use their DNS, they see every domain you look up, even on HTTPS sites.
- HTTPS hides page content, URLs, passwords, and messages. The ISP only sees the hostname.
- A VPN shifts visibility from your ISP to the VPN provider.
- DNS-over-HTTPS (DoH) hides your lookups without routing all traffic through a VPN.
The Full Visibility Table
| What you do | ISP DNS | ISP network | With DoH | With VPN |
|---|---|---|---|---|
| Visit example.com (HTTPS) | sees domain | sees IP + hostname (SNI) | hidden | hidden |
| Visit example.com (HTTP) | sees domain | sees full URL + content | hidden | hidden |
| Pages you visit on HTTPS | | content encrypted | | |
| Passwords you type | | encrypted | | |
| Every domain you look up | full log | | encrypted | hidden |
| Volume of traffic | | always visible | | sees only VPN server |
| Time of activity | | always visible | | only VPN server |
| Your real IP address | | always visible | | hidden |
What ISPs Can Always See
1. Your IP address and who you connect to
Every packet you send has a destination IP address. Your ISP routes those packets, so they have to see the destination. There is no way to hide this without a VPN or Tor.
2. Hostnames via SNI
When you start a TLS connection to an HTTPS site, your browser announces the destination hostname in the TLS handshake. This is called Server Name Indication (SNI). It's sent in plaintext so the server can pick the right certificate. Your ISP sees this even though the rest of the connection is encrypted.
So when you visit https://reddit.com/r/privacy/something-private, your ISP sees reddit.com but not the path or content. Encrypted Client Hello (ECH) can hide SNI but isn't yet widely deployed.
3. DNS queries (if using their resolver)
DNS queries are sent in plaintext by default. If you use your ISP's DNS resolver (the default on most home routers), they have a complete log of every domain you looked up, with timestamps. This is separate from the SNI visibility: ISP DNS logs cover all domains, not just HTTPS sites.
Some ISPs sell this data or use it for ad targeting. It tends to be more sensitive than SNI because it captures background requests from apps, OS telemetry, and software updates, not just what you type in a browser.
4. Traffic volume and timing
Even with HTTPS, your ISP can see how much data you transfer and when. Traffic analysis can sometimes infer behaviour without seeing content. The volume pattern of a video stream, for instance, is distinct from browsing.
What ISPs Cannot See (With HTTPS)
- The specific pages, articles, or posts you view
- Search queries typed into HTTPS search engines
- Passwords, form submissions, login credentials
- Private messages sent over HTTPS apps
- Page content, images, or files transferred over HTTPS
The key caveat: "cannot see" assumes no TLS interception. A middlebox with a trusted certificate (common on corporate networks) can inspect all of the above.
How to Reduce What Your ISP Sees
DNS-over-HTTPS (DoH): Encrypts your DNS queries so your ISP cannot log the domains you look up. Does not hide which IPs you connect to. Enable in Firefox under Settings → Privacy & Security → Enable DNS over HTTPS, or use NextDNS / 1.1.1.1 system-wide.
VPN: Hides your IP, DNS queries, and which servers you connect to from your ISP. The VPN provider now has this visibility instead. Choose one with a verified no-logs policy (Mullvad, ProtonVPN). A VPN does not hide WebRTC IPs; disable WebRTC separately if needed.
Tor: Routes traffic through three encrypted hops. No single node knows both who you are and where you're going. Much slower than a VPN. Best for high-risk anonymity needs.
Encrypted Client Hello (ECH): Hides the SNI from your ISP. Firefox supports it. Not yet widely deployed by servers. Requires DNS-over-HTTPS to work, since the ISP could otherwise still see the domain from the DNS query.
Check Your Own Exposure
Our free test checks for active header injection, DNS privacy signals, TLS interception, and WebRTC leaks, giving you a concrete score for your current connection.