this post was submitted on 13 Mar 2026
57 points (98.3% liked)

Privacy

Noob here. This is probably the most repeated question, but I don't know the technical terms to do the appropriate digging online, and thought of asking humans before slopping my way around.

I don't trust my ISP or the government above it.

The ISP remotely manages the local network! So I installed a router of my own and my devices only to that one.

I would like to encrypt (?) anything that goes out of my own router, so my ISP doesn't eavesdrop on what I'm doing even if they want to (I know, I know... if they really wanted, they could just send friends to my house).

Using Linux, Android GOS, and Pihole. They live under a "picked-up-from-a-shelf" router; and that router under theirs.

(I cannot get a different ISP)

Thanks

all 37 comments
[–] Auli@lemmy.ca 3 points 19 hours ago (2 children)

I mean, all they can really see nowadays is the SNI. It's the only thing that isn't encrypted anymore. And yes, there is encrypted hello, but nobody seems to be using it.

Sites are HTTPS, so that is all encrypted. Set up DoH or DoT and your DNS is encrypted.

[–] entropiclyclaude@lemmy.wtf 3 points 16 hours ago (1 children)

DoH is not as private as you think; that's just how big tech positioned it.

DoH encrypts DNS queries between your browser and the DNS resolver; it does not hide your browsing activity from the DoH provider itself.

Google, Cloudflare or any other 3rd-party orgs still see your data.

I have an open source firewall on gitlab if you wanna take a look. Blocks some IPs - I know it’s not much but fuck Palantir - I made it so their site won’t load.

Blocks 50+ stalkerware apps as well as data broker trackers.

I want to go back to it so you can wire in through my VPS and build it as a mobile app to block Gemini and Apple Intelligence from scraping your photos and texts and everything to train their models.

[–] Ascendor@discuss.tchncs.de 2 points 15 hours ago* (last edited 15 hours ago)

Well, how could it? Of course the DNS provider needs to know the domain you want to look up; otherwise how would they be able to look it up?

Still, it would fulfill the OP's wish: he wants to hide traffic from his ISP, so if he chooses a DNS resolver other than his ISP and encrypts the transmission, the goal is achieved.

[–] umbrella@lemmy.ml 2 points 19 hours ago

SNI may be enough depending on what a given oppressive ISP/government wants to do.

[–] eleitl@lemmy.zip 5 points 23 hours ago

I also don't trust my ISP nor my national government, which is why the bulk of my private Internet use goes over a fail-closed VPN.

[–] x@niwego.com 46 points 1 day ago (1 children)

@certified_expert

I don't trust my ISP or the government above it.

I think everyone here today doesn't trust their ISP and government.

Use a #VPN or #TOR. Your ISP will only know the destination point; all traffic will be encrypted through a #tunnel.

You said you installed a router. How did you configure the modem? In Full Bridge?

Also start changing your #DNS; don't use your ISP's default ones.

[–] certified_expert@lemmy.world 6 points 1 day ago (1 children)

My pihole serves dns. If not found, it goes directly to root tables (I forgot how they are called).

The router, I just connected its WAN port to the ISP's switch/router/AP. Within the LAN under my router I have DHCP sending everybody to do lookups to the pihole. I don't know what full bridge is.

The ISP's modem/router/switch/AP, I cannot configure. It is a fucking "smart" brick remotely controlled.

[–] x@niwego.com 3 points 1 day ago* (last edited 11 hours ago) (1 children)

@certified_expert
So the modem that you have from your ISP, it is not possible to configure it as ONT, Bridge or Full Bridge? 🤔

Since you are just starting out, I recommend you start by subscribing to a VPN (don't use the free ones) and avoid Tor for now. I use Mullvad, which only allows 5 devices at the same time, but there are others; choose those that don't keep logs.

[–] TiredTiger@lemmy.ml 1 points 20 hours ago (1 children)

If you are able to set up OpenWRT on your router and run Mullvad through that, you can cover your whole network as one "device."

I recommend everyone get their own modem/router if they are able to. ISPs don't provide them for free and you have no idea what monitoring they do with their hardware.

[–] Auli@lemmy.ca 1 points 19 hours ago

They literally provide them for free. And why? So people use their service. Do you know how many people just use their modem, and then they upsell people WiFi repeaters and the like? The hardware is a gold mine for ISPs.

[–] unknowablenight@piefed.social 26 points 1 day ago (1 children)

A VPN? That routes the traffic to the other server, so the ISP can only see you're connecting to a VPN. Most people recommend Mullvad, I personally use Proton and Windscribe, both free, open source, and trusted.

[–] certified_expert@lemmy.world 8 points 1 day ago (4 children)

Can it be installed at a network level, rather than at a device level (like pihole)?

[–] eleitl@lemmy.zip 2 points 23 hours ago

You can run your VPN on your firewall (mine is OPNsense, behind a cable modem in bridge mode). E.g. WireGuard with Mullvad is a good option. Or you can set up a VPN client on your end devices; Mullvad gives you 5 endpoints for one account.

[–] floquant@lemmy.dbzer0.com 8 points 1 day ago* (last edited 1 day ago) (1 children)

Yes, but support changes depending on your router. Not many in the consumer market support it, but you can run OpenWRT on either a supported router or a Linux box with at least two interfaces; a USB adapter works if you're on a budget, and ethernet+WiFi also counts. I would suggest looking into VPN providers that support WireGuard, as that's in my experience both faster and more reliable than OpenVPN.

For commercial alternatives you can just buy and import a WireGuard conf file into: I know MikroTik routers support it and I believe GL.iNet does too. I'm pretty sure there are more; hopefully people can contribute their experiences.

I wouldn't recommend Tor for this use case btw; you'd be adding a lot of latency when you don't need the additional anonymity layer.

[–] deadDuck@lemmy.ca 3 points 22 hours ago

Yes, GL.iNet routers have a VPN pane where you can simply enter the details of a WireGuard or OpenVPN server. I signed up for a free account at Proton, downloaded the configuration for a free WireGuard server, and installed it on the GL.iNet box. When I switch on the VPN in the router interface, all traffic flows through the VPN. I use it while travelling with my family. I can connect the travel router to the hotel or AirBnB wifi, then turn on the VPN (or not), then connect all the family devices to the travel router.

OP could do the same thing, assuming their router supports it, and set up a WireGuard VPN (much faster than OpenVPN) connection on the router and route all network traffic through it. A free VPN will always be slow and congested. A paid one is likely worthwhile in this case, especially if OP streams media.
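Before importing a provider's WireGuard .conf into a router as the two comments above describe, it is worth checking that it really is a full-tunnel config: all traffic goes through the VPN only if AllowedIPs covers IPv4 and IPv6 and the DNS= resolver is itself reached through the tunnel, otherwise some traffic, or every DNS query, still reaches the ISP in the clear. The checker below is an added example, not code from this thread or from any VPN provider; the FULL and SPLIT configs are constructed samples with placeholder keys and a dummy endpoint.

```python
# Added example, not from the thread or any VPN provider: check a WireGuard client
# .conf for "all traffic via the tunnel" before importing it into a router.
# FULL/SPLIT below are constructed samples with placeholder keys and a dummy endpoint.
import ipaddress

def parse_wg_conf(text):
    iface, peers, cur = {}, [], {}  # cur starts as a throwaway dict for stray keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = iface if line[1:-1].strip().lower() == "interface" else {}
            if cur is not iface:
                peers.append(cur)  # [Peer] may appear more than once
            continue
        key, _, val = line.partition("=")  # split once: base64 keys end in '='
        cur.setdefault(key.strip().lower(), []).extend(
            v.strip() for v in val.split(",") if v.strip())
    return iface, peers

def full_tunnel_findings(text):
    iface, peers = parse_wg_conf(text)  # returns a list of leaks; [] means full tunnel
    allowed = [ipaddress.ip_network(a, strict=False)
               for p in peers for a in p.get("allowedips", [])]
    findings = []
    for ver, net in ((4, "0.0.0.0/0"), (6, "::/0")):  # default route for both families
        if not any(n.version == ver and n.prefixlen == 0 for n in allowed):
            findings.append(f"IPv{ver} bypasses tunnel: AllowedIPs lacks {net}")
    dns = iface.get("dns", [])
    if not dns:
        findings.append("no DNS= line: clients keep using the ISP/router resolver")
    for d in dns:
        try:
            ip = ipaddress.ip_address(d)
        except ValueError:
            continue  # a search domain, not a server address
        if not any(ip in n for n in allowed):  # resolver reached outside the tunnel
            findings.append(f"DNS server {d} is outside AllowedIPs: queries go via the ISP")
    return findings

FULL = """[Interface]
PrivateKey = <client-private-key-placeholder>
DNS = 10.64.0.1
[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820
"""
SPLIT = FULL.replace("0.0.0.0/0, ::/0", "10.64.0.0/10").replace("10.64.0.1", "9.9.9.9")
```

`full_tunnel_findings(FULL)` returns an empty list, while the SPLIT variant reports an IPv4 split tunnel, unrouted IPv6 and a resolver outside the tunnel.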

[–] Gulliver@lemmy.zip 1 points 1 day ago

Yes, it can technically, but I've heard more about Tor boxes than VPN boxes; a Pi or whatever should work for both! But only if you can install a client for your VPN, because if you don't have one I believe you have to download a .conf file for each IP of each server you want for your VPN, but they change all the time.

[–] ki9@lemmy.gf4.pw 13 points 1 day ago* (last edited 1 day ago) (1 children)

VPN is the answer but keep in mind that you're just moving the trust to the VPN (they can see your traffic).

The web uses a request/response architecture. Your computer requests a cat pic from the server and the server sends a cat pic back. Your real IP address must be in the request... otherwise the response cannot be routed back to you. VPNs act like couriers making requests and receiving responses on your behalf. So:

  • The cat pic server sees traffic coming from the VPN provider and doesn't know who you are.
  • The ISP sees encrypted traffic to the VPN but doesn't know what it is.
  • The VPN sees everything.

Most web traffic is already encrypted with TLS but not the domain names and IPs (needed for routing).

If you really want to be anonymous on the web, use Tor, but it's slow and many websites block Tor exit nodes so you will have a degraded experience.

[–] certified_expert@lemmy.world 3 points 1 day ago (2 children)

If I use a VPN, my ISP will see that I send and receive gibberish to and from a single address (the VPN server), all over port 443, right?

If I use Tor, what does my ISP see?

[–] ki9@lemmy.gf4.pw 2 points 13 hours ago

It'll go over a different port depending on the VPN protocol (I recommend WireGuard). So the ISP will know it's VPN gibberish, but there are ways to tunnel the ciphertext through HTTPS again (like wstunnel). A bit overkill for your setup, but it comes in handy if you need to break through firewalls (if you are in China and WireGuard ports are blocked but 443 is allowed).

If you use Tor, your ISP sees Tor traffic (gibberish), but Tor also supports obfuscation to make it look like HTTP. All you need to use Tor is Tor Browser (mobile apps exist too), so try it out... It's free, but you will see the limitations I mentioned.

[–] SitD@lemy.lol 4 points 1 day ago* (last edited 1 day ago)

  1. Yes.
  2. The same, but probably to an even more unknown IP that is also changing frequently. The content itself should look equally random.

[–] frightful_hobgoblin@lemmy.ml 9 points 1 day ago* (last edited 1 day ago)

This is what a VPN is for.

VPN is the answer to your question.

[–] voxel@feddit.uk 5 points 1 day ago (1 children)

A trustworthy VPN provider is your best solution here. Mullvad, IVPN, and ProtonVPN are common recommendations in the community. I would personally recommend against Windscribe; it is privacy-friendly but has had major bugs repeatedly in the past. If you want to go experimental, check out NymVPN and Obscura (Apple platforms only).

[–] osanna@lemmy.vg 2 points 1 day ago

While we're recommending/not recommending VPNs, don't use PIA. They WERE the go-to. But they're owned by an American company now and based there.

[–] a4ng3l@lemmy.world 6 points 1 day ago (1 children)

On top of client VPNs you might consider the possible other freebies from your ISP, such as the router, WiFi access points and other network elements they provide you with. Set-top boxes as well. All that equipment is absolutely ratting you out as much as possible. Also any software, including mobile apps, they provide for support / billing / whatever.

[–] certified_expert@lemmy.world 1 points 1 day ago (1 children)

I think I am not understanding this comment. I'm saying I don't trust the ISP. Why would I invade my house and phone with more of their gadgets?

[–] a4ng3l@lemmy.world 2 points 1 day ago

They don't provide you any equipment? Then good. It's very typical for them to do so.

[–] hansolo@lemmy.today 5 points 1 day ago (1 children)

Get a VPN. This is 50% of what they're for.

[–] certified_expert@lemmy.world 1 points 1 day ago (1 children)

What is the other 50%? How is a VPN trustworthy?

[–] osanna@lemmy.vg 2 points 1 day ago (1 children)

You’re asking the right questions.

VPNs aren't much safer. You're putting your trust in a VPN company instead of an ISP. If the VPN company is compromised (such as with PIA) then you're no better off than if you'd not used the VPN. Tor isn't that much safer these days since the NSA runs Tor exit nodes. Best bet is a no-logging VPN. Though you're again putting your trust in them that they actually don't log. Whether or not they do is only known to them.

[–] SitD@lemy.lol 2 points 1 day ago

I think the NSA is not going to cast doubts over Tor by leaking information from normal people or small-fry criminals like pirates. And if you're a dissident from a different country than the USA, it's probably also fine. I'm a lot more worried about the VPNs that pay or own VPN review sites or have ties to surveillance companies.

[–] scytale@piefed.zip 4 points 1 day ago* (last edited 1 day ago) (1 children)

Other than a VPN, use a privacy-respecting DoH provider on your router so all your devices use that instead of your ISP for DNS.

[–] certified_expert@lemmy.world 1 points 1 day ago (1 children)

My router's DHCP service is pointing clients to the pihole for DNS. Should I run that on HTTPS too? Can the pi do that?

[–] deadDuck@lemmy.ca 2 points 22 hours ago

It's not necessary for the Pi-hole to run over HTTPS, because that would only encrypt traffic between the Pi and your device within your own network. When the Pi doesn't have the DNS record that your device requests, it looks it up from the internet. You've probably set the DNS lookup servers in Pi-hole. That's a good start to avoid your ISP. The servers you choose may support DoH, and you should use ones that do. That way, when the Pi sends a DNS lookup to the internet, via your ISP, it's encrypted by HTTPS so your ISP can't inspect it.

[–] sic_semper_tyrannis@lemmy.today 2 points 1 day ago (1 children)

Once you put a VPN on your router, be sure to have a few servers set up so if one isn't behaving right you can log into your router and quickly switch servers.

[–] certified_expert@lemmy.world 1 points 1 day ago (1 children)

How can I install a VPN client in a router? A simple SOHO device, like those TP-Link, D-Link, Asus... It doesn't support OpenWRT.

[–] sic_semper_tyrannis@lemmy.today 2 points 23 hours ago

The software must support it. If OpenWRT isn't an option then maybe another software is, such as DD-WRT or FreshTomato, or sometimes the OEM software does too. You could also put a dedicated firewall device before your router with OPNsense and put a VPN on that.