Skip to main content
LiMP VPN
All posts

How a VPN Protects You from ISP Tracking

How a VPN Protects You from ISP Tracking

TL;DR: Your internet provider sees every connection you make: which sites you reach, when, how often, and how much data you move. Even with HTTPS, the site name leaks through DNS queries and the TLS SNI field, while the fact and volume of traffic stay visible. A VPN wraps all of your traffic in an encrypted tunnel, so the ISP sees only one connection — to the VPN server — and can no longer build a list of your sites. In return, trust shifts to the VPN service, which makes a no-logs policy and DNS-leak protection essential. A VPN does not hide you from the VPN provider itself, from account logins, or from trackers on the destination site.

What your ISP actually sees

When you open a website, your traffic physically passes through your provider's equipment. An ISP is not a passive "pipe": it routes packets, keeps technical logs, and in many countries is legally required to retain connection metadata. It helps to separate the content of your traffic (what you typed in a chat, which password you entered) from the metadata (which server you connected to, when, how long, how many megabytes you moved). HTTPS has long encrypted content — that is good. But on a normal connection the metadata stays exposed, and from it you can reconstruct a surprisingly detailed picture of someone's life.

Here is what a typical ISP can technically record about your connection without any VPN:

  • DNS queries — which domain names you looked up (say, bank.example or the name of a medical site), even if the connection later went over HTTPS.
  • Destination IP addresses — which servers you connected to; an IP often maps clearly to a service.
  • The SNI field — the site name sent in plaintext at the very start of the TLS handshake.
  • Timing and frequency — when you go online, which hours you are active, how often you visit a resource.
  • Traffic volume — how much data moved; volume alone distinguishes reading text from watching video or downloading a file.
  • Session duration — how long you stayed connected to a particular server.

Individually these crumbs are harmless. Together they form a profile: your daily routine, interests, habits, which services you use and how heavily. That is enough for ad targeting, behavioral analysis, and in some cases deanonymization.

Technical logs and mandatory retention

An ISP has two reasons to collect data: technical (routing, fault handling, attack mitigation — for which the equipment already "sees" the packet flow) and regulatory (in many countries data-retention law requires keeping connection metadata: who connected to whom, when, and for how long). Content is usually not stored — HTTPS encrypts it — but metadata often is, sometimes for months.

A separate topic is deep packet inspection (DPI). This is technology in which the ISP analyzes not just headers but the structure of traffic: from characteristic signatures, DPI recognizes protocols and sometimes specific applications. DPI works on the "shape" of a connection and on metadata — it does not crack the content behind HTTPS, but it can determine the type and direction of your traffic. The takeaway is simple: assuming "the ISP records nothing anyway" is careless — technically it can see metadata, legally it is often required to keep it, and with DPI it can also classify your traffic. All of this works right up until your traffic is hidden inside an encrypted tunnel.

How a profile is assembled from metadata

The main danger of metadata is that it correlates. One DNS query to an airline's site means nothing. But if it is followed by a query to a hotel in the same city, then to a banking app, then to a map, a story about a planned trip takes shape. The ISP (or whoever it hands metadata to) may not read a single letter you wrote, yet can reconstruct an event from the chain of requests. In the same way, timing reveals when you wake up and which services you use in the evenings, and volume betrays the nature of your activity: a steady small stream is messaging, a heavy and prolonged one is video or downloads. This "digital shadow" forms without any hacking, purely from observing metadata — and it is exactly what a VPN hides.

Why HTTPS alone is not enough

A common misconception: "I have the padlock in the address bar everywhere, so the ISP sees nothing." HTTPS does encrypt the body of the request and response — login, password, message text, page content. But HTTPS was never designed to hide the fact that you reached a site. The protocol leaves a few "cracks" through which the resource name leaks to the ISP.

DNS — a phone book everyone can read

Before your browser opens a site, it asks a DNS server: "what is the IP for this domain?" Classic DNS runs in plaintext over UDP port 53. That means the ISP (and the DNS server most often belongs to it) sees the list of every domain you looked up, before the HTTPS connection is even established. Even if the page later loads over an encrypted channel, the domain name has already been exposed. To diagnose this there is a dedicated procedure — a DNS leak test — which shows which resolver actually handles your queries and whether they slip out to the ISP, bypassing the channel you believe is protected.

SNI — the site name in plaintext

When a TLS connection is established, the client's very first message (ClientHello) states which domain it is connecting to — this field is called SNI (Server Name Indication). It exists so that one IP address can serve many sites. The trouble is that in classic TLS the SNI field is sent before encryption, in plaintext. An ISP watching the handshake reads the site name straight from this field — even if your DNS is encrypted. There is a technology called Encrypted Client Hello (ECH) that hides SNI, but it is not deployed everywhere and depends on support from both the server and the network, so relying on it as a privacy guarantee is not yet realistic.

Destination IP and the shape of traffic

Even if we assume both DNS and SNI are encrypted, the IP address of the server you connect to remains. In many cases an IP uniquely identifies a service: large platforms hold well-known address ranges. On top of that, the ISP sees the "shape" of your traffic — the pattern of packets, their sizes and timing; analyzing this shape (traffic fingerprinting) can in some cases guess which service you use without decrypting any content. The conclusion: HTTPS protects what you send but does a poor job of hiding where and when you go. That is precisely the gap a VPN closes.

HTTPS and VPN are different layers

HTTPS handles the confidentiality of content between you and the site, while a VPN ensures the ISP cannot see the map of your movements across the network at all. HTTPS is not "weaker" than a VPN — it is simply a different layer, and the best practice is to use both at once. Inside the VPN tunnel, HTTPS keeps encrypting content on the leg from the VPN server to the site, adding a layer of protection. Relying on only one of the two leaves half the picture open: either the ISP sees your routes (HTTPS only), or content is exposed on the last leg (a hypothetical "bare" VPN without HTTPS, which barely exists in practice).

What changes with a VPN: a single encrypted tunnel

A VPN (virtual private network) creates an encrypted tunnel between your device and the VPN server. All network traffic — DNS queries, TLS handshakes, content — is packed inside this tunnel and encrypted before it even leaves the device. If you want to understand the idea from scratch, start with a plain-language explanation of what a VPN is.

From the ISP's point of view the picture simplifies radically. Before, it saw dozens or hundreds of your connections to different sites. Now it sees one connection — between you and the VPN server — and a stream of encrypted data inside it. Here is what the ISP stops seeing:

  • The list of sites — DNS queries travel inside the tunnel, so the ISP gets no domain names.
  • SNI — TLS handshakes with destination sites happen behind the VPN server, past the ISP.
  • Real destination IPs — the ISP sees only the VPN server's IP, not the sites you visit.
  • The link between traffic and services — the stream is uniform and encrypted, far harder to split into "this is banking, that is video."

The quality of this protection depends on the tunnel's protocol. The modern choice is the WireGuard protocol: fast, with strong cryptography and a minimal attack surface. Hiding your real IP is a side but important effect: for the destination site and for the ISP, your visible address changes to that of the VPN server. There is more on this in the guide on how to hide and change your IP address.

Trust shifts to the VPN service

Here we have to be honest. A VPN does not make you invisible — it relocates the point of trust. Before, all your activity was visible to the ISP; now all traffic, before decryption, passes through the VPN server, and the VPN service technically occupies the same privileged position. So the question "whom do you trust?" does not disappear — it is redirected. But this is not "things got worse": before, your routes were watched by an ISP that owes you no privacy and that you often did not choose (frequently a local monopoly). With a VPN, you consciously choose who gets part of your traffic and can lean on their public policy.

From this follows the main selection criterion — a no-logs policy. A serious service does not record which sites you connected to, your real IPs, or session timings: if there are no logs, then even under an external request the service has nothing to hand over. If it keeps detailed records, you have not removed surveillance — you have only swapped the observer. What to look for when choosing:

  • No-logs on paper and in practice — look for a clear statement of exactly what is not logged (activity, IPs, timings).
  • Jurisdiction — where the service is registered and what data-retention obligations it has.
  • Transparency — a clear privacy policy without ambiguous caveats.
  • Business model — free VPNs often earn by selling user data; a paid subscription reduces that conflict of interest, because a service that lives on subscriptions has no incentive to trade your data.

How to weigh these criteria and avoid falling for marketing is covered in our guide on how to choose a VPN in 2026. The short rule: a free service with no clear monetization model almost certainly treats your data as the product.

DNS leaks and the role of a kill switch

A VPN hides your DNS queries only as long as they really travel inside the tunnel. In practice there is a DNS leak: the operating system or an app sends DNS queries directly to the ISP's servers, bypassing the VPN. As a result, the traffic looks encrypted but the list of domains still leaks. The causes vary: incorrect network settings, OS behavior, IPv6 the VPN did not intercept, or apps that use their own DNS. So merely turning on the VPN is not enough — you need to confirm there is no leak. How to check and fix this is described in the guide on testing and fixing a DNS leak.

The second key safeguard is a kill switch. If the VPN connection drops for a second (a network switch, a server reboot, a weak signal), the device may automatically fall back to the normal connection — and all traffic, including DNS, briefly goes out in the open through the ISP. A kill switch blocks any network exchange until the tunnel is restored, allowing not a second of "bare" traffic. Such drops are especially insidious on mobile devices, where the network switches constantly: you leave the house, the phone hops from Wi-Fi to mobile data, and in that fraction of a second without a kill switch background apps manage to "knock" on their servers directly. A good kill switch also seals the side channels of leakage, including IPv6, and once the connection is restored everything keeps working automatically.

How this mechanism works and why it is mandatory for serious privacy is covered in the breakdown of what a kill switch is in a VPN. The combination of "VPN + leak testing + kill switch" closes the main scenarios in which your domains could leak to the ISP again.

Encrypted DNS (DoH/DoT) vs a VPN

People sometimes advise: "why a VPN, just turn on encrypted DNS." DoH (DNS over HTTPS) and DoT (DNS over TLS) encrypt the DNS queries themselves, so the ISP does not see domain names during resolution. That is a useful step, and many browsers support it out of the box. But it closes only one crack: encrypted DNS does not touch the SNI in the TLS handshake, does not hide real destination IPs, and does not mask traffic volume and timing. So the ISP still sees which IPs you connect to and can draw conclusions about the services you use from those IPs and the shape of your traffic.

  • DoH/DoT — encrypt DNS queries; do not hide destination IPs, SNI, or traffic shape.
  • VPN — wraps all traffic whole; the ISP sees only the connection to the VPN server.
  • Together — a VPN already carries its own protected DNS inside the tunnel, so a separate DoH is usually redundant.

If your goal is to hide your activity from the ISP entirely, a VPN solves it more completely. We compared a VPN with other anonymization tools in the article VPN vs proxy vs Tor.

What a VPN does NOT hide

An honest conversation about privacy must include the limits. A VPN is a powerful tool against ISP surveillance, but not an invisibility cloak. It helps to split things by level. At the network level (the ISP, nodes along the path, open Wi-Fi) a VPN works great: it hides routes and encrypts the channel. At the application level (the site itself, ad networks, analytics) a VPN is almost powerless, because there you interact with the service directly — and swapping IPs does not cure that.

  • Account logins — by authenticating to a service, you voluntarily tell it your identity; the VPN has nothing to do with it.
  • Cookies and trackers — ad networks track you via cookies and pixels regardless of IP.
  • Device fingerprinting — the browser exposes a unique set of parameters (fonts, resolution, versions) that identifies you even without an IP.
  • Site-side tracking — the destination site collects its own analytics on your actions.
  • Malware — a VPN is no substitute for antivirus and does not protect against phishing or infected files.

The correct model is this: a VPN removes the ISP from the observers of your routes and encrypts the channel, but privacy at the level of accounts and trackers requires separate measures — tracker blockers, profile isolation, login hygiene. A VPN is the foundation, not the whole building.

Throttling and shaping: another reason to hide your traffic

ISP surveillance is not only about privacy. By seeing which services you connect to and the character of your traffic, the ISP can also manage it. Traffic shaping and throttling are the deliberate slowing or prioritization of certain types of connections. A classic example: the ISP recognizes from the shape of traffic that you are watching high-quality video or downloading a large file, and throttles that specific stream. When all traffic goes through a VPN, the ISP sees only a uniform encrypted stream to a single server — and it becomes much harder to selectively slow specific services, because it cannot tell them apart inside the tunnel.

An honest caveat: a VPN does not lift the physical limits of your link and does not "speed up the internet" by itself. If the ISP throttles everyone indiscriminately, a tunnel will not help. But against selective slowing of specific services, masking the traffic often works. The topic overlaps with security on open networks — covered in detail in the guide on public Wi-Fi security.

Checklist: how to actually hide your activity from the ISP

  • Turn on the VPN on all devices — phone, tablet, laptop; the ISP sees each device's traffic separately.
  • Choose a service with an honest no-logs policy — since trust shifts to the VPN, it must be justified by a transparent policy.
  • Enable the kill switch — so that if the tunnel drops, traffic and DNS do not leak to the ISP for even a second.
  • Check for a DNS leak — run a test and confirm DNS queries go through the VPN.
  • Use a modern protocol — WireGuard, for example: strong encryption and a minimal attack surface.
  • Keep the VPN on all the time — the ISP records exactly the unprotected gaps.
  • Do not confuse a VPN with site anonymity — for accounts and trackers use separate measures: blockers, profile isolation, login hygiene.
  • Re-check after switching networks — when you switch Wi-Fi or mobile networks, confirm the tunnel came up and there are no leaks.

Where LiMP fits in

If you want to close off ISP surveillance without long fiddling with settings, take a look at LiMP. It is a B2C VPN with a 100 ₽/month subscription, apps for iOS and Android, and a no-logs policy — that very shift of trust is here made in your favor: the service keeps no logs of your activity. The tunnel hides DNS, SNI, and real IPs from the ISP, while the kill switch keeps traffic from leaking if the connection drops. It is not a cure-all for every threat — it is a tidy privacy foundation that turns on in one tap and runs in the background.

Conclusion

By default your internet provider sees far more than it seems: the list of your sites via DNS and SNI, destination IPs, timing, volumes, and frequency of access. HTTPS encrypts content but does not hide the fact and address of your connections. A VPN solves this comprehensively — it wraps all traffic in an encrypted tunnel, and the ISP sees only one connection to the VPN server. The price is a shift of trust to the VPN service, which makes the key requirements an honest no-logs policy, DNS-leak protection, and a kill switch. And remember the boundaries: a VPN does not hide you from account logins, trackers, and fingerprinting on the site's side. Use it as a solid foundation of privacy, complemented by account hygiene.

Frequently asked questions

Does my ISP see sites if I connect over mobile data rather than Wi-Fi?

Yes, the same way. A mobile carrier is also an internet provider: it routes your traffic, sees DNS queries, SNI, and destination IPs, and is often required to retain metadata. A carrier's network is no more "private" than a home ISP, so a VPN on a phone is just as appropriate as on a computer.

If I use a VPN, can the ISP at least see that I turned a VPN on?

Usually yes: the ISP sees one encrypted connection to the VPN server's IP and can tell from the traffic's character that it is a VPN. But the content, the list of sites, DNS, and SNI stay hidden from it — it knows "you are using a tunnel" but not "where exactly you go."

Does a VPN help if I already switched DNS to a third-party resolver (say, a public one)?

A third-party DNS only changes who answers the queries, but with ordinary (unencrypted) DNS the ISP still sees the queries themselves, plus the SNI and destination IPs. A VPN closes all of these channels at once by wrapping traffic in a tunnel, so it is more reliable than simply changing the DNS server.

Does a VPN change what my employer sees on a corporate network?

Partly. A personal VPN hides the list of your sites and the content from the corporate network — the admin sees only the tunnel to the VPN server. But many companies forbid third-party VPNs by policy or block them at the network level, and issued work devices may run separate monitoring that a VPN does not undo.

Does ISP protection still apply if my browser is in incognito mode?

These are different things. Incognito only avoids saving history and cookies locally, on your device, but the ISP still sees DNS queries, SNI, and destination IPs. It is the VPN, not private browsing mode, that protects against ISP surveillance; you can combine them, but one does not replace the other.

If I have a static IP at home, is a VPN more important for me?

A static IP makes it easier to tie your activity to one address over time, but it does not change the essence: even with a dynamic IP the ISP sees your DNS, SNI, and routes. A VPN is useful in both cases; with a static address it additionally hides your permanent "identifier" from destination sites.

How a VPN Protects You from ISP Tracking | LiMP VPN