VPN vs DNS
VPN and DNS both unblock content, but operate at different layers. VPN encrypts all traffic through a remote server; DNS only resolves names to IPs. Only VPN provides real privacy.
Both a VPN and a custom DNS get marketed as ways to "unblock the internet" — so people treat them as interchangeable privacy tools. They're not. They operate at completely different network layers, and confusing them is how you end up feeling private while staying wide open.
Mental model: A VPN is a sealed tunnel that wraps your entire connection; a DNS resolver is just an address book that points you in a direction.
What a VPN Actually Does
A VPN builds an encrypted tunnel from your device to a remote server. Every packet — from every app, every browser tab, every background service — gets routed through that tunnel before it reaches the internet.
From your ISP's perspective, they see traffic leaving your device, but they can't see where it's going or what it contains. The payload is scrambled. Your real IP address is hidden behind the VPN provider's IP.
That's real privacy at the network layer.
The cost is tangible:
- Latency increases. Every packet now detours through a distant server. A round-trip that took 10ms might now take 50ms or more.
- You must trust the provider completely. Your ISP can no longer see your traffic, but the VPN provider can see all of it. They're now the entity with visibility into where you browse, what you download, what APIs you call. Pick a shady provider and you've relocated the surveillance, not eliminated it.
- Throughput suffers. Encryption and decryption add CPU overhead, and the tunnel's bandwidth is bounded by the provider's infrastructure.
What DNS Does (And Doesn't)
A DNS resolver is an address book. When your browser asks "where is example.com," the resolver answers with an IP address. That's it.
When you switch to a custom DNS like 1.1.1.1, you're changing who answers that question, not how the answer is used. The lookup might happen through a different path. Maybe the custom resolver blocks known malware domains, or bypasses a regional filter. The lookup itself is now rerouted.
It's fast because there's no tunnel, no encryption overhead, no detour.
The catch is critical:
- No encryption. The lookup query and response travel unencrypted. Anyone watching the network can see what domain you just queried.
- No IP hiding. After the resolver returns an IP, you connect directly to that IP address. Your real IP is visible. Your ISP still sees every site you visit.
- Limited scope. Only DNS lookups are affected. The rest of your traffic — VoIP, instant messages, video streams — routes normally, fully exposed.
Changing your DNS resolver is not a privacy measure. It's a filtering or unblocking measure. If your ISP blocks example.com by intercepting the DNS lookup, a custom resolver bypasses that block. But your ISP still sees that you tried to reach example.com, because the subsequent connection attempt reveals the destination.
Side-by-Side Comparison
| Aspect | VPN | Custom DNS |
|---|---|---|
| Scope | All traffic, all apps | DNS lookups only |
| Encryption | Yes, full tunnel | No, unencrypted by default |
| IP hiding | Yes, ISP sees VPN server IP | No, your IP is visible |
| ISP visibility | Sees only encrypted traffic | Sees all sites you connect to |
| Latency impact | Significant (detour through server) | Minimal (one extra lookup) |
| Trust requirement | Must trust VPN provider completely | Trust applies only to DNS lookups |
| Primary use case | Privacy, hiding activity from ISP | Unblocking domains, malware filtering |
A Practical Example
You want to access a news site that your ISP blocks. Here's what happens in each scenario.
With a custom DNS (1.1.1.1):
- Your device queries 1.1.1.1: "Where is newssite.example?"
- 1.1.1.1 responds: "203.0.113.45."
- Your device connects directly to 203.0.113.45.
- Your ISP sees the connection to 203.0.113.45 and either allows or blocks it. If they've blacklisted the IP, you're still blocked. If they haven't, the site loads — but your ISP now has a full record that you accessed it.
With a VPN:
- Your device sends all traffic — including the DNS lookup — through the encrypted tunnel to the VPN server.
- The VPN server queries a DNS resolver (its own or a third party): "Where is newssite.example?"
- The resolver responds with an IP.
- The VPN server connects to that IP on your behalf.
- Your ISP sees encrypted traffic leaving your device, destined for the VPN server. It has no visibility into where you're actually going or what you're reading. The news site's server sees the VPN server's IP, not yours.
The VPN hides your activity. The DNS resolver just changes the first step.
For Backend and Systems Engineers
If you're thinking about this in terms of request flow and latency: DNS is a single lookup query that typically resolves in a few milliseconds locally (or a few hundred milliseconds over a network). A VPN adds a persistent tunnel with handshake latency upfront, then per-packet encryption/decryption overhead and network latency on every subsequent packet.
For API clients and microservices, using a VPN for "privacy" is sometimes the wrong choice. If you're running a backend service that needs to reach an external API, and you route all traffic through a VPN for compliance, you've introduced per-packet latency and a single point of failure (the VPN provider). Custom DNS for service discovery or regional routing is lighter and faster — but it doesn't encrypt or hide the traffic. Use it for discovery and filtering; use a VPN (or mTLS) if confidentiality is the requirement.
When to Use Which
They're not competitors — they're different jobs at different layers.
Reach for a VPN when: you need to hide your activity and IP address from your ISP or network, you're on an untrusted network (public WiFi), or you need to encrypt all traffic to a specific gateway. Accept the latency cost and the need to trust the provider.
Reach for a custom DNS when: you want to unblock domains that are filtered by DNS, you want to block malware or ad domains at the resolver level, or you need faster routing without the overhead of a tunnel. Understand that you're not gaining privacy — you're changing who answers the address book.
Most robust privacy setups lean on the VPN. Changing your resolver is not privacy; it's filtering.
Watch the 90-second reel for a quick visual walkthrough.