Skip to content

What does your ISP actually see?

Even with HTTPS everywhere and incognito mode on, your ISP sees the domain of every site you connect to, when, how often, and how much data flows — what it can't see is the content: pages, searches, messages, passwords. Your ISP is the one party on the internet you can't route around by default — every packet you send rides its wires first, and it's also the only party that can tie your IP to your name. This guide maps its visibility honestly: what's exposed, what encryption actually covers, and what changes the picture.

Maintained by the ipconfig.io team · Reviewed 1 July 2026

Who your ISP is, according to your connection

The network field of the lookup names the operator carrying your traffic right now:

bash
curl ipconfig.io/asn-org

Home fiber, mobile carrier, office network — whoever owns that ASN (what an ASN is) is the party this guide is about. If it names a VPN provider instead, you've already moved the trust — more on that below.

The visibility map

Your ISP seesYour ISP cannot see (HTTPS)
Every domain you connect to (DNS + SNI)The specific pages and URLs within a site
When, how often, and for how longYour searches, form entries, passwords
Traffic volume per connectionMessage and email content
The IP of every server you reachWhat you watched — beyond "video-sized traffic from that domain"
That you're using a VPN or Tor (though not what's inside)

The two channels that leak destinations deserve naming, because they're why "I use HTTPS" doesn't end the conversation:

  • DNS — if your devices use the ISP's resolver (the default), every domain lookup is handed to it directly, before any encryption starts. (What a DNS leak is — the same channel, in VPN context.)
  • SNI — when your browser opens an HTTPS connection, the domain name travels unencrypted in the handshake so the server knows which certificate to present. Encrypted DNS doesn't close this one; encrypted SNI (ECH) exists but isn't yet universal.

Metadata is not a consolation prize, to be clear — a timestamped domain log is a detailed behavioral profile: sleep schedule, health worries, job hunts, politics. Content encryption protects what you said, not who you are. And depending on your country, that log may be retained under data-retention law or monetized in aggregate — the visibility is the same either way; only the policy differs.

What changes the picture

Encrypted DNS (DoH/DoT) moves your lookups from the ISP's resolver to one you choose — a real improvement, but partial: SNI still names each domain as you connect. Think of it as removing one of two copies.

Tor removes destination visibility entirely — the ISP sees only that you're using Tor — at real cost in speed and site compatibility.

A VPN is the structural change: every packet goes into one encrypted tunnel, so the ISP's view collapses to "encrypted traffic to a VPN server, this much, at these times." DNS, SNI, destinations — all inside the tunnel. The honest framing is that a VPN doesn't delete the watcher; it moves the trust from an ISP you didn't choose to a provider you did. That's precisely why the selection bar is an independently audited no-logs policy — Proton VPN is a solid example (Swiss jurisdiction, audited, no-logs). (Affiliate link; it helps keep ipconfig.io free. Any audited no-logs provider clears the bar.) Verify the switch took effect: curl ipconfig.io/asn-org should name the VPN, and the leak test confirms nothing routes around it.

Frequently asked questions

Can my ISP see the sites I visit? Yes — every domain, via DNS and SNI, plus timing and volume. Not the pages or content on HTTPS sites.

Does incognito hide anything from my ISP? Nothing. Incognito is device-side only.

Does HTTPS hide my activity? It hides content, not destinations. The padlock and the domain log coexist.

How do I reduce it? Encrypted DNS helps partially; Tor and VPNs remove destination visibility — a VPN by moving trust to an audited no-logs provider.

Next steps

Geolocation by MaxMind GeoLite2. No tracking, no keys.