What your ISP can actually see without a VPN (and what they do with it)
Your internet service provider sits between you and everything else on the internet. Every packet your laptop sends crosses their network. They see all of it — but with HTTPS now covering most of the web, "see all of it" is more nuanced than it used to be. Here's the precise version.
What your ISP can see in 2026
Every DNS query you make
When you type example.com into your browser, your computer first asks a DNS server "what's the IP for example.com?" Without a VPN or DNS-over-HTTPS, that question travels in cleartext to your ISP's DNS resolver. Your ISP sees:
- The domain you're looking up
- The exact time you looked it up
- How often you look it up
- Whether you've looked it up before
ISPs generally retain DNS query logs. The retention period varies by jurisdiction and by ISP, but logging by default is the rule, not the exception.
Every domain you visit, even over HTTPS
HTTPS encrypts the contents of your traffic but not the destination. The TLS handshake includes a Server Name Indication (SNI) field, a cleartext extension in the ClientHello message that says "I want to connect to www.example.com" so the server knows which certificate to serve. SNI is necessary because multiple sites share IP addresses on shared hosting, and the server needs to know which one you want.
That SNI is visible to anyone watching the wire, including your ISP. Even with full HTTPS, your ISP knows exactly which sites you visit, just not what you do on those sites.
Some browsers support Encrypted SNI (ESNI) and Encrypted Client Hello (ECH), but support is patchy and ISP-side filtering catches a lot of edge cases. In practice, SNI is visible to your ISP today.
Connection metadata
Your ISP sees:
- Source and destination IPs. They know your IP (they assigned it) and the destination IP for every connection.
- Protocol and port. Whether you're using HTTP, HTTPS, SSH, RDP, BitTorrent, a VPN, etc. They can usually identify the protocol from packet patterns even if you change the port.
- Timing. When connections happen, how long they last, how often they recur.
- Data volume. How much you sent and received in each direction.
Combined, these are enough to build a detailed picture. ISPs know when you're streaming video, when you're on a video call, when you're downloading large files, and roughly which services you're using.
What's actually private without a VPN
Inside an HTTPS session, your ISP cannot see:
- The full URL path (just the domain)
- Page content
- Form submissions
- Cookies
- API requests inside the page
So they know you visited a banking site, but not which page on it. They know you used a chat app, but not who you talked to or what you said. That's the floor of what HTTPS provides.
What ISPs actually do with this data
Sell it to advertisers
In the US, the FCC's broadband privacy rules were repealed in 2017. ISPs can sell your browsing history to advertisers without explicit consent, and several do. Verizon, AT&T, and Comcast have all run targeted-advertising programs that use ISP-level browsing data. The data is "anonymised" before sale, but anonymisation of browsing data has been demonstrated to be reversible in study after study.
In the UK, ISPs are required to retain connection records for 12 months under the Investigatory Powers Act and make them available to government agencies on request. The retention is mandatory; the access is not advertised but well-documented in transparency reports.
In the EU, GDPR provides stronger consumer protections, but ISPs still retain operational logs and respond to law-enforcement requests under national legislation that varies by member state.
Throttle specific traffic
ISPs prioritise some traffic over others. The most common targets:
- BitTorrent and other P2P
- Video streaming during peak hours, especially on lower-tier plans
- Gaming traffic on consumer plans, sometimes
- Anything they recognise as a competing service (e.g. an ISP that owns a video service may throttle Netflix)
This technically violates net neutrality where net neutrality applies, and is technically legal where it doesn't. In the US, throttling is legal as long as it's disclosed; many ISPs disclose it in fine print and assume you won't read it. The mechanism is covered in "What is ISP throttling".
Comply with government requests
Law enforcement requests for ISP records are routine. The Five Eyes countries (US, UK, Canada, Australia, New Zealand) share intelligence including communications metadata. The request volume is in the hundreds of thousands per year per major ISP. Most are processed without challenge.
A subpoena, search warrant, or NSL (in the US) lets law enforcement obtain your subscriber records, IP assignment history, connection logs, and DNS query logs from your ISP. They don't need to break into your computer; they can ask the ISP.
Inject ads (less common now, still happens)
Pre-HTTPS-everywhere, some ISPs injected ads into HTTP responses. AT&T and several smaller ISPs got caught doing this in the early 2010s. The practice is rarer now because most pages are HTTPS, but it still happens on the cleartext edges (DNS responses redirecting to "search assist" pages, for instance).
How a VPN changes the picture
A VPN encrypts everything between your device and the VPN server. Your ISP sees:
- An encrypted tunnel to a single IP (the VPN server)
- The protocol and port of the tunnel
- How much data you sent
- How long the tunnel was up
They do not see:
- Which sites you visited
- DNS queries (those happen inside the tunnel, resolved by the VPN's DNS)
- The content of any traffic
- The destinations you reached after the VPN server
They know you're using a VPN. They know how much bandwidth your VPN consumed. They don't know what you did with it.
This eliminates the surveillance and traffic-shaping concerns at the ISP level. It moves trust from the ISP to the VPN provider — which is why the VPN provider's logging policy matters. A VPN that logs everything is just a different ISP with different jurisdiction.
Fexyn does not log browsing history, DNS queries, or traffic content. That's the precise commitment, with the small print spelled out.
VLESS Reality goes one step further
A standard VPN tells your ISP "you're using a VPN" by the protocol pattern. WireGuard packets look like WireGuard. OpenVPN packets look like OpenVPN. The ISP knows you're tunneling, even if they don't know what.
VLESS Reality with the Vision flow (Fexyn Stealth) is different. It establishes a real TLS 1.3 connection to a real well-known site like microsoft.com. To the ISP, the traffic looks like an HTTPS session to microsoft.com. Same SNI, real certificate from a real CA, plausible bandwidth profile.
In countries where "using a VPN" is itself a flag, this matters. The ISP can't tell you're tunneling without also blocking, as false positives, traffic to legitimate public sites.
The DNS-leak side door
A VPN that doesn't fully tunnel your DNS queries leaves a side channel open. Even with the tunnel up, DNS queries can leak to your ISP through OS-level shortcuts (Smart Multi-Homed Name Resolution on Windows, IPv6 fallback paths, IPv4-mapped queries). Your ISP then sees the domains you're visiting via DNS, even though the tunnel hides everything else.
Test for DNS leaks regardless of which VPN you use. If leaks show up, fix them.
Fexyn forces all DNS through the tunnel using NRPT rules at the OS level plus per-protocol DNS configuration. The combination eliminates the common leak paths.
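The cleartext DNS lookup described near the top of the page and the leak path described here can be checked with the same logic: decode the question name from any port-53 packet seen outside the tunnel interface. This is an added example, not Fexyn's code; the interface names, addresses and capture records are constructed, and `tun0` as the tunnel interface is an assumption.

```python
import struct

TUNNEL_IFACE = "tun0"   # assumed name of the VPN interface


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A-record query in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes) -> str:
    """Read the question name from a cleartext DNS query, as any on-path device can."""
    labels, pos = [], 12                 # the question follows the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def find_dns_leaks(packets):
    """Return (iface, resolver, domain) for port-53 queries sent outside the tunnel."""
    leaks = []
    for iface, dst_ip, dst_port, payload in packets:
        if dst_port == 53 and iface != TUNNEL_IFACE:
            leaks.append((iface, dst_ip, parse_qname(payload)))
    return leaks


# Constructed capture: (interface, destination IP, destination port, UDP payload).
# Addresses come from private and documentation ranges.
CAPTURE = [
    ("tun0", "10.8.0.1", 53, build_query("mail.example.com")),    # resolved in tunnel
    ("eth0", "192.0.2.53", 53, build_query("bank.example.com")),  # leaked outside it
    ("eth0", "203.0.113.9", 51820, b"\x00" * 32),                 # opaque tunnel packet
]

if __name__ == "__main__":
    for leak in find_dns_leaks(CAPTURE):
        print("DNS leak:", leak)
```

On a real machine the records would come from a packet capture on the physical interface taken while the tunnel is up; any hit means the ISP's resolver is still seeing that domain.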
Try Fexyn free for 7 days. Your ISP keeps seeing you online; they stop seeing what you're doing.