The Complete Privacy Stack: VPN, Browser, DNS, and Beyond
A VPN alone doesn't make you private. Neither does a "privacy browser" or encrypted DNS. Real privacy requires layers - multiple tools working together to minimize your digital footprint.
This guide walks through building a practical privacy stack, from essential to advanced. No paranoia required - just straightforward tools that work.
Understanding the Layers
Think of privacy like physical security. A door lock is good. A door lock plus a deadbolt is better. Add an alarm system, and you're significantly more protected. Each layer addresses different threats.
| Layer | What It Protects | Threats Addressed |
|---|---|---|
| VPN | Network traffic | ISP monitoring, network surveillance, IP tracking |
| Browser | Web activity | Fingerprinting, cookies, trackers |
| DNS | Domain lookups | DNS logging, DNS-based blocking |
| Search | Search queries | Search history profiling |
| Email | Communications | Email scanning, metadata collection |
| Passwords | Account security | Credential theft, account takeover |
Let's build each layer.
Layer 1: VPN (Network Protection)
Your VPN is the foundation. It encrypts all traffic leaving your device and masks your IP address from every site you visit.
What to Look For
- WireGuard protocol: Faster and more secure than OpenVPN
- No-logs policy: Verified, not just claimed
- Anonymous signup: No email or personal data required
- Crypto payments: No payment trail back to you
- Kill switch: Blocks traffic if VPN disconnects
Setup
- Get your account number from LookerVPN
- Download the WireGuard app for your device
- Generate a config in your dashboard
- Import the config or scan the QR code
- Connect
When to Use It
Keep your VPN on by default. The performance impact with WireGuard is minimal (typically <10% speed reduction), and it protects you from:
- ISP logging your browsing history
- Public Wi-Fi attacks
- IP-based tracking across sites
- Geographic content restrictions
Layer 2: Browser (Web Privacy)
Your browser is where most tracking happens. Even with a VPN, websites can identify you through cookies, fingerprinting, and tracking scripts.
Recommended Browsers
For daily use: Firefox or Brave
Firefox with the right settings offers strong privacy without breaking websites:
```
# Essential Firefox settings (about:config)
privacy.trackingprotection.enabled = true
privacy.trackingprotection.socialtracking.enabled = true
network.cookie.cookieBehavior = 1 # Block third-party cookies
```
Brave blocks ads and trackers by default. It's Chromium-based, so site compatibility is excellent.
For sensitive browsing: Tor Browser
Tor routes your traffic through three random nodes, making it nearly impossible to trace. Use it when you need maximum anonymity, but expect slower speeds.
Essential Extensions
Keep extensions minimal - each one increases your fingerprint. These are worth it:
- uBlock Origin: Blocks ads and trackers
- Privacy Badger: Learns and blocks invisible trackers
- HTTPS Everywhere: Forces encrypted connections (less needed now, but still useful)
Browser Hygiene
- Use containers or profiles to separate activities (work, personal, shopping)
- Clear cookies regularly or use auto-delete extensions
- Disable WebRTC to prevent IP leaks (even through VPN)
- Use private/incognito mode for one-off searches
Layer 3: DNS (Domain Lookup Privacy)
Every time you visit a website, your device asks a DNS server to translate the domain name to an IP address. By default, these queries go to your ISP - unencrypted and logged.
The Problem
Even with a VPN, your DNS queries can leak if not configured properly. Your ISP (or whoever controls your DNS) sees every domain you visit, even if they can't see the content.
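One way to check a WireGuard config for the leak described above, as an added example (not LookerVPN's code and not part of the original guide): it assumes a wg-quick style file and flags a missing `DNS` line, a DNS server outside `AllowedIPs`, and a missing IPv4 or IPv6 default route. The keys, addresses and endpoint in the sample are constructed placeholders.

```python
import ipaddress

# Constructed sample: placeholder keys, addresses and endpoint (not real values).
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

def parse_conf(text):
    """Map (section, key) -> list of values; repeated keys and peers are merged."""
    section, out = "", {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line:
            key, _, val = line.partition("=")
            items = [v.strip() for v in val.split(",") if v.strip()]
            out.setdefault((section, key.strip().lower()), []).extend(items)
    return out

def audit_wireguard(text):
    """Return leak findings for a wg-quick style config (empty list = none found)."""
    cfg, findings = parse_conf(text), []
    nets = [ipaddress.ip_network(n, strict=False)
            for n in cfg.get(("peer", "allowedips"), [])]
    for ver, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        covered = set(ipaddress.collapse_addresses(n for n in nets if n.version == ver))
        if ipaddress.ip_network(default) not in covered:
            findings.append(f"IPv{ver}: AllowedIPs does not cover {default}, "
                            "so that traffic is not routed through the tunnel")
    servers = cfg.get(("interface", "dns"), [])
    if not servers:
        findings.append("DNS: no DNS line, so the system resolver stays in use")
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # wg-quick treats non-IP DNS entries as search domains
        if not any(addr in n for n in nets if n.version == addr.version):
            findings.append(f"DNS: {s} is outside AllowedIPs; queries skip the tunnel")
    return findings
```

On the sample, the only finding is the missing `::/0` route: a host with native IPv6 would send that traffic, including IPv6 DNS lookups, outside the tunnel.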
Solutions
Option 1: Use Your VPN's DNS
LookerVPN routes DNS through the VPN tunnel automatically. This is the simplest solution - no extra configuration needed.
Option 2: Encrypted DNS (DoH or DoT)
DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts your DNS queries. Good providers:
| Provider | DoH Address | Privacy Policy |
|---|---|---|
| Cloudflare | https://cloudflare-dns.com/dns-query | No logging of IP addresses |
| Quad9 | https://dns.quad9.net/dns-query | No personal data collection |
| Mullvad | https://dns.mullvad.net/dns-query | No logging, blocks ads/trackers |
Option 3: Run Your Own
For maximum control, run a Pi-hole or AdGuard Home on your network. This gives you:
- Local DNS resolution
- Network-wide ad blocking
- Full control over logging
Configuration
Firefox DoH Setup:
- Settings → Privacy & Security → DNS over HTTPS
- Select "Max Protection"
- Choose provider or enter custom URL
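A quick way to confirm the Firefox settings from this guide actually landed in a profile, as an added example (not from the original guide or from Mozilla): it reads the text of a profile's `prefs.js` and compares it with the three about:config values listed earlier, plus `media.peerconnection.enabled = false` for the WebRTC advice and `network.trr.mode = 3` for DoH "Max Protection". The sample preferences are constructed.

```python
import json
import re

# Matches lines such as: user_pref("network.trr.mode", 3);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Target values: the first three are the guide's about:config settings; the
# last two are the prefs behind "Disable WebRTC" and DoH "Max Protection".
EXPECTED = {
    "privacy.trackingprotection.enabled": True,
    "privacy.trackingprotection.socialtracking.enabled": True,
    "network.cookie.cookieBehavior": 1,
    "media.peerconnection.enabled": False,
    "network.trr.mode": 3,
}

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS = """\
user_pref("privacy.trackingprotection.enabled", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
"""

def audit_prefs(text):
    """Return {pref: "ok" | "unset" | "mismatch: <value>"} for each expected pref."""
    seen = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        try:
            seen[m.group(1)] = json.loads(m.group(2))  # true/false/ints/strings
        except json.JSONDecodeError:
            pass  # skip values that are not plain literals
    report = {}
    for name, want in EXPECTED.items():
        if name not in seen:
            # prefs.js records user-changed prefs, so the built-in default applies
            report[name] = "unset"
        elif type(seen[name]) is type(want) and seen[name] == want:
            report[name] = "ok"
        else:
            report[name] = f"mismatch: {seen[name]!r}"
    return report
```

Feed it the contents of `prefs.js` from the profile folder listed on `about:support`; an "unset" result means the value has to be checked in about:config, because the file does not show defaults.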
System-wide (macOS):
- System Preferences → Network → Advanced → DNS
- Add encrypted DNS server IPs
System-wide (Windows):
- Settings → Network & Internet → Ethernet/Wi-Fi → DNS server assignment
- Set to Manual and enter DNS addresses
Layer 4: Search (Query Privacy)
Google logs every search you make and ties it to your profile. Even in incognito mode. Even with a VPN (if you're logged in).
Private Search Engines
DuckDuckGo
- No search history storage
- No user profiling
- Good results (pulls from multiple sources)
- `!g` bang to fall back to Google when needed
Startpage
- Google results without Google tracking
- Acts as a proxy between you and Google
- Slightly slower but familiar results
Brave Search
- Independent index (doesn't rely on Google/Bing)
- No tracking
- Growing rapidly in quality
Setup
Set your default search engine in your browser:
- Firefox: Settings → Search → Default Search Engine
- Brave: Settings → Search engine
Layer 5: Email (Communication Privacy)
Regular email (Gmail, Outlook, Yahoo) is not private. These providers scan your emails for advertising and comply with data requests.
Private Email Options
ProtonMail
- End-to-end encrypted
- Based in Switzerland
- Free tier available
- No IP logging
Tutanota
- End-to-end encrypted
- Based in Germany
- Open source
- Encrypted calendar included
SimpleLogin / AnonAddy
- Email aliasing services
- Create unlimited aliases that forward to your real email
- Hide your actual email address from services
Best Practices
- Use aliases for signups (one per service)
- Keep your real email address private
- Enable 2FA on your email (it's the key to everything else)
- Consider separate emails for sensitive accounts
Layer 6: Passwords & Authentication
Weak or reused passwords negate all other privacy measures. One breach exposes everything.
Password Manager (Required)
Use a password manager. No exceptions. Recommended options:
- Bitwarden: Open source, free tier, audited
- 1Password: Excellent UX, family/team features
- KeePassXC: Local-only, no cloud sync (maximum control)
Generate a unique 20+ character password for every account.
Two-Factor Authentication
Enable 2FA on every account that supports it. Priority order:
- Email (most critical - controls password resets)
- Financial accounts
- Cloud storage
- Social media
Best 2FA methods:
- Hardware keys (YubiKey) - strongest
- Authenticator apps (Aegis, Raivo) - good
- SMS - weakest (but better than nothing)
Avoid SMS 2FA for important accounts if possible (SIM swapping attacks are real).
Putting It All Together
Here's the complete stack:
```
┌─────────────────────────────────────────┐
│  Your Device                            │
├─────────────────────────────────────────┤
│  Password Manager (Bitwarden)           │
│      ↓                                  │
│  Private Browser (Firefox/Brave)        │
│    + uBlock Origin                      │
│    + Private search (DuckDuckGo)        │
│      ↓                                  │
│  Encrypted DNS (via VPN or DoH)         │
│      ↓                                  │
│  VPN (LookerVPN + WireGuard)            │
│      ↓                                  │
├─────────────────────────────────────────┤
│  Internet                               │
└─────────────────────────────────────────┘
```
Quick Start Checklist
Essential (do today):
- Set up a VPN and keep it on
- Install a password manager and migrate passwords
- Switch default search to DuckDuckGo
- Enable 2FA on email and financial accounts
Important (do this week):
- Install uBlock Origin
- Configure DNS (use VPN's DNS or set up DoH)
- Review browser privacy settings
- Set up email aliases for new signups
Advanced (when ready):
- Set up Tor Browser for sensitive research
- Migrate to encrypted email
- Use hardware security keys
- Compartmentalize with browser profiles
Common Mistakes
- Using a VPN but staying logged into Google: Your VPN hides your IP, but Google still knows everything you do while logged in.
- Installing too many browser extensions: Each extension increases your fingerprint and attack surface. Less is more.
- Using the same email everywhere: One breach exposes your email to spam and phishing. Use aliases.
- Trusting "private browsing" mode: Incognito mode doesn't hide your traffic from your ISP or employer. It just doesn't save history locally.
- Setting and forgetting: Privacy tools need occasional updates and configuration checks. Review quarterly.
The 80/20 Rule
You don't need to do everything. The first four items on the checklist - VPN, password manager, private search, and 2FA - will protect you from 80% of common threats.
Add layers as you become comfortable. Privacy is a practice, not a destination.
Start with the foundation. Get LookerVPN and take the first step toward real online privacy.
LookerVPN Team
Writes for The Looker Dispatch on privacy, threat research, and how the modern web actually works.