What is SNI?

Server Name Indication and Encrypted Client Hello

SNI (Server Name Indication) is a TLS extension that sends the requested hostname in plaintext during the TLS handshake. While SNI enables virtual hosting, it also reveals which site you're visiting — and ECH (Encrypted Client Hello) aims to change that.

Learn About DNS Security

Step 1: What is SNI?

Server Name Indication (SNI) is an extension to the TLS protocol (RFC 6066) that lets a client, typically your browser, tell the server which hostname it wants to reach. The name is carried in the ClientHello, the very first message of the TLS handshake.

SNI was created to solve a practical problem: many websites share the same IP address (virtual hosting). Without SNI, the server wouldn't know which TLS certificate to present when multiple domains share one IP. With SNI, the server reads the hostname from the handshake and serves the correct certificate.

The challenge: SNI is sent in plaintext because the ClientHello goes out before any keys have been negotiated, so there is nothing yet to encrypt it with. Anyone monitoring the network path can therefore see which hostname you are connecting to, even though everything exchanged after the handshake is encrypted. TLS 1.3 encrypts most of the remaining handshake, including the server's certificate, but the ClientHello, and the SNI inside it, still crosses the wire in the clear.

Step 2: SNI and Content Filtering

Some content filtering approaches inspect SNI to determine which sites users are visiting:

  • SNI inspection: Network firewalls and proxy filters can read the SNI field to identify the destination hostname, even for HTTPS traffic
  • Blocking by SNI: If the SNI matches a blocked domain, the connection can be terminated before the handshake completes, typically by dropping the ClientHello or resetting the TCP connection
  • Privacy concern: SNI inspection reveals browsing destinations to anyone on the network path (ISPs, corporate networks, WiFi operators)

DNS filtering doesn't rely on SNI inspection; it operates at the DNS layer, before any TLS handshake occurs, so no TLS traffic has to be inspected or intercepted at all. That makes DNS filtering simpler than SNI-based approaches, and, when the query itself travels over encrypted DNS, the hostname is exposed only to the resolver you chose rather than to every device on the network path.

Step 3: Encrypted Client Hello (ECH)

ECH (Encrypted Client Hello, the successor to the earlier ESNI proposal) is a TLS 1.3 extension that encrypts the real ClientHello, SNI included. The client sends an outer ClientHello whose SNI carries only a public name for the client-facing server (a CDN or hosting edge, for example); the inner ClientHello with the true hostname travels encrypted inside it, under a public key the client fetches from the site's DNS HTTPS record. With ECH enabled, a network observer sees that public name, not the site the user asked for.

ECH has significant implications for content filtering solutions that rely on SNI inspection: once the hostname is encrypted, the filter sees only the public name shared by every site behind that server, so it can no longer tell a blocked site from an allowed one on the same infrastructure.
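The following is an added example, not code from the original article or from CleanBrowsing, that ties Steps 1 to 3 together. It builds a minimal TLS ClientHello carrying a server_name extension, then parses it the way an on-path SNI filter would (no keys needed, because the ClientHello is plaintext) and applies a constructed blocklist. It then builds an ECH-style outer ClientHello, where the visible SNI is only the public name and the ECH extension payload is placeholder bytes standing in for the real HPKE ciphertext, to show that the same filter can no longer see the blocked hostname. The extension codepoint 0xFE0D, the hostnames and the blocklist are assumptions made for the example.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint used by the ECH drafts (assumption)

def build_client_hello(sni, extra_exts=()):
    """Build a minimal TLS ClientHello record with a server_name extension (constructed input)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    for ext_type, ext_data in extra_exts:
        exts += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                                 # legacy_version: TLS 1.2
        + b"\x11" * 32                              # client random (constructed, not random)
        + b"\x00"                                   # session_id: empty
        + b"\x00\x02\x13\x01"                       # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (sni, ech_present) exactly as an on-path observer can read them: no keys needed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                            # compression_methods
    if pos + 2 > len(body):
        return None, False                          # legacy client with no extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, ech = None, False
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == SNI_EXT:
            p = 2                                   # skip server_name_list length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    sni = data[p + 3:p + 3 + name_len].decode("ascii", "replace")
                p += 3 + name_len
        elif ext_type == ECH_EXT:
            ech = True
    return sni, ech

BLOCKLIST = {"blocked-site.example"}               # constructed example blocklist

def sni_filter_verdict(record):
    """Decide like an SNI-inspecting firewall: returns (verdict, visible_name, ech_present)."""
    sni, ech = parse_client_hello(record)
    if sni is not None and sni in BLOCKLIST:
        return "block", sni, ech
    return "allow", sni, ech

def demo():
    plain = build_client_hello("blocked-site.example")
    # ECH-style outer ClientHello: the visible SNI is the client-facing server's public
    # name, and the real ClientHello would sit encrypted inside the ECH payload. The
    # payload here is opaque placeholder bytes, not a real HPKE ciphertext.
    outer = build_client_hello("public.example", [(ECH_EXT, b"\x00" * 40)])
    return sni_filter_verdict(plain), sni_filter_verdict(outer)

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first verdict blocks, because the hostname is right there in the record. The second allows, because the only name visible is the shared public name; the filter could block that name instead, but that would cut off every site served behind the same ECH-enabled front end, which is exactly the dilemma Step 3 describes.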

For a deep dive into ECH and its impact on content filtering, see our article: How Encrypted Client Hello (ECH) Impacts Content Filtering.

Step 4: Why DNS Filtering Still Works

DNS filtering is unaffected by ECH because it operates at a fundamentally different layer. Before any TLS handshake (with or without ECH), the browser must resolve the domain name via DNS, and ECH itself depends on that lookup: the key used to encrypt the ClientHello is fetched from the site's DNS HTTPS record. The sequence looks like this:

  • DNS query: Browser asks CleanBrowsing "what's the IP for blocked-site.com?"
  • Filtering decision: CleanBrowsing checks the domain against your blocklist and blocks or allows
  • No TLS involved: The filtering happens before any TLS handshake begins — SNI and ECH are irrelevant
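To make the resolver-side decision concrete, here is an added example, not CleanBrowsing's code, of the filtering step above working on raw DNS wire format. It builds a query of the kind a browser sends, extracts the queried name, matches it and any subdomain against a constructed blocklist, and answers NXDOMAIN for a hit so the client never obtains an address. It also shows that a query for the site's HTTPS record (type 65, where ECH keys are published) is filtered by exactly the same rule, so a blocked site's ECH key is never retrieved either. The blocklist and hostnames are assumptions made for the example.

```python
import struct

BLOCKLIST = {"blocked-site.com"}     # constructed example blocklist
QTYPE_A, QTYPE_HTTPS = 1, 65          # HTTPS records (type 65) are where ECH keys are published

def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Build a standard recursive DNS query (constructed input, like what a browser sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN

def parse_question(msg):
    """Return (txid, qname, qtype, raw_question) from a DNS query message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, msg[12:pos + 4]

def is_blocked(qname):
    """Block a listed domain and every name beneath it, without substring false matches."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def filter_query(msg):
    """Resolver-side decision. Returns ('block', nxdomain_reply) or ('allow', None)."""
    txid, qname, qtype, question = parse_question(msg)
    if is_blocked(qname):
        # Flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN). The client never learns
        # an IP, so no TCP connection and no TLS handshake, ECH or not, ever starts.
        reply = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        return "block", reply
    return "allow", None      # a real resolver would forward this upstream

def rcode(reply):
    """Response code from a DNS reply header (3 = NXDOMAIN)."""
    return struct.unpack("!H", reply[2:4])[0] & 0x000F

if __name__ == "__main__":
    for name, qtype in [("www.blocked-site.com", QTYPE_A),
                        ("blocked-site.com", QTYPE_HTTPS),
                        ("example.org", QTYPE_A)]:
        verdict, reply = filter_query(build_query(name, qtype))
        print(name, qtype, verdict, None if reply is None else rcode(reply))
```

The name match walks the label suffixes rather than doing a substring test, so "notblocked-site.com" is not caught by a "blocked-site.com" entry while "www.blocked-site.com" is. A production resolver would also have to handle the bypass cases the next paragraph mentions, such as clients that reach a different resolver over DoH or DoT; this example only covers the decision itself.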

This is why DNS-based filtering remains effective as encryption technologies evolve. Combined with encrypted DNS to protect the query itself, and firewall rules that stop clients from reaching other resolvers (over plain DNS, DoH or DoT) to prevent bypass, DNS filtering provides reliable content control.
