Depends on the header information, I think, if there is some sort of packet inspection. If you are sending an encrypted DNS request you already have some sort of encrypted tunnel, so you may as well do the rest, at a bit of a speed penalty.
Also, when using a VPN, or a tunnel to an SSH proxy at home (as I do for phone and browsing from work etc.), make sure to enable "far end DNS" in browser options, otherwise your DNS requests will be dealt with locally.
You can send encrypted DNS as a standard now. I don't believe too many DNS servers support it though. Set your own DNS up if you want it.
FYI, it is just as easy to sniff the payload of the packet as the header. Nearly all IDSs do it by default.
Packet inspection can only inspect the header and cannot inspect the payload unless the encrypted payload is known. So it will not be possible to know the packets are DNS requests unless they are for known domains that the IDS is aware of.
EDIT...
When I say known, I mean the IDS cannot know what is in the payload unless both the encrypted and decrypted versions of the payload are known.
The only IDSs that know what is in the payload are big companies that use proxy servers that mitigate the end-to-end encryption.
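As an added illustration of the payload-inspection point argued in the posts above (not code from any poster), the following Python builds a DNS query in wire format, as it would travel in a plain UDP port-53 datagram, and parses the queried name back out the way a payload-inspecting sensor would. It then runs the same inspection routine over a constructed DNS-over-TLS datagram (port 853), where the DNS message sits inside a TLS record and only transport-level facts (the port) are visible. The port-based branch and the sample bytes are assumptions made for this example; no real sensor's logic is reproduced here.

```python
import struct

# RFC 1035 wire-format helpers (assumed minimal subset, constructed for this example).

def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard recursive DNS query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_name(msg, off):
    """Decode a domain name at offset `off`, following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_questions(msg):
    """Return [(qname, qtype, qclass), ...] from the question section."""
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return questions


def inspect_packet(dst_port, payload):
    """What a payload-inspecting sensor learns from one datagram.

    Plain DNS on port 53 yields the queried names directly from the payload.
    DNS-over-TLS on port 853 only reveals that encrypted DNS is in use; the
    names are inside the TLS record and are not recoverable here.
    """
    if dst_port == 53:
        return {"protocol": "dns/plain",
                "qnames": [q[0] for q in parse_questions(payload)]}
    if dst_port == 853 and payload[:1] == b"\x16":  # TLS handshake record type
        return {"protocol": "dns-over-tls", "qnames": []}
    return {"protocol": "unknown", "qnames": []}


# Constructed sample traffic (not captured from any real network).
PLAIN_DNS = build_query("mail.example.com")
DOT_CLIENT_HELLO = b"\x16\x03\x01\x00\x10" + b"\x01" * 16  # truncated, constructed

if __name__ == "__main__":
    print(inspect_packet(53, PLAIN_DNS))
    print(inspect_packet(853, DOT_CLIENT_HELLO))
```

Running the block prints the queried name for the plain datagram and an empty name list for the TLS one, which is the distinction the thread is circling: header-only inspection tells you a port, payload inspection of unencrypted DNS tells you the domain, and encrypted DNS removes the domain from what a passive sensor can read.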