Just when many thought HTTPS was already bulletproof, AdGuard’s latest 7.5 series update (version 7.17 on Windows, with Android and Mac getting CoreLibs upgrades) adds another critical privacy layer: experimental support for **Encrypted ClientHello (ECH)** has taken a big step forward, while also bringing on-the-fly DNS-over-HTTPS filtering to all devices. If you’ve ever wondered what your ISP can actually see about the sites you visit, this update is worth five minutes of your time.
What Exactly Is ECH and Why Is It Called the Last Piece of the Privacy Puzzle?
Every time you open an HTTPS website, your browser sends a “hello” to the server — this is the
ClientHello message in the TLS handshake. The problem is that even though the page content is fully encrypted, this initial “hello” **clearly contains the domain you want to visit** (Server Name Indication, or SNI). Your ISP, the Wi-Fi admin at the airport, or even a passive listener on your network can see you’re visiting `example.com` — they may not know what you’re doing there, but “where you go” is no secret at all.
ECH fixes this awkward issue. It encrypts the entire ClientHello so only you and the target server can decode it. An intermediary can only see that you’re connecting to some ECH-capable CDN node — but which specific site? Good luck guessing. In other words, ECH finally enables true end-to-end encryption for HTTPS, from the first packet to the last.
How Does AdGuard 7.5 Do It? Global ECH Without Browser Dependency
In the past, ECH could only be used through individual browsers like Chrome or Firefox with experimental flags enabled, and it still depended on whether the website supported it. AdGuard takes a completely different approach: it handles traffic at the system level.
In the Android update log, the developers even joked, “The first step to supporting ECH is learning how to ‘suppress’ it.” That’s because AdGuard has an internal switch `pref.dns.block.ech` that, combined with `pref.https.redirect.doh`, can first intercept the native ECH request, then let AdGuard re‑initiate a truly ECH‑capable connection. This means **any app or browser on your phone — as long as its traffic goes through AdGuard — can enjoy the privacy gains of ECH without waiting for app developers to adapt**.
Windows version 7.17 and Mac version 2.10 also include this experimental feature. To make ECH work smoothly, AdGuard has, for the first time, enabled **DNS filtering by default**. The reason is simple: ECH requires encrypted parameters obtained via DNS HTTPS records. Without using AdGuard’s own DNS protection module, you can’t locally retrieve those parameters to complete global encryption.
Three Steps to Verify That ECH Is Actually Working
AdGuard provides an extremely simple verification method:
- In the advanced settings, make sure Block ECH is turned off and DNS protection is enabled.
- Turn on the experimental Use Encrypted ClientHello option (on Windows/Android it’s under “Advanced Settings”; on Mac it’s in the network‑related configuration).
- Visit
crypto.cloudflare.com/cdn-cgi/trace – if you see sni=encrypted, or go to www.cloudflare.com/ssl/encrypted-sni/ and see SSL_ECH_STATUS: success, then ECH is running successfully.
If the test doesn’t pass, don’t worry. Currently, ECH requires server‑side support (most Cloudflare‑hosted sites already have it), and since it’s still experimental, it may occasionally have a slight impact on browsing speed — the team is actively optimizing performance.
Beyond ECH: On‑the‑Fly DoH Filtering and Major Engine Upgrades
The privacy improvements in AdGuard 7.5 series go far beyond ECH. The CoreLibs filtering engine has been updated from v1.12.80 to v1.14.59, introducing several hard‑core enhancements:
- On‑the‑fly DNS‑over‑HTTPS filtering: Previously, filtering DoH requests was more passive. With this update, AdGuard can intercept and redirect secure DNS requests to the local proxy in real time, preventing any attempts to bypass filtering via encrypted DNS — meaning any app trying to sneak out using encrypted DNS will be caught.
- ECH GREASE and parameter extraction: AdGuard extracts ECH configurations from intercepted DNS HTTPS queries and injects GREASE values into the traffic. This prevents middleware that doesn’t support ECH from interfering, and ensures that ECH‑capable connections…