Yup, when you're not using a VPN, even with encrypted DNS and HTTPS, you're still sending hostnames (e.g. wikileaks.org) over plaintext in TLS SNI for every HTTPS connection. I believe most firewall appliances now even prefer to use SNI for deep-packet-inspection since it's so reliable.