Standard User Woolwich
(experienced) Thu 09-Sep-21 08:33:57

Learn me DNS over TLS


 
Why / what DNS over TLS? I'm hiding my requests, but when it comes back everyone knows I'm looking for broadband porn at 80.249.106.141.

What's it all about?


(A coincidence that Banger has also posted a DNS/TLS question today. I've also tried it but it didn't work... Anyway, didn't want to hijack his thread.)
Standard User Pheasant
(fountain of knowledge) Thu 09-Sep-21 11:24:46

Re: Learn me DNS over TLS


[re: Woolwich]
 
You encrypt the DNS request and response with either DoT (DNS over TLS) or DoH (DNS over HTTPS).

Your subsequent connection to the site is then over HTTPS, so encrypted; you can enjoy your broadband porn ;)

https://www.cloudflare.com/en-gb/learning/dns/dns-ov...
Standard User Woolwich
(experienced) Thu 09-Sep-21 11:29:28

Re: Learn me DNS over TLS


[re: Pheasant]
 
In reply to a post by Pheasant:
Your subsequent connection to the site is then over HTTPS, so encrypted; you can enjoy your broadband porn ;)


But you still know I'm looking at porn. The IP address I request is still recorded by my ISP, isn't it? You might not know if I get my kicks from ADSL or FTTP but you know where I've been.

I'll go and read the link in case I'm making a complete fool of meself.


Standard User Pheasant
(fountain of knowledge) Thu 09-Sep-21 11:47:57

Re: Learn me DNS over TLS


[re: Woolwich]
 
VPN tunnel time
Standard User Oliver341
(eat-sleep-adslguide) Thu 09-Sep-21 11:49:05

Re: Learn me DNS over TLS


[re: Woolwich]
 
In reply to a post by Woolwich:
The IP address I request is still recorded by my ISP, isn't it?

The destination IP address isn't necessarily a good indicator since IP addresses can be shared amongst many websites, shared hosting, content delivery networks, etc.

That said, privacy is also hampered by the fact that the TLS certificate name is sent in plain text due to SNI. This is another thing that is being worked on by the privacy gurus.

But it's not just about privacy. DNS queries sent in plain text can theoretically be modified in transit. When the queries are encrypted you can be sure that the reply is genuine and not spoofed.

Oliver.
Standard User Woolwich
(experienced) Thu 09-Sep-21 11:53:47

Re: Learn me DNS over TLS


[re: Pheasant]
 
In reply to a post by Pheasant:
VPN tunnel time

Yeah but they're all run by the CIA...
Standard User Woolwich
(experienced) Thu 09-Sep-21 11:55:41

Re: Learn me DNS over TLS


[re: Oliver341]
 
In reply to a post by Oliver341:
But it's not just about privacy. DNS queries sent in plain text can theoretically be modified in transit. When the queries are encrypted you can be sure that the reply is genuine and not spoofed.

This is about the only bit I understand and see a need for.
Standard User severedsolo
(newbie) Thu 09-Sep-21 17:57:44

Re: Learn me DNS over TLS


[re: Pheasant]
 
That's why you use a VPN too, as long as you pick a VPN provider you can trust. It's definitely a bit of a guessing game: they all claim "no logging", bla bla bla; the trick is in reading the small print.

FYI, in my opinion DNS over TLS is a non-starter from a privacy standpoint. Because it uses its own port, anyone can see you are trying to hide your DNS traffic. DoH just goes with the rest of your HTTPS traffic so is better hidden. I see why businesses prefer DoT though, as there is a legitimate need to filter DNS traffic in a business environment.

Edited by severedsolo (Thu 09-Sep-21 18:29:33)

Standard User kitcat
(experienced) Thu 09-Sep-21 18:36:54

Re: Learn me DNS over TLS


[re: Pheasant]
 
Even using a VPN someone will know what you are looking at. If the VPN is reputable they will be logging requests as per Gov instructions, and if not reputable they will be logging for potential future usage against you if it is ever worthwhile.

Do you trust your ISP or some other unknown party?

DPI can also be used by any UK ISP under Gov instruction, so even VPNs are 'monitorable'. But who in Gov / ISP cares if you are looking at porn? According to most surveys over 65% of connections are used for porn. People looking for paedo porn is all they are interested in, and most people would agree with this.
Standard User severedsolo
(newbie) Thu 09-Sep-21 18:43:13

Re: Learn me DNS over TLS


[re: kitcat]
 
In reply to a post by kitcat:
Even using a VPN someone will know what you are looking at. If the VPN is reputable they will be logging requests as per Gov instructions, and if not reputable they will be logging for potential future usage against you if it is ever worthwhile.

Do you trust your ISP or some other unknown party?


Considering we live in a country where we know that ISPs are (or are about to start) logging everybody's internet traffic regardless, and my VPN provider has been tested in court (a subpoena was made, and the only thing they could verify was "yes this person is a customer"), I trust my VPN provider more than I trust my ISP.

I take your point though, in my case this is very much a protest against the Investigatory Powers Act and the aforementioned logging. If I can do anything (legal) to protest it and make life more difficult for those trying to erode our civil liberties I will do so.