Standard User burble
(experienced) Wed 26-Apr-23 13:19:36
Re: My ISP is deciding what I can access...
[re: bambuko]

In reply to a post by bambuko:
In reply to a post by ian72:
... just the fact it is going through their routers they will know the domain it is destined for.


that's my understanding as well
but... what are the options to keep them out of my business???


AFAIK it's not just your business, it's theirs as well; they are legally obliged to keep records of your activity, and I suspect that in the small print you will have agreed to let them use your data for whatever they want.
The answer will be a VPN, this should mean the ISP can't tell what you are doing, although I would bet on 'others' still being able to view what you do.
Standard User candlerb
(knowledge is power) Wed 26-Apr-23 13:38:27
Re: My ISP is deciding what I can access...
[re: jpm]

In reply to a post by jpm:
They shouldn't know what sites you're accessing if it's HTTPS

Actually, HTTPS *does* reveal the domain name of the site you're talking to, in plain text, as part of the initial TLS negotiation (before encryption kicks in). It's called Server Name Indication (SNI). You'll see it with tcpdump or Wireshark.

But more likely, the ISP is looking at DNS logs.

In reply to a post by ian72:
My bold but it needs this information to route the packet so whilst you won't be able to see the contents of a packet you will know the destination without having to do any specific deep packet inspection - just the fact it is going through their routers they will know the domain it is destined for.

At a routing level, they won't know what domain it's destined for; they will know what *IP address* it is destined for. These days, the same IP address can be shared by hundreds or thousands of sites - particularly those being hosted on a content delivery network like Cloudflare. So from the destination IP address of the packet, all you can tell is that it's some site hosted on Cloudflare.
Standard User smouty
(committed) Wed 26-Apr-23 14:42:46
Re: My ISP is deciding what I can access...
[re: candlerb]

This is why you never use your ISP's DNS.
Spread your traffic around a bit. It won't stop tracking but at least it will not be concentrated with a single provider.

Look at using Pi-hole or AdGuard Home with blocklists for ads and dangerous sites and set those devices to use root DNS (Unbound) for their own lookups.

You could always add a VPN on top of that if you really want to stop them snooping on you and check with something like doileak.com to ensure none of your DNS lookups bypass the VPN.

OPNSense on Topton J4125 - SWISH Fibre 900
PiHole/AdGuard home - Unifi for Wifi



Standard User bambuko
(newbie) Wed 26-Apr-23 15:45:09
Re: My ISP is deciding what I can access...
[re: burble]

Some of you guys (thank you) are suggesting VPN,
as far as I am concerned (feel free to correct me?)
this is not a "solution"

It simply shifts the point at which one can be snooped on,
from ISP to VPN provider...
Standard User ian72
(eat-sleep-adslguide) Wed 26-Apr-23 16:58:59
Re: My ISP is deciding what I can access...
[re: bambuko]

I am afraid then that there isn't a solution. The domain you are accessing is in plain text - it is how the technology is designed. Without a massive redesign the destination domain is going to be visible by anyone that owns technology in the path.
Standard User jpm
(experienced) Wed 26-Apr-23 18:11:53
Re: My ISP is deciding what I can access...
[re: ian72]

In reply to a post by ian72:
In reply to a post by jpm:
They shouldn't know what sites you're accessing if it's HTTPS, maybe they can if you're using the ISP DNS servers or they are intercepting DNS traffic somewhere. Look at DNS over HTTPS.
I don't think you will find that is correct. Wikipedia states
HTTPS encrypts all message contents, including the HTTP headers and the request/response data. With the exception of the possible CCA cryptographic attack described in the limitations section below, an attacker should at most be able to discover that a connection is taking place between two parties, along with their domain names and IP addresses.
My bold but it needs this information to route the packet so whilst you won't be able to see the contents of a packet you will know the destination without having to do any specific deep packet inspection - just the fact it is going through their routers they will know the domain it is destined for.


Encrypted SNI in TLS 1.3 prevents the hostname being visible - https://blog.cloudflare.com/encrypted-sni/

Obviously if there's only one site hosted at an IP then you can make a good guess what is being accessed, but if you're making a secure connection to a website hosted behind load balancer infrastructure shared by thousands of other sites, and you didn't make the DNS request to a server that your ISP controls or via a protocol that they can see, then they can't tell what domain you requested.

There are obvious caveats such as requiring support in the client and server, but you'd think someone running a dubiously legal file sharing site might be on top of that.

Edited by jpm (Wed 26-Apr-23 18:16:49)

Standard User Zarjaz
(eat-sleep-adslguide) Fri 28-Apr-23 05:54:37
Re: My ISP is deciding what I can access...
[re: bambuko]

Have a read through this thread elsewhere on the forum, it provides the answer.

https://forums.thinkbroadband.com/fibre/t/4734682-su...

Standard User Pheasant
(knowledge is power) Fri 28-Apr-23 07:16:57
Re: My ISP is deciding what I can access...
[re: Zarjaz]

In reply to a post by Zarjaz:
Have a read through this thread elsewhere on the forum, it provides the answer.

https://forums.thinkbroadband.com/fibre/t/4734682-su...

That’s a different issue @Zarjaz - that’s about poor quality / out of date geo-location lookups for IP address blocks which ISPs buy / sell / rent / trade. The source blocks are assigned a different country region in various geolocation databases, such that a user when assigned such an address from said block could appear to be in say the USA or Australia or wherever those addresses were previously assigned.

The OP issue here is proactive black-listing of particular websites by their ISP.

They are quite different things.
Standard User bambuko
(newbie) Fri 28-Apr-23 07:45:32
Re: My ISP is deciding what I can access...
[re: Pheasant]

In reply to a post by Pheasant:
The OP issue here is proactive black-listing of particular websites by their ISP.

indeed, thank you

BTW I have managed to get in touch with customer services at ISP.
They have raised a "case" and now I am waiting....
Standard User Zarjaz
(eat-sleep-adslguide) Fri 28-Apr-23 21:05:14
Re: My ISP is deciding what I can access...
[re: Pheasant]

Righto. Thanks for the correction
