DoT is not really protecting us against ISP snooping is it?

[dvohwinkel]

I get that it is making it so our ISP cannot snoop directly on our DNS queries but can't they just log all the IP addresses you connect to and get the exact same info? Sure they have to do an extra step to then get the ip to name resolution. DoT is more for protecting against DNS hijacking correct? It gives you an assurance that the named address you want to connect to is the actual ip address you connect to and not some hackers misdirection.

I ask this because I think some people will incorrectly think this protects them from people knowing what they are connecting to.. and it will not. You need a VPN for that. This is HIGHLY useful though as it protects you against being misdirected to a hijackers address.

 

[heysoundude]

bingo! and that's why VPN server and client capability exists...the gold standard.

 

[martinr]

.. This is HIGHLY useful though as it protects you against being misdirected to a hijackers address.

That’s all I want from it.

 

[maxbraketorque]

bingo! and that's why VPN server and client capability exists...the gold standard.

Unfortunately though, some entity, i.e., your VPN provider will have access to this info. Not sure if that represents better privacy for the average internet user.

 

[heysoundude]

Unfortunately though, some entity, i.e., your VPN provider will have access to this info. Not sure if that represents better privacy for the average internet user.

They would have to have some reason to target you, and if they purge their logs often enough...


Sent from my iPhone using Tapatalk

 

[Mutzli]

My ISP is Comcast and since activating DoT I see a lot of attempts from dns101.comcast.net to connect to the router. Just wondering if that has something to do with them logging my DNS calls.

 

[dvohwinkel]

All about who you trust more. ISP, VPN Provider, DNS provider, etc..

 

[sinshiva]

There's actually a bit more to this as the web and TLS advances;

So, as you know, many sites are behind CDNs; things like Cloudflare, which leverages things like Anycast to load balance, cache and proxy to the actual host semi-transparently and protecting the host. Because of things like this, if most of your sites use Cloudflare, then all the ISP can really see is that you are connecting to Cloudflare.

Something else they can currently track would be the Server Name Indicator (SNI) in https certificates; with TLS1.2 this bit of information is still sent in the clear. TLS1.3 brings Encrypted SNI, which plugs that little hole, meaning all they'll be able to see is encrypted traffic traversing the network to some IP.

Not suggesting any of this obviates the need for a VPN, of course.

 

[bits]

TLS1.3 brings Encrypted SNI, which plugs that little hole, meaning all they'll be able to see is encrypted traffic traversing the network to some IP.

Tls 1.3 allows for encrypted sni it does not mandate it.
1)dot does not support encrypted sni
2)browser must support doh and encrypted sni eg current only Firefox with non default settings

 

[Swistheater]

Run a tcpdump and track how many times your router sends traffic between isp and your DoT destination. I find it extremely hard to believe isp have any issues on tracking if they have to.