• 0 Posts
  • 5 Comments
Joined 1Y ago
Cake day: Jun 15, 2023


ISPs can always see what domains you visit due to it being leaked in plain text via the SNI portion of the Client Hello sequence of establishing a TLS connection to a web server, whether your DNS requests are encrypted or not.

It’s important to remember that using encrypted DNS does not shield the domain names you visit from your ISP. I feel this is a fundamental misunderstanding that gives some a false sense of privacy. At best, from a privacy perspective, you might avoid DNS-based logging, which is slightly more trivial than logging domains taken from SNI.


Yes. In fact, using DNS-based blocking solutions is pretty much the only way to protect against first-party trackers that use CNAME cloaking tactics if you’re not using a Firefox browser with uBO, since Chromium browsers have no ability to defend against this type of attack (with the exception of Brave, which implemented its own method of protecting against this with its Shields system).
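The CNAME cloaking problem this comment refers to, as an added example that is not the commenter's code: a first-party hostname is aliased via CNAME to a tracker domain, so a blocklist checked only against the name the page requested never fires, while a resolver-side filter that walks the whole CNAME chain does. The zone data, host names and blocklist below are constructed for the demo (hypothetical names, not real records).

```python
# Constructed zone data standing in for what a resolver would hand back.
# A value is ("CNAME", target) or ("A", address). All names are hypothetical.
ZONE = {
    "metrics.shop.example":             ("CNAME", "shop-example.cdn.tracker.example"),
    "shop-example.cdn.tracker.example": ("CNAME", "edge.tracker.example"),
    "edge.tracker.example":             ("A", "203.0.113.10"),
    "static.shop.example":              ("CNAME", "shop.cdn.example"),
    "shop.cdn.example":                 ("A", "203.0.113.20"),
    "loop.shop.example":                ("CNAME", "loop2.shop.example"),
    "loop2.shop.example":               ("CNAME", "loop.shop.example"),
}

# Constructed blocklist of tracker apex domains; matching is by DNS suffix.
BLOCKLIST = {"tracker.example"}


def in_blocklist(name: str, blocklist: set) -> bool:
    """True if name or any parent domain of it is listed (suffix match on labels)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def cname_chain(name: str, zone: dict, max_hops: int = 8) -> list:
    """Follow CNAMEs from name until a non-CNAME record; guard against loops."""
    chain = [name]
    while True:
        rr = zone.get(chain[-1])
        if rr is None or rr[0] != "CNAME":
            return chain
        if rr[1] in chain or len(chain) > max_hops:
            raise ValueError(f"CNAME loop or chain too long starting at {name}")
        chain.append(rr[1])


def cloaked_tracker(name: str, zone: dict, blocklist: set):
    """Return the first CNAME hop that lands in the blocklist, or None.

    The queried name itself is skipped: a direct hit there is ordinary
    blocking, not cloaking. This is the check a browser-side blocker needs
    and what a plain hostname match misses.
    """
    for hop in cname_chain(name, zone)[1:]:
        if in_blocklist(hop, blocklist):
            return hop
    return None


def should_block(name: str, zone: dict, blocklist: set) -> bool:
    """What a CNAME-aware DNS filter does: refuse if any hop in the chain is listed."""
    return any(in_blocklist(hop, blocklist) for hop in cname_chain(name, zone))


if __name__ == "__main__":
    for host in ("metrics.shop.example", "static.shop.example"):
        print(host)
        print("  plain hostname match :", in_blocklist(host, BLOCKLIST))
        print("  cloaked via          :", cloaked_tracker(host, ZONE, BLOCKLIST))
        print("  DNS filter blocks    :", should_block(host, ZONE, BLOCKLIST))
    try:
        cname_chain("loop.shop.example", ZONE)
    except ValueError as exc:
        print("loop guard:", exc)
```

Running it shows `metrics.shop.example` passing the naive hostname check but being caught as soon as the chain is walked, which is exactly the gap a resolver-side blocker closes for browsers that never look at the CNAME target.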


Encrypted DNS doesn’t really do much for privacy. It does, however, accomplish two main things:

• Ensures the authenticity of the DNS server you’re receiving a response from due to the certificate exchange.

• Preserves the integrity of the response as it would be difficult for it to be tampered with in-transit.

The domain names you visit are leaked in plain text regardless of your DNS provider and how you connect to them via the “client hello” process of TLS, specifically the Server Name Indication (SNI) portion. ISPs could, in theory, use this to see which domains you’re visiting, even if you’re using encrypted DNS, but not the specific pages within the domain.

Note that there are mechanisms like ECH (Encrypted Client Hello) and ESNI (Encrypted Server Name Indication) that attempt to solve the domain name leakage issue, but each requires domains that wish to support these technologies to include an entry specific to those in their DNS records to facilitate key exchange for the encryption to be viable. You’ll also need a DNS client that supports ECH/ESNI. Very few domains and clients presently do this, meaning it is almost certain all/the vast majority of your visited domains would be transmitted in plain text at this point in time.


That’s neat, but anyone using Piped on a regular basis should probably look into something like LibRedirect for their browser to redirect every YouTube link to Piped regardless of where they encounter them.