I have bad news to share about how DNS works
It seems a bit presumptive to assume I’m unfamiliar with how DNS works. While it’s true that DNS traffic to your ISP is generally readable, using HTTPS still offers significant privacy benefits. A single domain, like twitter.com, can transmit a vast amount of data. Additionally, with the ease of obtaining a free SSL certificate these days, neglecting to implement one could be considered careless.
I’m going to reply to both you and your sibling comment because they’re basically the same from the perspective of what I wanted to say: just because you know some stuff about DNS isn’t actually enough, because there’s a wider context that you’re missing. Most importantly, without a VPN the traffic you send will often go to an IP that is controlled by a single entity, so your ISP is going to route packets from you to [Phrack IP]. Of course the content of those packets is going to be encrypted, but it doesn’t take a genius to figure out that everyone is reading Phrack 71 that just came out. So that’s basically enough to figure out everything already. But to bring it back to DNS, even then it’s riddled with issues as you’re aware of: it’s completely unencrypted by default, so that just gives you the domain directly. Often you’re going to be sending that traffic to your ISP directly, but even if you’ve set things up to use a different server you still haven’t solved the problem of people being able to know what you’re doing.
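An added illustration of the point made in the comment above (this is not code from anyone in the thread): a small Python model of what a passive on-path observer such as an ISP learns from a flow without decrypting anything. It builds and parses a plaintext RFC 1035 DNS query, and then compares that with HTTPS flows where only the destination address is visible. The IP addresses, the `SINGLE_TENANT` mapping and the flow records are all constructed for the example; `observer_view` is a hypothetical helper, not a real tool.

```python
import struct

# Constructed mapping of destination IPs that host exactly one site (addresses from
# the RFC 5737 documentation ranges). For such an address the site is identifiable
# from the IP header alone, even though the TLS payload is encrypted.
SINGLE_TENANT = {"203.0.113.10": "single-site-magazine.example"}


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal plaintext DNS query (RFC 1035, QTYPE A, QCLASS IN)."""
    # header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def extract_qname(payload: bytes) -> str:
    """Read the queried name straight out of the UDP payload: no key needed."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a fresh query
            raise ValueError("unexpected compression pointer in query")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def observer_view(flow: dict) -> dict:
    """What a passive observer learns from one flow's headers and cleartext payload."""
    learned = {"dst_ip": flow["dst_ip"]}
    if flow["dst_port"] == 53:
        # Classic DNS: the domain is handed over in plaintext.
        learned["domain"] = extract_qname(flow["payload"])
    elif flow["dst_ip"] in SINGLE_TENANT:
        # Encrypted payload, but the address alone identifies the site.
        learned["domain"] = SINGLE_TENANT[flow["dst_ip"]]
    return learned


# Constructed flows: a plaintext DNS lookup, a DoH request to a resolver, an HTTPS
# connection to a single-tenant host, and an HTTPS connection to a shared address.
FLOWS = [
    {"dst_ip": "198.51.100.53", "dst_port": 53, "payload": build_dns_query("twitter.com")},
    {"dst_ip": "198.51.100.1", "dst_port": 443, "payload": b"<encrypted TLS bytes>"},
    {"dst_ip": "203.0.113.10", "dst_port": 443, "payload": b"<encrypted TLS bytes>"},
    {"dst_ip": "203.0.113.20", "dst_port": 443, "payload": b"<encrypted TLS bytes>"},
]


def summarize(flows=FLOWS) -> list:
    return [observer_view(f) for f in flows]


if __name__ == "__main__":
    for view in summarize():
        print(view)
```

Running it shows the two halves of the argument: the port-53 flow leaks `twitter.com` verbatim, switching to an encrypted resolver hides the name but not the destination address, and for a single-tenant address the destination is as good as the name. Only shared hosting or an intermediary (VPN, Tor, a proxy) makes the destination IP itself ambiguous.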
And who said everyone uses ISP's upstream DNS? Please stop assuming
Uh, nobody? It’s not relevant.
I have good news to share about how DNS over HTTPS, archive.is and/or Tor works.