← Back to context

Comment by AshamedCaptain

1 day ago

In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

So you already have to trust your ISP anyway -- but there was no need to trust Cloudflare *. DoH to Cloudflare is almost certainly a net loss in privacy compared to using your ISP's DNS over clear text.

* Right until they became hosters of half of the WWW. So Cloudflare can pretty much also guess your activity even if you don't do DNS with them anyway.

13 comments

AshamedCaptain

Reply
josephcsible  1 day ago

> In addition, your ISP can also extract whichever metadata it wants from your communications, incl. a very likely perfect guess of the hostnames you visit at which times _even if you don't use DNS at all_, just by looking at IP traffic metadata such as addresses and packet sizes.

Big CDNs and ECH make that impossible.

  • AshamedCaptain  1 day ago

    Does it, really? Have you seen wireshark output lately? (the GUI can be configured to do reverse lookup on all IP address)

    If I check up right now, form the top 10 links in HN right now, it is trivial to distinguish the top-level domain from just the IPv4 or IPv6 address. Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com. I don't even need to go into packet size heuristics, or the myriad of ad networks, etc.

    Sure there are some instances where you will share the IP of the CDN. This has been seen recently e.g. in the recent article of the "LaLiga" blocks in Spain. But bigger sites cannot afford for this to happen, and even smaller sites tend to have at least one paid IP address for mail (reputation is a bitch, and Cloudflare doesn't have any).

    • josephcsible  1 day ago

      > If I check up right now, form the top 10 links in HN right now, it is trivial to distinguish the top-level domain from just the IPv4 or IPv6 address.

      Two of the top 10 links in HN right now (https://news.ycombinator.com/item?id=44212446) are to different subdomains of github.io that resolve to the exact same IP addresses, so reverse DNS doesn't tell you which one is being visited.

      And you can't even tell the TLD, because the TLD is "io", but the reverse lookup on the IPs will give you a TLD ending in "com".

      > Heck, even _for this website itself_ the current IPv4 reverse DNS points to ycombinator.com.

      That's because HN isn't behind the kind of CDN I'm talking about. But a lot are. Is your argument "since your ISP can see some of the sites you're going to, we should remove all protections and let them see all sites you're going to?"

      7 replies →

koakuma-chan  1 day ago

> IP traffic metadata such as addresses and packet sizes.

Even if you use a VPN?

  • gruez  1 day ago

    That just shifts the trust from your ISP to your VPN provider. Moreover if you're already using a VPN, your DoH requests to cloudflare is already anonymized.

    • mlhpdx  1 day ago

      If you are using WireGuard between endpoints your traffic if opaque, but yeah if/where it exits it becomes (depending on the encapsulated protocol) visible.