
I'm trying to understand the different roles that DoT / DoH and HTTPS are playing when it comes to protecting sensitive data on the internet. I spent the day reading a lot of stuff about DoT, HTTPS, TCP and IP.

But there is one thing that doesn't become clear to me: say I want to surf to https://www.myForbiddenSite.org and download an image from there. At first, my device has to retrieve the IP address for myForbiddenSite.org (e. g. 1.2.3.4). When using DoT / DoH, any third party (e. g. my ISP) does not know that I want to access myForbiddenSite.org.

Now my browser will do the TCP handshake and TLS handshake with 1.2.3.4 and I can start communicating with the website via HTTPS. The image I want to download will be encrypted.

But isn't my public IP address part of all IP packets that are sent across the wire? So basically every node between my router and myForbiddenSite.org sees my public IP address and 1.2.3.4? If this is the case, are there any projects that address that issue? And if not, why? Is it related to the fact that resolving the IP address for a DNS name is easy, but not vice versa?

mu88
  • Not only that, but look into the TLS SNI value. It shows the domain name of the site in clear text. – multithr3at3d Apr 10 '21 at 17:52
  • @multithr3at3d good point, +1. Now with the majority of sites using TLS, and the growing adoption of DoH and DoT, the weak link seems to be SNI as far as browsing privacy is concerned. Encrypted SNI looks promising. Cloudflare seems to be behind it, hopefully browsers adopt it. https://blog.cloudflare.com/encrypted-sni/ https://tools.ietf.org/html/rfc8744 – mti2935 Apr 12 '21 at 11:18

2 Answers


If you want to hide your browsing activity from your ISP (and every other router that your traffic passes through), then you might want to consider using a VPN. This will prevent your ISP from knowing which sites you are connecting to, as the ISP only sees that you are connecting to the VPN. However, the VPN will know which sites you are connecting to. Some VPNs claim that they do not log this information, but this is difficult to verify.

As another option, you might want to consider using TOR. With TOR, your traffic is routed through several nodes, so that no single node is privy to both your source address and your destination address. See https://2019.www.torproject.org/about/overview.html.en for more info on how TOR works.

mti2935
  • Thank you! And could you please explain how DoT / DoH fit into this puzzle? I mean, what is the sense of DoT if the ISP can read the destination address anyway in the IP packet? – mu88 Apr 11 '21 at 08:56
  • Most VPN providers will provide you with DNS service as well (e.g. see https://www.expressvpn.com/features/dns). But, if you are using a VPN provider that does not provide DNS service, then you will want to connect to your DNS provider by DoH or DoT to hide your browsing activity from your ISP - otherwise your ISP can monitor your browsing activity by sniffing your unencrypted DNS traffic. – mti2935 Apr 11 '21 at 23:20
  • So is it okay to phrase it like this: using DoT / DoH in a non-VPN environment does not provide a lot of benefit. It only makes it harder for the ISP to get source and destination address because they have to sniff all the IP packets instead of DNS traffic. – mu88 Apr 12 '21 at 06:09
  • Your question is about privacy. But, there is another reason to use DoH / DoT - integrity. Without a secure connection to your DNS provider, an attacker between you and your DNS provider can alter the results returned by your DNS provider, and send you to a fraudulent site. This is much harder for the attacker to do, if you connect to your DNS provider by DoH or DoT. – mti2935 Apr 12 '21 at 10:58
  • Ah yeah, I see - thank you – mu88 Apr 12 '21 at 11:00

Is it related to the fact that resolving the IP address for a DNS name is easy, but not vice versa?

No, it is related to the fact that routers on the way need to actually know where the data should be sent to (i.e. the address of the server) and the server needs to know where the response needs to be sent back to (i.e. the address of the client).

If there are untrusted systems on the way which should not see this information, a VPN can be used to tunnel the real traffic. In this case these untrusted systems will see the public IP of the client and of the VPN exit only.

Steffen Ullrich
  • So my assumptions are correct that without any other service (e.g. VPN), every node receiving an HTTPS packet can see both source and destination address? – mu88 Apr 10 '21 at 16:48
  • @mu88: Correct. HTTPS is only about protecting the application data and is not for hiding source and destination of the traffic. – Steffen Ullrich Apr 10 '21 at 17:01