
I guess I have understood the basic concepts of DoT and DoH and how they prevent providers (ISPs) from analyzing my DNS queries and creating profiles. However, I have got a question which is so basic that it is probably quite stupid, but I'll take the risk to make a fool of myself:

Nearly all of my DNS queries arise because a connection to the respective servers will be established afterwards. If a provider can't see my DNS queries, they can instead simply log the IP addresses of the servers I connect to, perform a reverse DNS query on these addresses, and that way create nearly the same profile as if they could log the DNS queries directly.

So what exactly is the sense of DoT when it comes to privacy?

A few remarks:

  • Of course, this question only makes sense if I am not using a VPN; let's assume that.

  • I am aware that we must also take into account a few other things like integrity etc.; however, this question explicitly relates only to privacy (apart from that, we can have DNS integrity via DNSSEC which works well without DoT).

  • I am also aware of DoH and the main differences between DoT and DoH; however, I could have asked the very same question about DoH, and the answer would be the same. Therefore, it would be nice if we could concentrate on DoT to avoid distraction.

  • I am aware that sometimes multiple services of the same kind can run under the same IP address and port (especially, different web domains), which will make the profile my provider can create by analyzing destination IP addresses less detailed. But IMHO, this doesn't change the situation fundamentally.

It currently seems to me that DoT isn't particularly useful with respect to privacy (although everybody claims exactly that), unless there are laws which allow a provider to record and analyze DNS queries, but not destination IP addresses. Could somebody please explain where my misunderstanding is?

Binarus
    You introduce a specific and narrow context (what the ISP can know if they decide to go looking and you don't use a VPN), and then make claims regarding the universal context. Don't do that. Your question is ***actually*** "How does DoT protect my privacy from my ISP if I don't use a VPN?" and really, that's a silly question. – schroeder Jun 12 '22 at 21:15
  • Thanks for the comment, and +1. But actually "How does DoT protect ..." is not my question, because I have understood how DoT works, and I have understood how it protects my privacy. My actual question is why we should use DoT at all, given that it obviously can be easily circumvented by providers, or if the latter is not the case, where my misunderstanding is. It would be interesting for me why you call the question silly, given that you weren't able to answer it. Instead of calling me silly, look at @Steffen Ullrich's answer, which is appropriate with valid reasoning and facts. – Binarus Jun 12 '22 at 21:32

1 Answer


Encrypted DNS traffic serves two major purposes:

  • prevent profiling based on DNS queries - that's what you focus on
  • prevent blocking based on DNS queries - that's what you ignore in your question

As for profiling, i.e. privacy:

I am aware that sometimes multiple services of the same kind can run under the same IP address and port (especially, different web domains), which will make the profile my provider can create by analyzing destination IP addresses less detailed. But IMHO, this doesn't change the situation fundamentally.

It does. According to this site around 20% of all websites use Cloudflare CDN, which means that they basically all end up being served by the same IP addresses. Also, because it is cheaper, many smaller sites are served by shared hosting, i.e. they share the same IP address with others. In all of these cases a reverse lookup will not help to find out the actual domain; instead, far more expensive deep packet inspection is needed, if it is possible at all, with the emergence of encrypted SNI or encrypted ClientHello.

As for the larger sites which have their own non-shared IP addresses: they often serve lots of different content on these addresses (take Google or Facebook) so there isn't that much useful information for user profiling.

Steffen Ullrich
  • Thank you very much, accepted and +1. Although blocking circumvention (IMHO) does not have too much to do with privacy, your answer is very interesting. I really wouldn't have expected that the percentage of different sites (or totally different content) which run on shared IP addresses, and sites or content which are delivered via CDN is that high. Under these circumstances, DoT and DoH make sense. Mission accomplished - question answered. Thanks again. – Binarus Jun 12 '22 at 21:42
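To make the question's reverse-lookup argument and the answer's shared-address counterargument concrete, here is an added simulation (not code from the question or the answer). It models an on-path observer, such as an ISP, that either sees every plaintext DNS query or, with DoT in use, only the destination IP addresses of the connections that follow. The hosting table, the addresses and the browsing session are constructed sample data; the observer's reverse table is built by resolving a list of known sites rather than by PTR lookups, since a PTR record returns at most one name per address and would reveal even less.

```python
"""Compare what an on-path observer learns about a browsing session from
plaintext DNS queries versus from destination IP addresses alone.

Added illustration for the DoT privacy discussion; not code from the original
post. Every hostname, address and the session below is constructed.
"""
from collections import defaultdict

# Constructed hosting table: hostname -> IPv4 address it resolves to.
# Several sites share one address (modelling a CDN edge or a shared-hosting
# box, as the answer describes); a few sites have a dedicated address.
HOSTING = {
    "news.example":    "203.0.113.10",   # CDN edge shared by four sites
    "shop.example":    "203.0.113.10",
    "health.example":  "203.0.113.10",
    "forum.example":   "203.0.113.10",
    "blog.example":    "198.51.100.7",   # shared hosting, two sites
    "recipes.example": "198.51.100.7",
    "bank.example":    "192.0.2.50",     # dedicated address
    "mail.example":    "192.0.2.51",     # dedicated address
}

# Constructed browsing session: the hostnames the user actually visits.
SESSION = ["news.example", "health.example", "bank.example",
           "recipes.example", "forum.example", "mail.example"]


def reverse_map(hosting):
    """Observer's reverse table: IP -> set of hostnames known to live there.
    Built from a list of known sites; a single PTR lookup would give at most
    one name per address, so this is the observer's best case."""
    rev = defaultdict(set)
    for host, ip in hosting.items():
        rev[ip].add(host)
    return dict(rev)


def view_plaintext_dns(session):
    """Without DoT the observer sees every query: exact hostnames, in order."""
    return list(session)


def view_destination_ips(session, hosting):
    """With DoT the observer sees only each connection's destination address.
    (The TLS SNI is assumed hidden by encrypted ClientHello; without ECH the
    hostname would still leak in the ClientHello, as the answer notes.)
    Each connection maps to the set of candidate hostnames behind the IP."""
    rev = reverse_map(hosting)
    return [frozenset(rev[hosting[host]]) for host in session]


def identified_fraction(candidates):
    """Fraction of connections whose candidate set has exactly one hostname,
    i.e. where the destination IP reveals as much as the DNS query would."""
    if not candidates:
        return 0.0
    exact = sum(1 for c in candidates if len(c) == 1)
    return exact / len(candidates)


def compare(session=SESSION, hosting=HOSTING):
    """Return both observer views and how precisely each identifies sites."""
    plain = view_plaintext_dns(session)
    by_ip = view_destination_ips(session, hosting)
    return {
        "dns_exact_hosts": plain,
        "ip_candidate_sets": [sorted(c) for c in by_ip],
        "dns_identified": identified_fraction([frozenset([h]) for h in plain]),
        "ip_identified": identified_fraction(by_ip),
    }


if __name__ == "__main__":
    result = compare()
    print("plaintext DNS reveals:", result["dns_exact_hosts"])
    for host, cands in zip(SESSION, result["ip_candidate_sets"]):
        print(f"  {host:16} -> destination IP only narrows it to {cands}")
    print(f"exactly identified: DNS {result['dns_identified']:.0%}, "
          f"IP-only {result['ip_identified']:.0%}")
```

With the constructed table, only the two connections to dedicated addresses (bank and mail) are pinned down from the IP alone; the visit to health.example is indistinguishable from a visit to the news, shop or forum site on the same CDN edge. Raising the share of sites behind shared addresses in the table, as the answer's 20% CDN figure suggests, lowers the IP-only identification fraction further, which is the privacy gain DoT buys even though every destination address is still visible.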