
I use an encrypted DNS server that supports DNSSEC and DoH. These features are useful for hiding from the ISP, VPN server provider, etc. which website you are trying to look up, but eventually those parties will know which website you looked up and are visiting, because in the end it all comes down to IP addresses, because that's what the TCP/IP model is built upon.

So I really don't understand why some people think DoH/DoT/DNSSEC/ECH and so on are useful for privacy while all they can do is hide the "look up" process, basically hiding the fact that you are using a guide to match a domain name to an IP address. Why is this look-up process important to hide?

My ISP still knows which websites I visit, maybe can't pinpoint the exact webpage, but that's not important. All those security features just to hide the exact web page you are visiting!

VPNs aren't the answer here either because they just swap your ISP with another ISP somewhere else around the world who can do the exact same thing as your ISP can.

  • "that supports DNSSEC and DoH, these features are useful for hiding from the ISP". DNSSEC does not "hide" anything from anyone. It adds integrity and authenticity. Basically it makes the ISP or anyone on-path unable to change the answer (if the domain was using DNSSEC) – Patrick Mevzek Jul 05 '22 at 14:59
  • This really depends on your threat model. I value encrypted DNS not because it provides confidentiality against my ISP, but because it provides integrity and some level of confidentiality, especially on mobile devices that connect to all kinds of sketchy networks like airport or hotel Wifis – so a similar value proposition to VPNs. The HTTPS sites you visit aren't really secret anyway since the domain name is sent unencrypted during the TLS handshake. – amon Jul 05 '22 at 18:17
  • @amon "it provides integrity" DoH/T/Q does not provide any kind of integrity guarantee about what the recursive nameserver you query will do. If you want that guarantee you need DNSSEC in addition to any transport-level protection. Same for confidentiality: that is only on path, and not from the nameserver getting the request itself. For which DNSSEC cannot help, which is why there are proposals like "oblivious DNS". – Patrick Mevzek Jul 05 '22 at 18:55
  • @PatrickMevzek You are completely correct that these limitations exist, but that last network leg from the DoH/T/Q server to the client device is what I'm most concerned about from a privacy/security standpoint. If I'm using such encryption, I'm using it mostly to prevent ISPs and LAN/WiFi operators from meddling with my DNS. – amon Jul 05 '22 at 19:56
  • @amon Agreed, but for me doing that (protecting last network leg) but blindly trusting the DNS operator is just moving trust (and everyone is free to choose of course who it trusts and how much), not raising the global level. It is also suddenly giving more power to a small set of operators (yes you can do DoHTQ to arbitrary servers, in practice there are already clear silos) which can later only yield questions on market dominance and privacy issues. – Patrick Mevzek Jul 05 '22 at 20:23

2 Answers

4

my ISP still knows which websites I visit, maybe can't pinpoint the exact webpage but that's not important, all those security features just to hide the exact web page you are visiting!

Many sites share IPs. E.g. knowing that a user visits a Cloudflare IP won't tell you very much about what website it actually is. You can rule out everything not served by CF, but not much more.

Same goes for other large cloud providers and CDNs: the IP won't reveal a lot in many scenarios.

Xan
vidarlo
2

Encrypted DNS is more about someone not being able to perform MITM for the DNS request itself (which protects against the rogue party replacing the IP address which many ISPs do routinely in order to "protect" you from websites or because the government mandates that), rather than anonymizing your DNS requests.

Artem S. Tashkinov
    DNSSEC ensures that MITM is not possible, without encrypting the answer. – vidarlo Jul 05 '22 at 19:14
  • Yeah, by using public key cryptography, and oh boy it's easy to downgrade from DNSSEC to normal DNS by a MITM party if your DNS resolver is not set up correctly. – Artem S. Tashkinov Jul 05 '22 at 19:17
  • @ArtemS.Tashkinov How can I make sure it's set up correctly? Are there any other steps than setting the correct DoH address in the browser, or using Cloudflare Warp? –  Jul 05 '22 at 19:36
  • DNSSEC by itself without using DoH/DoT can be downgraded: https://arxiv.org/abs/2205.10608 If you're using DoH or DoT you must be safe (granted your DNS provider can be trusted) if your certificate authority storage is not poisoned/compromised. Certain governments make people install their own certificates (e.g. Kazakhstan), certain applications install root certificates, e.g. antiviruses. In these two cases all bets are off. – Artem S. Tashkinov Jul 05 '22 at 20:26
  • @ArtemS.Tashkinov Thank you, I will keep that in mind. –  Jul 07 '22 at 08:49
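As an added illustration (not code from any answer or commenter on this page) of the two points raised in this answer and its comments: how a DoH client frames a query so that an on-path party cannot alter it, and how a client can tell from the response header whether the upstream resolver actually validated DNSSEC. The helper functions and the three response headers are constructed for this example; the domain `example.com` is only a sample.

```python
import base64
import struct

# Hypothetical helper (not from the page): frames a DoH query as RFC 8484
# requires and reads the DNSSEC-related bits out of the response header.

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query for `name` with RD set and an EDNS0 OPT record
    carrying the DO (DNSSEC OK) bit. Transaction id 0 as RFC 8484 suggests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def doh_get_path(query: bytes) -> str:
    """GET form of a DoH request: base64url, padding stripped, in the `dns` parameter."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def validation_status(response: bytes) -> str:
    """Classify a response by its header flags. AD (bit 5) set means the
    recursive resolver validated the DNSSEC chain; SERVFAIL (rcode 2) for a
    signed zone usually means validation failed (a validating resolver refuses
    to hand back data it could not verify); AD clear means nothing was validated."""
    _, flags, *_ = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    if rcode == 2:
        return "SERVFAIL"
    if rcode != 0:
        return f"rcode {rcode}"
    return "validated" if flags & 0x0020 else "unvalidated"

# Constructed response headers (not captured traffic); only the 12-byte header matters here.
RESP_VALIDATED = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD
RESP_UNVALIDATED = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 1)  # QR RD RA
RESP_BOGUS = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 1)        # QR RD RA, rcode 2

if __name__ == "__main__":
    print(doh_get_path(build_query("example.com")))
    for label, resp in (("validated", RESP_VALIDATED), ("unvalidated", RESP_UNVALIDATED), ("bogus", RESP_BOGUS)):
        print(label, "->", validation_status(resp))
```

The AD bit is only the resolver's claim, which is exactly the trust-shifting Patrick Mevzek describes: over plain UDP an on-path party can clear it or rewrite the answer, so the bit is only meaningful when the reply arrived over an authenticated transport such as DoH/DoT, and a stub that does not validate itself is still trusting that resolver.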