For example, if I use my ISP DNS and open this page they will see:

https://security.stackexchange.com/questions/ask

It would show up in their logs for sure.

But if I use Google DNS, then what EXACTLY can they see?

Do they log this as:

http://204.93.58.117/questions/ask

or just:

http://204.93.58.117/

I'm asking this because my government seems to monitor too much. I know about VPN but I don't use VPN all the time. I simply want to know what can ISP log when I'm not using VPN, only Google public DNS.

Marko
  • possible duplicate of [Are URLs viewed during HTTPS transactions to one or more websites from a single IP distinguishable?](http://security.stackexchange.com/questions/4388/are-urls-viewed-during-https-transactions-to-one-or-more-websites-from-a-single) – WoJ Jun 28 '15 at 19:30
  • No it is not duplicate – Marko Jun 28 '15 at 19:45
  • Can you specify what you mean by "their log files"? It's too broad. Short answer: They can log everything. They can read everything that's not well encrypted. For example, it could be logging your computer/router's MAC, or logging routed traffic both to one of Google's DNS servers (to resolve the FQDN) and to 204.93.58.117 or to Tor nodes, or the DNS query itself, or TCP flags, or SSL / TLS negotiations, or logging the URL and cookies in the HTTP layer of the subsequent page request, or the PNG image or XML in the request body, or... you get the picture. But many logs reduce performance. – Courtney Schwartz Sep 29 '16 at 03:39

2 Answers


Short answer: they are only able to log the hosts you visit (e.g. security.stackexchange.com, google.com, etc.) and not the full address (e.g. https://stackexchange.com/login). If you access unencrypted webpages (http instead of https), they are able to see everything. ISPs are not known to log unencrypted webpages en masse, but I wouldn't be surprised if the NSA or China logs this kind of meta information.

Long answer:
Since DNS traffic is not encrypted, your ISP could see every host you visit (it does not matter if you use Google's DNS or theirs). If you visit https://security.stackexchange.com/questions/ask (note the s after http), your ISP will see that you visited security.stackexchange.com and that you used HTTPS. If you use HTTP, they will see everything (the content of the webpage, URL, and sometimes even cookies. Note that security.stackexchange.com will always redirect you to their HTTPS version. This means your ISP will only see that you were redirected to the encrypted version. If you are not on the https version, you're being MITM'd. You should then use a VPN).

If you request http://security.stackexchange.com/questions/ask (as you have originally asked), your ISP will also be able to tell that you requested the very page since it is not encrypted. It does not matter that Stack Exchange is redirecting you to the encrypted version because you have already accessed the unencrypted version once. Make sure you always use https when possible.

If you access google via 216.58.192.110 (one of their IPs), your ISP will still be able to see that you visited 216.58.192.110. Since your ISP is also probably running a DNS server, they could also check where 216.58.192.110 resolved to (which will probably return google). They could also check that by hand, but this would take more time.

The only way to protect yourself from these attacks is to use a VPN. Note that by using a VPN you simply shift the trust to someone else. If you use a public VPN, there are many more parties who can monitor your traffic: the VPN provider (their server might log everything you do), the server host, and the government of the country the server is located in.

Lanklaas
Matt3o12
  • ISP uses DNS servers to log visited pages right? If I use third party DNS like Google Open DNS then they can't? Right? I know they can track anything if they really want to but what usually happens if you use third party DNS? I guess they don't have logs about visited pages... – Marko Jun 27 '15 at 17:32
  • @Marko No, ISPs don't use DNS to log visited pages. All DNS can log is what *domains* you're talking to, but that's already visible to the ISP (even with TLS, the domain is generally sent unencrypted). DNS is not capable of logging visited URLs, because it has nothing to do with URLs (just domain names, but not the protocol or the path). – cpast Jun 27 '15 at 17:39
  • @Marko I added a short answer, which hopefully clarifies my explanation. – Matt3o12 Jun 27 '15 at 17:47
  • @cpast If you open page like httpsfacebook.com/somepage and you get this in your address bar httpsfacebook.com/somepage and 503 error message for that page is full URL recorded by ISP? Thanks – Marko Jun 27 '15 at 18:53
  • @cpast Matt3o Thank you for your answers. This is my real question... I stopped using Facebook some time ago as I was accused of sending insults to some people... I live in a country which has bad cooperation with Facebook... I did not do that, I just didn't. A few days ago I used a search engine to find the FB page of a woman who accused me. When I opened that page it sent a 503 error code... so it should be only visible that I opened fb because it is HTTPS but it returned an HTTP error page (error code 503) because the server was down. In the address bar was the full address, it said http instead of HTTPS with the full address of tha – Marko Jun 27 '15 at 18:23
  • If the address bar said http, your ISP could save it although I doubt that will be checked unless the woman is suing you. If you are looking for an easy way to access pages in a more secure way, use https://hide.me, just make sure you use HTTPS and the site has a valid certificate. They offer a free proxy and a free VPN (up to 300mbs). Disclaimer: I'm not affiliated with that company. I only use it and I'm a happy customer. – Matt3o12 Jun 27 '15 at 19:13
  • Please don't add "thank you" as an answer. Once you have sufficient [reputation](http://security.stackexchange.com/help/whats-reputation), you will be able to [vote up questions and answers](http://security.stackexchange.com/help/privileges/vote-up) that you found helpful. – Jens Erat Jun 27 '15 at 19:33
  • @Matt3o Even if I used Google public DNS servers? – Marko Jun 27 '15 at 19:51
  • @Marko yes. It does not matter because it is not encrypted. Your ISP will always know what IP addresses you have accessed unless you use a VPN. Also remember that you access Facebook unknowingly every time a site uses a like button (because your browser accesses Facebook in order to load the button). If you found my answer helpful, could you please upvote and accept it. – Matt3o12 Jun 27 '15 at 19:55
  • @Matt3o Thanks. I don't care if they know which IP address I visited, in this case facebook, I only care if they know the full url of that page since I used Google Public DNS. I can't upvote because I don't have credits of some kind. So it is ok for me that the isp knows I have visited fb, not ok that they know the full url. I promise to come back and upvote – Marko Jun 27 '15 at 20:09
  • Please use the edit link on your question to add additional information. The Post Answer button should be used only for complete answers to the question. – S.L. Barth Jun 27 '15 at 20:13
  • Then who can see the full url? No one? – user12458 Jun 19 '16 at 19:17
  • @JavaTechnical, assuming you have not been MITM'ed, only your computer and the webserver you visited (although your browser might sync your history to some kind of cloud service). – Matt3o12 Jun 19 '16 at 19:23
  • If you're on a corporate network or cafe hotspot, by the way, MiTM (aka SSL inspection) is pretty standard practice, so their network admins will have seen the URL, too, as long as they have it enabled. SSL inspection is common in network security gear like Juniper and Fortinet: https://www.juniper.net/documentation/en_US/junos15.1x49/topics/concept/security-utm-enhanced-web-filtering-functionality-understanding.html – Courtney Schwartz Sep 29 '16 at 03:54
An ISP is literally an "internet provider". As such they provide you the wires and equipment to access the globally scaled network.

Since they are in between you and the rest of the world, you have to assume that anything not encrypted is potentially logged by your ISP. Even if you use Google DNS, the DNS request will be sent from your computer, to your modem, to your ISP's equipment, then to Google DNS.

DNS is not commonly encrypted and contains the name of the site you ask for resolution, thus they can log it. Furthermore, IPs can be passed through a reverse DNS which will return the name the IP is associated with (actually the main name).

Whether they do log DNS requests or not is not in the scope of the site.

After your DNS request, your computer has to access the website. In the same way, if the session is not encrypted, it can be logged.

As a matter of fact, even encrypted traffic can be logged, but it can't be read (unless you can break the crypto).

M'vy
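Both answers above make the same layered point: a plaintext DNS query carries the host name, an HTTP request carries the full URL (and cookies), and an HTTPS connection exposes only the host name (via the TLS Server Name Indication) plus the IP address. The following Python script is an added example, not code from the Stack Exchange post or its authors; it builds constructed sample packets for each of the three cases and runs a minimal passive parser over them, the way an on-path observer such as an ISP could. The byte layouts follow the public formats (RFC 1035 for DNS, RFC 6066 for SNI); the host and path values are the ones from the question, and the TLS random/cipher-suite bytes are constructed filler.

```python
"""Added example: what a passive on-path observer can read from three packet types.
Sample packets are constructed inline; nothing here touches the network."""
import struct

HOST = "security.stackexchange.com"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed plaintext DNS query (RFC 1035): header + QNAME + QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_dns_qname(payload: bytes) -> str:
    """Read the queried name out of the question section (no compression in queries)."""
    pos, labels = 12, []          # skip the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


# Constructed HTTP/1.1 request: everything, including path and cookie, is plaintext.
SAMPLE_HTTP = (b"GET /questions/ask HTTP/1.1\r\nHost: " + HOST.encode() +
               b"\r\nCookie: session=example-constructed\r\n\r\n")


def parse_http_request(payload: bytes) -> dict:
    """Recover method, full URL and cookie from an unencrypted request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in head[1:])}
    return {"method": method, "url": f"http://{headers.get('host')}{path}",
            "cookie": headers.get("cookie")}


def build_client_hello(server_name: str) -> bytes:
    """Constructed TLS ClientHello carrying only an SNI extension (RFC 6066)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni             # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random (filler), empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_tls_sni(payload: bytes):
    """Walk a ClientHello and return the SNI host name; the URL path is never present."""
    if payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                  # record+handshake headers, version, random
    pos += 1 + payload[pos]                           # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                           # compression methods
    ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:                                # list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def observer_view() -> dict:
    """What an ISP-style observer learns from each constructed packet."""
    tls = build_client_hello(HOST)
    return {
        "dns": parse_dns_qname(build_dns_query(HOST)),          # host name only
        "http": parse_http_request(SAMPLE_HTTP),                # full URL + cookie
        "https_sni": parse_tls_sni(tls),                        # host name only
        "https_path_leaked": b"/questions/ask" in tls,          # False: path never leaves TLS
    }


if __name__ == "__main__":
    for layer, seen in observer_view().items():
        print(f"{layer:18} -> {seen}")
```

Switching to Google DNS changes where the DNS query goes, not whether its contents are readable in transit, so the "dns" line is the same whichever resolver is used; only DNS over TLS/HTTPS would hide it. The "https_sni" line is what the ISP gets for an HTTPS visit, which is why the answers say only the host is logged, while the "http" line shows why the original http:// request (before the redirect) exposes the whole path.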