If I make an HTTP request to:

https://hello.domain.com

will the connection also encrypt the domain address (hello.domain.com)? So that sniffing the traffic still makes it impossible to guess what the requested DNS address is.

Note: I'm talking about the DNS address, not the resolved IP address.

Mark

4 Answers


No.

In order for the web browser to determine the IP address of some host, say example.com, it must look that up in the DNS, and that separate connection is not encrypted.

SSL/TLS, therefore, does not completely protect against malicious ISPs. Such an attacker can still determine which site the web browser wants to access, even if he can't read the actual data.

In addition, current TLS implementations will always send the fully qualified domain name of the server in cleartext, to support Server Name Indication. Thus a malicious ISP doesn't even need to look at your DNS queries.

Michael Hampton
  • Correct me if I'm wrong, but the DNS resolution is done by the client before it submits the request. So the outgoing packets will not contain info about the DNS address, but only the final IP address, right? – Mark Nov 11 '12 at 22:42
  • Outgoing packets _will_ contain information about the DNS lookups. That's the whole point. DNS is entirely separate to the connection to your web page. – Michael Hampton Nov 11 '12 at 22:43
  • So the next question would be: is there a way to encrypt DNS resolutions? – Mark Nov 11 '12 at 22:45
  • That's definitely a separate question and you should ask it separately. Be sure to include as much information as you can regarding the threats you are facing, so that you can get an appropriate answer. – Michael Hampton Nov 11 '12 at 22:46
  • http://serverfault.com/questions/447657/is-there-a-way-to-make-encrypted-dns-resolutions – Mark Nov 11 '12 at 23:05
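The SNI leak described in this answer can be observed without any network at all: drive a real OpenSSL client handshake into memory and read the hostname back out of the cleartext ClientHello. This is an added example, not code from the original answer; the hostname is the one from the question, and the parser assumes the ClientHello fits in a single TLS record (true for a typical browser-sized hello).

```python
import ssl
import struct
from typing import Optional


def capture_client_hello(hostname: str) -> bytes:
    """Return the first flight (the ClientHello) a TLS client would put on
    the wire for `hostname`. MemoryBIOs stand in for the socket, so nothing
    is sent anywhere."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the server
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Pull server_name out of a cleartext ClientHello record, as a passive
    observer on the path could. None if not a ClientHello or no SNI."""
    # TLS record header: content type 0x16 = handshake, version, length
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type 0x01 = ClientHello, then 3-byte length
    if len(body) < 4 or body[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                     # legacy_version + random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0x0000:  # server_name (RFC 6066): list_len(2), type(1), len(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(capture_client_hello("hello.domain.com")))  # → hello.domain.com
```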

No, the IP address will not be encrypted.

I was going to write a simple example using the post office/envelope version, but realised that just for DNS/HTTPS this becomes more confusing.

You can see http://www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm to get an understanding of encapsulation.

In the image below, using your example, only the Upper Layer Message would be encrypted. All other layers are unencrypted.

Datagram Image

Wayne

SSL/TLS transmits the hostname (not the URL) unencrypted during the handshake. The URL (https://domainname.com/bla bla bla ...) is encrypted.

But a sniffer will always be able to get IP and port information, because without that your packet can't be delivered.

If you want full encryption, you should consider using a VPN tunnel with proper DNS settings. That will at least protect you from sniffers in your local network.

John Siu
  • I added a note in the original question. I would like to know if the DNS address is discoverable, not the IP address. – Mark Nov 11 '12 at 22:41
  • If you have one, you can obtain the other. – Sirex Nov 11 '12 at 23:08
  • 2
    @Sirex, though hostname and ip can be easily found out from each other, the URL can be totally unrelated due to virtual host setting. A single web server may host unknown number of domain web sites. – John Siu Nov 11 '12 at 23:17
  • True, but that's not fool proof, either. http://tinyurl.com/bkgukpj – Sirex Nov 11 '12 at 23:38

An HTTP request looks like this:

GET /index.html HTTP/1.1
Host: www.domain.com

In order to send a request, the browser must first resolve the domain name (in this case it must get the IP address of www.domain.com), connect to the IP address and send the request. If you're using HTTPS then the content of the request will be encrypted and it can't be sniffed. The query to the DNS server will not, however, be encrypted, so it's possible to detect what sites you're browsing. If you're browsing HTTP sites using an HTTP proxy or a VPN, your browser will not send any DNS queries, so it won't be possible to say what sites you're browsing or sniff your traffic.

FINESEC
  • Generally, yes this is the case, but I should note that the `Host:` header is optional. – EEAA Nov 12 '12 at 00:03