What information can an ISP record solely from DNS queries?

4

I realized recently that my VPN's DNS requests were transmitted to my ISP's DNS server (even though my HTTP and HTTPS requests were properly transmitted via the VPN).

I did some research and have a couple of questions about the level of detail that an ISP is able to record.

My question is specifically about DNS requests. I am aware that there are other questions on this and related forums about the details that ISPs can glean from the HTTP and HTTPS traffic.

In terms of privacy, there is a significant difference in an ISP recording a user's DNS request to:

https://www.google.com/

and a request to:

https://www.google.com/search?source=hp&q=ultra+left+wing+support

There is a difference between an ISP recording:

https://www.reddit.com/ 

and:

https://www.reddit.com/r/hot-babes 

My understanding is that DNS queries from users to an (ISP's) DNS server will show the host (https://www.google.com/) but not the specific search term or any part of a URL after the TLD (e.g. .com). Is this correct?

I am asking about both HTTP and HTTPS although I can't see that there would be a difference for DNS requests.

In other words, an ISP can record the sites the user visited (via their DNS look-up logs), but cannot record the search query the user made in the search engine or the specific page(s) of a site that a user visited. To do so, the ISP would have to record the URLs when the user directly accessed the website pages. Is this right?

MetalMan

Posted 2017-08-17T19:29:08.230

Reputation: 51

1 – Your ISP could be recording every bit sent to/from your connection. – DavidPostill – 2017-08-17T19:39:55.533

Depending on what resolutions happen they could guess your OS, software you use and with timing information also usage patterns. They won't (assuming a VPN is used) be able to easily decipher that traffic. – Seth – 2017-08-18T10:12:36.680

Answers

2

If the entire connection the web browser makes is over HTTPS, then the ISP will simply see you are communicating with a server address. Remember, DNS requests are not part of the browser, usually. Your computer can make DNS queries all it wants, which will only be, in your examples, www.reddit.com and www.google.com.

Once the web browser knows the IP address to send the request to, the browser encrypts the entire URL you're requesting - for example, https://www.reddit.com/r/hot-babes is encrypted into a string that your computer and Reddit's server would understand. The ISP cannot read this in normal circumstances.

Normal circumstances are for people like me. My ISP does not attempt any sort of Man In The Middle (MITM) attacks, such as making me accept their own root certificate (!). If they forced you to install their own certificate, then it's fair game for them.

This is also mitigated if the sites support HSTS (Hypertext Strict Transport Security). This will hopefully be up to date, and built in to your browsers (Firefox and Chrome both do). If your browser attempts a connection to a site with HSTS setup, the browser will upgrade the connection to HTTPS automatically before making the connection.

Canadian Luke

Posted 2017-08-17T19:29:08.230

Reputation: 22 162

1

In terms of BIND, you cannot. Incoming queries come in and only the hostnames that are queried are shown in the logs along with the source external IP that is making the query, because DNS simply provides the name resolution. You don't really have the ability to view the full URL in the path. If the ISP was somehow intercepting web traffic in order to obtain your internet requests and its request methods, then your privacy would be exposed, but on an ISP level your queries would be a tiny needle in a very large haystack.

If they wanted to suppress a political activist, they would have to begin to monitor for those sites generally in the BIND logs based on those hostnames that point to said web sites. Even if they get your IP, they really can't do much with the IP alone unless they want to brute force attack the IP all day, which mostly will not expose the privacy of the individual unless the target network does get penetrated.

If you are curious about ISPs, just use another DNS server or serve your own DNS queries by using a default root hints configuration with no forwarders set, and by keeping your root server list up-to-date. A Microsoft DNS Server provides this simple setup by default and so does BIND from my experience as long as you do not specify any forwarders. If you specify a forwarder on your server, then you are effectively funneling your network DNS requests for zones outside of your network to those public servers. So just keep a basic DNS server config that is untouched (except you'll still want your internal zones of course), and then you are good for DNS privacy, because your server will handle those DNS queries by sending them directly to the root servers bypassing everyone except the biggest of the big boys of each domain jurisdiction. Your DNS will be clean as a whistle, which is why using a server-class OS is worth the time and/or money...

Paul Latour

Posted 2017-08-17T19:29:08.230

Reputation: 21

Decent answer to an old question. – JakeGould – 2019-01-02T01:53:21.067

1 – This question was showing up in "Hot Network Questions" just today – Paul Latour – 2019-01-02T01:57:42.400

Well, who knows how the “community” logic filtering works. Regardless, good work! – JakeGould – 2019-01-02T02:39:48.813
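To make concrete what "only the hostnames ... along with the source external IP" looks like in a BIND query log, here is a small Python parser over a few constructed log lines. This is an added example, not code from any poster or from BIND; it assumes the BIND 9 query-log line layout (`client <ip>#<port> (<qname>): query: <qname> <class> <type> ...`), and the sample lines, addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in BIND 9 query-log layout (not real traffic).
SAMPLE_LOG = """\
17-Aug-2017 19:29:08.230 queries: info: client 203.0.113.5#51234 (www.google.com): query: www.google.com IN A +E(0)K (192.0.2.1)
17-Aug-2017 19:29:08.412 queries: info: client 203.0.113.5#51235 (www.google.com): query: www.google.com IN AAAA +E(0)K (192.0.2.1)
17-Aug-2017 19:29:12.001 queries: info: client 203.0.113.5#51236 (www.reddit.com): query: www.reddit.com IN A +E(0)K (192.0.2.1)
17-Aug-2017 19:29:15.777 queries: info: client 203.0.113.9#40001 (example.org): query: example.org IN MX +E(0)K (192.0.2.1)
"""

# One regex for the assumed layout. Newer BIND versions insert a
# "@0x..." client-pointer token after "client"; it is optional here.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Return one record per query line: every field the log actually holds."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line (or a layout this parser does not know)
        records.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "port": int(m.group("port")),
            "qname": m.group("qname"),
            "qclass": m.group("cls"),
            "qtype": m.group("qtype"),
        })
    return records


def queries_by_client(records):
    """Group the hostnames each source address asked for, with counts."""
    per_client = defaultdict(Counter)
    for r in records:
        per_client[r["client"]][r["qname"]] += 1
    return per_client


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for client, names in queries_by_client(recs).items():
        print(client, dict(names))
```

Note which fields are absent from every record: there is no URL path, no query string and no scheme, because none of those ever reach the resolver. What the log does give an operator is the per-client list of hostnames with timestamps, which is exactly the "usage patterns" angle raised in the comments above.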

0

DNS is used to translate domains into IP addresses, thus regardless of whether you are going to "http://www.google.com", "https://www.google.com", "https://www.google.com/q=none_of_your_business", "http://www.google.com/?q=myob" the DNS query will only show a lookup for "www.google.com" because that is all the browser needs in order to find the server.

It's probably largely irrelevant here, but DNS can also have additional generic information about the domain name you are requesting, like what IP addresses it can send email from - but none of this would be specific to your connection or leak your activity save as to the extent it can tell which domain name you are looking at, and sometimes what kind of service you are using. (For example if you are acting as a mail server it will see you are asking for a mail record - but most of the time not even this much.)

davidgo

Posted 2017-08-17T19:29:08.230

Reputation: 49 152
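Both this answer and Canadian Luke's make the same point: whatever the full URL is, the only thing that goes into the DNS query is the hostname. The following added Python example (not code from any poster) builds a DNS query packet in wire format for the hostname taken from one of the question's URLs and then decodes the packet again, so you can see field by field what a resolver or ISP receives: a 12-byte header, the QNAME labels, the query type and the class, and nothing else. The helper names are my own; the transaction ID is an arbitrary constant.

```python
import struct
from urllib.parse import urlsplit

QTYPES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA"}
QTYPE_CODES = {v: k for k, v in QTYPES.items()}


def hostname_for_lookup(url):
    """The only part of a URL a stub resolver ever sends: the host."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host to resolve")
    return host


def encode_qname(name):
    """Wire-format name: length-prefixed ASCII labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")  # IDNA conversion omitted for brevity
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """A standard recursive query: header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPE_CODES[qtype], 1)
    return header + question


def parse_query(packet):
    """Decode a query packet and return every field it carries."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "txid": txid,
        "recursion_desired": bool(flags & 0x0100),
        "questions": qd,
        "qname": ".".join(labels),
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": qclass,
        "trailing_bytes": len(packet) - pos - 4,  # 0: nothing else in the packet
    }


def what_the_resolver_sees(url, qtype="A"):
    """Round-trip: URL -> hostname -> query bytes -> decoded fields."""
    return parse_query(build_query(hostname_for_lookup(url), qtype))


if __name__ == "__main__":
    url = "https://www.google.com/search?source=hp&q=ultra+left+wing+support"
    print(build_query(hostname_for_lookup(url)).hex())
    print(what_the_resolver_sees(url))
```

Running it on the question's search URL yields a 32-byte packet whose decoded QNAME is `www.google.com`; the path, the query string and even the `https` scheme never appear in the bytes, which is why the resolver cannot distinguish the two Google URLs in the question. The `trailing_bytes` field being zero confirms the question section is the whole payload.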

0

Consider some issue where you and two other persons are using the same VPN provider but different websites. Now if some attacker wants to find who is visiting forbidden.com using a VPN, from the ISP DNS log it will be simply one query distance to find. I understand it is not common to have access to ISP data but a recent trend shows some real big organizations have wholesale access to lots of logs around the world.

Even though DNS logs have no info on URL access, with a correlation attack it will be easy to match 2+2 = 4!

A. Bauani

Posted 2017-08-17T19:29:08.230

Reputation: 59