
On Thu, Jul 17, 2025 at 2:05 PM Tom Beecher <beecher@beecher.cc> wrote:
> not to mention probably exposed in the TLS SNI, so it's not like you're gaining that much privacy anyways.

Older versions of TLS have this weakness, yes.
That does not mean you stop trying to mitigate other points where your data may be leaking, especially in regard to DNS packets, which are easily analyzed because the protocol is so simple, and because there are so many fewer DNS packets traversing a network, it becomes low-hanging fruit to capture, record, and analyze all of them, which is entirely feasible for any ISP to do. On the other hand, capturing, saving, and analyzing every TCP port 443 packet for a large ISP network would require an insane amount of storage and computation power, hopefully costing a much greater number of dollars than the possible profit an ISP could expect to generate by violating the privacy of all their subscribers. My understanding is that about half of internet traffic is HTTP/3, and the protocol was designed specifically to encrypt headers and metadata so that a third party cannot analyze the packets to figure out the actual domain name requested, for that very purpose. TLS 1.3 has also added an extension for Encrypted SNI, so if the domains you are visiting have implemented ESNI, then a third party cannot identify the domain or server name being requested over HTTPS.
> When using DoH, your ISP can't see your DNS requests, but they can absolutely still see the IP of the thing you try to connect to right after making that DNS request,
In theory, but feeding off DNS packets is a much smaller volume of traffic for an ISP to sniff packets from -- it is extremely easy and much lower cost, since the volume of DNS packets is going to be minuscule compared to the volume of HTTPS packets traversing their networks. With DNS, the ISP just places a small inexpensive box on the network, sold by one of the companies that specializes in messing with your customers' DNS traffic -- probably handles auto-redirecting "non-existent domains" to ad-supported search pages as well. On the other hand, sniffing every single port 443 packet and deconstructing the headers is a much higher amount of computation, so at least you are making privacy invasion more expensive. Hopefully expensive enough that they give it up. Also, same issue as with just using Netflow to track customer surfing: a single web server IP address often hosts many websites. You can be tunneling your HTTPS connections through a proxy, another privacy service, or a VPN, while your DNS requests are simply leaking through your main connection, which is common. You can be hitting websites behind a Cloudflare reverse proxy IP, and there are hundreds or thousands of domains virtually hosted on the same IP address.

-- 
-JA
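Worked example added here (not from the thread, and not anyone's production tooling): the two plaintext fields the message contrasts, a DNS query name and a TLS ClientHello SNI, recovered from constructed sample packets with standard-library Python, so you can see how little parsing an on-path observer or your own network sensor needs for each. The builder functions and the sample hostname are my own constructions, not captured traffic.

```python
import struct
from typing import Optional

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a plaintext UDP DNS A query for `name` (not a real capture)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD flag, 1 question
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN

def dns_qname(pkt: bytes) -> str:
    """Queried name follows the fixed 12-byte header as length-prefixed labels ending in 0x00."""
    labels, i = [], 12
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal ClientHello carrying a server_name extension."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type=host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                             # version, random
            + b"\x00"                                           # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS record header

def tls_sni(rec: bytes) -> Optional[str]:
    """Walk a ClientHello to its server_name extension; None if absent or not a ClientHello."""
    if len(rec) < 6 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    i = 9 + 2 + 32                                  # record+handshake hdrs, version, random
    i += 1 + rec[i]                                 # session id
    i += 2 + struct.unpack("!H", rec[i:i + 2])[0]   # cipher suites
    i += 1 + rec[i]                                 # compression methods
    end = i + 2 + struct.unpack("!H", rec[i:i + 2])[0]
    i += 2
    while i < end:
        etype, elen = struct.unpack("!HH", rec[i:i + 4])
        i += 4
        if etype == 0:                              # server_name
            nlen = struct.unpack("!H", rec[i + 3:i + 5])[0]
            return rec[i + 5:i + 5 + nlen].decode()
        i += elen
    return None
```

Note that the DNS name is a fixed-offset read while the SNI needs a stateful walk through several variable-length fields, and with ECH or DoH in place the corresponding extractor simply finds nothing.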