
DoT is not really protecting us against ISP snooping is it?

Discussion in 'General Network Security' started by dvohwinkel, May 8, 2019.

  1. dvohwinkel

    dvohwinkel Regular Contributor

    Joined:
    Feb 19, 2016
    Messages:
    167
    I get that it is making it so our ISP cannot snoop directly on our DNS queries, but can't they just log all the IP addresses you connect to and get the exact same info? Sure, they have to do an extra step to then get the IP-to-name resolution. DoT is more for protecting against DNS hijacking, correct? It gives you an assurance that the named address you want to connect to is the actual IP address you connect to and not some hacker's misdirection.

    I ask this because I think some people will incorrectly think this protects them from people knowing what they are connecting to, and it will not. You need a VPN for that. This is HIGHLY useful though, as it protects you against being misdirected to a hijacker's address.
     
    heysoundude likes this.
  2. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    379
    Bingo! And that's why VPN server and client capability exists... the gold standard.
     
    no_name and dvohwinkel like this.
  3. martinr

    martinr Very Senior Member

    Joined:
    Nov 27, 2014
    Messages:
    1,813
    Location:
    United Kingdom
    That’s all I want from it.
     
    L&LD and QuikSilver like this.
  4. maxbraketorque

    maxbraketorque Very Senior Member

    Joined:
    Dec 6, 2015
    Messages:
    560
    Unfortunately though, some entity, i.e., your VPN provider, will have access to this info. Not sure if that represents better privacy for the average internet user.
     
    SMS786 and dvohwinkel like this.
  5. heysoundude

    heysoundude Senior Member

    Joined:
    Sep 20, 2016
    Messages:
    379
    They would have to have some reason to target you, and if they purge their logs often enough...
     
    L&LD likes this.
  6. Mutzli

    Mutzli Regular Contributor

    Joined:
    Dec 22, 2014
    Messages:
    198
    My ISP is Comcast and since activating DoT I see a lot of attempts from dns101.comcast.net to connect to the router. Just wondering if that has something to do with them logging my DNS calls.
     
  7. dvohwinkel

    dvohwinkel Regular Contributor

    Joined:
    Feb 19, 2016
    Messages:
    167
    All about who you trust more. ISP, VPN Provider, DNS provider, etc..
     
    SMS786 and jsbeddow like this.
  8. sinshiva

    sinshiva Very Senior Member

    Joined:
    Nov 8, 2013
    Messages:
    1,067
    Location:
    FL
    There's actually a bit more to this as the web and TLS advance:

    So, as you know, many sites are behind CDNs, things like Cloudflare, which leverage things like Anycast to load balance, cache and proxy to the actual host semi-transparently, protecting the host. Because of things like this, if most of your sites use Cloudflare, then all the ISP can really see is that you are connecting to Cloudflare.

    Something else they can currently track would be the Server Name Indicator (SNI) in HTTPS certificates; with TLS 1.2 this bit of information is still sent in the clear. TLS 1.3 brings Encrypted SNI, which plugs that little hole, meaning all they'll be able to see is encrypted traffic traversing the network to some IP.

    Not suggesting any of this obviates the need for a VPN, of course.
     
    heysoundude likes this.
  9. bits

    bits Regular Contributor

    Joined:
    Oct 13, 2011
    Messages:
    56
    TLS 1.3 allows for encrypted SNI; it does not mandate it.
    1) DoT does not support encrypted SNI.
    2) The browser must support DoH and encrypted SNI, e.g. currently only Firefox with non-default settings.
     
  10. Swistheater

    Swistheater Very Senior Member

    Joined:
    Jul 8, 2017
    Messages:
    815
    Location:
    Florida
    Run a tcpdump and track how many times your router sends traffic between the ISP and your DoT destination. I find it extremely hard to believe ISPs have any issues tracking it if they have to.