nanog mailing list archives

Re: Are public DNS a good thing? (was: Re: 1.1.1.1)


From: Jay Acuna via NANOG <nanog () lists nanog org>
Date: Thu, 17 Jul 2025 14:44:22 -0500

On Thu, Jul 17, 2025 at 2:05 PM Tom Beecher <beecher () beecher cc> wrote:

> not to mention probably exposed in the TLS SNI, so it's not like you're gaining that
> much privacy anyways.

Older versions of TLS have this weakness, yes.

That does not mean you stop trying to mitigate other points where your data may
be leaking, especially with regard to DNS packets, which are easily analyzed
because the protocol is so simple, and because there is such a smaller number
of DNS packets traversing a network it becomes low-hanging fruit to capture,
record, and analyze all the DNS packets, and is entirely feasible for any ISP
to do. On the other hand, capturing, saving, and analyzing every TCP port 443
packet for a large ISP network would require an insane amount of storage and
computation power, hopefully costing a much greater number of dollars than the
possible profit value an ISP could expect to generate by violating the
privacy of all their subscribers.

My understanding is about half of internet traffic is HTTP/3. And the protocol
is designed specifically to encrypt headers and metadata such that a 3rd party
cannot analyze the packets anymore to figure out the actual domain name requested,
for that very purpose.

And TLS 1.3 as well has added an extension for Encrypted SNI, so if domains
you are visiting have implemented ESNI, then a 3rd party cannot identify the
domain or server name being requested over HTTPS.

> When using DoH, your ISP can't see your DNS requests, but they can absolutely
> still see the IP of the thing you try to connect to right after making that DNS request,

In theory, but feeding off DNS packets is a much smaller volume of traffic for an ISP to
sniff packets from -- it is extremely easy and much lower cost, since the volume of
DNS packets is going to be minuscule compared to the volume of HTTPS packets
traversing their networks.

With DNS the ISP just places a small inexpensive box on the network sold by one of the
companies that specializes in messing with your customers' DNS traffic -- probably
handles auto-redirecting "non-existent domains" to Ad-supported search pages as well.
On the other hand, sniffing every single port 443 packet and deconstructing the headers
is a much higher amount of computation, so at least you are making privacy invasion
more expensive. Hopefully expensive enough that they give it up.

Also, same issue as with just using NetFlow to track customer
surfing: a single web server IP address often hosts many websites.

You can be tunneling your HTTPS connections through a Proxy, another
privacy service, or a VPN, and your DNS requests are simply leaking
through your main connection, which is common.

You can be hitting websites behind a Cloudflare reverse proxy IP, and
there are hundreds or thousands of domains virtually hosted on the same IP address.

--
-JA
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/72B3MRTP36ECEZRFKX7LYXSHDGJBOXHO/
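The post above contrasts how much a passive on-path observer learns from a plaintext DNS query (the full name, by parsing a trivial wire format) versus an HTTPS connection (an IP:port that may front many sites), and notes that DNS often "leaks" around a VPN or DoH setup. The following is an added example, not code from the thread or from any NANOG participant: it parses the question name out of a DNS query as an observer would, reports what each flow reveals, and implements the defender-side check a DoH-only host should pass (no plaintext port-53 queries at all). All traffic is constructed inline; the resolver and server addresses from the documentation ranges (192.0.2.53, 203.0.113.7) are assumptions, and 1.1.1.1 stands in for the DoH endpoint named in the thread subject.

```python
"""Added example (not from the NANOG thread): what a passive observer learns
from plaintext DNS versus HTTPS, and a check for DNS queries that bypass a
DoH/VPN setup. All traffic below is constructed; 192.0.2.53 and 203.0.113.7
are assumed documentation-range addresses."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed packet: transport, destination, and the start of its payload."""
    proto: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_qname(payload: bytes) -> Optional[str]:
    """Return the queried name from a DNS query, or None if this is not a query.

    Wire format (RFC 1035): a 12-byte header, then the question name as a run of
    <length><label> pairs ending in a zero byte, then QTYPE and QCLASS. The
    header alone distinguishes a query (QR bit clear) from a response.
    """
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount != 1:  # response, or not exactly one question
        return None
    labels = []
    pos = 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            # Name complete; QTYPE and QCLASS (4 bytes) must still follow.
            return ".".join(labels) if pos + 4 <= len(payload) else None
        if length & 0xC0 or pos + length > len(payload):
            return None  # compression pointer or truncated label: not a plain query
        labels.append(payload[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    return None  # ran off the end before the terminating zero byte


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query; used here only to construct sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def observer_view(flows: List[Flow]) -> List[str]:
    """What an on-path observer learns from each flow without breaking any crypto:
    the full name from a plaintext DNS query, only an address:port otherwise."""
    view = []
    for f in flows:
        qname = parse_qname(f.payload) if f.dst_port == 53 else None
        if qname is not None:
            view.append(f"DNS query for {qname}")
        else:
            view.append(f"connection to {f.dst_ip}:{f.dst_port}")
    return view


def find_plaintext_dns(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (resolver_ip, qname) for every plaintext port-53 query.

    On a host meant to resolve only over DoH (TCP/443) this list should be
    empty; every entry is a query the ISP can read directly off the wire."""
    leaks = []
    for f in flows:
        if f.dst_port != 53:
            continue
        qname = parse_qname(f.payload)
        if qname is not None:
            leaks.append((f.dst_ip, qname))
    return leaks


# Constructed traffic from one client: a plaintext query to an ISP resolver, a
# DoH exchange and an HTTPS connection (payloads start with a TLS record header,
# 0x16 0x03 0x01), and a DNS *response* that the checks must ignore.
TLS_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.53", 53, build_query("example.com")),
    Flow("tcp", "1.1.1.1", 443, TLS_HELLO_PREFIX),
    Flow("tcp", "203.0.113.7", 443, TLS_HELLO_PREFIX),
    Flow("udp", "192.0.2.53", 53,
         struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00"),
]

if __name__ == "__main__":
    for line in observer_view(SAMPLE_FLOWS):
        print(line)
    print("plaintext DNS queries:", find_plaintext_dns(SAMPLE_FLOWS))
```

Run against a capture from your own host after enabling DoH or a VPN, `find_plaintext_dns` should return an empty list; a non-empty result is the leak the post describes, whatever resolver it is going to. The `observer_view` output makes the asymmetry concrete: the port-53 line names the site, the port-443 lines give an address that, behind a reverse proxy, says little about which of many hosted domains was visited.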