
Let's say I visited a website which uses HTTPS. So my ISP can't see the HTTPS traffic between us, but it can see which website I'm connecting to due to my DNS request. If I use a public DNS server such as OpenDNS or Google, is my ISP still able to see which website I'm using? Imho, they can see, since my DNS query is plaintext.

Also, some VPN providers claim that they don't leak our DNS queries. How do they do that?

Arminius
Kalsm

3 Answers


No. The DNS protocol has no built-in security; it is not encrypted. So your ISP will be able to read the DNS request and response regardless of the public server you choose.

Also, due to Server Name Indication (SNI), HTTPS reveals the target domain name during the TLS handshake. So an attacker wouldn't even need to sniff the DNS traffic in order to learn which domain you're connecting to.

There are however projects that aim to encrypt DNS traffic, for example DNSCrypt. But note that encrypting the DNS traffic still doesn't prevent leaking the domain name via other channels such as SNI. So this doesn't replace a properly configured VPN. From the website:

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks websites' host names in plain text, rendering DNSCrypt useless as a way to hide this information.


Also, some VPN providers claim that they don't leak our DNS queries. How do they do that?

They configure your system so that all your DNS queries go through the VPN tunnel to their own DNS server and block traffic to the ISP's DNS. The exact measures necessary depend on your OS. Here are some suggestions on how to configure your system to prevent DNS leaks yourself.

Arminius

... my ISP can't see the HTTPS traffic between us ...

Not exactly. As it routes the traffic coming from your computer, the ISP does know the public IP address of the host you are connected to. What is encrypted is the data exchanged, including the part of the URL after the host and port.

But as HTTPS uses TCP as its transport protocol, the TCP headers that contain the IP address and the port cannot be encrypted.

That's why DNS requests are generally not logged, but at least in France ISPs must log the consulted sites for about 1 year and must give the logs to the authorities in case of a legal investigation. And AFAIK, it is the same in many European countries.

Serge Ballesta

Two things.

  1. DNS Queries are not encrypted, so that even though you have HTTPS, the original DNS Query can be logged and viewed by your ISP.

  2. Some services run on dedicated IPs, one IP hosting just one service. In this case, even with HTTPS, the ISP can figure out who you're connecting to simply by viewing the IP traffic.

  3. Most websites don't run on dedicated IPs. Consider Cloudflare, where LOTS(!) of websites are hosted behind their IPs; in this case IP traffic would be useless, and most Cloudflare sites enable HTTPS already. However, as your browser is connecting to Cloudflare, it's sending the hostname via SNI.

The only true way to ensure nothing leaks is via VPN, and ensure the VPN doesn't leak DNS (the DNS query is done via the VPN).

keithRozario
  • A VPN is absolutely _not_ the only way to prevent this, much less the only "true" way. Tor for example does not even use DNS on the client. – forest Mar 12 '18 at 09:45
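The first and third answers both say that an on-path observer such as the ISP learns the destination host from two plaintext artefacts: the DNS query and the Server Name Indication (SNI) in the TLS ClientHello, even when the site sits behind a shared CDN address. The script below is an added example, not code from the original question or answers, that parses both artefacts the way a passive sniffer would. The DNS message and the ClientHello are constructed in the script itself (the builders, the hostnames and the fixed random bytes are assumptions for the demo), so it runs offline and never touches the network.

```python
"""Added example: what a passive observer (e.g. the ISP) can read from a visit
to an HTTPS site without decrypting anything. The DNS query and the TLS
ClientHello below are constructed in this file; nothing is sent on the wire."""

import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed: a standard A query as a stub resolver would send it (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_dns_query_name(udp_payload: bytes) -> str:
    """Return the first question name from a plaintext DNS message."""
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed: a minimal TLS 1.2 ClientHello, optionally carrying an SNI extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type=host_name
        sni_body = struct.pack("!H", len(entry)) + entry            # ServerNameList
        extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body  # ext type 0 = server_name
    body = (
        b"\x03\x03"                           # client_version TLS 1.2
        + b"\x11" * 32                        # random (fixed filler for the example)
        + b"\x00"                             # empty session id
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
        + b"\x01\x00"                         # null compression only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_sni(record: bytes) -> Optional[str]:
    """Extract server_name (RFC 6066) from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                 # record hdr (5) + handshake hdr (4) + version + random
    pos += 1 + record[pos]           # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]           # compression methods
    if pos >= len(record):
        return None                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:            # server_name: list_len(2), name_type(1), name_len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            if record[pos + 2] == 0:
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def observer_view(dns_packet: bytes, tls_record: bytes) -> dict:
    """Everything the sniffer learns about the destination from plaintext fields."""
    return {"dns_qname": parse_dns_query_name(dns_packet), "sni": parse_sni(tls_record)}


if __name__ == "__main__":
    print(observer_view(build_dns_query("example.com"), build_client_hello("example.com")))
    # Even if the DNS query were encrypted (e.g. DNSCrypt), the SNI alone still names the site.
    print(parse_sni(build_client_hello("example.com")))
```

Run it and both fields come back as the plain hostname; the point of the second print is the one Arminius's answer makes: hiding the DNS query changes nothing as long as the ClientHello still carries the name. Against a real capture you would feed `parse_dns_query_name` the UDP payload of port 53 traffic and `parse_sni` the first TLS record of each port 443 connection.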