Forgive me for the simple question; I have very little knowledge about networks.

The new DNS service from Cloudflare claims to offer a "more private" connection but I don't understand if/how it can prevent my ISP from seeing what websites I visit.

As far as I understand, if I use this service my ISP will not have access to the address I type in my browser, but it will know the IP this address is resolved to, is this correct? Is the extra privacy coming only from the fact that my ISP would know the machine I'm connecting to but (if the connection to the machine is encrypted) not the actual pages I'm visiting within that server?

Also, and possibly unrelated, if I am on an HTTPS site while using my ISP's DNS servers, and I click on a link pointing to a page within the same site, does that constitute a new DNS lookup in which my ISP could see the exact link address? Does the site encryption help in any way here?

foglerit

1 Answer

I don't understand if/how it can prevent my ISP from seeing what websites I visit.

It doesn't. Cloudflare's promise is that they don't keep records of your DNS queries. Your ISP can still log them by inspecting your traffic.

if I use this service my ISP will not have access to the address I type in my browser, but it will know the IP this address is resolved to, is this correct?

Your ISP will have access to the domain you're visiting because your DNS query is unencrypted by default and HTTPS may leak the hostname due to Server Name Indication. Even without that, they may narrow down possible hostnames by looking at the IP you're connecting to.

if I am on an HTTPS site while using my ISP's DNS servers, and I click on a link pointing to a page within the same site, does that constitute a new DNS lookup in which my ISP could see the exact link address?

Your system caches DNS, so navigating within the same domain usually doesn't trigger a new DNS query. Also, the exact URL isn't directly leaked when using HTTPS; you're only revealing the domain.

That said, there are protocols for encrypting DNS traffic such as DNSCrypt, DNS over HTTPS and DNS over TLS (which by now has been standardized). However, just encrypting DNS won't prevent leaking the hostname through other channels, such as SNI.

Arminius
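To make the two leak channels in the answer concrete, here is an added example (not part of the original answer or of Cloudflare's software) that builds the two packets a passive observer such as an ISP sees when a browser opens a site, then parses them the way a traffic logger would: a plain UDP DNS query, where the queried name sits in cleartext in the question section, and a minimal TLS ClientHello, where the hostname sits in cleartext in the server_name (SNI) extension. The hostnames and byte layouts are constructed for illustration; the parsers use only the standard library and handle just this minimal shape (one question, one SNI entry). Note that no URL path appears in either packet, matching the answer's point that HTTPS hides everything after the hostname.

```python
import struct


def encode_dns_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a classic (unencrypted) UDP DNS query for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    question = encode_dns_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_dns_query_name(pkt: bytes) -> str:
    """What an on-path observer reads out of a plain DNS query: the name, in cleartext."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    host = hostname.encode("ascii")
    server_name = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + b"\x00" * 32                                 # client_version + random (constructed)
        + b"\x00"                                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
        + b"\x01\x00"                                              # null compression
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """What an on-path observer reads out of the ClientHello: the SNI hostname, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                                # not a handshake/ClientHello record
    pos = 9 + 2 + 32                                               # record hdr + hs hdr + version + random
    pos += 1 + record[pos]                                         # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + record[pos]                                         # compression_methods
    if pos + 2 > len(record):
        return None                                                # no extensions block
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                             # server_name extension
            lpos = pos + 2                                         # skip server_name_list length
            name_type = record[lpos]
            name_len = struct.unpack("!H", record[lpos + 1:lpos + 3])[0]
            if name_type == 0:
                return record[lpos + 3:lpos + 3 + name_len].decode("ascii")
        pos += elen
    return None


if __name__ == "__main__":
    site = "example.com"                                           # constructed sample hostname
    print("DNS query reveals:  ", parse_dns_query_name(build_dns_query(site)))
    print("ClientHello reveals:", extract_sni(build_client_hello(site)))
```

Switching the resolver to an encrypted transport (DoT/DoH) only removes the first line of output from the ISP's view; the ClientHello on the following TCP connection still carries the same name until SNI itself is protected.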
  • There is DNS over TLS too, already standardized (DNS over HTTPS is not yet) and provided by various servers. CloudFlare supports it: https://developers.cloudflare.com/1.1.1.1/dns-over-tls/ – Patrick Mevzek Apr 15 '18 at 17:49
  • It's not (AFAIK) yet available as a service, but oblivious DNS addresses a lot of the shortcomings of other approaches to DNS encryption - https://odns.cs.princeton.edu/ – symcbean Apr 15 '18 at 19:13
  • @Arminius, thanks for the great answer. So assuming we are using Cloudflare's DNS over HTTPS, does that mean that my ISP will not see the URL I'm visiting, but just the IP of the server I'm connecting to? – foglerit Apr 15 '18 at 19:47
  • @foglerit If you're using DNS over HTTPS, your ISP will see *that* you're using Cloudflare's DoH service (but doesn't know which hostname you're querying). Then, if you connect to the resolved IP over HTTPS, your ISP obviously sees that IP (and again, they may learn the hostname due to SNI in the handshake, but not through the DNS query anymore). – Arminius Apr 15 '18 at 19:56