Ad and tracker blocking at the DNS level is a solid way to improve privacy, right? Whether it be using your VPN’s DNS or something like NextDNS.
Comment on What ISP see when I use custom DNS?
TiffyBelle@feddit.uk 1 year ago
Encrypted DNS doesn’t really do much for privacy. It does, however, accomplish two main things:
- Ensures the authenticity of the DNS server you’re receiving a response from due to the certificate exchange.
- Preserves the integrity of the response as it would be difficult for it to be tampered with in-transit.
The domain names you visit are leaked in plain text regardless of your DNS provider and how you connect to it, via the “client hello” process of TLS, specifically the Server Name Indication (SNI) portion. ISPs could, in theory, use this to see which domains you’re visiting, but not the specific pages within the domain.
Note that there are mechanisms like ECH (Encrypted Client Hello) and ESNI (Encrypted Server Name Indication) that attempt to solve the domain name leakage issue, but each requires domains that wish to support these technologies to include an entry specific to them in their DNS records to facilitate key exchange for the encryption to be viable. Very few domains presently do this.
ViciousTurducken@lemmy.one 1 year ago
TiffyBelle@feddit.uk 1 year ago
Yes. In fact, using DNS-based blocking solutions is pretty much the only way to protect against first-party trackers that use CNAME cloaking tactics if you’re not using a Firefox browser with uBO, since Chromium browsers have no ability to defend against this type of attack (with the exception of Brave, as they implemented their own method of protecting against this with their Shields system).
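The CNAME cloaking point in the reply above, as an added Python example (not code from any poster in this thread): a tracker host is hidden behind a first-party subdomain whose CNAME chain ends at a tracker domain. A blocker that only sees the URL host never learns where the name actually resolves, while a DNS-level blocker inspects every hop of the chain before it answers. The zone data, host names and blocklist are constructed for the illustration.

```python
from typing import Dict, List, Optional, Set


def fqdn(name: str) -> str:
    """Normalise to a lower-case name with a trailing dot, as in a DNS zone."""
    return name.lower().rstrip(".") + "."


# Constructed zone data: name -> CNAME target. Names absent here end in an A record.
# metrics.news.example looks first-party to the browser but is a tracker in disguise.
CNAME_RECORDS: Dict[str, str] = {
    fqdn("metrics.news.example"): fqdn("news-example.collect.tracker-cdn.net"),
    fqdn("news-example.collect.tracker-cdn.net"): fqdn("ingest.tracker-cdn.net"),
    fqdn("static.news.example"): fqdn("cdn.news.example"),  # a legitimate CNAME
}

# Constructed blocklist; an entry covers the domain and every subdomain under it.
BLOCKLIST: Set[str] = {fqdn("tracker-cdn.net")}


def parent_domains(name: str) -> List[str]:
    """All suffixes of a name: a.b.c. -> [a.b.c., b.c., c.]"""
    labels = fqdn(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def on_blocklist(name: str, blocklist: Set[str]) -> bool:
    return any(d in blocklist for d in parent_domains(name))


def follow_cnames(name: str, records: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Walk the CNAME chain from the requested name to its final owner name.

    Refuses loops and over-long chains, which a real resolver also has to guard against.
    """
    chain = [fqdn(name)]
    while chain[-1] in records:
        target = records[chain[-1]]
        if target in chain or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {target}")
        chain.append(target)
    return chain


def browser_first_party_check(requested: str, blocklist: Set[str]) -> bool:
    """A blocker that only sees the URL host: it never learns the CNAME target."""
    return on_blocklist(requested, blocklist)


def resolver_check(requested: str, records: Dict[str, str], blocklist: Set[str]) -> Optional[str]:
    """A DNS-level blocker: return the first hop of the chain that is on the blocklist, or None."""
    for hop in follow_cnames(requested, records):
        if on_blocklist(hop, blocklist):
            return hop
    return None


if __name__ == "__main__":
    for host in ("metrics.news.example", "static.news.example"):
        print(host, "chain:", " -> ".join(follow_cnames(host, CNAME_RECORDS)))
        print("  host-only blocker blocks it:", browser_first_party_check(host, BLOCKLIST))
        print("  DNS-level blocker hit:", resolver_check(host, CNAME_RECORDS, BLOCKLIST))
```

The suffix match in parent_domains is what lets a single blocklist entry catch every customer-specific subdomain the tracker hands out; matching on the exact final name alone would miss the cloaked hop.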
Boinketh@lemm.ee 1 year ago
The ISP can still see which IPs you’re visiting, so couldn’t they cover most cases by just doing their own lookup, but backwards?
outlying_demotion_nemeses@lemmy.sdf.org 1 year ago
A good chunk of the web uses CDNs (content delivery networks), which puts a bunch of sites behind the same IP, and those gateways rely on SNI to figure out which site to send to the requestor.
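The plaintext SNI leak described in TiffyBelle’s first comment and the shared-IP routing in the reply above, as one added Python example (not code from any poster in this thread). It builds a minimal TLS ClientHello record carrying a server_name extension, parses the host name back out exactly as an on-path observer would, and then uses that name to pick an origin the way a CDN edge serving several sites from one IP does. The host names, backend addresses and the zeroed client random are constructed for the illustration; a real ClientHello carries more extensions, but the SNI layout is the same.

```python
import struct
from typing import Dict, Optional

SNI_EXTENSION_TYPE = 0x0000


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record. hostname=None omits the SNI extension."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + bytes(32)                                  # client random (zeros, constructed)
        + b"\x00"                                    # session id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None.

    Every byte read here precedes any key exchange, so the ISP or any other
    on-path observer reads it the same way this function does.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                 # legacy_version + random
    pos += 1 + body[pos]                                         # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]         # cipher suites
    pos += 1 + body[pos]                                         # compression methods
    if pos + 2 > len(body):
        return None                                              # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            if name_type == 0:                                   # host_name
                return data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


# Constructed: three unrelated sites served from one edge IP, the CDN case.
BACKENDS: Dict[str, str] = {
    "shop.example": "10.0.0.11",
    "blog.example": "10.0.0.12",
    "app.example": "10.0.0.13",
}


def route_by_sni(record: bytes, backends: Dict[str, str] = BACKENDS) -> Optional[str]:
    """Pick the origin the way a shared-IP edge does: from the SNI name alone."""
    host = extract_sni(record)
    return backends.get(host) if host else None


def observer_sees(record: bytes) -> bool:
    """True if the host name sits as plain bytes in the record, as a passive tap would see it."""
    host = extract_sni(record)
    return host is not None and host.encode("ascii") in record


if __name__ == "__main__":
    for host in BACKENDS:
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "routed to", route_by_sni(rec), "visible:", observer_sees(rec))
    print("no SNI ->", route_by_sni(build_client_hello(None)))
```

The no-SNI case is why the edge cannot simply drop the field: with nothing to dispatch on it has no idea which of the sites behind that IP the client wants, which is the same ambiguity a reverse IP lookup by the ISP runs into.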