
How to keep your ISP’s nose out of your browser history with encrypted DNS - azizuysal
https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/
======
mike-cardwell
If you care about privacy, use your ISPs DNS servers.

Your ISP can see exactly which websites you're visiting regardless of how you
do DNS, thanks to being able to see which IPs you're sending packets to, and
thanks to SNI.

The only thing you get from adding some third party encrypted DNS service to
the mix, is an _additional_ party which can also see what websites you're
visiting.

~~~
aaomidi
I'm still pissed off we didn't get encrypted SNI in TLS 1.3

It would've broken so many dpi based censorship systems in countries like
Iran, Turkey, and Russia.

~~~
gruez
how would encrypted SNI work? sure, you can probably do some sort of DHE, but
that's vulnerable to MITM, which is why we have certificates to begin with.

~~~
bscphil
What if we could have first class SSL certs for IP addresses? You connect to
the IP and verify the cert it presents you with your PKI, then switch to the
desired host via SNI or some other mechanism after DHE is established. I
suspect you could do this without any extra hops but I haven't really thought
through how that would work.

~~~
ori_b
> What if we could have first class SSL certs for IP addresses?

They're not routable.

~~~
rmwaite
What does this mean?

~~~
ori_b
What's the next hop for a cryptographic hash? With IP addresses, you have a
hierarchy: You match on a prefix to find the router to handle the next path,
and that one matches on a longer prefix to find the next hop, and so on.

That allows you to have routing tables that don't include every single host on
the internet. This is what allows efficient routing to happen.

------
berkut
I'm probably being really stupid, but how does using encrypted DNS prevent
your ISP seeing what websites you go to? (I haven't done network stuff for
many years, and am a bit out of touch with the current stuff).

Can't ISPs still see the eventual target IP address, and do a reverse DNS
lookup of that? Even with HTTPS/TLS I thought encryption is done after a
handshake isn't it, which would imply a TCP level connection is made first
which would be sniffable?

~~~
Someone1234
It increases the cost and complexity of an ISP tracking you, which is a win
within itself. Plus some services share public IPs or are behind a global
cache (e.g. Cloudflare) making it harder to pinpoint exactly which endpoint
you tried to access.

Is it perfect? No. It is better than yesterday? Yes.

I call these "micro-wins." One micro-win won't make a difference, but two,
three, four, and so on eventually start to have an impact. And that's all we
can hope for.

Even often cited VPNs just shift the problem downstream. Instead of your ISP
monitoring you, the VPN provider themselves could, or if you host it yourself
then your server/virtual server's ISP could. VPNs themselves are another
"micro-win" but people often claim they're a complete bulletproof solution.

~~~
bogomipz
>"I call these "micro-wins."

I like this term :)

I also believe it's a win when computer privacy and security begin to edge
into the mainstream lexicon. Somewhat anecdotal, but I recently saw that NordVPN
is advertising on CNN.

------
therealmarv
Also mentioned in article: Use DNSCrypt Proxy V2 (a golang rewrite) for DNS
over TLS and/or DNScurve
[https://github.com/jedisct1/dnscrypt-proxy](https://github.com/jedisct1/dnscrypt-proxy)

E.g. on a Mac with Homebrew. First:

    brew install dnscrypt-proxy

Second: Edit your /usr/local/etc/dnscrypt-proxy.toml and put e.g. google or
cloudflare there inside

Third: Put your DNS to 127.0.0.1

~~~
rnhmjoj
I'm a bit concerned about using it yet because it was written from scratch
just about three months ago and probably hasn't gone through enough testing.

~~~
shakna
How about an actively-maintained 3-year-old project? [0]

[0] [https://github.com/alterstep/dnscrypt-osxclient](https://github.com/alterstep/dnscrypt-osxclient)

~~~
therealmarv
I used that one before. I don't like it technically. It only supports DNScurve
and installs itself deeply into the system (e.g. system preferences). I also
think it's more unreliable because they don't do the caching in a good way
(sometimes a DNS server fails is my experience). I like dnscrypt proxy V2 more
because it's more rock solid, works better on caching and also supports DNS
over TLS. Only downside on dnscrypt proxy is that you don't have a nice UI and
you have to type the local DNS 127.0.0.1 manually into your Wifi or LAN
connection point.

~~~
jedisct1
I use this as a UI for dnscrypt-proxy v2:
[https://getbitbar.com/plugins/Network/dnscrypt-proxy-switche...](https://getbitbar.com/plugins/Network/dnscrypt-proxy-switcher.10s.sh)

------
throw2016
This preoccupation with ISPs is akin to concern about a pin prick while blood
gushes out of knife wound unattended.

All sorts of solutions are offered enthusiastically while the elephant in the
room, tens of thousands of engineers and billion dollar companies incentivized
to hoover up and collate every minutia of user data as a business model, is
met with hand wringing and apologism about ad revenue.

In this case solutions have to emerge from outside the tech community by
something like GDPR. Given that reality and the primacy of ad driven business
models in SV, it's difficult to contextualize this preoccupation with ISPs. It
feels like a distraction, insincere and driven by commercial concerns.

~~~
supertrope
I agree. To play devil's advocate you can choose not to use Facebook or Gmail
or Android. In many areas (of USA) there's exactly two choices for Internet
access, and in some there's only one. Additionally the quid pro quo of free
online services for personal data may be considered less objectionable than
additional monetization on top of the monthly fee.

------
woofcat
Sadly not really a solution yet for SNI being unencrypted. So while they may
not see your DNS query they can just use DPI to capture the sites.

VPN is a solution but not always deployable.

~~~
adrianN
VPN is not really a solution because you have no reason to trust your VPN
provider more than your ISP.

~~~
iotku
>you have no reason to trust your VPN provider more than your ISP.

A lot of people really do distrust their ISP enough that even with knowledge
that you're shifting the responsibility to the VPN provider they still trust a
random VPN more than their ISP.

Would I trust some random unknown VPN provider more than Comcast? Maybe.

~~~
paulie_a
I would trust the Russian mob before I would trust Comcast

~~~
JorgeGT
Well, as in anything human it is a matter of incentives. Comcast probably has
an incentive for logging and selling your data to advertisers, whereas the
Russian mob probably has other, more pressing things to worry about.

I follow the same logic by setting up my own VPS in a rented $big_provider
VPN. VPS companies are succulent targets that surely attract many eyes,
whereas I doubt any non-state actor has the capacity of capturing and
filtering the traffic of the millions of random VPNs that $big_provider has.

------
tempz
I cannot begin to understand how it is better to reveal your DNS access
patterns to a global company like Cloudflare, as opposed to revealing them
to your local ISP.

Who do you think can smoother monetize your data - your local ISP or
Cloudflare? Or maybe Cloudflare solemnly promised never to do it?

If an effort is to be taken, the best thing is to run your own DNS resolver
that will query root servers and follow the chains directly.

~~~
stordoff
It's fragmenting the data - CloudFlare _only_ gets your DNS data, whereas your
ISP has DNS, content of non-HTTPS traffic (Cloudflare gets a non-zero
percentage of this anyway), billing information, real identity etc. Your ISP
can _immediately_ tie your DNS records to a real identity (or a member of your
household at the very least), whereas CloudFlare can only make inferences from
the data and the source IP location. It gives two companies an incomplete
picture, rather than one knowing EVERYTHING. CloudFlare's promise not to do so
is also a non-zero consideration - it's clearly unenforceable/you would never
know, but the mere promise is probably better than many ISPs.

I'd also say most users' ISPs are probably global companies (or at least
national) anyway.

> the best thing is to run your own DNS resolver that will query root servers
> and follow the chains directly

Only if the first step is also encrypted. If it is plain DNS, then your ISP
can see the requests almost as easily as if going to their own servers (or
transparently redirect the requests to their servers).

------
JumpCrisscross
Dumbass question: is there a difference between setting one’s DNS to
[https://1.1.1.1](https://1.1.1.1) versus 1.1.1.1 unadorned?

~~~
tomcooks
I am not a sysadmin but you can't add [https://](https://) (or any other
prefix) in front of a DNS address. Secure HTTP is a different protocol, suited
for web page hosting.

~~~
alwillis
DNS over HTTPS (DoH) works in the latest Firefox Nightly:
[https://facebookexperimental.github.io/doh-proxy/tutorials/f...](https://facebookexperimental.github.io/doh-proxy/tutorials/firefox-nightly-doh-proxy.html)

------
evolve2k
From the article it seems like 'DNS over HTTPS' (DoH) seems to be the
_winner_. Seems the author's best advice is to set up DoH via DNSCrypt Proxy 2,
possibly using a raspberry pi to make it easier to manage ur whole network.

Do people here agree this is a pretty good approach?

~~~
arca_vorago
I thought that dnscurve was the method to actually prevent domain snooping.
Regardless, I think running your own authoritative dns which updates from root
servers is the real way to go.

~~~
pbhjpbhj
Your traffic still has to go to those servers, so your ISP still can track the
terminal server IP, can't it? (TOR, or tunneling aside)

~~~
pixl97
An almost unlimited number of domains can be hosted off a single IP. That
said, the SNI header can still be sniffed on an HTTPS connection.

------
Sami_Lehtinen
After all these posts, I still don't get what the problem is with the ISP
seeing my DNS queries. That's still private telecom information protected by
law. Unless you're doing something obviously illegal, and are under
investigation. They can't do anything with that data legally. Using Cloudflare
or VPN most likely won't solve the problem anyway, at least if you're doing
something criminal enough. Therefore claiming it makes you untraceable on the
net is snake oil anyway.

------
xorcist
Why are so many clients still running stub resolvers?

Just type "apt-get install unbound" already. You won't miss that 200 kB
resident memory.

------
Annatar
...Or one could just run one's own DNS servers.

~~~
ohiovr
Yes, it isn't that hard to do:

[https://www.digitalocean.com/community/tutorials/how-to-conf...](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-16-04)

------
rmdoss
It is not so much about privacy, but about the integrity of your data.

Your ISP can see the IP addresses and all the metadata for your traffic. With
the current way DNS is set up, they can modify the responses and re-route you
anywhere they want.

With HTTPS and encrypted DNS, it makes it a lot harder for them to inject content
or redirect you without browser warnings.

------
amelius
Isn't there an option to pollute the information the ISP sees to such a level
that their information is useless?

E.g. contact a friendly service that gives back N different random domain
names; then lookup those domain names, spread over, say, an hour; then repeat.

~~~
written
I just realized I'm obfuscating my internet usage inadvertently. Here's how:

A good source of reasonable randomness is Twitter. I've set up a scraper for
various Twitter accounts and I'm downloading every page that is linked by
those accounts automatically.

With this approach you can even select what you want to look like based on
your browsing data by selecting proper accounts. Gold bug? Bitcoin fool?
Knitting expert? No problemo. ;)

------
itakedrugs
Now we just need an encrypted DNS provider that isn't NSA's puppet...

~~~
quickthrower2
Namecoin?

------
plg
does/can Pi-Hole use encrypted DNS?

I have a raspberry-pi on my home network running Pi-Hole and my router’s DHCP
server gives all devices on my network the Pi-Hole as the DNS address

~~~
Machado117
Yes, you can follow the instructions from the wiki
[https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0](https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0)

------
StillBored
Now if we can just get a default encrypted email protocol....

~~~
h1d
I thought the reason that these critical infrastructures are not encrypted
after decades and decades of use is that there are powerful agencies who want
to snoop on them.

------
aorth
This is the first I've heard of cloudflared (aka Argo). It's a DNS over HTTPS
proxy. As far as I know Firefox is working to get DNS over HTTPS into Nightly
so it can be used directly in the browser, but this proxy allows your whole
system to use DNS over HTTPS without having to change anything (other than
pointing /etc/resolv.conf or equivalent at 127.0.0.1). Pretty cool!

