
On 23/10/17 11:15, Peter Reutemann wrote:
> The problem for those security conscious out there is that these requests are done in plain text through UDP or TCP protocols which are readable by anyone that can see your connection, including your ISP. This is where DNS over TLS comes in.
Given that most people use the default assigned nameservers which are usually the caching servers of the ISP, DNS over TLS won't have any effect, since the ISP can log all the requests to the name server. And as the article points out, whenever you access a page over HTTPS, the host name is sent in plain text too. The only way to avoid your ISP knowing what you are up to is to use a VPN. That way all they see is encrypted traffic to a VPN end point.

To me, enabling DNSSEC is more important than DNS over TLS. DNSSEC ensures that a caching nameserver can verify that the DNS request has not been tampered with during transit.

-- 
Simon