Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit

'DNS (Domain Name Server) is what translates a website address from a URL that you enter to an IP address which your computer actually connects to. For example, when you type “www.xda-developers.com” into your browser, your computer queries a DNS which looks up and returns the IP address “209.58.128.90” to the client. This process is hidden from the user, but every website you visit (so long as it has a human-readable URL) will go through this same process. The problem for those security conscious out there is that these requests are done in plain text through UDP or TCP protocols which are readable by anyone that can see your connection, including your ISP. This is where DNS over TLS comes in.'

-- source: https://www.xda-developers.com/android-dns-over-tls-website-privacy/

Cheers, Peter
--
Peter Reutemann
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
http://www.cms.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/
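The quoted article describes the lookup that happens before every connection and notes that it travels in plain text. The following is an added example (not part of the thread or the article): it builds a standard DNS query in RFC 1035 wire format and then, from nothing but the raw UDP payload, recovers the queried name the way a passive on-path observer such as an ISP could on port 53. DNS over TLS (RFC 7858) carries exactly these bytes, but inside a TLS session on TCP port 853, so that step no longer works. The transaction ID and the sample name are constructed values.

```python
"""Added example: what a plain port-53 DNS query looks like on the wire and
what an observer can read out of it. Not code from the original thread."""
import struct

DNS_PORT_PLAIN = 53   # classic UDP/TCP DNS: the query name is visible on the wire
DNS_PORT_TLS = 853    # DNS over TLS (RFC 7858): the same message sits inside a TLS record


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:          # RFC 1035 label limit
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query (QTYPE 1 = A, QCLASS 1 = IN).
    txid 0x1234 is a constructed value; a real resolver picks it randomly."""
    # header: ID, flags (RD=1, everything else 0), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data: bytes, offset: int) -> tuple:
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # compression pointers appear in answers, never in a plain question
            raise ValueError("unexpected compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observe_query(udp_payload: bytes) -> dict:
    """What a passive observer recovers from a plaintext query: the transaction
    ID, the name being looked up and the record type. Raises on malformed input."""
    if len(udp_payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", udp_payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(udp_payload, 12)
    qtype, qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "is_query": not (flags & 0x8000)}


if __name__ == "__main__":
    # constructed sample: the host name used in the quoted article
    pkt = build_query("www.xda-developers.com")
    print(pkt.hex())            # the label bytes are readable straight out of the hex dump
    print(observe_query(pkt))
```

The point of `observe_query` is that it needs no key, no state and no cooperation from either endpoint: the name is a sequence of ASCII labels in the clear. Wrapping the identical message in TLS (port 853) is what removes that exposure, while leaving the resolver itself fully informed, which is the caveat raised in the replies below.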

On Mon, 23 Oct 2017 11:15:28 +1300, Peter Reutemann wrote:
'The problem for those security conscious out there is that these requests are done in plain text through UDP or TCP protocols which are readable by anyone that can see your connection, including your ISP. This is where DNS over TLS comes in.'
The DNS caching server you use will still know which sites you visit. Will you have a choice of caching servers, or will it have to be Google?

On 23/10/17 11:15, Peter Reutemann wrote:
'The problem for those security conscious out there is that these requests are done in plain text through UDP or TCP protocols which are readable by anyone that can see your connection, including your ISP. This is where DNS over TLS comes in.'
Given that most people use the default assigned nameservers which are usually the caching servers of the ISP, DNS over TLS won't have any effect, since the ISP can log all the requests to the name server. And as the article points out, whenever you access a page over HTTPS, the host name is sent in plain text too. The only way to avoid your ISP knowing what you are up to is to use a VPN. That way all they see is encrypted traffic to a VPN end point. To me, enabling DNSSEC is more important than DNS over TLS. DNSSEC ensures that a caching nameserver can verify that the DNS request has not been tampered with during transit.

-- Simon

On Mon, 23 Oct 2017 14:02:45 +1300, Simon Green wrote:
To me, enabling DNSSEC is more important than DNS over TLS. DNSSEC ensures that a caching nameserver can verify that the DNS request has not been tampered with during transit.
Which is hardly a big issue, when you have end-to-end encryption (SSH, SSL/TLS). And also quite different from the issue being addressed here.
participants (3)
- Lawrence D'Oliveiro
- Peter Reutemann
- Simon Green