On 23/10/17 11:15, Peter Reutemann wrote:
> 'The problem for those security conscious out there is
> requests are done in plain text through UDP or TCP protocols which
> are readable by anyone that can see your connection, including your
> ISP. This is where DNS over TLS comes in.'
Given that most people use the default assigned nameservers which are
usually the caching servers of the ISP, DNS over TLS won't have any
effect, since the ISP can log all the requests to the name server. And
as the article points out, whenever you access a page over HTTPS, the
host name is sent in plain text too.
The only way to avoid your ISP knowing what you are up to is to use a
VPN. That way all they see is encrypted traffic to a VPN end point.
To me, enabling DNSSEC is more important than DNS over TLS. DNSSEC
ensures that a caching nameserver can verify that the DNS request has
not been tampered with during transit.