Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

DNS is in the clear by default.


I thought that once DNS is resolved the DNS request doesn't go any further and the actual request is sent to the IP address...


Yes, but the parent comment you replied to was, I believe, referring to data leakage via DNS, not data leakage over HTTP requests. Two different things. What they were getting at is your ISP's DNS servers--and every DNS server hit along the path of resolution--know something about every request made by one of your devices when your devices route DNS through them. Assuming every request to domain.com is encrypted, your ISP may not know what you're sending to domain.com, but they do know you are sending data to domain.com because DNS is in the clear by default. This has led a number of ISPs to capture this information and use it for purposes a customer often does not know about, understand, or may object to--such as selling that information, using it for injecting advertising or hijacking requests, and other actions. What's worse is that many ISPs (in the US, at least) ensure this behavior can occur by requiring customers to use gateways/routers that are locked down to ISP DNS servers, and many of these devices prevent users from modifying the DNS servers used.

Encrypted DNS and devices like the Pi-hole provide end users a means of bypassing this behavior by avoiding ISP DNS servers entirely so even where you're trying to go isn't known by them.


This is one of the many concerns, yes.

Another big concern is privacy from the other side: if you're using Tor or an anonymizing VPN while visiting a website looking to deanonymize users, and the website owners see a DNS query to their nameserver from a Comcast DNS server somewhere in a midwestern state timed perfectly before your HTTP request coming from a Tor exit node or anonymizing VPN, they can potentially infer your broad location and ISP, and potentially narrow your identity down from there (especially if you ever visited that site, or an affiliated site or site that shares data with them, in the past without using an anonymizer), negating the purpose of the anonymizer.

If all they see is a query from 1.1.1.1 or 8.8.8.8, you could be anywhere in the world, using any ISP.

And your ISP can do this in an even more precise way. Customer makes DNS query for siteispsdontlike.com and then immediately sends a lot of traffic to a server registered to an anonymizing VPN company. That tells the ISP "this customer is visiting this 'suspicious' website, and also covering it up by using this specific anonymizer".


And the original GP was pointing out that they had carefully selected an ISP that they trust and wanted to use as their DNS provider and did not want the browser ignoring that...

We basically seem to both agree with the original GP. Things just got a little confused.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: