Memes

44073 readers

2240 users here now

Rules:

Be civil and nice.
Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago

MODERATORS

[email protected]

1059

Cough Cough... Chrome... Chough... (slrpnk.net)

submitted 2 months ago by [email protected] to c/[email protected]

145 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 5 points 2 months ago (6 children)

DoT also encrypts the request, so the ISP cannot spy on the Domain Name you have requested.

And thanks to Https the ISP only sees the IP address which cannot in every case be resolved to a unique Domain, especially large sites that are hosted on service providers like Cloudflare, amazon etc etc

[–] [email protected] 2 points 2 months ago* (last edited 2 months ago) (5 children)

But what's not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you're trying to reach at that IP, before establishing the TLS connection, contains the domain you'd requested via DoH/DoT, in plaintext.

[–] [email protected] 1 points 2 months ago (1 children)

https://www.cloudflare.com/learning/dns/dns-over-tls/

If I understand it correctly DoH (which I use with NextDNS) should prevent ISP from snooping.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

It will prevent the ISP from snooping on, or tampering with, the DNS request. However when you go to use the IP you've retrieved via DoH/DoT; your first request establishing a TLS connection to that IP will contain an unencrypted SNI which states the domain you are trying to use. This can be snooped on by your ISP.

load more comments (3 replies)