ISP sniffing Cloudflare DNS resolver 1.1.1.1


#1

Question following the articles https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/ and https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/

When my router uses Cloudflare DNS resolver 1.1.1.1 :

  1. is my ISP still able to monitor my Internet browsing history? How can I test and perhaps fight it?
  2. is my ISP able to rewrite my network request data and serve “not real content”? How can I fight it?
  3. how can I test if my Cloudflare DNS resolver is configured correctly and working properly (has no interruptions from the ISP; for example, I may use my ISP-provided router with its software on it)?

#2

Hi,

When you browse the web, DNS is just one part of the story. Your ISP can still see the IP addresses you are connecting to. And even if some tricks exist to mitigate this, they can usually still see the host names.

DNS is the easiest, cheapest and most widely deployed way to do mass surveillance and censorship. But if an ISP wants to specifically look at your traffic, they will look at everything else.

DNS-over-HTTP and similar protocols improve security, but they are not designed to work around legislation.

Your ISP can hijack your queries. A lot of efforts are being made to make this more and more difficult, at least when connecting to websites using HTTPS or HTTP/2. If you blindly click “continue” when your browser issues a warning, the whole point of these efforts is moot, though.


#3

If you don’t trust your ISP, DNS-only approaches just won’t be enough. Names from SNI in HTTPS are one example, so they can still easily track site names and selectively block them.


#4

Perhaps “running a DNS over HTTPS client” https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/ would stop the ISP from sniffing?


#5

It stops your ISP from sniffing your DNS traffic or blocking or modifying specific domains.

Your ISP could still totally block access to Cloudflare’s DoH servers, or sniff other protocols like HTTP or TLS SNI, as mentioned above.
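To make the point of #2, #3 and #5 concrete, here is an added example (not code from the thread or from Cloudflare): a toy on-path "sniffer" that, given only a destination port and the packet bytes, shows what an ISP can read from three kinds of traffic. The packets are constructed inline (a plain UDP/53 DNS query, a TLS ClientHello to a web site, and a TLS ClientHello to a DoH resolver, using `cloudflare-dns.com` as the assumed DoH host name), so nothing is sent over the network. The DNS query name is cleartext, the web site's name leaks through SNI even though the rest of the session is encrypted, and with DoH the observer only learns that you are talking to the resolver, not what you asked it.

```python
"""Added example, not part of the original thread: a passive observer that shows
what leaks from cleartext DNS, from TLS SNI, and from a DoH session.
All packets below are constructed inline; nothing touches the network."""
import struct
from typing import Optional


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query for an A record, as a stub resolver sends it to UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_client_hello(sni: str) -> bytes:
    """Minimal TLS ClientHello record carrying a server_name (SNI) extension."""
    host = sni.encode()
    server_name_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32            # client_version, random
            + b"\x00"                              # session id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sniff_dns_qname(payload: bytes) -> Optional[str]:
    """Read the question name out of a cleartext DNS query (12-byte header first)."""
    if len(payload) < 12 or payload[2] & 0x80:  # QR bit set: a response, not a query
        return None
    if struct.unpack("!H", payload[4:6])[0] == 0:  # QDCOUNT
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None  # truncated name


def sniff_tls_sni(payload: bytes) -> Optional[str]:
    """Extract the SNI host name from a TLS ClientHello; None for anything else."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None  # not a handshake record, or not a ClientHello (e.g. encrypted app data)
    pos = 43  # 5 record header + 4 handshake header + 2 version + 32 random
    pos += 1 + payload[pos]                                   # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                                   # compression methods
    if pos + 2 > len(payload):
        return None
    ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list length (2), name type (1), name length (2), name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None


def observe(dst_port: int, payload: bytes) -> dict:
    """What an on-path observer learns from one packet, given only port and bytes."""
    if dst_port == 53:
        return {"protocol": "DNS (cleartext)", "leaked_name": sniff_dns_qname(payload)}
    if dst_port == 443:
        return {"protocol": "TLS", "leaked_name": sniff_tls_sni(payload)}
    return {"protocol": "unknown", "leaked_name": None}


# Constructed traffic: (description, destination port, bytes on the wire)
PACKETS = [
    ("stub resolver asks for example.com over plain UDP/53", 53, build_dns_query("example.com")),
    ("browser opens an HTTPS connection to example.com", 443, build_client_hello("example.com")),
    # Assumed DoH resolver host name; the real DNS question is inside the encrypted session
    ("cloudflared opens a DoH session", 443, build_client_hello("cloudflare-dns.com")),
]


def leaked_names() -> list:
    """Names an ISP can read from each packet, in PACKETS order."""
    return [observe(port, data)["leaked_name"] for _, port, data in PACKETS]


if __name__ == "__main__":
    for desc, port, data in PACKETS:
        print(f"{desc}\n  -> observer sees: {observe(port, data)}")
```

Run it and the third line is the whole argument of this thread: DoH hides the question, but the observer still sees a TLS session to the resolver (so it can block it) and still sees `example.com` in the browser's own ClientHello.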