ISP Tracking - Confusion


#1

Ok, so the big selling point of CloudFlare’s DNS (besides being super fast), is that it keeps your ISP from tracking which sites you go to because you’re not using their DNS servers.

I have some issues/questions about this, because I don’t totally buy into it.

All packets on the Internet have a destination and source IP address, and this is in the clear. It must be, so that all routers know where a packet is going in order to properly route it.
Since your ISP is the first external node all your packets hit, they automatically know who you are (they assigned you that source IP address after all) and where you are browsing (the destination IP address). So all they need to do is a reverse IP address lookup to get the domain name you’re accessing.

Even with encrypted DNS (DoH), while the domain name you are looking up is encrypted, the subsequent data packets your browser, email, app, etc. use to access that web site are still in the clear. As I said before, they MUST be in the clear to get properly routed.

So while CloudFlare flushes all DNS requests after 24 hours, and you can use DoH for your DNS lookups, I don’t see how this helps keep your ISP’s snooping eyes out of our browsing habits.

Did I miss something, or is this just all marketing hype?

Thanks.


#2

Your ISP can’t see the domains you entered, but the IPs you connected to. That’s correct. Your ISP is still able to see the IPs you were connected to. That’s nothing DNS related. Other peers don’t know you. Their routers only see the IP of their next peer. But yes: if they do a reverse lookup, they may get the domain name.
If you’re concerned about this you need to use services like Tor. However: there are countries with a “great” firewall. And they do deep packet inspection…

There is no 100% guarantee to stay secure and private on the internet. But DNS over TLS or DoH help to make it harder for them. For example: If a law enforcement agency requests a list of website names you’ve visited from your ISP they will get… no names.

This is not a marketing thing. 1.1.1.1 is free. As well as 8.8.8.8 and 9.9.9.9.


#3

Thank you for your response.
‘Marketing hype’ was probably a bit harsh - sorry.
I see a lot of YouTubers and articles exalting the use of CloudFlare DNS or DoH as ‘preventing your ISP from tracking you’, and I really didn’t think it was so absolute. And it’s not.
Yes, it’s better than using the ISP’s DNS servers: faster, more secure, more complete, and offers DoH, so I have switched (including DoH) and am loving it.
Again, thanks for your reply!


#4

It is worth noting that hostnames for HTTPS are still transmitted in the clear, as the web server must know which certificate to present. This is done using Server Name Indication (SNI).

Currently this is primarily used for HTTPS traffic, but there is no reason it can’t be used for any TLS based connection, and if implemented by the client the information would be made available to anyone in a position to monitor packets.

While it wouldn’t be impossible to design systems that are at least partially immune to this, I’m not aware of any implementation which attempts to address this in any meaningful way.


#5

This topic was automatically closed after 14 days. New replies are no longer allowed.