As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
Ordinary DNS requests are always plaintext and readable to anyone between you and the DNS server. So regardless of which DNS server you use, your ISP can see all your DNS lookups.
For any amount of privacy for DNS, the minimum is something like DNS-over-TLS or DNS-over-HTTPS, the latter of which Firefox uses by default in some countries and supports everywhere.
Ordinary DNS requests are always plaintext and readable to anyone between you and the DNS server.
Not just readable… The ISP can inject their own responses too. Regular DNS is both unencrypted and unauthenticated, with most clients not enforcing DNSSEC.
It’s easy to setup something like AdGuard Home that provides malware blocking, ad blocking if you’re interested in that, and supports DNS-over-HTTPS out of the box (unlike PiHole, which needs a bunch of manual setup)
Yes and no. If your isp is still providing unencrypted DNS for you, then they can still see the domain name you’re visiting.
What if you force a dns, like say cloudflare?
Ordinary DNS requests are always plaintext and readable to anyone between you and the DNS server. So regardless of which DNS server you use, your ISP can see all your DNS lookups. For any amount of privacy for DNS, the minimum is something like DNS-over-TLS or DNS-over-HTTPS, the latter of which Firefox uses by default in some countries and supports everywhere.
I mean with this + DNS over HTTPS can we guarantee the isp can no longer see anything?
They’ll only see the IP you’re connecting with and encrypted data packets being transferred on.
Not just readable… The ISP can inject their own responses too. Regular DNS is both unencrypted and unauthenticated, with most clients not enforcing DNSSEC.
so you’re saying self host an authoritative DNS server
It’s easy to setup something like AdGuard Home that provides malware blocking, ad blocking if you’re interested in that, and supports DNS-over-HTTPS out of the box (unlike PiHole, which needs a bunch of manual setup)
If you can protect it from leaks than why not, but beware the fines are big