• mipadaitu@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    arrow-down
    2
    ·
    8 months ago

    That solves a completely different problem. The ISP can still see who you requested data from.

    That’s more about security around retrieving the correct IP address from a DNS query, and doesn’t do that much for privacy.

    • ShortN0te@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      8 months ago

      DoT also encrypts the request, so the ISP cannot spy on the Domain Name you have requested.

      And thanks to Https the ISP only sees the IP address which cannot in every case be resolved to a unique Domain, especially large sites that are hosted on service providers like Cloudflare, amazon etc etc

      • Darkassassin07@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        8 months ago

        But what’s not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you’re trying to reach at that IP, before establishing the TLS connection, contains the domain you’d requested via DoH/DoT, in plaintext.

          • Darkassassin07@lemmy.ca
            link
            fedilink
            English
            arrow-up
            4
            ·
            8 months ago

            True. Known as Encrypted Client Hello now, as part of TLS1.3.

            It seems many more browsers support it than last I’d looked. I’m curious to see how much of the general web has adopted support for it onnthe server side. I’ll have to look into that more, and see what it’ll take to setup for self-hosting.

          • Darkassassin07@lemmy.ca
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            8 months ago

            It will prevent the ISP from snooping on, or tampering with, the DNS request. However when you go to use the IP you’ve retrieved via DoH/DoT; your first request establishing a TLS connection to that IP will contain an unencrypted SNI which states the domain you are trying to use. This can be snooped on by your ISP.

        • ShortN0te@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          That is correct. HSTS helps to some degree but the very first request is still unprotected.