>DNS query [...] in the clear. [...] (DoH) plugs this privacy leak [...] no one on the network, not your internet service provider [...] can eavesdrop on your browsing
Whoever could see DNS traffic can still see the target you're connecting to...
The promise is especially dangerous when a huge fraction of traffic doesn't use Encrypted Client Hello, [1] so the domain name is sent in the clear with the initial request to the server.
A while back I wrote a quick proof-of-concept that parses packet data from sniffglue [2] and ran it on my very low powered router to log all source IP address + hostname headers. It didn't even use a measurable amount of CPU, and I didn't bother to implement it efficiently, either.
I think it's safe to assume that anyone in a position to MITM you, including your ISP, could easily be logging this traffic if they want to.
But if that request is going to a large provider (GCP, AWS, Cloudflare), without the hostname, the request is going to be close to meaningless for the snoop.
This is correct. The right way to think of DoH is as part of a package of mechanisms (including ECH) that collectively are designed to close network-based leakage of browsing history. Used alone, it has some value but that value is limited.
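To make the leak concrete from the auditing side: the snippet below is an added example (not bscphil's sniffglue-based proof-of-concept and not code from this thread) that parses a TLS ClientHello record and reports whether it carries a plaintext `server_name` extension, and whether an `encrypted_client_hello` extension is also present. It constructs its own sample ClientHello bytes rather than capturing traffic, and the ECH extension codepoint `0xfe0d` is taken from the ECH draft and treated here as an assumption. Running something like this against your own outbound traffic after turning on DoH shows why the hostname is still visible to anyone on the path unless ECH is in use, and why, as ekr____ says above, DoH is one part of a package.

```python
import struct

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello codepoint from the ECH draft (assumption)


def build_client_hello(server_name, ech_payload=None):
    """Constructed test input: a minimal TLS record holding a ClientHello.

    server_name -> plaintext SNI (None to omit the extension).
    ech_payload -> opaque bytes placed in an ECH extension (None to omit).
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # type 0 = host_name
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = b"\x03\x03" + b"\x11" * 32           # client_version + random (dummy)
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
    body += b"\x01\x00"                         # one compression method (null)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return (sni, has_ech) for a ClientHello record, or None if it is not one."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version + random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                          # skip compression_methods
    if pos + 2 > len(body):
        return (None, False)                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, has_ech = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT and len(data) >= 5:
            p = 2                                 # skip ServerNameList length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    sni = data[p:p + nlen].decode("ascii", "replace")
                p += nlen
        elif etype == ECH_EXT:
            has_ech = True
    return (sni, has_ech)


def classify(record):
    """Describe what an on-path observer learns from this ClientHello."""
    parsed = extract_sni(record)
    if parsed is None:
        return "not a ClientHello"
    sni, has_ech = parsed
    if has_ech:
        return "ECH present: outer SNI %r is only the public name" % sni
    if sni is None:
        return "no SNI: destination IP only"
    return "plaintext SNI exposes hostname %r" % sni


def audit_flows(flows):
    """Mimic the thread's logging idea: (src_ip, record) -> [(src_ip, verdict)]."""
    return [(src, classify(rec)) for src, rec in flows]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [
        ("10.0.0.5", build_client_hello("example.com")),
        ("10.0.0.6", build_client_hello("public.example", ech_payload=b"\x00" * 8)),
        ("10.0.0.7", build_client_hello(None)),
    ]
    for src, verdict in audit_flows(sample):
        print(src, verdict)
```

The `audit_flows` output is the defender's view of the same data an ISP-side logger would collect: with DoH alone, the first flow still names `example.com` in the clear; only the ECH flow hides the real hostname behind a public name.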
bscphil|5 months ago
[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
[2] https://github.com/kpcyrd/sniffglue
kyrra|5 months ago
wander_forever|5 months ago
wander_forever|5 months ago
ekr____|5 months ago