
Support Forum

ISP can still know the URLs when DoH running

  • 7 replies
  • 1 has this problem
  • Last reply by christ1
Posted

Version: Firefox 68.1.1, Android 6.0

I did these settings below to turn on the DoH: network.trr.bootstrapAddress:104.16.249.249 network.trr.mode:3 (Others were kept default)

Then, I visited some websites. After a while, I went to the website of my ISP (China Unicom) to look up the details of my data usage, the URLs and visit time were presented there! And were exactly correct! How??


Additional System Details

Application

  • User Agent: Mozilla/5.0 (Android 6.0; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0


christ1
  • Top 25 Contributor
2171 solutions 15897 answers
Posted

Can you give an example of what exactly is logged by your ISP?

Posted

Question owner

christ1 said

Can you give an example of what exactly is logged by your ISP?

Here are two screenshots: one is the settings config, and the other one is the data usage details I just queried from my ISP's website.

Before that, I had visited Alibaba's online shopping website -- www.taobao.com. Although the URL of www.taobao.com wasn't presented, some related URLs (aeu.alicdn.com, img.alicdn.com, g.alicdn.com) were still known by my ISP. Are these URLs not resolved via DoH?

Seburo
  • Top 10 Contributor
  • Moderator
798 solutions 5912 answers
Posted

Hi

You may want to try setting network.trr.bootstrapAddress to 1.1.1.1

I have used that setting and it appears to work when I have tried it.


Edited by Seburo

christ1
  • Top 25 Contributor
2171 solutions 15897 answers
Posted

See https://cdt.org/blog/dns-strengthening-the-weakest-link-in-internet-privacy/

DoH does improve both the privacy and security for DNS. However, it does not make you anonymous for your ISP.

When connecting to a website, your ISP still has to carry all your traffic, and has visibility of source and destination IPs. So I suppose your ISP does this deep, granular analysis of your network traffic, and you can see the result on their website. Note, with TLS encrypted traffic they won't see the content of the communication. For unencrypted traffic this gives the ISP (and anyone else looking at web traffic, like the government or hackers) an opportunity to observe your internet usage in great detail, regardless of whether DoH is used for DNS or not.

If the target is to be anonymous for your ISP use a VPN.

Posted

Question owner

Seburo said

Hi You may want to try setting network.trr.bootstrapAddress to 1.1.1.1 I have used that setting and it appears to work when I have tried it.

I've tried the 1.1.1.1 address, but it still can't prevent my ISP from observing what URLs I visited.

Posted

Question owner

christ1 said

See https://cdt.org/blog/dns-strengthening-the-weakest-link-in-internet-privacy/ DoH does improve both, the privacy and security for DNS. However, it does not make you anonymous for your ISP. When connecting to a website, your ISP still has to carry all your traffic, and has visibility of source and destination IPs. So I suppose your ISP does this deep, granular analysis of your network traffic, and you can see the result on their website. Note, with TLS encrypted traffic they won't see the content of the communication. For unencrypted traffic this gives the ISP (and anyone else looking at web traffic, like the government or hackers) an opportunity to observe your internet usage in great detail, regardless of whether DoH is used for DNS or not. If the target is to be anonymous for your ISP use a VPN.

Hi, thanks for your warm-hearted help. You said "with TLS encrypted traffic they won't see the content of the communication." But, are the URLs not the content of the communication with TLS encrypted by DoH?

christ1
  • Top 25 Contributor
2171 solutions 15897 answers
Posted

There were no URLs in your screenshot, just FQDNs of the websites you access. That information can be obtained from the destination IP of the packet(s) generated by your web browser. Those packets have to pass through your ISP, and the IP header isn't encrypted. The actual URL you access on the site is invisible to your ISP, as long as it's a secure site, i.e. if it offers TLS encryption.
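
What a passive on-path observer can read from one HTTPS connection, as an added example that is not part of the original thread: besides the destination IP in the unencrypted IP header, the TLS ClientHello normally carries the requested hostname in its server_name (SNI) extension in cleartext unless Encrypted Client Hello is in use, regardless of how DNS was resolved. The packet is constructed sample data (documentation-range addresses, hostname taken from the thread), the function names are hypothetical, and the parser assumes a well-formed ClientHello that fits in one TCP segment.

```python
import socket
import struct

def build_sample_packet(host, dst_ip):
    """Constructed IPv4/TCP packet with a minimal TLS ClientHello (sample data)."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni              # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)     # legacy_version, random
            + b"\x00"                   # empty session id
            + b"\x00\x02\x13\x01"       # one cipher suite
            + b"\x01\x00"               # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    tls = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tls), 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return ip + tcp + tls

def observe(packet):
    """Return (destination IP, SNI hostname or None) read from cleartext fields only."""
    ihl = (packet[0] & 0x0F) * 4
    dst_ip = socket.inet_ntoa(packet[16:20])
    tls = packet[ihl + (packet[ihl + 12] >> 4) * 4:]         # skip the TCP header
    if len(tls) < 44 or tls[0] != 0x16 or tls[5] != 0x01:
        return dst_ip, None                                  # not a ClientHello
    p = 5 + 4 + 2 + 32                  # record hdr, handshake hdr, version, random
    p += 1 + tls[p]                                          # session id
    p += 2 + int.from_bytes(tls[p:p + 2], "big")             # cipher suites
    p += 1 + tls[p]                                          # compression methods
    end = p + 2 + int.from_bytes(tls[p:p + 2], "big")
    p += 2
    while p + 4 <= min(end, len(tls)):
        etype, elen = struct.unpack("!HH", tls[p:p + 4])
        if etype == 0:                                       # server_name extension
            nlen = int.from_bytes(tls[p + 7:p + 9], "big")
            return dst_ip, tls[p + 9:p + 9 + nlen].decode("ascii", "replace")
        p += 4 + elen
    return dst_ip, None

if __name__ == "__main__":
    pkt = build_sample_packet("img.alicdn.com", "203.0.113.7")
    print(observe(pkt))
```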
