NetBSD-Users archive


Re: Securing DNS traffic



On Sunday, 24 May 2020, 20:02:45 CEST, Aaron B. wrote:
> I'm also worried about this, but also fear datamining by my ISP. So I
> completely ditched Google, and split my queries between Cloudflare and
> Quad9 - neither gets the complete picture.
This relies on a typical misunderstanding of what most of these data collecting
services are after. "Getting to know what websites / servers some single user
connects to" is usually not what they are after, because that would be very inefficient.

If you fear that your ISP "can do that" - DNS is the wrong vector to "block
that", because he can much more easily use netflow, firewall / router "logging"
and similar efficient ways to see (and collect / process) which servers a
single customer (not user) really got connected to and (each time!) when
(without the huge "caching blindness" of DNS) and how often / how intensively
(even with SSL/TLS - except SNI / "virtual hosts", but this often can be
uncovered by "traffic correlation" if really required).

I would trust my (paid) ISP's NS much more than any other "free" one by all
that I've seen in my life there - especially if your ISP grants you no usage
logging by contract. And from what I know of Mozilla and Co., these are also much
less "selfless" than their public image projects...

If your ISP really cheats you - he could/would do this (as explained) without
his DNS (except in some countries where local ISPs filter third party DNS
entirely because of "regulation", which usually means censorship...).

-- 
 ---
 Niels Dettenbach
 Syndicat IT & Internet
 http://www.syndicat.com
 PGP: https://syndicat.com/pub_key.asc
 ---
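As an added illustration of the "caching blindness" argument in the post above (this is example code, not part of the original mail or any project), the simulation below shows what an ISP-side resolver log and a netflow-style flow collector would each record for the same client activity. All hostnames, addresses, timings and the TTL are constructed sample values.

```python
# Added example: DNS query log vs. flow log for one client.
# A caching stub resolver only sends cache misses upstream, so the
# ISP resolver sees one query per name per TTL; a flow collector sees
# every connection, its time and its volume, but only the server IP
# (two "virtual host" names sharing one address look the same).
from collections import Counter

TTL = 300  # constructed: resolver cache lifetime in seconds

# constructed client activity: (time_s, hostname, bytes_transferred)
ACTIVITY = [
    (0,   "news.example", 12000),
    (60,  "news.example", 9000),
    (120, "shop.example", 40000),
    (180, "news.example", 11000),
    (400, "news.example", 8000),   # cache entry expired -> new query
    (410, "shop.example", 30000),  # still cached -> no query
]

# constructed A records: two names hosted on one IP ("virtual hosts")
ADDR = {"news.example": "203.0.113.10", "shop.example": "203.0.113.10"}

def simulate(activity, ttl=TTL):
    """Return (dns_log, flow_log) as seen on the ISP side."""
    cache = {}                     # hostname -> cache expiry time
    dns_log, flow_log = [], []
    for t, host, nbytes in activity:
        if host not in cache or cache[host] <= t:
            dns_log.append((t, host))        # only misses reach the resolver
            cache[host] = t + ttl
        flow_log.append((t, ADDR[host], nbytes))  # every connection is a flow
    return dns_log, flow_log

def compare(activity, ttl=TTL):
    """Summarise how much each vantage point reveals about the client."""
    dns_log, flow_log = simulate(activity, ttl)
    per_server = Counter(ip for _, ip, _ in flow_log)
    volume = Counter()
    for _, ip, nbytes in flow_log:
        volume[ip] += nbytes
    return {
        "dns_queries": len(dns_log),            # names seen, first use per TTL
        "flows": len(flow_log),                  # every connection, timestamped
        "flows_per_server": dict(per_server),
        "bytes_per_server": dict(volume),
        "names_visible_in_flows": 0,             # hostnames are not in flows
    }

if __name__ == "__main__":
    print(compare(ACTIVITY))
```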