DoH and its effectiveness against ISPs

Hi all,

So I’m finally getting around to setting up AdGuard Home and I was debating between putting it on my server at home or on my VPS. The benefit of the VPS is I can use it even when I’m out of the house, such as on my mobile. The downside is that Ubiquiti doesn’t seem to ever want to support DoT, so all my DNS queries to my VPS will be open to my ISP to read. So before I start trying to install NextDNS on my Dream Machine I was curious how much DoH matters for the ISP anyway. I read on a different forum that since the ISP can see all the IPs I connect to they could still easily enough know my browsing history, and I’m kind of at a loss to disagree with that. But I have only a basic level of networking knowledge so I thought I would turn to you gurus :slight_smile:

So my question is: does using a third-party DNS server even matter without also using a VPN, and would DoH make any difference?

The bottom line depends on how paranoid you are…

People often confuse concepts and are not fully able to visualize the sequence of actions.

Let’s start from the beginning.

Someone will always see the network traffic you generate. There is nothing groundbreaking or shocking about it. You just have to imagine it well.

The network traffic of an ISP’s clients is visible to that company and you can’t do anything about it, because the network must work and transmit data. However, you can adopt some schemes of operation that somewhat limit this view.

What does the ISP see? Everything that is technically possible.
It sees how much data a specific client sends down/up with a time/date stamp, what protocol, what port, to what IP addresses; it is able to recognize to some extent every popular application protocol, even the encrypted ones. It can see whether given traffic is, for example, torrent, https, vpn, etc.

Can the ISP see content that is properly encrypted? No, but the ISP is aware of such network traffic all the time; what exactly it contains will not be seen.

What does the ISP see in the case of DNS over HTTPS traffic?
The ISP sees which client, time/date, how many KB/MB of data in which direction, the destination IP address, whether v4/v6, the port, and that it is https.
However, it is not able to see the content, i.e. the domain names.

The fact that you restrict your ISP’s view of your activities does not change the fact that another ISP will see your content. Your VPS will query some DNS server for these domains and this traffic will be visible to brokers, unless you also use DoH for the DNS server there.

The same principle applies to tunnels of all kinds. If you initiate a VPN to your server from home, your ISP and server provider will still see the same things: data amount, protocol, port, IP address, time/date. They will be aware that there is a tunnel between A and B, but the content is encrypted and they will not know it, with one exception! Your traffic needs to go out into the world, so your VPS provider will still see what you are doing over their network, but as long as you use encryption the content will remain a secret.

People hear a lot about VPN and DoH and sometimes they think that they can become invisible everywhere, anytime, and to everyone. No, because network traffic has to be transmitted and sometimes has to travel through many networks and reach the recipient in some form; it’s not magic where packets teleport from your home PC to a server in the forest and no trace is left.
Data collection and tracking is something else, but that’s another story, much more complicated, very difficult and often impossible. But that’s when the FBI is after you, not a nosy ISP. :slight_smile:

If you want your home ISP to have absolutely no insight into the content of DNS queries, use DoH. But don’t forget that any other ISP you use, e.g. on mobile, will be able to see the domains if you don’t use DoH there too.

P.S
Does it make sense to create a tunnel between PC and VPS and run DoH inside it? No, imho it doesn’t make sense. Either we send all traffic via VPN or we use DoH.
The ISP will still see our https traffic, so if you don’t hide your https activity to different sites, there is no point in hiding DoH traffic either.

P.S 2
ISP data correlation? Possible and to some extent theoretically effective.

The ISP does not know the content of DNS queries for domain names, but will see that you are making other, heavier https connections in the same time interval, which suggests that you received a response from DNS, and on such a correlation the ISP could determine domain names. But it’s a bit like chasing your own tail.

Will the spying ISP be able to determine the domain name if communication takes place with a large data aggregator? In 2023 web hosting is a mass of clouds, CDNs, and all sorts of large servers with thousands of domains. On the basis of correlation, it will be difficult to guess the domains in such noise.
Is it possible in some cases to make a correct correlation between unknown content, DNS transmission and https traffic to the target server? If that IP address only serves one domain, then yes.
And what about the content of https packets, does the ISP see the domain before establishing TLS? Yes… SNI. Before the TLS handshake is performed, the correct domain must be defined.

So we come to chasing our own tail… On the one hand, we hide our requests for domain names, and on the other hand, we generate traffic to these domains where, if the ISP wants it, it will find out.
Does the ISP see the full url? No, the data remains encrypted.

And suddenly TLS 1.3 arrives on a white horse… but :wink:

P.S 3
A bit of a side topic is when the ISP not only wants to see but also to modify our network traffic. I personally use DOH everywhere I can and only https.

If you really want to stay as hidden as possible from your ISP’s eyes, then run a VPN/tunnel/proxy (encrypted) between the LAN and the server. Then you will limit your ISP’s ability not only to look at DNS queries (obviously don’t use DNS from the ISP) but also to look at SNI. But remember, you’re limiting it to just that one ISP!

6 Likes
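As an added example (not code from any post in this thread): the bytes an ISP reads on port 53 are the very same bytes DoH tucks inside HTTPS. The script below builds a minimal DNS query in RFC 1035 wire format, then wraps it the two ways RFC 8484 defines: GET with a base64url `dns=` parameter, and POST with `application/dns-message`. Over classic DNS the output of `build_dns_query` would leave as a raw UDP datagram, so anyone on the path reads the name; over DoH it rides inside a TLS session to the resolver’s IP on port 443, which leaves exactly the metadata listed above (client, time, size, destination IP, port, "it’s https"). The `/dns-query` path and the sample name are assumptions, and nothing here touches the network.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question (IN class).

    RFC 8484 recommends ID 0 for DoH so identical queries are cacheable,
    which is why txid defaults to 0 here; Do53 clients randomise it.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(label)]) + label.encode("idna")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_target(query: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the wire query, base64url without '=' padding,
    in the 'dns' query parameter. This string only exists inside TLS; the
    ISP sees the TCP/TLS envelope around it, not the name."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={token}"


def doh_post_request(query: bytes):
    """RFC 8484 POST form: the raw wire query is the HTTP body."""
    headers = {
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    return headers, query


def decode_doh_get(target: str) -> bytes:
    """What a party that can see inside the TLS session (the resolver, or a
    TLS-intercepting proxy) recovers from the GET form."""
    token = parse_qs(urlsplit(target).query)["dns"][0]
    token += "=" * (-len(token) % 4)  # restore the padding RFC 8484 strips
    return base64.urlsafe_b64decode(token)


if __name__ == "__main__":
    q = build_dns_query("example.com")  # constructed sample query
    print("Do53 datagram payload (UDP/53, readable on path):", q.hex())
    print("DoH GET target (inside TLS to resolver:443):", doh_get_target(q))
    assert decode_doh_get(doh_get_target(q)) == q
```

The name is plainly visible in the hex of the Do53 payload (the label bytes `07 example 03 com`); the DoH form carries the identical bytes, only now behind TLS, which is why the ISP’s view shrinks to the resolver’s address and the traffic volume.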

Sh*t, rabbit hole… thx Tim… it is 01:42 in the morning here and I begin my research to understand what you are telling here… :smile:

1 Like

These days, one IP address could be any one of hundreds of web sites. If your DNS is in the clear, then they can tell which site you are connecting to. I guess you have to pick your own level of paranoia.

One could likely infer a lot about where you were going based on how the IP addresses chain together.

If you’re on the internet your activities are known. If not by the ISP, by the remote sites logging and selling your activity, your OS vendor doing the same in some cases etc.

QUBES plus Tor might help but it’s a losing battle.

1 Like

Thanks for taking the time to explain all that. I live in Germany so I’m not overly paranoid about my ISP since it’s bound by the strong German privacy laws. But if there’s an option to keep my data mine then I try to take it, because I know they do some shady stuff. As an example, if I visit their website the prices shown there sometimes change compared to accessing it via a VPN. Almost like they want to show cheaper prices to potential new customers without telling their existing ones :). But it seems here it’s just not worth the hassle of doing that, so I’ll take advantage of the VPS.

Again thanks for taking the time to help me improve my understanding.

1 Like

In short… Use DoH/DoT and https with the latest TLS available at the moment. But still the problem is unencrypted SNI where the ISP has clear text domain to which the client directs his traffic.

Someone will ask but what is the domain name there for? Because the client must inform the web server about what specific domain he wants to get. One server IP that hosts the site can serve thousands/millions of domains at the same time and for this reason the domain name information must be included in the communication.

The browser asks the DNS server what the IP address is for yourdomain.com, then after obtaining the IP address it directs TCP traffic to it and the appropriate port, but the scheme of operation of this communication must also contain one piece of information… the domain name. Then TLS is set up and further communication, as well as other URL data and the payload of the website, is already encrypted. But before this happens, the server must see what domain you are talking about and must have this information to provide the correct certificate per domain. Without this information, the server does not know what specific domain on its IP you mean. I am talking here about large web hostings with many domains / IPs.

Anyone can do a test and run a sniffer on themselves and look at the content of https packets that their browser sends to the server when you enter a website. As long as encryption is not implemented globally and absolutely for the domain name being transmitted, this information will be available to the ISP if they wish to look at it.

A lot of people just forget this little loophole and think that if they have DoH/DoT, the ISP doesn’t see anything about domains anymore.

So is it worth using DoH if ISP can get information about the domains we visit anyway? Yes imho, it’s always a slight separation of data that an ISP might collect.

Someday the time will come that every communication will have the domain name already provided in encrypted form and then the ISP will not see it, but it is not yet today…

:wink:
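As an added example (my code, not something posted in this thread): the "run a sniffer on yourself" test from the post above, reduced to the one field that matters. The script builds a constructed TLS 1.3-style ClientHello and then parses it the way a passive observer would: record header, handshake header, then the extension list, pulling out the plaintext `server_name` (RFC 6066) that the ISP can read on the first packet of every https connection. It also checks for an ECH extension, using the codepoint the ECH draft (draft-ietf-tls-esni) assigns; that value and the sample host names are assumptions. When ECH is present, the SNI you see is only the fronting provider’s public name, not the real target.

```python
import os
import struct

SNI_EXT = 0x0000   # server_name, RFC 6066
ECH_EXT = 0xFE0D   # encrypted_client_hello, codepoint from draft-ietf-tls-esni (assumed)


def _sni_extension(host: str) -> bytes:
    name = host.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(name_list)) + name_list


def build_client_hello(server_name=None, random_bytes=None, extra_exts=b"") -> bytes:
    """Constructed ClientHello in one TLS record, used here as sniffer input."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    body = b"\x03\x03" + rnd + b"\x00"                            # legacy_version, random, empty session_id
    suites = b"\x13\x01\x13\x02"                                   # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # one compression method: null
    exts = (_sni_extension(server_name) if server_name else b"") + extra_exts
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_extensions(record: bytes):
    """Walk record -> handshake -> ClientHello and return {ext_type: data},
    or None if this is not a ClientHello. Nothing here needs any key: it is
    the first packet of the connection, before the handshake completes."""
    try:
        if len(record) < 9 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if not hs or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                               # version + random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        exts = {}
        if pos + 2 > len(body):
            return exts                                            # hello without extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
        return exts
    except (IndexError, struct.error):
        return None                                                # truncated or malformed


def extract_sni(record: bytes):
    """The plaintext host name the ISP reads on the wire, or None."""
    exts = client_hello_extensions(record)
    if not exts or SNI_EXT not in exts:
        return None
    data = exts[SNI_EXT]
    try:
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        pos = 2
        while pos + 3 <= list_end:
            ntype, nlen = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
            pos += 3
            if ntype == 0:
                return data[pos:pos + nlen].decode("idna")
            pos += nlen
    except (IndexError, struct.error, UnicodeError):
        pass
    return None


def has_ech(record: bytes) -> bool:
    """True if the hello carries ECH: the visible SNI is then only the
    provider's public name, the real target is inside the encrypted inner hello."""
    exts = client_hello_extensions(record)
    return bool(exts) and ECH_EXT in exts


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("SNI on the wire:", extract_sni(hello), "| ECH present:", has_ech(hello))
```

To run it against real traffic rather than the constructed hello, feed `extract_sni` the first TLS record of a captured connection to port 443; the parser deliberately stops at the extension list, since nothing past the ClientHello is readable without the session keys.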

While that’s true, it’s an entirely different topic. And it’s a difference in kind because your ISP can potentially see everything you do and everywhere you go, whereas web tracking is just a patchwork with no single entity possessing all of it.

Saw a thing on SNI by Theo Joe of all people. Looks like something to look into

I didn’t manage to read it before you deleted it… :slight_smile: Any gruesome errors in my reasoning above? :wink:

In general, sometimes ISPs are bad, but I wouldn’t treat them as a major security or privacy issue.

The principle is quite simple, everything you do online is being watched by someone somewhere. Let’s not get paranoid that the NSA is watching us 24/7. Yes, probably our online activities are somewhere in their databases, but no one is looking at it because there is no reason.

Apply the principle wherever possible, use encryption as good as possible and keep your software up-to-date.
If you ever start to worry about your ISP, think about changing it, and if that’s not an option, start using as much traffic separation as possible. And for the paranoid, you can always add white noise on the link. Generated 24/7, always with the same scale to a wide audience and then you hide your target traffic in the crowd. It doesn’t make it invisible, but it creates a crowd from which the adversary must deduce the right one or take everything as a source of information, in effect creating less precise models of your behavior.

There are people who practice zero trust in their ISP. They use many vpn tunnels and each suitable for a specific traffic/geo. But as I wrote earlier, you only transfer this mystery from one subject to another.
People buy commercial VPNs and think they are now invisible. Yes, for your ISP, the detail of online activity falls to the awareness that only a tunnel is set up and traffic is generated by it. But the company that provides the VPN sees you for who you are. :slight_smile:

When money is not a problem and paranoia knocks on the door, you can play with multi-vector segmentation of your online activity by doing it in several ways where collecting it all by one entity will be extremely difficult if sometimes even impossible, but that’s another story. :slight_smile:

Back to the point of the thread… Use a VPN and take your traffic away from your ISP, i.e. you will run an exit node on your server away from your ISP.
Or just ignore the idea that your ISP is spying on you over and above normal monitoring of their network and collecting logs.
At the end of the day it would be nice to have DoH + encrypted SNI but it’s out of my power. :slight_smile:

1 Like

I understand the question here and see it’s answered, but has anyone considered the ramifications of DoH in terms of network consent?

Every helpful tool has a dark side. While you can use it to remain private, you must also consider whether Google or any manufacturer of a device is using it to bypass your DNS and network configuration/rules, unless of course you perform SSL interception on your network, which I’ve begun setting up to mitigate that.

I’m asking you to think and evaluate the facts and your own position on it. I don’t desire to argue whether one should use it or not. Just consider the ramifications of a technology with good intentions.

Sample material:

That is all

1 Like

Everything has two sides of the coin. :slight_smile: Is the world based on DoH ideal? Absolutely not but… :slight_smile:
I don’t care if someone will use naked DNS or DoH/DoT. The only thing I wish for was “choice”, as long as I’m free to choose what I want to use I’m ok.

A separate issue is network control and supervision over DNS traffic. Does DoH cause a problem in restricted environments? Yes, without exaggeration.
Is it hard to block such DNS traffic? Yes, but to some extent it is doable.
If we have networks where we block almost everything, especially DNS, you can use different lists of public DoH servers and block connections to them… Perfect? No. Will it block every DoH? No, but the most famous ones, yes.

Publicly available servers
DNS over HTTPS · curl/curl Wiki · GitHub

Deep analysis of packets without breaking encryption is also possible to some extent, and if implemented correctly it may try to catch packets from https traffic that may be intended for DoH, and then we block them.
There are known commercial solutions that can even catch VPN traffic pushed via https… Just because something is encrypted doesn’t mean that it doesn’t bear the characteristic features by which the type of transmission can be recognized. Masking traffic and wrapping it in many other solutions is a big topic.

Detection of DoH Traffic Tunnels Using Deep Learning for Encrypted Traffic Classification
https://www.mdpi.com/2073-431X/12/3/47/pdf

An Explainable AI-based Intrusion Detection System for DNS over HTTPS (DoH) Attacks
https://ueaeprints.uea.ac.uk/id/eprint/85477/1/T_IFS_13877_2021.R2_Proof_hi.pdf

Peeking into the depths of encryption to determine the type of data being sent is a dirty job and I don’t support it, but there are networks that do it because they have the ability to install their own certs on employees’ endpoints.

Should dns traffic be blocked? A matter of decision of those responsible for this network.

:wink:
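As an added example (my code, not from the thread or from the papers linked above): one of the cheap, list-based controls the post describes, applied at the network’s own resolver rather than at the firewall. Most DoH clients still have to look up their resolver’s hostname over plain DNS before the first HTTPS connection, and Firefox additionally asks for the canary name use-application-dns.net and switches off its default-on DoH when that returns NXDOMAIN. The script parses an incoming plain-DNS query and answers NXDOMAIN for the canary and for a short list of public DoH resolver hostnames (the three names are real public endpoints used as examples; a deployment would load a full, maintained list such as the curl wiki one linked above). Everything else returns None, meaning "forward upstream", which is not implemented here. The sample queries are constructed inline. As the post says, it is not perfect: a client configured with a resolver IP, or a user who enabled DoH explicitly, walks straight past it, so it belongs next to IP-level blocks.

```python
# Constructed sample queries, RFC 1035 wire format: 12-byte header + one question.
CANARY_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x13use-application-dns\x03net\x00\x00\x01\x00\x01")
BOOTSTRAP_QUERY = (b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                   + b"\x03dns\x06google\x00\x00\x01\x00\x01")
NORMAL_QUERY = (b"\x56\x78\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                + b"\x07example\x03com\x00\x00\x01\x00\x01")

FIREFOX_CANARY = "use-application-dns.net"
# Example hostnames of public DoH resolvers; load a full list in practice.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

NXDOMAIN = 3


def parse_question(query: bytes):
    """Return (qname, qtype, qclass, raw_question) for a one-question query."""
    if len(query) < 12 or int.from_bytes(query[4:6], "big") != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(query[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype = int.from_bytes(query[pos:pos + 2], "big")
    qclass = int.from_bytes(query[pos + 2:pos + 4], "big")
    return ".".join(labels).lower(), qtype, qclass, query[12:pos + 4]


def matches(name: str, blocklist) -> bool:
    """Exact or subdomain match, so a.dns.example also hits dns.example."""
    return any(name == b or name.endswith("." + b) for b in blocklist)


def nxdomain_response(query: bytes) -> bytes:
    """Minimal NXDOMAIN: same ID, QR+AA+RA set, RD copied, RCODE 3, question echoed."""
    rd = int.from_bytes(query[2:4], "big") & 0x0100
    flags = 0x8000 | 0x0400 | rd | 0x0080 | NXDOMAIN
    _, _, _, question = parse_question(query)
    counts = b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, no answer/authority/additional
    return query[:2] + flags.to_bytes(2, "big") + counts + question


def handle_query(query: bytes):
    """Sinkhole response bytes, or None when the query should go upstream."""
    name, _, _, _ = parse_question(query)
    if name == FIREFOX_CANARY or matches(name, DOH_RESOLVERS):
        return nxdomain_response(query)
    return None


if __name__ == "__main__":
    for label, q in (("canary", CANARY_QUERY), ("bootstrap", BOOTSTRAP_QUERY), ("normal", NORMAL_QUERY)):
        print(label, parse_question(q)[0], "->", "NXDOMAIN" if handle_query(q) else "forward")
```

Wire this into whatever resolver the LAN already uses (a response hook or a local zone with the same names) and pair it with a firewall rule for the resolver IPs; the canary only affects Firefox’s default-on mode, so it is a courtesy signal to well-behaved clients, not a control.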

https://defo.ie/ech-check.php

https://crypto.cloudflare.com/cdn-cgi/trace

It’s a nuclear arms race in tech. It can only lead to destruction or détente.

On a public network, absolutely. On any privately run network your choice should be based on asking permission, and if it’s cool or they’re permissive in general, no problem. There was no need for DoH. We had DoT for authenticated stuff and DNSSEC for verification.

I mean, tbh yes, but it requires large systems with tons of power. It’s easier and simpler to perform SSL interception as a cert authority on your network.

As is interception as a viable means to control their network :wink:

Much like Paul Vixie I’m appalled I have to go to this level… Do you understand why, @TimHolus? Yes, us nerds can do this, but the average person is left undefended against the dark side of this tech and I hate that thought. Particularly for the elderly.

1 Like

I think I already have DoH because I set my firefox to it, but how does one set up SNI (I’m a bit busy at work and at home I am pulled in all directions, a sort of quick guide is massively appreciated).

CloudFlare and Akamai would certainly see a large chunk….

1 Like

ESNI, or as they call it now ECH, is not just a matter of the client but must also be handled on the other side; at the moment ECH is probably not even an officially published and approved RFC.

Firefox has supported ESNI/ECH since version 85 (don’t quote me). And now I think it’s even turned on right away, although I’m not sure. But so what, if not every hosted resource supports it. Similarly with solutions like Pi-hole, the devs do not touch the subject seriously until the RFC is approved.

You have three urls to check, among others…
Just even if ECH works for you, it doesn’t mean other sites support your ECH calls, probably not.

Currently, the situation is somewhat similar to a few years ago with https vs http, slowly some people are starting to support ECH, but currently the overwhelming majority still do not.

Just keep in mind that DoH/DoT doesn’t work wonders at hiding the domain names we visit from our ISP. A little worm like SNI sometimes spoils this anonymity. :slight_smile:

https://defo.ie/ech-check.php

https://crypto.cloudflare.com/cdn-cgi/trace

https://www.cloudflare.com/ssl/encrypted-sni/

1 Like

You’re being terribly pessimistic about it. :slight_smile: I’ll be dead before it’s fully gone anyway. :slight_smile:

Depends on what we define as private, corporate networks and all that, yes. There is a central body to govern and set the rules of the game and they should be followed.
But if someone has such a mess on the network that DoH becomes a threat to him, he should look for the root of the problem elsewhere.
What’s more, in such networks, DoT is not even necessary, ordinary DNS is enough. But I understand your conclusions.

Yes, if there is such a technical, organizational and legal possibility, then installing your certificate on the company’s equipment will be a quick solution. Provided that all the time we are talking about resources that belong to the company.
I will never allow an ISP to require a certificate on client machines. And even worse, if the country requires it.

Old people and children, do not forget the children! :slight_smile: Politicians love to introduce sick ideas in “defense of children”.

DoH as a threat to non-technical people… Well, that’s a bit of a stretch. :wink: Ok, but everything else can be pulled into this category as well!
DoH is and will probably stay for good. Now is the time to learn to live in symbiosis with it. Network concepts are slowly taking small steps of evolution and admins will have to adapt to the new reality. The old thinking that we can do everything with one central firewall has been wrong for some time now.

At our company, we also had moments of reflection on the DoH issue and the network policy update in general. But the solution is not to bury DoH in the grave, but to try to fit in with new models…

Nothing is perfect and never will be. DoH has its advantages and disadvantages. It creates problems in some situations and solves other problems.
DoH is not the biggest problem and threat to corporate networks imho; it is a stone in the shoe, but let’s not exaggerate how big and dangerous it is. :slight_smile:

2 Likes