In Part 2 I wrote about the fact that different DNS servers have different speeds and availability depending on whether they support anycast. If they do, the DNS server nearest to you is the one used, in the same way that the Google server physically nearest to you is the one you reach regardless of where in the world you are, as a general rule of thumb.
We have all been taught that the Internet is insecure and that we should browse sites that support SSL, those with the https prefix, like this one. With https sites nobody on the internet can see the contents of the pages you view or anything you enter into a page, such as these very words. Only you and the person or company hosting the website can see the content. Well, in theory, and we'll leave that muddy area there for now.
When you enter a domain name into a web browser, a DNS lookup is performed to find out the IP address to connect to. This DNS lookup is not encrypted. Everyone on the network between you and the DNS server can see which domain you are looking up, and there are plenty of companies in between.
To combat this, two proposals exist and are already deployed in the real world. DNS over HTTPS (DoH) is one, which sends DNS lookup queries over an HTTPS connection; the second is DNS over TLS (DoT), which carries ordinary DNS queries inside a TLS connection.
The more popular DNS providers already offer DNS over HTTPS and DNS over TLS, e.g. Cloudflare, Google and Quad9. There are, however, a couple of issues:
Your browser doesn't support either of these protocols. Google and Firefox are working on it, and given Apple's privacy stance you would expect them to be working on it too.
The DNS service still gets to see what you are looking up, so you had better be happy with them being able to track which sites you access, even if your ISP can't. Are Google still not evil?
Which brings us to the overall issue with encrypted DNS. Many would claim that it doesn't really solve anything. The HTTPS connection that follows the lookup reveals the IP address of the server and, depending on how the server is configured, the domain name as well. Converting an IP address back into the destination domain is a simple process, so your ISP can still see which sites you are looking at, even if it can't see the content.
There are ways around this. If a site uses a Content Delivery Network (CDN) to speed itself up then you never get the real IP address for that website. If you look up the IP address for this site you'll get an address shared with millions of other domains, because they all use Cloudflare. However, this is a red herring: when one IP address serves multiple domains, the requesting browser has to tell the server which domain at that address it wants to connect to, and it does so through the TLS Server Name Indication (SNI) extension, which is sent unencrypted.
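To make both leaks concrete, here is an added Python example (it is not code from the original post) that builds a minimal DNS query and a minimal TLS ClientHello for a constructed host name, then reads the name back out of each the way a passive on-path observer would: the QNAME from the unencrypted DNS question described earlier, and the host_name from the unencrypted server_name (SNI) extension described just above. The wire layouts follow RFC 1035 and RFC 6066; the host name, the all-zero random field, the function names and the packet contents are assumptions constructed for the example, not real traffic.

```python
import struct
from typing import Optional

# Constructed host name used for both packets; any name works.
EXAMPLE_HOST = "example.com"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A-record query in RFC 1035 wire format (constructed example)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(packet: bytes) -> str:
    """Return the QNAME of the first question: it sits in cleartext right after the 12-byte header."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question section is unexpected")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a TLS record holding a ClientHello; server_name=None omits the extensions block."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host              # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension_type server_name(0)
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random: constructed all-zero filler for the example only
        + b"\x00"                # session_id: empty
        + b"\x00\x02\x13\x01"    # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def client_hello_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the host_name from its server_name extension, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4                 # record header, then handshake type + 3-byte length
    pos += 2 + 32               # client_version + random
    pos += 1 + record[pos]      # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]      # compression_methods
    if pos >= len(record):
        return None             # no extensions at all
    ext_total = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:
            # server_name: 2-byte list length, then entries of name_type(1) + length(2) + name bytes
            list_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
            p = pos + 2
            while p + 3 <= list_end:
                name_type, name_len = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if name_type == 0:
                    return record[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None


def names_on_the_wire(host: str) -> dict:
    """What a passive observer recovers from the two packets a browser sends for `host`."""
    return {
        "dns_qname": dns_query_name(build_dns_query(host)),
        "tls_sni": client_hello_sni(build_client_hello(host)),
    }


if __name__ == "__main__":
    print(names_on_the_wire(EXAMPLE_HOST))
```

Both parsers recover the same string from two different packets. Switching the lookup to DoH or DoT closes off the first one; the second, the SNI in the ClientHello, is untouched, which is exactly why encrypting DNS alone changes so little for an observer on the path.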
So, all in all, encrypted DNS is not really going to provide that much privacy. It turns out to be a nice idea, but that's it. Until something is done to solve the SNI problem, using encrypted DNS doesn't really gain you anything other than falsely making you feel good about it.
That doesn't stop the likes of Comcast, who claim that they don't track their users, from trying to stop it though.
Next up: will a VPN help, and if so, why?