Hi.

On Tue, Apr 14, 2020 at 10:26:09PM +0100, Liam O'Toole wrote:
> On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote:
> > [...]
> >
> > > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > > to make a connection to the resulting IP address through the ISP's
> > > gateway. The ISP can perform a reverse DNS lookup of the IP address if
> > > they are determined to snoop.
> >
> > And that is why it's important to use DNS over TLS.
> > Unless your ISP can magically decrypt TLS on the fly, the scenario
> > you're describing is impossible.
>
> I think you misunderstand me. I'm talking about making a connection to
> an IP address that you have already obtained by (encrypted) DNS.
I misunderstood you indeed. While it's true that this particular threat is
something that DNS over TLS cannot guard against, I suggest you consider this:

1) Not every IP on the Internet has a PTR record.

2) There are multiple cases of sharing the same IP between multiple sites
(including HTTPS).

3) For HTTPS (and TLS in general) there's a more precise method called SNI
snooping (there's TLSv1.3 against *that*, but it's not widely adopted).

Reco