Who cares about trying to MITM the HTTPS when chances are they’re sending DNS requests to the ISPs DNS server on unencrypted UDP/53? Comcast is the only ISP doing large scale DNSSEC, and even then that’s with their DNS, so they could still see what you’re looking at.
I may not know what specific page you’re looking at but I can sure as shit make some assumptions about all of the DNS lookups for FurAffinity.net or Missile-Gayboy.com. That’s probably enough for marketing purposes.
Correct me if i am wrong but DNSSEC has nothing to do with encryption of your request. It is used to verify that the record you received is from the correct authority. Furthermore your DNS requests have to go through your ISP even if you don’t use their DNS server as it is your only connection to the Internet.
The only thing you could do is encrypt the traffic somehow (dns over https exists), but then you have to trust that provider instead, and your ISP can still see the IP addresses you try to reach after you know them and might be able to still do a domain lookup using DNS if it is also configured to return the domain when looking up the IP. If they would put in the effort of course.
Correct, DNSSEC is like a signature, you can be reasonably sure that DNS wasn’t poisoned. If you’re looking for encrypted DNS, use DoH (DNS over HTTPS) or DoT (DNS over TLS).
While I have great confidence in my ISP, I use Quad9 as they also provide the above plus don’t do ECS (optional) and block malicious domains.
Who cares about trying to MITM the HTTPS when chances are they’re sending DNS requests to the ISPs DNS server on unencrypted UDP/53? Comcast is the only ISP doing large scale DNSSEC, and even then that’s with their DNS, so they could still see what you’re looking at.
I may not know what specific page you’re looking at but I can sure as shit make some assumptions about all of the DNS lookups for FurAffinity.net or Missile-Gayboy.com. That’s probably enough for marketing purposes.
Correct me if i am wrong but DNSSEC has nothing to do with encryption of your request. It is used to verify that the record you received is from the correct authority. Furthermore your DNS requests have to go through your ISP even if you don’t use their DNS server as it is your only connection to the Internet.
The only thing you could do is encrypt the traffic somehow (dns over https exists), but then you have to trust that provider instead, and your ISP can still see the IP addresses you try to reach after you know them and might be able to still do a domain lookup using DNS if it is also configured to return the domain when looking up the IP. If they would put in the effort of course.
Correct, DNSSEC is like a signature, you can be reasonably sure that DNS wasn’t poisoned. If you’re looking for encrypted DNS, use DoH (DNS over HTTPS) or DoT (DNS over TLS).
While I have great confidence in my ISP, I use Quad9 as they also provide the above plus don’t do ECS (optional) and block malicious domains.
That’s a good point. Almost everyone uses their ISP’s DNS.