curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post: add new reference

This commit is contained in:
curben 2019-09-24 23:08:06 +01:00
parent e8ec5ccd96
commit be57b4edab
No known key found for this signature in database
GPG Key ID: 5D9DB57A25D34EE3
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
source/_posts/doh-tls-privacy.md
View File

@ -12,11 +12,11 @@ Recently I stumbled upon this [bug report](https://lists.zx2c4.com/pipermail/wir
ISP still knows what **IP address** you are connecting to. Even with HTTPS and DoT/DoH, ISP currently can sniff the website domain you are visiting/visited including the complete URL due to a security weakness in the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication). This weakness can be fixed by using [Encrypted SNI](https://blog.cloudflare.com/esni/) (ESNI).
But even with all that, I repeat, ISP still *knows* what IP address you are connecting to. A simple reverse DNS lookup or even just by visiting the IP address can reveal what website it belongs to. Reverse DNS lookup is indeed not as easy as ten years ago due to the current proliferation of content delivery network (CDN) like Cloudflare. But it is still possible. For example, A `dig startpage @9.9.9.9` returned `216.218.239.2`. When you go to the IP through a web browser, it redirects to startpage.com. Going to gitlab.com's IP resulted in SSL warning with gitlab.com shown as the valid hostname.
But even with all that, I repeat, ISP still *knows* what IP address you are connecting to. A simple reverse DNS lookup or even just by visiting the IP address can reveal what website it belongs to. While reverse DNS lookup is not as easy as ten years ago due to the current proliferation of content delivery network (CDN) like Cloudflare, yet it is still possible. For example, A `dig startpage @9.9.9.9` returned `216.218.239.2`. When you go to the IP through a web browser, it redirects to startpage.com. Going to gitlab.com's IP resulted in SSL warning with gitlab.com shown as the valid hostname.
{% image '20190404/gitlab-ip.png' 'Reverse domain lookup through browser' %}
Websites that are behind Cloudflare can be harder to lookup. For example, `dig is.gd @9.9.9.9` returned `104.25.23.21`, but going to that IP resulted in a Cloudflare error page. So, every website should use Cloudflare, I guess?
Websites that are behind CDN can be harder to lookup. For example, `dig is.gd @9.9.9.9` returned `104.25.23.21`, but going to that IP resulted in an error page. Even then, with sufficient dataset, it is still [possible](https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/) to infer a website from an IP.
Anyhow, DoT/DoH helps to address DNS spoofing issue by preventing the DNS query/answer from being maliciously modified. It makes it *harder* for the ISP from recording your browsing history because it prevents them from doing DNS logging. But they can still continue doing **IP logging**. Not to mention DoT/DoH resolvers also can log DNS traffic. Even [DNSCrypt](https://en.wikipedia.org/wiki/DNSCrypt) cannot prevent that.