What information can an ISP record solely from DNS queries

Tags: dns, nameserver, privacy, vpn

I realized recently that my VPN's DNS requests were transmitted to my ISP's DNS server (even though my HTTP and HTTPS requests were properly transmitted via the VPN).

I did some research and have a couple of questions about the level of detail that an ISP is able to record.

My question is specifically about DNS requests. I am aware that there are other questions on this and related forums about the details that ISPs can glean from the HTTP and HTTPS traffic.

In terms of privacy, there is a significant difference in an ISP recording a user's DNS request to:

https://www.google.com/

and a request to:

https://www.google.com/search?source=hp&q=ultra+left+wing+support

There is a difference between an ISP recording:

https://www.reddit.com/ 

and:

https://www.reddit.com/r/hot-babes 

My understanding is that DNS queries from users to an (ISP's) DNS server will show the host (https://www.google.com/) but not the specific search term or any part of a URL after the TLD (e.g. .com). Is this correct?

I am asking about both HTTP and HTTPS although I can't see that there would be a difference for DNS requests.

In other words, an ISP can record the sites the user visited (via their DNS look-up logs), but cannot record the search query the user made in the search engine or the specific page(s) of a site that a user visited. To do so, the ISP would have to record the URLs when the user directly accessed the website pages. Is this right?
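To make the question concrete, the following added example (not from the original post or any answer) builds the RFC 1035 wire-format query a stub resolver would send for each of the URLs above and then decodes it the way a passive observer on the ISP's side would. The URLs are the ones quoted in the question; the transaction ID and the `A`/`IN` query type are assumptions. Nothing here touches the network.

```python
import struct
from urllib.parse import urlsplit

# Constructed sample input: the URLs quoted in the question.
SAMPLE_URLS = [
    "https://www.google.com/",
    "https://www.google.com/search?source=hp&q=ultra+left+wing+support",
    "https://www.reddit.com/",
    "https://www.reddit.com/r/hot-babes",
]


def url_to_qname(url: str) -> str:
    """The only part of a URL the resolver ever needs: the host name.
    Scheme, path, query string and fragment are never sent to DNS."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query for qname (RFC 1035 wire format)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        labels += bytes([len(raw)]) + raw
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """What an on-path observer recovers from the query: the QNAME, nothing more.
    Queries carry no compression pointers, so plain length-prefixed labels suffice."""
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def visible_to_resolver(url: str) -> str:
    """End to end: URL -> DNS query on the wire -> name the ISP's resolver sees."""
    return parse_qname(build_dns_query(url_to_qname(url)))


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:70} -> DNS sees only {visible_to_resolver(url)}")
```

Running it shows that both Google URLs produce a byte-for-byte identical query, as do both Reddit URLs: the search term and the subreddit path never leave the browser in the DNS step. (What the ISP can additionally see from the HTTPS connection itself is a separate question, as the poster notes.)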

Best Answer

If the entire connection the web browser makes is over HTTPS, then the ISP will simply see you are communicating with a server address. Remember, DNS requests are not part of the browser, usually. Your computer can make DNS queries all it wants, which will only be, in your examples, www.reddit.com and www.google.com.

Once the web browser knows the IP address to send the request to, the browser encrypts the entire URL you're requesting. For example, https://www.reddit.com/r/hot-babes is encrypted into a string that your computer and Reddit's server would understand. The ISP cannot read this in normal circumstances.

Normal circumstances are for people like me. My ISP does not attempt any sort of Man In The Middle (MITM) attacks, such as making me accept their own root certificate (!). If they forced you to install their own certificate, then it's fair game for them.

This is also mitigated if the sites support HSTS (Hypertext Strict Transport Security). This will hopefully be up to date, and built in to your browsers (Firefox and Chrome both do). If your browser attempts a connection to a site with HSTS setup, the browser will upgrade the connection to HTTPS automatically before making the connection.