Internet service providers (ISPs) and network-level hackers cannot spy on secure HTTPS communications – that’s a given.
But ISPs can still see all of your DNS requests, allowing them to know what websites you visit.
Thankfully, Google is working on a new security feature for Android that could protect your Internet traffic against network spoofing attacks.
Nearly every Internet activity starts with a DNS query, making it a major building block of the Internet. DNS works as the Internet’s phone book, resolving human-readable web addresses, like deVere-group.com, to their IP addresses.
DNS requests and responses are sent in unencrypted clear text, making them vulnerable to eavesdropping and thus compromising privacy.
By default, ISPs resolve DNS queries on their own servers. So when you type a website name into your browser, the query first goes to your ISP’s DNS servers to find the website’s IP address, which exposes this information (metadata) to your ISP.
In addition, DNS Security Extensions (DNSSEC) only offer data integrity, not privacy.
To solve this problem, the Internet Engineering Task Force (IETF) last year proposed an experimental feature called DNS over TLS (RFC 7858), which works roughly the same way as HTTPS.
Just as the Transport Layer Security (TLS) protocol cryptographically secures HTTPS connections, DNS-over-TLS massively improves privacy and security with end-to-end authenticated, encrypted DNS lookups.
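To make the difference concrete, here is a small DNS-over-TLS client added as an example (it is not code from the article, from Android, or from the IETF). It builds the same A-record query an ISP would otherwise see in clear text on UDP port 53, then applies the RFC 7858 framing (a 16-bit length prefix) and sends it inside a certificate-verified TLS session on port 853. The resolver hostname is a placeholder, and the sample response used for parsing is constructed, not a real capture.

```python
# Minimal DNS-over-TLS (RFC 7858) client, added as an example (not article/Android code).
import socket
import ssl
import struct

def build_query(name, txid=0x1234):
    """Recursive A-record query in DNS wire format (what UDP port 53 carries in clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_for_tls(message):
    """RFC 7858 s3.3: over TLS each DNS message is prefixed by its 16-bit length."""
    return struct.pack("!H", len(message)) + message

def _skip_name(buf, pos):
    # Step over a domain name, written out as labels or as a 2-byte compression pointer.
    while buf[pos] != 0 and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    # Return the IPv4 addresses found in the answer section of a DNS response.
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE, QCLASS
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name, resolver="dot-resolver.example"):  # placeholder resolver name
    ctx = ssl.create_default_context()           # verifies the resolver's certificate
    with socket.create_connection((resolver, 853), timeout=5) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=resolver) as tls:
        tls.sendall(frame_for_tls(build_query(name)))
        (length,) = struct.unpack("!H", tls.recv(2))   # peer frames its reply the same way
        resp = b""
        while len(resp) < length:
            resp += tls.recv(length - len(resp))
    return parse_a_records(resp)

# Constructed sample response (not a capture): example.com -> 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

On the wire, only the TLS record layer is visible to the ISP; the query name inside `build_query` is encrypted, whereas the same bytes sent over UDP port 53 are readable by anyone on the path.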
Google is allegedly adding “DNS over TLS” support to the Android Open Source Project (AOSP), currently as an experimental feature, to allow smartphone users to turn the “DNS over TLS” feature on or off under the Developer Options settings.
“Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1,” XDA-Developers said in a blog post.
Still, merely enabling the “DNS over TLS” feature would not prevent your ISP from knowing what websites you visit.
Server Name Indication (SNI), an extension of the TLS protocol, also reveals to ISPs which hostname the browser is contacting, because it is sent in clear text at the beginning of the TLS ‘handshake’ process.
So to enjoy full anonymity, users are still required to use a trusted, secure VPN service in combination with the DNS-over-TLS protocol.