What does my ISP see if I change my DNS server?

So, I think that when I type a certain URL in my browser (for example https://google.com), I send a request through the ISP to the ISP's DNS, and my provider gets the response (the IP of google.com), goes to this IP, sends a request to this server (google.com) and gets the response, an HTML page that will be sent to me by my provider. Is it so?

No, this does not work as you described.

When you use the ISP's DNS server you get the IP address of the target server (google.com in your example) from the ISP. The ISP's DNS server itself provides this IP address from a cache or resolves the DNS query for you - see DNS Lookups Explained for the finer details.

Then your browser uses this IP address to access the target site itself, i.e. the ISP does not retrieve the site for you. The ISP will forward the packets from your client to the target server though, but what's inside the packets is usually irrelevant for the ISP.

There are some exceptions to this behavior though: in some cases there might be an explicit proxy at the ISP involved, where the client (i.e. your browser) asks the proxy and the proxy retrieves the data and sends it back to the client. The proxy might also cache data to serve the client faster and to save bandwidth. Such a setup was pretty common in the early days of the internet, when bandwidth was scarcer, but it is much less common today.

Some ISPs might also snoop on the traffic with Deep Packet Inspection (DPI) and might block or delay traffic based on this. Some might also enforce an implicit proxy to modify the traffic. This is especially true in countries where the ISP is ordered to block specific sites. It has also happened in the past that ISPs injected their own advertisements into the traffic, or mobile ISPs were found to "enrich" the traffic to provide information about the client (like the phone number) to the final server in order to enable more targeted advertisements. Traffic modification is mostly impossible when HTTPS is used though, but blocking traffic will still work with HTTPS.

Secondly, when I use another DNS: I think that when I type a certain URL in my browser (for example https://google.com), I send a request through the ISP to the other DNS, and my provider gets the response (the IP of google.com), goes to this IP, sends a request to this server (google.com) and gets the response, an HTML page that will be sent to me by my provider.

Again the provider is (usually) only involved in forwarding the data between client (your browser) and server, but not in requesting the data from the server itself. The main difference between using the DNS from your ISP vs using a different DNS server is that another DNS server now resolves the query for you. This might be desired if one does not trust the ISP and fears blocking of sites or logging of what sites you access (i.e. privacy invasion). It might also be desired if the new DNS provider offers some useful features, like blocking malicious domains.

It is still possible and not uncommon though that your DNS query does not actually end at the DNS server you want to use but will still be handled by the ISP's DNS server. This can be done with a cheap redirection of all packets destined for port 53 to the ISP's DNS server. Enforcing the use of the ISP's DNS server is usually done if the ISP is ordered to block access to specific domains. But even without redirecting the ISP might be able to see what domains you query: DNS queries are by default not encrypted and thus visible to Deep Packet Inspection. When using DNS over HTTPS (DoH) or DNS over TLS (DoT) the ISP will no longer be able to intercept these DNS requests though, nor will it be able to see the content of the DNS queries. It can still determine the domains you visit from DPI on the web traffic itself though in most cases.

A third question follows: will I be connected to DNS if I type just the IP (not the domain name) of google.com in my URL bar?

If one explicitly uses the IP address no DNS lookup is needed to access the server. Note though that most servers will not work if just accessed by IP address. It is pretty common that multiple domains are served on the same IP address. Thus the server also needs the domain name to find out which certificates to provide for HTTPS and which content to serve. If one just puts the IP address in the browser, the browser does not know which domain is meant and thus cannot provide this crucial information to the server.
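To make the answer's two observations concrete (a plaintext DNS query on port 53 carries the queried name in the clear, and even when DNS is moved into DoH/DoT the TLS handshake on port 443 still carries the server name), here is an added example that is not part of the original answer. It constructs a UDP/53 DNS query and a TLS ClientHello with a Server Name Indication (SNI) extension for a hypothetical lookup of google.com, then parses both the way a passive DPI box at the ISP would. Both byte strings are built in the script itself; nothing here is captured traffic, and the transaction ID, random bytes and cipher suite list are arbitrary constructed values.

```python
import struct
from typing import Optional

# ---- Constructed inputs (built here, not captured from a real network) ----

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a plaintext DNS A query exactly as it travels over UDP port 53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS ClientHello record; SNI extension only if a name is given."""
    if server_name is None:
        extensions = b""
    else:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(host)) + host  # name_type=host_name(0)
        sni_list = struct.pack(">H", len(entry)) + entry
        sni_ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
        extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + bytes(32)      # client_version and a zeroed "random" (constructed)
        + b"\x00"                    # empty session_id
        + b"\x00\x02\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# ---- What a passive observer can read without any key material ----------

def dns_qname(packet: bytes) -> str:
    """Read the queried name out of a plaintext DNS query's question section."""
    pos, labels = 12, []                    # skip the 12-byte DNS header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer is not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length


def tls_sni(record: bytes) -> Optional[str]:
    """Read server_name from a TLS ClientHello record, or None if no SNI is present."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                  # session_id
    pos += 2 + struct.unpack_from(">H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                  # compression methods
    if pos >= len(record):
        return None                         # no extensions block at all
    end = pos + 2 + struct.unpack_from(">H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from(">HH", record, pos)
        pos += 4
        if ext_type == 0x0000:              # server_name extension
            lp = pos + 2                    # skip ServerNameList length
            while lp + 3 <= pos + ext_len:
                name_type = record[lp]
                name_len = struct.unpack_from(">H", record, lp + 1)[0]
                lp += 3
                if name_type == 0:
                    return record[lp:lp + name_len].decode("ascii")
                lp += name_len
        pos += ext_len
    return None


def what_the_wire_shows(udp53_payload: bytes, tcp443_payload: bytes) -> dict:
    """Summarise what DPI at the ISP learns from the DNS flow and the HTTPS flow."""
    return {
        "dns_query_name": dns_qname(udp53_payload),
        "tls_server_name": tls_sni(tcp443_payload),
    }


if __name__ == "__main__":
    print(what_the_wire_shows(build_dns_query("google.com"),
                              build_client_hello("google.com")))
```

Run as is and the first field shows why using a third-party resolver over plain port 53 changes nothing about what the ISP can see or redirect. Switching to DoH or DoT removes the first flow from the wire, but the second field is still populated: the hostname sits unencrypted in the ClientHello, which is the "DPI on the web traffic itself" the answer refers to, and it is also the information the server needs to pick the right certificate and virtual host when several domains share one IP address.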


Essentially, you are making the incorrect assumption that your DNS request is encrypted because you visit an HTTPS site.

That is NOT the case. HTTPS web traffic on port 443 may be encrypted but the DNS lookup on port 53 is not.

What you appear to be looking for is encrypted DNS which is available - for example in Firefox. The correct term is DNS over HTTPS.

However, in terms of the browsing traffic itself, there are plenty of systems now that offer wire-speed HTTPS inspection; the Great Firewall of China is probably the most obvious example of that in action.

Now, I'm not suggesting that any UK ISPs are engaging in mass HTTPS hijacking, but there are far more common, similar real-world things that do happen; the most likely is man-in-the-middle spoofing of public WiFi hotspots.

If anonymity of DNS lookups and the traffic therein is the primary objective then the best recommendation I can give you is to use a personal VPN service that both encrypts your traffic and offers their own DNS service within the tunnel.

I use PIA

Tags: dns, network, isp