ISPs don't have to log your DNS requests in order to know which sites you visit. It would be stupid and futile anyway, and this for several reasons. For your ISP it is totally irrelevant whether you use its DNS servers or those of a third party. What they log are the connections your client makes to the sites/servers you visit, irrespective of how and by whom your DNS requests are done.
I know that the ISP logs my IP and the remote IP of the server I am connected to. Your turn. How does the ISP know what website I am visiting? I don't mean the IP of the server, but the actual website.
That's what ISPs are logging: IP and time span. If a server (IP) is hosting several websites over a secure connection, then your ISP can't tell for sure which of those websites you are visiting, irrespective of what kind of DNS service you use. In case of a criminal investigation the ISP will have to take further steps.
From what I heard, ISPs in the USA can sell user browsing history, so it is rather possible they have started logging DNS queries. In the EU privacy laws are tighter, but there are some free Wifi hotspots (shopping center, train) and I doubt none of them log browsing history.
By the way, the setting for DoH is already present in Firefox 61, but I don't know if it can be enabled in v61. How would you test to see which DNS servers Firefox is using and whether or not DNS queries are encrypted?
Where do you get the nonsense that ISPs are logging DNS queries? Logging the IPs you connect to and the timestamp of the connection is more reliable, whether they sell the collected data or not.
Here you go: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/#comments

Irrespective of what client you use, you can always monitor outgoing and incoming packets by using a decent sniffer.
There are very many ISPs, as well as companies/groups which operate their own network and would be considered an ISP for this discussion. Not to mention DNS providers. We can't assume the same logging policies across so many, diverse, entities. ISPs logging remote IP Addresses is surely a common practice. So that must be a scenario that is considered. Logging DNS queries can be advantageous including from the "maximize information collection for advertising/other purposes" POV (think DNS prefetch and/or "Smart Multi-Homed Name Resolution" like scenarios). So we should assume it is being done in some contexts. Server certificates are in the clear prior to TLS 1.3. SNI is in the clear prior to TLS 1.3 and encrypted SNI for TLS 1.3 is still being worked out. That has the potential to be inspected and used to acquire more information about the remote site/server/party being contacted. So we should assume that is being done in some contexts. Also, that TLS 1.3 adoption will take time. Point being: one has to consider a specific context, and related assumptions about *actual* logging/sharing/uses, in order to weigh switching from an ISP DNS server to another DNS provider.
-First- It is common practice to give the source when quoting someone, and this for good reasons.

-Second- Excerpt from the cited text: "ISPs logging remote IP Addresses is surely a common practice. So that must be a scenario that is considered." That's correct. As for ISPs logging DNS requests, these are wild speculations without any rationale and unreliable, to say the least.

-Third- Please give a rationale for why an ISP would log DNS queries instead of the IPs of the sites its customers are visiting.

------------

There are a few situations when it makes sense not to use the DNS servers of your ISP, such as slowness or censorship. There are also reasons not to use Firefox's DoH. Read carefully the comments at the end: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/#comments
Nothing in my post was a quote from someone else. I was just making a clearly reasonable point about it being very foolish to assume identical logging policies across all the entities in the world that act as ISPs. You may attempt to substantiate how many of those there are, if you wish. Even CloudFlare's Resolver for Firefox FAQ states that their systems perform logging (should be read for details of course). What is their rationale? Could some other DNS service operators, including ISPs, have similar rationales? Could some ISPs have even worse stated policies and/or unstated ones? Logging is generally common [in part] because it aids in understanding/addressing technical issues with systems. Frankly, and especially when the discussion involves privacy, we acknowledge that... and also acknowledge that there are other less legitimate uses for logged data that might come into play... and start with the assumption that logging *is* taking place. No one, that I've seen, has suggested that there is an ISP that is logging DNS queries instead of remote IP Addresses. DNS logging and remote IP Address logging aren't mutually exclusive. The rationale for DNS logging came up in -Second- above, but I would also point out what I said in my earlier post: if there is a means by which some additional information is leaked to a service provider, there are probably at least some service providers and/or partners of said providers taking advantage of that information leak.
As TheWindBringeth said: DNS logging and remote IP Address logging aren't mutually exclusive. Why would an ISP log IPs and DNS queries? Because a list of visited domains is more valuable to the advertising industry than a list of visited IP addresses.
Let me disagree. I'll even give you an example for better understanding. All modern and less modern browsers have a feature. It's called DNS prefetch and it is enabled by default. As a result, you get a bunch of DNS requests by visiting a single site. There is no way to tell if or which of those sites have actually been visited. As a prospective buyer of gathered data, I want to know exactly which sites have been visited and how much time users have spent on each site. Without this information the gathered data is unreliable, of less value and hence I will pay less for it.
DNS responses contain the resolved IP addresses, so an ISP can combine data from the IP and DNS logs to remove DNS queries that were not followed by a connection to the IP address. Technically this is possible; e.g. a basic inner join in SQL can do that.
I sometimes use DNS logs in conjunction with remote IP Address logs in order to determine what hostname was being communicated with. Particularly when rDNS on the remote IP Address is a CDN, I'll search said DNS logs to find a queried-for name that resolved to the remote IP Address shortly before the network traffic of interest began. It isn't a perfectly reliable approach and I try to avoid utilizing it where I can, but sometimes it is just what I have to work with and it helps. So I'd chalk that up as a plus for having both DNS logs and IP Address logs. DNS logs can also reveal lookups that won't result in traffic that would be captured in an ISP's IP Address logs, and that information may reveal something of interest. In addition to previously mentioned things, possibilities include lookups for [now] non-existent domains, lookups which resolve to loopback or private-use or link-local space, and cases where disabling a local software feature disables connection attempts but not the DNS lookups.
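As an added illustration (not part of either post above) of the join Stefan and TheWindBringeth describe, this Python snippet attributes each connection-log entry to the most recent lookup by the same client that returned the remote IP; the log formats, hostnames and addresses are constructed for the example. It also surfaces the two failure modes raised in the thread: several names resolving to one CDN address, and lookups (prefetch and the like) never followed by traffic.

```python
from datetime import datetime, timedelta

# Constructed sample resolver log: <time> <client> <qname> -> <answer IP>
DNS_LOG = """\
2018-08-09T10:00:00 10.0.0.5 cdn.example.net -> 203.0.113.10
2018-08-09T10:00:01 10.0.0.5 news.example.org -> 203.0.113.10
2018-08-09T10:00:02 10.0.0.5 tracker.example.com -> 198.51.100.7
2018-08-09T10:00:03 10.0.0.5 prefetched.example -> 192.0.2.44
"""
# Constructed sample connection log: <time> <client> -> <remote IP>:<port>
CONN_LOG = """\
2018-08-09T10:00:04 10.0.0.5 -> 203.0.113.10:443
2018-08-09T10:00:05 10.0.0.5 -> 198.51.100.7:443
2018-08-09T10:00:09 10.0.0.5 -> 192.0.2.99:443
"""

def parse_dns(text):
    """-> list of (time, client, qname, answer_ip)."""
    rows = []
    for line in text.splitlines():
        ts, client, qname, _, ip = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname, ip))
    return rows

def parse_conns(text):
    """-> list of (time, client, remote_ip, port)."""
    rows = []
    for line in text.splitlines():
        ts, client, _, remote = line.split()
        ip, port = remote.rsplit(":", 1)
        rows.append((datetime.fromisoformat(ts), client, ip, int(port)))
    return rows

def attribute(dns_rows, conn_rows, window=timedelta(seconds=30)):
    """Join each connection to the latest lookup by the same client that returned
    the remote IP within `window` before it. Returns (attributed, unused_lookups);
    the last field of each attributed row counts competing names (>1 on a CDN IP)."""
    attributed, used = [], set()
    for cts, client, ip, port in conn_rows:
        cands = [(dts, i) for i, (dts, dcl, _, dip) in enumerate(dns_rows)
                 if dcl == client and dip == ip and cts - window <= dts <= cts]
        if cands:
            _, idx = max(cands)          # most recent lookup wins
            used.add(idx)
            attributed.append((cts, ip, port, dns_rows[idx][2], len(cands)))
        else:                            # traffic with no preceding lookup
            attributed.append((cts, ip, port, None, 0))
    # Lookups never followed by a connection: prefetch, blocked, NXDOMAIN, ...
    unused = [r[2] for i, r in enumerate(dns_rows) if i not in used]
    return attributed, unused
```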
In my mind, there are three cases where ISP DNS servers could be logging the client requests:

1) Censorship. Take for example the Great Firewall of China: government-enforced DNS-level blocking done by ISPs (but that's just one tool in its toolbox, like deep packet inspection). Another example is the DNS poisoning done in 2014 by Turkish ISPs.

2) Make a buck. Sell client browsing data to advertisers.

3) Preventing abuse. If ISPs (or any other party) are providing DNS service, then it's only smart to have at least some kind of logs for maintenance reasons.

And sometimes it's not only the domain names visited that can be collected via DNS logging. If the edns0 extension is on then practically any data could be slapped into the DNS packets, like client IP, MAC address, etc... https://www.ietf.org/archive/id/draft-tale-dnsop-edns0-clientid-01.txt

"A similar EDNS option is already being used on the public Internet in two different implementations. One is between the [dnsmasq] resolver on the client side and Nominum's [Vantio_CacheServe] upstream. It uses EDNS option code 65073 from the "Reserved for Local/Experimental Use" range to pass the client's Media Access Control (MAC) address. The other implementation is for Cisco's [Umbrella], aka OpenDNS, which encodes the client's MAC address and complete IP address. It uses option codes 26946 and 20292, respectively, from the middle of the "Unassigned" range."

EDIT: Nice summary of the current state of DNS and privacy (EDNS on page 9): https://datatracker.ietf.org/meeting/97/materials/slides-97-edu-sessc-dns-privacy-01.pdf

BTW, it's crazy that TCP as a mandatory fallback DNS delivery mechanism is as late as 2010 ....
@Stefan Froberg: Thank you for the EDNS stuff. I've looked at some things, including:
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
https://developers.cloudflare.com/1.1.1.1/nitty-gritty-details/

It sounds like CloudFlare's server won't send client identifier/address information on to other servers. I don't think I saw explicit comments on what Firefox will be sending, but given the privacy claims perhaps it won't send such information to CloudFlare either. I did find an assigned bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1466462) which requests that Firefox send an ECS source prefix length of 0 by default, so I guess it isn't already doing that. I haven't looked at related code. Do you have, or know of any, concerns in the EDNS area involving Firefox?

While I'm posting, and for the convenience of others:
https://datatracker.ietf.org/wg/dprive/documents/
https://datatracker.ietf.org/doc/draft-ietf-dprive-bcp-op/ (updated August 8, 2018)
https://github.com/Sinodun/draft-dprive-bcp-op
I honestly don't know at this point. It would be interesting to test if Cloudflare's claim is true and they don't send the EDNS stuff. One could try to check that by setting up an authoritative server on a rented VPS, using Cloudflare DNS and then checking from the DNS server logs what is actually received and if there is any EDNS stuff there. Other than using Cloudflare, I guess we have to wait till that network.trr.disable-ECS preference appears in Firefox.
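An added example (not from any post above or from the draft Stefan quoted) of inspecting what a resolver actually receives, as the VPS test suggests: it parses the OPT record of a DNS message and reports the client-identifying option codes named in the draft plus EDNS Client Subnet (RFC 7871, option code 8) with its source prefix length, the value that bug 1466462 asks Firefox to send as 0. The sample query, MAC address and subnet are constructed here; in practice the bytes would come from the authoritative server's packet capture.

```python
import struct

WATCH = {65073: "MAC (dnsmasq/Nominum)", 26946: "MAC (Umbrella)",   # codes from the draft
         20292: "client IP (Umbrella)", 8: "EDNS Client Subnet"}    # quoted above; ECS = RFC 7871

def skip_name(pkt, off):
    """Offset just past a wire-format name (a 0xC0 compression pointer ends it in 2 bytes)."""
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] else 1)

def edns_options(pkt):
    """Yield (code, data) for each option in the message's OPT RR (type 41)."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 41:
            end = off + rdlen
            while off < end:
                code, olen = struct.unpack_from("!HH", pkt, off)
                yield code, pkt[off + 4:off + 4 + olen]
                off += 4 + olen
            return
        off += rdlen

def audit(pkt):
    """Map each privacy-relevant option found in pkt to a short description."""
    found = {}
    for code, data in edns_options(pkt):
        if code == 8:                          # family, source prefix, scope prefix
            fam, src, _ = struct.unpack_from("!HBB", data)
            found[WATCH[8]] = f"family {fam}, source prefix length {src}"
        elif code in WATCH:
            found[WATCH[code]] = data.hex()
    return found

def build_query(options):
    """Constructed A query for example.com carrying `options` in an OPT RR."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in options)
    return hdr + q + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

# Constructed sample: a MAC address in option 65073 and an ECS /24 for 192.0.2.0.
SAMPLE = build_query([(65073, bytes.fromhex("001122334455")),
                      (8, struct.pack("!HBB", 1, 24, 0) + bytes([192, 0, 2]))])
```

A source prefix length of 0 in the report means the client disclosed no subnet at all, which is what the Firefox bug asks for.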
Maybe there are some test servers around too. Although a given resolver might be using a whitelist to selectively forward.
Firefox has a decade-old bug that serves users Apple and crypto scams
But odd 'drag and drop' flaw is unlikely too much of a threat
August 09, 2018
https://www.theinquirer.net/inquirer/news/3060865/firefox-decade-old-bug-apple-crypto-scams
I usually have about 25 to 50 tabs open; that isn't a problem in Opera 12 and Firefox 52, but Vivaldi will drain your RAM. I have not yet tested Firefox 62 with so many tabs open, but I guess it won't be as bad as the Chromium-based browsers.
Just for kicks and giggles, I currently have 35 tabs open in the latest Chrome beta for the last 10 minutes, with the flags I mentioned above enabled. One tab is Wilders, 33 are the Google search page (my home page) and one is YouTube, currently playing a video as I'm typing this response. Process Explorer is open and showing 88-90% RAM usage. This is on my laptop with 4 GB RAM. It is very high usage, but there is no noticeable instability so far.
Yup, and guess what happens if you open more bloated sites at the same time. The reason why I have so many tabs open is that when I go to a news site, for example, I first open all of the articles I want to read.
I'd be curious to see what the RAM load would be if I had 8GB. I plan to add another 4 GB soon, but at any rate I would never have more than 5-7 tabs open at any one time.