by paulddraper 3576 days ago
(1) Your ISP and employer know which sites you're visiting (modulo virtual hosting) by inspecting your IP packets and doing a reverse DNS lookup. It's the price you pay for someone routing your traffic: they have to know where to send it.

(You can use a proxy/VPN tunnel. Your ISP knows you're sending traffic to the proxy, and your proxy knows where you're sending traffic.)

(2) DNS encryption is certainly possible. DNSCurve and DNSCrypt are the ones I know of. But there's just not a lot of motivation. IP packets have an address on them already; the only additional thing DNS or SNI reveals is which of several (usually enumerable) hostnames they are interested in at that IP. So...interesting, but generally not compelling.

1 comment

> (1) Your ISP and employer know which sites you're visiting (modulo virtual hosting) by inspecting your IP packets and doing a reverse DNS lookup. It's the price you pay for someone routing your traffic: they have to know where to send it.

You have a point, but as a webmaster there's surely no requirement for me to create a PTR record, right? As long as there's an A record somewhere, surely things will work? This is perhaps what you were getting at with "(modulo virtual hosting)" I guess (though to me that would suggest SNI-based certificate serving from one IP)?