by NaliSauce 3162 days ago
I really like this even though I think it only makes for a minimal increase in privacy due to either SNI[1] or quickly grabbing the cert of an IP revealing the hostname if no SNI is supported.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication

3 comments

DNS-over-TLS and DNSCrypt are more about authentication than privacy. They are useful against the guy sitting behind you at Starbucks doing DNS injection.

They don't replace a VPN.

Doesn't TLS 1.3 fix this SNI hostname leak though?

Nope, they kept it because there weren't better alternatives.

SNI will show the hostname of the "DNS over TLS" server the TLS connection is made with but not the DNS queries made.

DNS isn't very useful unless you're actually planning to visit the IPs you just looked up. And as soon as you do that, you'll send the domain name in plaintext via SNI.

It will also show the hostname of the server I access after doing the DNS lookup.

I don't think so.

The purpose of SNI is to pass the domain name to the final destination server, so it can serve up the correct SSL cert where there are multiple domains hosted on the same IP.