[icebraining]

> This is actually why I use my own DNS server and resolve against the root, like anyone else who cares about privacy ought to be doing.

How do you prevent the ISP from logging those requests to the root?

[LinuxBender]

I can't speak for them, but I do the same thing and use a VPN to resolvers on numerous VPS providers. Those talk upstream to the root servers. Between the min-ttl cache at each layer and the large number of resolvers, correlation of my DNS requests is non trivial. I also ensure that client subnet EDNS is blocked.

[autoexec]

Unless you're connected to a VPN 100% of the time wouldn't your ISP already have access to see every domain you browse to?

[icebraining]

They do via the SNI header, but Firefox already includes support for encrypted SNI. So if the server supports that, all the ISP gets is the IP of the server you're connecting to. If that IP only hosts a single domain, then they can still tell, but in other cases (think sites behind Cloudflare, or using shared load balancers), they can't.

Or actually, they might still, using side-channel attacks, but it's significantly harder to accomplish, especially at scale.

[core-questions]

Hey, good point. I guess there's not much I can do about that yet, without DNSSEC or whatever.

[tptacek]

DNSSEC does nothing whatsoever to prevent your ISP from logging your requests.