by sirn 2213 days ago
(Disclosure: I'm Thai)

Especially in Thailand, where free speech is almost non-existent.

A few months ago there was a Twitter user who goes by the name "Anonymous" ("นิรนาม" in Thai) who was arrested for spreading fake news and being a threat to the country. The Twitter user mainly tweets about topics subject to the lèse-majesté law. He never leaves any traces, which leaves the question of how officials managed to track him down if Twitter claims they didn't receive any requests from our government.

My small group of friends came up with one scenario where officials sent a honeypot URL via Twitter DM, then traced him via DNS query logs. This is assuming the scenario where he doesn't click on random links and is using a browser that performs DNS prefetching of sorts. Everyone thought it was unlikely at the time, partly because nobody thought ISPs would actually be logging all DNS queries.

Apparently, all of us were wrong, at least on the latter.

2 comments

Just for my understanding: this wouldn't have happened if the user in question had used a VPN and/or Tor, right?

Don't get me wrong, I really don't like this in Thailand and it's absurd that you would even need something like that. As a foreigner visiting Thailand I don't feel that comfortable with my browsing habits. Usually I trust a local provider enough to just browse and not care about what I'm looking up; Thailand is not one of those places and I always use a VPN (mostly routed to Singapore).

Yes, it probably wouldn't have happened if the user had used a VPN or Tor. If the VPN or Tor setup doesn't leak DNS, at least.

But aren't all the URLs in the messages/notifications "shortened" to a t.co/? So he would have had to click on the link.

This was also why everyone believed it was unlikely. Also, I don't think Twitter even has DNS prefetching turned on. However, now that it's revealed that logging is real, we Thais should be worried.