by jmillikin 1558 days ago
This was alarming since I use a TP-Link router, so I tried figuring out to what extent it's able to inspect and record regular (encrypted) traffic.

My TP-Link Archer AX50, running software version "1.0.11 Build 20210730 rel.54485(4A50)" is doing at least some sort of DPI on outgoing connections. I found a page in its settings (Advanced -> Security -> Antivirus -> History) that contains a log of connections I've made to "suspicious" domains, which include quite a few that I would consider innocuous.

After clearing that log, I loaded a few domains I'd seen in it, and verified that new entries were created. Wireshark shows that no DNS requests were made, and the DNS-over-HTTP used by Chrome didn't leak that traffic. I believe the router must be inspecting TLS headers for the ServerName field.

Didn't try to verify whether that data is being sent to a third party, but given that this thing is collecting data that it has no business looking at, it wouldn't surprise me if it's shipping it somewhere.

edit: the URL I tested with is <https://api.mangadex.org/docs.html>.


It could be doing reverse lookup on the IP you connected to? That's what a lot of network monitoring tools do.

That's not as common any more, due to the broad adoption of TLS-capable CDNs (Cloudflare, Fastly, etc.) over the past ~10 years.

In this case the site I tested with had a few different subdomains backed by the same IP, which I verified from a remote VPS. Using `curl` locally, with the `--resolve` flag to bypass DNS resolution, caused the router's log to contain entries for the specific subdomains requested.

Looking at DNS traffic isn't generally considered DPI.