Hacker News
by rythie 4332 days ago
I note that the HTTP spec covers the leaking of referers:

"A user agent MUST NOT send a Referer header field in an unsecured HTTP request if the referring page was received with a secure protocol." http://tools.ietf.org/html/rfc7231#section-5.5.2

and that's how browsers implement it too.

DNS doesn't give the page you were on. Whilst some systems might have a government root CA on them, it's still quite possible to remove that - it's practically impossible to remove ISP level monitoring.