With dnscloak iOS app installed my provider can't log my DNS traffic?

With dnscloak iOS app installed my provider can’t log my DNS traffic? Is this correct?

Overview

A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS.

1 Like

Your provider can always log, but with the DNSCrypt protocol (which dnscrypt-proxy implements, alongside the DoH and DoT protocols, and I assume similar for the dnscloak app), your DNS traffic will be encrypted junk, same as if they log your direct HTTPS, VPN, or Tor traffic. That encrypted traffic is safe barring cracking the code (years/centuries) or maybe something as trivial as flipping a switch as/when quantum computing becomes available…

I have concerns about the destination IP, which still shows up in DoH (and DoT, I assume) with deep packet inspection unless you and the DNS server are using TLS 1.3, when ESNI (Encrypted Server Name Indication) can be enforced. DoH is also susceptible to things normal for HTTPS protocol packets, like header sniffing.

The main issue I have with DoT is it requires a dedicated port, 853, which can be easily filtered/blocked/censored by providers, organizations and governments, etc.

On the other hand, DoH is resolving over HTTPS, meaning it is indistinguishable from all normal HTTPS traffic and all done on port 443 (hard to filter/block HTTPS if the provider wants to allow internet traffic ;)).

Good read covering the above, only much better, if not with way more info:

2 Likes

Mostly correct: DoH and DoT don’t hide the destination IP, and neither does ESNI. There can be multiple domains on the same IP address; with SNI you tell the server which site/TLS certificate you want, and ESNI just encrypts that information.

So if there is only one website on the IP address, your visiting it isn’t hidden, but if there are many, then your ISP possibly doesn’t know which one you are visiting.

I am yet to learn what is the authoritative capitalisation of ESNI.

@Mikaela, excellent explanation of how encryption of the server name identification (ESNI) works.

@noFAP & @anon18111482, here is a draft to the Network Working Group describing the problems and the potential solutions the IETF organization is proposing.

https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-06

It may be a bit technical at times, but it proposes security against client attacks, while your ISP can still see the initial server name. Co-location of what is behind the server name is still encrypted and cannot be seen.