Image: a man in a mask. Caption: While DNS-over-TLS masks some Internet traffic, total anonymity is more difficult. Source: Shutterstock

DNS-over-TLS is here, but you’re still not anonymous

As of January, 50 percent of web traffic was carried over HTTPS rather than unencrypted HTTP.

While that is enough to put one’s mind at ease for everyday activities and has become the accepted norm for certain things (we check for the browser’s padlock symbol when Internet banking, for example), HTTPS only encrypts the contents of a connection. It does not hide which sites you connect to, and it comes nowhere near full online anonymity.

In most cases, our internet service provider (ISP) knows which websites we visit, because of domain name system (DNS) requests.

Whenever we type in a web address or click on a link, a DNS resolver translates the desired destination (www.techwireasia.com) into an internet protocol (IP) address (52.206.110.247) that the network can actually route to.

In many instances our devices don’t specify a particular DNS server: they use whichever resolver the ISP hands out along with the rest of the network configuration, so the ISP’s own resolver performs every translation.

Whether the ISP runs its own DNS servers or uses a third-party provider, it will know which websites you’re visiting. Configuring a different resolver yourself does not help much either, because traditional DNS travels unencrypted over UDP port 53 and the ISP can read every query as it passes through its network.

To stop anyone on the path between device and resolver from reading or tampering with DNS traffic (a man-in-the-middle rewriting replies, for example), the Internet Engineering Task Force (IETF) has standardised an answer: RFC 7858, published in 2016.

It works in much the same way HTTPS does: the ordinary DNS protocol is run inside a transport layer security (TLS) session, on TCP port 853 instead of plain port 53, so requests and replies are encrypted and the resolver is authenticated by its certificate.

DNS-over-TLS, as it is snappily monikered, substantially improves privacy and security: all traffic pertaining to IP address lookups (as requested by your device and fulfilled by your resolver) is unreadable to anyone sitting between the two. Note the qualifier: the resolver itself decrypts and sees every query, so whoever operates it still learns what you look up.
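The wire format the paragraphs above describe, as an added example (not code from the article): it builds the RFC 1035 query a device sends, frames it the way RFC 7858 requires before it goes into a TLS connection on port 853, and parses a reply. The reply bytes are constructed test data using the article’s own hostname and address; `query_over_tls` needs network access and a resolver name and IP of your choosing, and is included only to show the complete flow.

```python
"""DNS wire format plus DNS-over-TLS framing. Added worked example; the reply
below is constructed, not captured, and the resolver passed to query_over_tls
is whatever the reader chooses."""
import socket
import ssl
import struct

DOT_PORT = 853  # RFC 7858: DNS-over-TLS listens here; plain DNS uses 53


def encode_name(name: str) -> bytes:
    """www.example.com -> b'\\x03www\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """RFC 1035 query: 12-byte header (RD=1, QDCOUNT=1) + question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_for_tls(msg: bytes) -> bytes:
    """DoT carries messages exactly like DNS over TCP: a 2-byte big-endian
    length prefix before each message, so many queries can share one session."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(resp: bytes, expected_txid: int):
    """Return (queried name, [(owner, ttl, dotted IPv4), ...]) from a DNS reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    qname, off = decode_name(resp, off)
    off += 4                                       # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(resp, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return qname, answers


def constructed_reply(txid: int) -> bytes:
    """Hand-built reply for www.techwireasia.com -> 52.206.110.247 (constructed data)."""
    question = build_query("www.techwireasia.com", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    answer = (b"\xC0\x0C"                          # pointer back to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes([52, 206, 110, 247]))
    return header + question + answer


def _read_exact(tls, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = tls.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_over_tls(resolver_host: str, resolver_ip: str, name: str, txid: int = 0x1234):
    """One real DoT exchange (needs network). The resolver's certificate is
    verified against resolver_host, so an on-path attacker can neither read
    the query nor impersonate the resolver."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame_for_tls(build_query(name, txid)))
            (length,) = struct.unpack("!H", _read_exact(tls, 2))
            reply = _read_exact(tls, length)
    return parse_response(reply, txid)
```

The transaction-ID and QR checks in `parse_response` are the same ones a resolver client relies on against blind spoofing over plain UDP; under TLS they become belt-and-braces, because the reply can only have come from the authenticated resolver.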

An existing technology, DNS security extensions (DNSSEC), solves a different problem: it cryptographically signs DNS records so that a resolver can verify they have not been forged or altered in transit. It never encrypted anything, so the two are complementary rather than competing.

Google has announced it is adding DNS-over-TLS support to the Android Open Source Project (AOSP), so Android users will, in time, be able to make their DNS lookups a degree safer.

It is worth noting, however, that web users who seek complete anonymity (the so-called tinfoil hat brigade) will not necessarily be encouraged by DNS-over-TLS. It hides the lookup only from observers between the device and the resolver. If the device still uses the ISP’s resolver, the ISP terminates the TLS session and reads every query in the clear. And even with a trusted third-party resolver, the ISP still sees the IP address you connect to next, and the hostname itself appears in cleartext in the Server Name Indication (SNI) field of the TLS handshake that opens the HTTPS connection, unless the newer Encrypted Client Hello extension is in use.
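What the ISP still sees once the DNS lookup is encrypted, as an added example (not code from the article): Python’s ssl module is driven through in-memory BIOs, with no network involved, to produce the real ClientHello a client would send to the article’s example site, and a small parser pulls the hostname out of the cleartext SNI extension. The record layout follows the TLS ClientHello structure; the hostnames are illustrative.

```python
"""Show that the hostname leaves the device in cleartext in the TLS ClientHello
even when DNS itself is encrypted. Added example; no network access needed."""
import ssl
import struct


def client_hello_for(hostname: str) -> bytes:
    """Produce the exact ClientHello bytes the local TLS stack would put on the wire."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=hostname)
    try:
        tls.do_handshake()          # blocks for a ServerHello that never comes ...
    except ssl.SSLWantReadError:
        pass                        # ... but the ClientHello has already been written
    return outgoing.read()


def extract_sni(record: bytes):
    """Parse a TLS handshake record and return the server_name, or None.

    Record: type(1) version(2) length(2). Handshake: type(1) length(3)
    client_version(2) random(32) session_id cipher_suites compression_methods
    extensions. Extension 0 is server_name (a list of name_type/length/name)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                                   # header, version, random
    off += 1 + hs[off]                                 # session_id
    off += 2 + struct.unpack("!H", hs[off:off + 2])[0] # cipher_suites
    off += 1 + hs[off]                                 # compression_methods
    if off >= len(hs):
        return None                                    # no extensions at all
    ext_total = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        body = hs[off:off + ext_len]
        off += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", body[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = body[p]
            name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                         # host_name
                return body[p:p + name_len].decode("ascii")
            p += name_len
    return None


def what_the_isp_sees(hostname: str) -> str:
    """The one field an on-path observer reads from the first packet of an HTTPS connection."""
    return extract_sni(client_hello_for(hostname))
```

Run it against any hostname and the name comes straight back out of the first packet, before any key has been agreed. That is why pairing DNS-over-TLS with a third-party resolver moves the lookup out of the ISP’s view but not the destination.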

To cloak online activity to a greater degree, a reputable virtual private network (VPN) service can be used, although it comes at a cost both financially and in connection speed (encryption takes time), and it does not remove the observer so much as replace it: the VPN provider now sees everything the ISP used to see.

Finally, no online activity should be considered 100 percent secure or anonymous: hackers literally make their living finding ways around whatever protections we put in place.