No doubt your Internet Service Providers (ISPs) or network-level hackers cannot read the contents of your HTTPS communications.
But did you know that ISPs can still see all of your DNS requests, which tells them which websites you visit?
Google is working on a new security feature for Android that could help protect your Internet traffic from network spoofing attacks.
Almost every Internet activity starts with a DNS query, making it a fundamental building block of the Internet. DNS works as the Internet's phone book, resolving human-readable web addresses, like thehackernews.com, to their IP addresses.
DNS queries and responses are sent in clear text (over UDP or TCP) without encryption, which makes them vulnerable to eavesdropping and compromises privacy.
By default, DNS queries are resolved by your ISP's servers. So when you type a website name into your browser, the query first goes to the ISP's DNS servers to find the website's IP address, which exposes this information (metadata) to your ISP.
Moreover, DNS Security Extensions — widely known as DNSSEC — only offers data integrity, not privacy.
To address this problem, the Internet Engineering Task Force (IETF) last year proposed an experimental feature called DNS over TLS (RFC 7858), which works in much the same way as HTTPS.
Just as the Transport Layer Security (TLS) protocol cryptographically secures HTTPS connections, DNS-over-TLS dramatically enhances privacy and security with end-to-end authenticated DNS lookups between the client and its resolver.
Google is reportedly adding "DNS over TLS" support to the Android Open Source Project (AOSP), currently at an experimental stage, to allow smartphone users to turn the "DNS over TLS" feature on or off under the Developer Options settings.
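As an added example (not code from the article, Google, or AOSP), here is a minimal DNS-over-TLS client in Python that shows what RFC 7858 changes: the same wire-format DNS message as before, but length-framed and sent over a certificate-verified TLS session to TCP port 853 instead of cleartext port 53. The resolver IP and hostname are assumed to be supplied by the caller, and the response parser is simplified to A records.

```python
import socket
import ssl
import struct
DOT_PORT = 853  # RFC 7858: DNS over TLS runs on TCP port 853, not cleartext port 53
def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query (qtype 1 = A record) in standard wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD bit set
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN
def frame(msg):
    return struct.pack(">H", len(msg)) + msg  # DoT reuses DNS-over-TCP framing: 2-byte length
def parse_a_records(resp, txid):
    """Return IPv4 addresses from the answer section; reject a mismatched transaction ID."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: reply does not match our query")
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 5  # root label + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:  # name given as a compression pointer
            pos += 2
        else:
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs
def _recv_exact(tls, n):
    buf = b""
    while len(buf) < n:
        chunk = tls.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf
def resolve_over_tls(name, resolver_ip, resolver_hostname, txid=0x4242):
    ctx = ssl.create_default_context()  # verifies the resolver's cert chain and hostname
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame(build_query(name, txid=txid)))
            length = struct.unpack(">H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length), txid)
```

Because the TLS session is authenticated against the resolver's hostname, an on-path device can neither read the query nor substitute a forged answer, which is the "authenticated lookup" property described above.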
> "Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1," XDA-Developers said in a blog post.
However, just enabling the "DNS over TLS" feature would not prevent your ISP from knowing which websites you visit.
Server Name Indication (SNI), an extension of the TLS protocol, also reveals to ISPs which hostname the browser is contacting, because it is sent in clear text at the beginning of the TLS handshake.
So to enjoy full anonymity, users still need to use a trusted, secure VPN service in combination with the DNS-over-TLS protocol.