I pre-cache for speed, verifying records that have expired since I retain the expired records for sites that have intermittent DNS issues and also to throw in domains that I do not use in the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. My family members and I have been able to access sites when others around the internet cannot due to infrastructure-related DNS problems. In other words, when others will say "It's always DNS", for my family members and me that is rarely the case, as DNS records do not change as often as people seem to think they do.
Or you could use dnscrypt so ISP doesn’t see your lookups at all
During the TLS handshake, you send the domain name in clear text (Server Name Indication - SNI extension) so that the hoster can present the correct certificate for that domain.

Nothing prevents the ISP from collecting that.

Hence Encrypted Client Hello (https://datatracker.ietf.org/doc/rfc9849/), though deployment is still thin.
When all the authoritative servers support TLS I can enable TLS outbound, but very few of them do at the moment. At some point someone is decrypting, turtles all the way down. I could of course just do DoT to another instance of Unbound somewhere else, but I do not need to do that as my ISP does not care about my queries. I used to keep standby DoT Unbound servers around, but I have never once seen a US ISP tinker with my traffic. If they did I would put up billboards saying what they are doing.
Yours is not particularly problematic but I've always wondered how come advertising agencies allow highly controversial topics on their billboards in the US.

I know some (all?) EU advertisers deny creatives based on optics i.e. "our name and logo is on the billboard frame, we don't wanna get associated with topic X".

They like money. Controversial is not illegal. Slander is. If I purchase billboard space and spread defamation that will be problematic. The ISP could always take me to court but they would very likely lose provided I can prove I am telling the truth.
There are a bunch of public dnscrypt servers to which your client can randomly fan out encrypted queries.
There are but I will wait until all the authoritative resolvers support TLS. If I wanted to hide my traffic from my ISP then I would just use DoT from my firewall Unbound instance to a few Unbound instances I already have around the web.
« I’ll keep my house door open until there is a really secure lock installed ». You either care about tampering and snooping or you don’t.
I understand your concerns. I personally do not share these concerns, though I did when I resided in California, that is for sure.

I know just about everyone at my ISP. I know where many of them live. We all live in the same small, tight-knit community. They tried really hard to get me to join their network team.
