Security expert demonstrates that VPNs still matter: encrypted DNS and TLS don’t hide browsing history

For years, some experts have claimed that encrypted DNS makes VPNs obsolete and that users no longer need them to stay private online. False. Watch as cybersecurity instructor David Bombal taps into encrypted web traffic and names the exact websites you're connecting to.
Bombal released an excellent YouTube video demonstrating that, even with all traffic encrypted using modern TLS and encrypted DNS, the website addresses – in effect, the full browsing history – are still visible on the network.
“So just because your DNS is now encrypted, doesn’t mean that your ISP or another person busy tapping the network or monitoring the network can’t see which website you're going to. They can see which website you’re going to,” Bombal said.
And the expert didn’t even mention IP addresses and reverse lookups, which are also visible to the spies on the network despite the encryption.
Bombal used Wireshark, a packet capture and analysis tool, to show network packets with domains clearly visible in clear text, such as www.cisco.com or www.nvidia.com.
“People say you don’t need a VPN if you use encrypted DNS. They can’t see the domains that you go to. And I’m going to prove to you that that’s not true,” Bombal said.
While the encrypted DNS hid the DNS queries themselves, the domains remained visible to network monitoring tools in the unencrypted Server Name Indication (SNI) field within the TLS Client Hello message, despite the use of the latest TLS version 1.3.
SNI is used to indicate to the server which website the user is attempting to access, as the same IP might host multiple websites.
Encrypted DNS protocols come in different flavors, such as DNS over TLS, DNS over HTTPS, and DNS over QUIC, but none of them affects SNI.
SNI exposed website domains nearly every time during the experimentation.
The only exceptions were some websites on Cloudflare that had ECH – Encrypted Client Hello – enabled. This technology is supposed to encrypt the part of the TLS handshake where the domain is visible. However, it didn’t work every time. Bombal opened one major website on Cloudflare after another, yet the domains remained visible.
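To make the SNI and ECH points above concrete, here is an added example (not from the video or the article) that builds a minimal, constructed TLS ClientHello record and parses it the way a passive observer or a network monitoring tool would, reporting the cleartext server name and whether an ECH extension is present. The ECH extension codepoint 0xFE0D is taken from the IETF draft and is treated as an assumption here; the byte layout of the ClientHello follows the TLS 1.3 handshake format. When ECH is in use, the outer ClientHello still carries an SNI, but it names the client-facing server's public name rather than the real destination, which is exactly why an observer sees only a generic name instead of the site visited.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ECH = 0xFE0D  # encrypted_client_hello codepoint from the IETF draft (assumption)


def build_client_hello(hostname: Optional[str], ech: bool = False) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record (test data, not captured traffic)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if ech:
        payload = b"\x00" * 16  # opaque placeholder; real ECH carries an HPKE ciphertext
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    sv = b"\x02\x03\x04"  # supported_versions list advertising TLS 1.3 (0x0304)
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + b"\x11" * 32                           # client random (constructed, fixed bytes)
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> dict:
    """Return what a passive observer learns from a ClientHello: the cleartext SNI and ECH presence."""
    result = {"sni": None, "ech": False}
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return result
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return result
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # skip legacy_version + random
        sid_len = body[pos]; pos += 1 + sid_len                  # legacy_session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len                    # compression_methods
        if pos + 2 > len(body):
            return result                                        # no extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                p = 2                                            # skip server_name_list length
                while p + 3 <= len(data):
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:
                        result["sni"] = data[p:p + nlen].decode("ascii", "replace")
                    p += nlen
            elif etype == EXT_ECH:
                result["ech"] = True
    except (IndexError, struct.error):
        pass  # truncated or malformed record: report nothing rather than crash
    return result


def observer_summary(record: bytes) -> str:
    """One-line verdict in the spirit of the experiment: is the destination exposed?"""
    view = extract_sni(record)
    if view["ech"]:
        return f"ECH present; outer SNI is only the public name: {view['sni']}"
    if view["sni"]:
        return f"destination exposed in cleartext SNI: {view['sni']}"
    return "no SNI visible in this record"


if __name__ == "__main__":
    # Constructed records standing in for what Wireshark would show on the wire.
    print(observer_summary(build_client_hello("www.cisco.com")))
    print(observer_summary(build_client_hello("public-name.example", ech=True)))
```

Running the block shows the plain-SNI case leaking the hostname regardless of whether the preceding DNS lookup was encrypted, while the ECH case exposes only the placeholder public name. The same `extract_sni` logic is what a network monitoring rule would apply to the first packet of each TLS connection, so it is also a reasonable basis for an inventory of which destinations on a network are still identifiable by SNI alone.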
By contrast, when Bombal captured the same traffic over a VPN, the only thing an external observer could see was WireGuard traffic, which hid both the DNS queries and the SNI fields.
By default, DNS queries are sent in clear text, and encrypted DNS makes snooping and spoofing DNS traffic much more difficult. The problem is that many users rely on default ISP-provided settings and do not manually enable the secure DNS options in their browsers and elsewhere.
For privacy-conscious users, a VPN remains one of the few viable options for completely hiding traffic from ISPs and others on the network.
Encrypted DNS only protects the website address lookup process and not the entire internet traffic. However, most internet traffic is already encrypted using TLS, which prevents attackers and ISPs from snooping on the actual contents being transmitted.
They can still track the IP addresses visited, and IP reverse-lookup tools can reveal the services behind them.