DNS-over-TLS/DNS-over-HTTPS does not protect your privacy

DoT/DoH does not completely eliminate ISP surveillance.

Recently I stumbled upon this bug report in which, as a side note, the reporter wants to use DNS-over-TLS (DoT) for privacy reasons: to prevent the ISP from knowing which websites they visit. A brief search for news articles on DoT or DNS-over-HTTPS (DoH) shows that many people believe this. Actually, DoT/DoH does not completely eliminate ISP surveillance.

The ISP still knows what IP address you are connecting to. Even with HTTPS and DoT/DoH, the ISP can currently sniff the domain of the website you are visiting or have visited, including the complete URL, due to a security weakness in Server Name Indication (SNI). This weakness can be fixed by using Encrypted SNI (ESNI).

But even with all that, I repeat, the ISP still knows what IP address you are connecting to. A simple reverse DNS lookup, or even just visiting the IP address, can reveal which website it belongs to. Reverse DNS lookup is not as easy as it was ten years ago because of the current proliferation of content delivery networks (CDNs) like Cloudflare, but it is still possible. For example, dig startpage @9.9.9.9 returned 216.218.239.2. Opening that IP in a web browser redirects to startpage.com. Opening gitlab.com’s IP resulted in an SSL warning with gitlab.com shown as the valid hostname.

Reverse domain lookup through browser

Websites behind a CDN can be harder to look up. For example, dig is.gd @9.9.9.9 returned 104.25.23.21, but going to that IP resulted in an error page. Even then, with a sufficient dataset, it is still possible to infer a website from an IP.

Anyhow, DoT/DoH helps address DNS spoofing by preventing the DNS query/answer from being maliciously modified. It makes it harder for the ISP to record your browsing history because it prevents them from doing DNS logging. But they can still do IP logging. Not to mention that DoT/DoH resolvers can also log DNS traffic; even DNSCrypt cannot prevent that.
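To make the IP-logging point concrete, here is an added example in Python (mine, not code from the post): it inverts a small DNS dataset into an IP-to-name index and maps an ISP-style flow log, which holds only addresses and ports, back to candidate sites. The 216.218.239.2, 104.25.23.21 and 9.9.9.9 values are the ones quoted above; every other address and name is a constructed placeholder.

```python
from collections import defaultdict

# Constructed sample: answers a resolver has seen (name -> IPs). This plays
# the role of the "sufficient dataset" the post mentions.
SAMPLE_DNS_ANSWERS = {
    "startpage.com": ["216.218.239.2"],     # IP quoted in the post
    "gitlab.com": ["203.0.113.10"],         # constructed (TEST-NET) value
    "is.gd": ["104.25.23.21"],              # IP quoted in the post (CDN)
    "example-shop.test": ["104.25.23.21"],  # constructed: shares the CDN IP
    "example-blog.test": ["104.25.23.21"],  # constructed: shares the CDN IP
}

# Constructed sample: what an ISP-side flow log still keeps once DoT/DoH is
# on: timestamp, client, destination IP, destination port. No names at all.
SAMPLE_FLOW_LOG = """\
2024-01-01T10:00:00 10.0.0.5 216.218.239.2 443
2024-01-01T10:00:07 10.0.0.5 104.25.23.21 443
2024-01-01T10:00:09 10.0.0.5 9.9.9.9 853
2024-01-01T10:01:00 10.0.0.5 198.51.100.7 443
"""

def build_ip_index(answers):
    """Invert name -> IPs into IP -> set of names."""
    index = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            index[ip].add(name)
    return index

def infer_sites(flow_log, index):
    """Return (dest_ip, sorted candidate names) for every HTTPS flow.

    An empty list means the dataset has no answer for that IP; several
    names means a shared (CDN) IP, which is the case the post calls harder.
    """
    results = []
    for line in flow_log.splitlines():
        _ts, _src, dst, port = line.split()
        if port != "443":  # skip the DoT session (853) and non-web flows
            continue
        results.append((dst, sorted(index.get(dst, set()))))
    return results

if __name__ == "__main__":
    idx = build_ip_index(SAMPLE_DNS_ANSWERS)
    for ip, names in infer_sites(SAMPLE_FLOW_LOG, idx):
        print(ip, names or "unknown")
```

The encrypted DNS session to 9.9.9.9 is invisible to the index, yet the 443 flows still resolve to a single site for dedicated IPs and to a short candidate list for the shared CDN IP.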

A brief search on DoT/DoH topics showed that many (most?) news articles perpetuate the misconception that it can prevent ISP surveillance.

Title | Link
How to keep your ISP’s nose out of your browser history with encrypted DNS | [1]
Android takes aim at ISP surveillance with DNS privacy | [2]
Android To Get ‘DNS over TLS’ Support To Hide Your Browsing Data From ISPs | [3]
New Android Future “DNS over TLS” going to Stop ISPs from Knowing what websites you visit | [4]
Prevent ISPs from seeing what website you’re viewing with DNS over TLS | [5]
Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit | [6]

TL;DR DoT/DoH doesn’t hide your destination IPs. Use Tor/VPN for that.