What’s the point of DNSCrypt or DNS-Over-TLS if your ISP can still log the IP addresses of the servers you are connecting to after DNS resolution has completed? Can’t they take these IP addresses, perform reverse lookups, and figure out what the domain name you received was?
- Secret site DNS is: site.secret.com
- Secret site public IP address is: 220.127.116.11
You make an encrypted DNS request using either DNSCrypt or DNS-Over-TLS for ‘site.secret.com’. Your ISP has no idea what name you are requesting an IP for. You receive the response, which is ‘18.104.22.168’. Your ISP has no idea what IP you received. You now connect to site.secret.com using the received IP address. Your ISP knows you connected to 22.214.171.124, but not that the name is site.secret.com. They can merely take 126.96.36.199, perform a reverse lookup, and know that you connected to site.secret.com, and log this activity.
So what’s the point of DNSCrypt or DNS-Over-TLS at all? Might as well just use a VPN to hide your activity and not bother with either of these, correct?
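As an added illustration (not part of the question above), the Python below builds the reverse-lookup name an observer would query for a destination IP it has seen, then models on constructed records why that PTR answer often does not identify the site: the `203.0.113.x` addresses (TEST-NET-3), hostnames and zone entries are all made up for the example.

```python
import ipaddress

# Constructed sample records, not real zones. FORWARD_A is the ground truth
# (who really sits on each IP); PTR is what the IP's owner chose to publish,
# which is all a passive observer can look up from the address alone.
FORWARD_A = {
    "site.secret.com": "203.0.113.10",
    "blog.example.net": "203.0.113.10",     # shares the IP (shared hosting / CDN)
    "shop.example.org": "203.0.113.10",
    "lonely.example.com": "203.0.113.20",   # dedicated IP, but no PTR published
}
PTR = {
    "10.113.0.203.in-addr.arpa": "edge-1.hosting.example",  # generic hoster name
}


def ptr_name(ip: str) -> str:
    """Build the reverse-lookup query name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles of the expanded address reversed under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def what_observer_learns(ip: str) -> dict:
    """Model what an on-path observer gets from the destination IP by itself."""
    qname = ptr_name(ip)
    # names_on_ip is ground truth the observer does NOT have; it is included
    # only to show how ambiguous (or absent) the PTR answer is.
    names_on_ip = sorted(n for n, a in FORWARD_A.items() if a == ip)
    return {
        "ptr_query": qname,
        "ptr_answer": PTR.get(qname),        # None when no PTR record exists
        "names_on_ip": names_on_ip,
        "ptr_identifies_site": PTR.get(qname) in names_on_ip,
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20"):
        print(ip, what_observer_learns(ip))
```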