maxloh 7 hours ago

Since most ISPs also maintain their own DNS resolver, they could always reverse lookup the IP address AFAIK.

progbits 7 hours ago | parent | next [-]

The whole idea behind ECH is one IP hosts tons of sites (eg. CDN) so you have no idea which one it is.

Also reverse lookup has nothing to do with hosting own DNS resolver.

szmarczak 6 hours ago | parent [-]

What you're describing is an SNI, not ECH. Those two serve very different purposes.

> Also reverse lookup has nothing to do with hosting own DNS resolver.

It has everything to do with that. Had you used two brain cells, you would've known that they can memorize the IP address and the domain name, and if you connect to that IP in a short period of time, most likely you visited that domain name.

gzread 6 hours ago | parent [-]

SNI is unencrypted, so your ISP can see it. ECH encrypts it.
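
To make the distinction in the comment above concrete, here is an added example (not code from anyone in the thread). It constructs two minimal TLS ClientHello messages and parses them the way a passive on-path observer such as an ISP could: a plain server_name extension (type 0) exposes the hostname in cleartext, while a ClientHello carrying an encrypted_client_hello extension (codepoint 0xfe0d from draft-ietf-tls-esni) only exposes the ECHConfig public_name in the outer SNI. The hostnames are constructed, and the ECH payload is an opaque placeholder rather than real HPKE ciphertext; the parser only detects the extension's presence.

```python
import struct
from typing import Optional

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni codepoint)


def build_client_hello(sni: str, ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal ClientHello handshake message (constructed sample, not a capture)."""
    host = sni.encode("ascii")
    # ServerNameList: one entry, name_type 0 (host_name), 2-byte length, name
    sn_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
    exts = struct.pack("!HH", SNI_EXT, len(sn_list)) + sn_list
    if ech_payload is not None:
        # Placeholder: a real ECH extension carries an HPKE-encrypted inner ClientHello
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (
        b"\x03\x03"                             # legacy_version (TLS 1.2 on the wire)
        + bytes(32)                             # random (zeros in this sample)
        + b"\x00"                               # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                           # legacy_compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    # Handshake header: type 1 (client_hello) + 3-byte length
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> dict:
    """Return what a passive observer learns: the cleartext SNI and whether ECH is present."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    pos = 2 + 32                                 # skip legacy_version and random
    pos += 1 + body[pos]                         # legacy_session_id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + cs_len                            # cipher_suites
    pos += 1 + body[pos]                         # legacy_compression_methods
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT:
            list_len = struct.unpack_from("!H", data, 0)[0]
            p = 2
            while p < 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack_from("!H", data, p + 1)[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    result["sni"] = name.decode("ascii")
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


# Constructed samples: without ECH the real hostname is in the clear; with ECH the
# outer SNI is only the ECHConfig public_name and the real name is inside the payload.
PLAIN = build_client_hello("secret-site.example")
WITH_ECH = build_client_hello("cdn-public.example", ech_payload=bytes(range(16)))

if __name__ == "__main__":
    print("plain SNI  ->", parse_client_hello(PLAIN))
    print("with ECH   ->", parse_client_hello(WITH_ECH))
```

Running it shows the observer recovering "secret-site.example" from the first message, but only "cdn-public.example" plus the fact that ECH is in use from the second. That is the whole point of ECH: the outer SNI is deliberately shared by every site behind the same ECHConfig, so it does not identify the destination.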

szmarczak 6 hours ago | parent [-]

How does this relate to my comment?

szmarczak 7 hours ago | parent | prev [-]

True. ECH is useless if you're using plain DNS. DNS over TLS or HTTPS is the way to go.
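
The resolver-correlation attack that several comments in this thread refer to (the ISP remembering which name its resolver answered with which IP, then matching the client's next connection to that IP) is easy to sketch. The following is an added example written for this page, not code from any commenter. It joins constructed resolver log entries against constructed flow records within a short time window, and it also shows the two caveats raised above: a CDN IP shared by several names yields an ambiguous result, and a client that resolves over DoT/DoH leaves nothing in the ISP's resolver log to correlate. Addresses are from RFC 1918 and TEST-NET-3 ranges and are made up.

```python
from collections import defaultdict

WINDOW_SECONDS = 30  # assumed: how long after a lookup a connection is attributed to it

# Constructed resolver log: (timestamp, client, qname, answer_ip)
RESOLVER_LOG = [
    (100, "10.0.0.5", "alice-blog.example", "203.0.113.10"),
    (105, "10.0.0.5", "news.example", "203.0.113.20"),
    (106, "10.0.0.5", "shop.example", "203.0.113.20"),   # same CDN IP as news.example
    (200, "10.0.0.9", "mail.example", "203.0.113.30"),
]

# Constructed flow records as seen by the ISP: (timestamp, client, dst_ip)
FLOWS = [
    (102, "10.0.0.5", "203.0.113.10"),   # 2s after a unique lookup
    (108, "10.0.0.5", "203.0.113.20"),   # two names resolved to this IP recently
    (400, "10.0.0.9", "203.0.113.30"),   # lookup was 200s ago, outside the window
    (150, "10.0.0.7", "203.0.113.10"),   # client uses DoT/DoH; no resolver entries at all
]


def index_lookups(resolver_log):
    """Map (client, answer_ip) -> list of (timestamp, qname) for fast correlation."""
    idx = defaultdict(list)
    for ts, client, qname, ip in resolver_log:
        idx[(client, ip)].append((ts, qname))
    return idx


def infer_destinations(resolver_log, flows, window=WINDOW_SECONDS):
    """For each flow, return (flow, verdict, candidate_names).

    verdict is 'unique' when exactly one name was resolved to that IP by that client
    within the window, 'ambiguous' when several were (shared hosting/CDN), and
    'unknown' when the resolver saw nothing usable (expired window or encrypted DNS).
    """
    idx = index_lookups(resolver_log)
    out = []
    for ts, client, dst in flows:
        names = sorted({q for lts, q in idx.get((client, dst), []) if 0 <= ts - lts <= window})
        if len(names) == 1:
            verdict = "unique"
        elif names:
            verdict = "ambiguous"
        else:
            verdict = "unknown"
        out.append(((ts, client, dst), verdict, names))
    return out


if __name__ == "__main__":
    for flow, verdict, names in infer_destinations(RESOLVER_LOG, FLOWS):
        print(flow, verdict, names)
```

Against the sample data the first flow is attributed uniquely to alice-blog.example, the second is ambiguous between news.example and shop.example because both sit behind one IP, and the last two are unknown. The unknown cases are what DoT/DoH buy you; the ambiguous case is what ECH is for once the ISP can no longer simply read the SNI.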