Does SSL also encrypt the DNS address?

ssl domain-name-system domain

Solution 1:

No.

In order for the web browser to determine the IP address of some host, say example.com, it must look that up in the DNS, and that separate connection is not encrypted.

SSL/TLS, therefore, does not completely protect against malicious ISPs. Such an attacker can still determine which site the web browser wants to access, even if he can't read the actual data.

In addition, current TLS implementations will always send the fully qualified domain name of the server in cleartext, to support Server Name Indication. Thus a malicious ISP doesn't even need to look at your DNS queries.

Solution 2:

No, the IP address will not be encrypted.

I was going to write a simple example using the postoffice/envelope version but realised just for DNS/HTTPS this become more confusing.

You can see http://www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm to get an understanding of encapsulation.

In the image below, using your example, only the Upper Layer Message would be encrypted. All other layers are un-encrypted.

Datagram Image

Solution 3:

The SSL/TLS transmits the hostname (not the URL) unencrypted during handshake. The URL(https://domainname.com/bla bla bla ...) is encrypted.

But a sniffer will always able to get IP and port information. Because without that, your packet can't be delivered.

If you want full encryption, you should consider using a VPN tunnel with proper dns setting. That will at least protect you from sniffer in your local network.

Solution 4:

A http request looks like this:

GET /index.html HTTP/1.1
Host: www.domain.com

In order to send a request browser must first resolve a domain name (in this case it must get the IP address of www.domain.com), connect to the IP address and send the request. If you're using https then the content of the request will be encrypted and it can't be sniffed. Query to the dns server will not however be encrypted, so it's possible to detect what sites you're browsing. If you're browsing http sites using a HTTP proxy or a VPN, your browser will not send any dns queries, so it won't be possible to say what sites you're browsing or sniff your traffic.

Related

.bash_profile not being read
reverse proxy that caches post requests
What kind of cable is this?
Reverse ssh tunnel: connexion refused
Is MySQL required on both the database server and the webserver? why?
Why the path "//" is working?
With 200TB of needed storage, is a SAN a good idea?
Does the sAMAccountName rename practice based on employment status makes sense?
Floppy power to PCI-E card in DL380 G5
Scaling out Dokku infrastructure
Nginx reverse proxy without SSL termination
Is there anything I can do to speed up snapshot speeds?