DNS-over-HTTPS Will Eventually Roll Out in All Major Browsers, Despite ISP Opposition (zdnet.com)
All major browsers -- including Chrome, Firefox, Safari, Opera, Microsoft Edge, Vivaldi, Brave -- have plans to support DNS-over-HTTPS (or DoH), a protocol that encrypts DNS traffic and helps improve a user's privacy on the web. From a report: The DoH protocol has been one of the year's hot topics. It's a protocol that, when deployed inside a browser, allows the browser to hide DNS requests and responses inside regular-looking HTTPS traffic. Doing this makes a user's DNS traffic invisible to third-party network observers, such as ISPs. But while users love DoH and have deemed it a privacy boon, ISPs, networking operators, and cyber-security vendors hate it. A UK ISP called Mozilla an "internet villain" for its plans to roll out DoH, and a Comcast-backed lobby group has been caught preparing a misleading document about DoH that they were planning to present to US lawmakers in the hopes of preventing DoH's broader rollout. However, this may be a little too late. ZDNet has spent the week reaching out to major web browser providers to gauge their future plans regarding DoH, and all vendors plan to ship it, in one form or another.
Browser is the wrong place for this (Score:5, Informative)
DNS is a system setting. It shouldn't be a browser one
Your machine's resolver should be where you configure whether you trust your ISP or 8.8.8.8 or your own pihole more.
This is mostly a way for Google to collect more information - not to help your privacy.
Re:Browser is the wrong place for this (Score:4, Interesting)
...DNS and proxy config at the system level is one of the things I find most irritating about chrome....
I agree. Chrome does it all wrong. The fact that Chrome did not handle proxy-setting correctly was The Main Reason why I never got past the trial stage with it. On the other hand, I have a DNS caching resolver on my home network, and when I want to move to DNS over HTTPS, I'd configure that resolver for the task. That way everything on the home network will then be using it.
Re: (Score:2)
There's also not really any point to having it on your home network, it will just add overhead to regular DNS.
Now there might be value in having it be internet accessible, so that you can use it when you're not at home, but then it's exposed for anyone to use... Still better to just keep a VPN up for accessing things at home, and run regular DNS over that.
Re: (Score:1)
DNS is a system setting. It shouldn't be a browser one
I disagree. DNS and proxy config at the system level is one of the things I find most irritating about chrome.
Using system settings may be irritating to you, but NOT using system DNS settings will completely and totally break 80% of what I use Chrome for.
All of my internal networks have an internal sub-domain that is hosted completely internally.
Chrome will no longer work with any server or service located in my home because of this.
Not a little broken, but completely unable to connect to them.
Publishing my internal IPs to the public resolvers is not only a stupid requirement since it helps no one reach those IPs,
Re: (Score:2, Insightful)
Given Chrome works in corporate environments that are full of private networks and domains, I'd suggest you just lack the ability to properly configure things.
Re: (Score:3)
I run servers on my home network, with my own DNS which delegates to external DNS for external hosts. Are you saying that I should just give up on having my own network?
Default settings are for the masses (Score:2)
Nope - go ahead and run your own DNS, and configure your browser to use it if you browse local websites. Default settings are for the 99% of users that don't even know what DNS is.
Re: (Score:1)
For those who manage networks with 500+ clients using Chrome, is there a GPO to set for disabling this behavior in Chrome or will each workstation have to be touched to disable it by hand?
Re: (Score:2)
It'll have to be disabled by hand multiple times because certain updates will revert the change, change the way you need to disable it, or just "oopsie" and ignore your preference to disable it. And your 500+ clients will be getting the updates in waves, sporadically.
Re: (Score:2)
That seems very unlikely. If either of the major browsers gave you such headaches on a regular basis, would you stick with them, or switch to their competition? Market share is important, even for free software, and corporate customers have huge influence on that.
Re: (Score:2)
That seems very unlikely. If either of the major browsers gave you such headaches on a regular basis, would you stick with them, or switch to their competition? Market share is important, even for free software, and corporate customers have huge influence on that.
Yes. Proof is IE6; nobody liked it, but everybody used it.
The problem is that web designers don't test against much of anything else but Chrome anymore, and even if they did, Firefox is the only browser that isn't essentially-Chrome. When the options are "Use Chrome" or "Important Website Doesn't Work", there are a whole lot of people with work to do who aren't going to join the IT department in hoping the website vendor will be the first one to blink.
Chrome's lack of GPOs or other form of centralized manag
Re: (Score:2)
Chrome's lack of GPOs or other form of centralized management has been an issue for over a decade now
But I have GPO's, as seen here [imgur.com]
And this week I just started using Chrome Enterprise, which is a centralized place to control policies and get reporting [imgur.com].
In the second link, the column "Number of Policies" is actually the number of Windows Group Policy objects configured for Chrome on that machine.
Is that what you are talking about, or something else?
Re: (Score:2)
Pulling shit statistics out of one's ass doesn't make a point. There is a reason why people centralize a DNS server rather than set up the default. Those that want can use Secure DNS to prevent people from spying on their DNS. This still does not protect them from divulging to their ISPs the sites they visit since they still need to request the IP.
In order to protect people from unscrupulous ISPs you need to set up a VPN through a service you can trust.
This is all about getting into people's privacy. It may be
Re: (Score:2)
If you have an IT department, they can change the browser settings easily enough. Default settings are for Joe Sixpack who doesn't even know what DNS is. Default settings should always protect ignorant users as much as possible. Knowledgeable users can always change the settings as they see fit.
Re: (Score:2)
No they can't change the browser setting easily enough because it's not easy to change a browser's setting. The reason DHCP was invented was to solve things like this. If it's so important for someone to set up encrypted DNS they can set up Secure DNS. DNSoH does not prevent a network provider from knowing what sites you visit. It doesn't hide the IP. Joe Sixpack will still have to request the IP from his ISP. Not hard to deduce from that where Joe Sixpack went.
Re: (Score:2)
DNSoH does not prevent a network provider from knowing what sites you visit. It doesn't hide the IP.
And since ISPs are already doing DPI they will continue to see SNI in your TLS client hello packets.
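The point made in this reply is easy to verify: the server name a browser is connecting to travels in the clear in the TLS ClientHello, so hiding the DNS lookup inside DoH does not hide it from a network observer (or from your own network monitoring). The following added example, which is not code from the thread or from any project mentioned in it, builds a constructed ClientHello record inline and then pulls the hostname back out of the SNI extension the way a passive monitor would; the builder and its field layout are assumptions chosen to match RFC 5246/6066, and only the fields the parser needs are populated.

```python
"""Extract the SNI hostname from a TLS ClientHello record (added example)."""
import struct


def build_client_hello(server_name, include_sni=True):
    """Construct a minimal TLS ClientHello record (constructed sample input).

    Only the fields the parser walks are filled in: version, random,
    empty session id, one cipher suite, null compression, and extensions.
    """
    host = server_name.encode("ascii")
    # server_name extension (type 0): ServerNameList with one host_name(0) entry
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # an unrelated empty extension (extended_master_secret, 0x0017) the parser must skip
    ext_other = struct.pack("!HH", 0x0017, 0)
    extensions = (ext_sni if include_sni else b"") + ext_other
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeroed in this sample)
        + b"\x00"                                     # session_id length 0
        + b"\x00\x02\x13\x01"                         # cipher_suites: one suite
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello record.

    Returns None when the bytes are not a handshake record, not a ClientHello,
    are truncated, or carry no server_name extension.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                    # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                            # compression_methods
    if len(body) < pos + 2:                         # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != 0x0000:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries
        p = 2
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == 0:
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("bank.example")))   # bank.example
```

The same walk works on a captured first TLS segment from a flow; the only difference in practice is that the ClientHello may span more than one TCP segment, so a real monitor reassembles before parsing. Note that the parser bounds every read, since a truncated or hostile record must yield None rather than an exception in monitoring code.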
That's not secure. (Score:3)
DNS is a system setting. It shouldn't be a browser one
DNS is, but the problem is that DNS is not encrypted. However, SDNS is encrypted but not widely supported and certainly isn't supported by any version of Windows. In order to change it on the system level, you would need to replace a closed source component just to get the same level of security that DNS-over-HTTPS provides.
Perhaps you should be bitching about Microsoft's lack of support for open standards.
Re: (Score:3)
If you believe this provides ANY level of security, you're fooling yourself.
Re: (Score:2)
Right - because it's not like we know for a fact that the major ISPs routinely record your traffic for their own purposes, and mostly pipe all that information to covert government surveillance organizations as well...
Not to mention that without encrypted DNS you're completely vulnerable to MitM attacks redirecting your browser to unaffiliated websites whenever they see fit. I mean, I'm sure that every time *you* do online banking you check that the certificate actually belongs to your bank, rather than ju
Re: (Score:2)
Not to mention that without encrypted DNS you're completely vulnerable to MitM attacks redirecting your browser to unaffiliated websites whenever they see fit.
Encrypting DNS changes nothing WRT security.
On the Internet there is no trustworthy mechanism to secure network identifiers. Anyone in a position to conduct a MITM attack can forge packets going to or from a network identifier and effectively "redirect to unaffiliated websites whenever they see fit".
Bookmarking secure versions of sites and/or the use of latches like HSTS provide meaningful security. Securing pointers to inherently insecure identifiers is an absurd exercise in futility.
Re: (Score:2)
They could - but that doesn't change the fact that they *already* have that relationship with all the major ISPs.
The political climate about such surveillance has also changed - there is no terrorist bogeyman that just killed thousands of people to invoke, and there's been a lot of backlash and legal challenges against mass surveillance. Businesses are no longer as eager to partner with intelligence agencies "for the good of the nation".
And of course, you can't realistically switch your ISP to someone not
Re: (Score:2)
This is a lot less about US and a lot more about the rest of the world.
Many European countries' governments for example use DNS as their means of "government/court ordered this site blocked, so we remove it on all major ISP DNS tables". If DNS in browsers massively shifts to encrypted non-ISP DNS fed by foreign entities, nations with this relatively easy to bypass method for site blocking have to go down Chinese road of Great Firewall of [nation] to enable legally mandated site blocking. Which will be a who
Re: (Score:2)
DNS is, but the problem is that DNS is not encrypted. However, SDNS is encrypted but not widely supported and certainly isn't supported by any version of Windows. In order to change it on the system level, you would need to replace a closed source component just to get the same level of security that DNS-over-HTTPS provides.
Perhaps you should be bitching about Microsoft's lack of support for open standards.
I'm just not following the logic here. If the problem is OS vendor does not support x your choices if you want x are then:
1. Install a browser update that gives x only for names resolved via browser.
2. Install a proxy service that gives x system wide for all applications including browser.
On what planet is option #1 better than option #2?
Re: (Score:2)
You can still do option #2... but it's an entirely different program and that's not what browser makers develop which is why they offer option #1.
Still not a browser issue (Score:2)
If you want to make the *system* use a secure protocol for querying DNS servers, that's fine.
But having a browser bypass your system DNS to give Google your browsing history is just insane; and almost the opposite of a secure solution.
Re: (Score:2)
DNS is not the problem. Untrustworthy ISPs are the problem. The only solution for this is a trusted VPN. DNS-over-HTTPS still identifies the site since DNS only maps human-readable URLs to IPs. If your ISP is too stupid to know where you are going with an IP then you don't need to worry about encrypted DNS.
This is a money grab by the worst offenders of privacy that currently exist. It's harder for people to avoid Google than it is to avoid an ISP. I will repeat it once again. It's impossible to avoid Goo
Re: (Score:2)
This is a bit nonsensical. Most people get their DNS settings over DHCP, which means that for most users the ISP or other network provider tells them who gets to see and resolve all their domain requests.
If you are someone that configures their DNS themselves you could easily tell the browser to use the system DNS too, not like that is going away.
Re: (Score:2)
How does this enable Google to collect more information when I use Mozilla and set the DoH to use Cloudflare or Quad9?
Most likely by Google and Cloudflare partnering with an online ad company (probably doubleclick owned by google) to share your information.
Re: (Score:1)
Agreed, operating systems should add support for DNS over HTTPS as soon as possible.
All apps should benefit from it, not just browsers.
Re: (Score:2)
Yes and no. As long as there is an option to change where the browser gets its DNS, I'm okay with it.
Re: (Score:2)
ISP's had a chance at implementing proper secure and verifiable DNS, but they didn't want to.
Good for them and fuck the clowns who went ahead with DNSSEC without fixing DNS first.
Re: (Score:2)
This is mostly a way for Google to collect more information - not to help your privacy.
Oh Google is collecting more information when Mozilla is using Cloudflare's DNS-over-https resolution services? I guess Microsoft is also in bed with Google then. The tinfoil hat is strong with this one. Repeat after me: IT'S FUCKING CHROME, anything you think they are doing to get more information from you is irrelevant since you're literally running their un-auditable binaries along with their "We can load any code we want on your system" service that comes with Chrome (also known as Google Update Service
DNS over HTTPS (Score:5, Insightful)
A way to hide DNS traffic from third parties?
Or a clever means to funnel ALL DNS traffic through the NSA?
Re: (Score:2)
A way to hide DNS traffic from third parties?
Or a clever means to funnel ALL DNS traffic through the NSA?
omgz ... the NSA modded me troll for this? wtf?
Re: (Score:2)
Yes. You're an idiot.
Now they have modded me 5 insightful to lull me into a false sense of security, then immediately insulted me to reset me to neutral.
This is some true deep state shit. /shouts Mel Gibson - Help!
Re: (Score:3)
If it was truly about protecting the user, there are ways to do this at the OS level, using standard OS level tools.
If cloudflare, Google, Firefox, Microsoft, and others wanted to REALLY help, then there could easily be an adoption of an encrypted DNS standard. These browsers could support it, default to , but if the system resolvers support it?
Use them by default.
But nope! No, it's gotta be "their infrastructure by default". People like Google, and Mozilla, and Microsoft, and Cloudflare, people that ma
Re: (Score:2)
I don't see how it would prevent them. It would mean that PiHole itself would need to implement DNS-over-HTTPS in both directions - acting as a server for the browser to query, and also acting as a client to forward those queries after filtering them.
Re: (Score:2)
It doesn't have to intercept them - you simply configure the browser to use your PiHole for DoH queries.
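The two replies above describe what a Pi-hole-style filter needs once browsers speak DoH: it has to act as a DoH server toward the browser and as a DoH client toward the upstream, with the filtering decision in between. The following added example (not Pi-hole's code and not from the thread) implements that decision logic on RFC 8484 messages: it decodes a query arriving either as the base64url `?dns=` GET parameter or as a raw POST body, parses the question name from the DNS wire format, answers blocked names locally with a 0.0.0.0 sinkhole record, and forwards everything else unchanged to an upstream. The upstream is an injected callable (in deployment it would be an HTTPS POST with `Content-Type: application/dns-message` to the chosen resolver) and the blocklist and the `192.0.2.1` answer are constructed so the example runs offline; the HTTP server and TLS termination in front of it are out of scope.

```python
"""DoH filtering forwarder logic: browser-facing decode, block decision, upstream forward."""
import base64
import struct

# Constructed blocklist; a deployed filter loads thousands of names from lists.
BLOCKLIST = {"ads.example"}


def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A, class IN, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, qname, qtype, end_of_question_offset) for the first question."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pos + 4


def to_doh_param(msg):
    """RFC 8484 GET form: base64url without '=' padding, sent as ?dns=<param>."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def from_doh_param(param):
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def is_blocked(qname):
    """A name is blocked if it is, or sits under, a blocklisted name."""
    return any(qname == b or qname.endswith("." + b) for b in BLOCKLIST)


def sinkhole_response(query, ttl=60):
    """Answer a blocked A query with 0.0.0.0, echoing the txid and question."""
    txid, _, qtype, qend = parse_question(query)
    if qtype != 1:   # other types for blocked names get an empty NOERROR answer
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:qend]
    # name = pointer to offset 12 (the question), type A, class IN, ttl, rdlength 4, 0.0.0.0
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(4)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:qend] + answer


def first_a_record(msg):
    """Return the first A rdata as a dotted quad, or None."""
    _, _, _, pos = parse_question(msg)
    ancount = struct.unpack("!H", msg[6:8])[0]
    for _ in range(ancount):
        if msg[pos] & 0xC0:          # compressed owner name
            pos += 2
        else:                        # literal labels
            while msg[pos]:
                pos += 1 + msg[pos]
            pos += 1
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[pos:pos + 4])
        pos += rdlen
    return None


def handle_doh_request(method, payload, upstream):
    """Browser-facing entry point: ("GET", dns_param) or ("POST", raw_body).

    upstream: callable mapping a wire-format query to a wire-format response
    (stubbed here; the real one is an HTTPS POST to the upstream DoH endpoint).
    Returns the wire-format response to send back with application/dns-message.
    """
    query = from_doh_param(payload) if method == "GET" else payload
    _, qname, _, _ = parse_question(query)
    if is_blocked(qname):
        return sinkhole_response(query)
    return upstream(query)


def fake_upstream(query):
    """Stand-in upstream: answers every query with A 192.0.2.1 (TEST-NET, constructed)."""
    txid, _, _, qend = parse_question(query)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:qend] + answer


if __name__ == "__main__":
    for name in ("example.com", "tracker.ads.example"):
        resp = handle_doh_request("GET", to_doh_param(build_query(name)), fake_upstream)
        print(name, "->", first_a_record(resp))   # 192.0.2.1 then 0.0.0.0
```

Because the filter copies the transaction id and question section from the query it received, the browser cannot distinguish a sinkholed answer from an upstream one, which is exactly the behaviour the existing plain-DNS Pi-hole setup gives; what changes is only that both legs are now carried over HTTPS.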
Re: (Score:2)
A way to hide DNS traffic from third parties?
Let's get real for a moment -- this will only hide browser based queries. So any queries from non-browser apps will still be fair game.
I don't mind the idea of DNS-over-HTTPS, but it needs to be a system setting, and not something in the browser.
Yaz
False. Not in mine. (Score:3)
I'll block that hostile takeover. Just like I did with ISPs. I run my own DNS.
So I say: DNS over TLS. To MY DNS server! Or die in a fire, you totalitarian dictators!
P.S.: Webification should be a crime. (Score:2)
Anyone so stupid, and so insane, that he believes the inner-platform effect is a good idea, and tries to push it, belongs in a hospital for the criminally insane. Some Batman villain type prison.
Re: (Score:2)
Forwarded queries can be encrypted but it still doesn't solve the problem of not trusting your ISP. The only solution is a VPN to an ISP that you can trust.
Can you please explain how I can avoid Google on my Android phone. DoH has nothing to do with encrypting DNS. That solution already exists. DoH is about marketing and disabling technology that bypasses the collection of peoples personal data.
Re: (Score:2)
Can you please explain how I can avoid Google on my Android phone.
Flash a custom ROM that doesn't have Google Play Services, e.g. LineageOS, GrapheneOS, etc.. If you can't do that on your device, you'll need to buy one that has an unlockable bootloader. Google Pixels are unlockable, except for those financed through Verizon. They become unlockable when you've paid them off. Many (all?) Motorola devices are also unlockable, though only the developer editions can be re-locked and brought back under warranty. There are some others around; most device makers have developer
Re: (Score:2)
Except that I don't think DNS forwarded queries are encrypted. So you still have the same issue that plain text queries are being sent out of your network, and not protected. All you've done is hop to your local DNS server who sends the request out instead of your local computer. DoH is meant to encrypt that traffic so your ISP or people on the network cannot see your DNS requests.
Except the same data is available via SNI/public key identity.
I personally disagree with the premise that global Internet source and destination are secret information. The whole basis of the theory of DNS traffic being spied on having any meaning at all (given source/destination headers are required) is that some portion of websites are obscured by shared hosting providers which makes disambiguation difficult... This strikes me as an incredibly inherently weak argument that doesn't really offer anything in
Re: (Score:1)
Until your browser stops using your internal dns settings.
Then you just spoof the ones they are trying to connect to.
Anyway, I compile my own browser. About every two weeks or so.
Re: (Score:2)
Will you also spoof the baked-in Google cert Google Chrome demands to see when connected to Google DNS over the Googlenet?
FUUUUUUUUUUUUUUUUUUUUUUCK GOOGLE
These are two separate things (Score:1)
I wish these ersatz tech writers would stop conflating these two items. Encrypting and/or otherwise securing DNS does not have to involve DNS over HTTPS - DNSSEC has been a thing far longer than DNS over HTTPS.
DNSSEC is about verifiability i.e. truth (Score:2)
DNSSEC does not hide your lookup but it does tell you if the answer is verifiable
Will they also rewrite all my other network apps ? (Score:2)
Because if we're moving the resolver capabilities to the applications themselves, they'll need to rewrite not just browsers, but every application to support name lookup. So when can I expect all my other thick clients to have this new DNS functionality ? And now that it isn't system wide, when I can expect systemd, glibc and Windows to deprecate the old system wide settings ?
Re: (Score:2)
And now that it isn't system wide, when I can expect systemd, glibc and Windows to deprecate the old system wide settings ?
Shhh.... The systemd devs will hear you.
Crap, they're probably already working on it.
Re:Will they also rewrite all my other network app (Score:4, Informative)
Shhh.... The systemd devs will hear you.
They already did. See systemd-resolved.service which already hijacks your DNS in bad ways: https://ohthehugemanatee.org/b... [ohthehugemanatee.org]
Re: (Score:2)
So that guy's grand and complicated solution is literally just stop and disable the resolveconf service in the normal way, and he found it all too hard? The biggest problem with people who complain about systemd is usually that they could have solved all their problems in 1 minute by RTFM. This is yet another example of that.
Systemd didn't invent a dns caching resolver, they just created it and Ubuntu implemented it, kind of like how we've been running bind for that purpose since the early days of the inter
Re: (Score:2)
Or you know - we could secure the one handful of applications that are responsible for probably 99% of consumer DNS lookups as a stopgap solution until the OS vendors decide to step up and take responsibility themselves.
Re: (Score:2)
*we* aren't doing this and Google doesn't consider it stop gap. Don't get me wrong, I like encrypting DNS. I like encrypting everything. But don't fool yourself into thinking this is altruistic.
Anybody else see this as a money grab? (Score:5, Informative)
Unless the browsers give you a choice (and I doubt they will) these will all go to Google or Cloudflare. ALL browser traffic will be concentrated to a slim few servers by default - for the good of humanity? No - for power and greed.
I set up DoT on my Asus router (thanks Merlin) and drive traffic to Quad9. Sure, you still only have a select few DNS servers out there - but the choice is still mine and it's (at least for now) a bigger set of choices than I'll get from Chrome or Firefox (owned by Chrome) telling me who to use for my own good.
Interesting discussion and Merlin's personal thoughts here - https://www.snbforums.com/thre... [snbforums.com]
Re: (Score:2)
How will browsers that are intranet-only function if they don't provide the ability to choose? And anyway .. if they did foolishly restrict it in that manner (which I highly doubt) many people are not above editing the binary themselves.. or F that .. both Firefox and Chromium are open source so it will fork.
Re: (Score:2)
The browsers already give you a choice.
Your fears about traffic being redirected to Google are unfounded. Chrome doesn't use Google's DNS servers, it uses the ones you have configured. If they don't support DoH it doesn't use it.
Mozilla prompts the user to ask if they want to switch to Cloudflare and DoH. You can click "no".
Re: (Score:2)
Right - but you have to opt out.
How many people are going to actually DO it?
Re: (Score:2)
I agree it should be opt in.
Re: (Score:3)
Unless the browsers give you a choice (and I doubt they will)
For Firefox there's a text entry box right there [zdnet.com] that allows you to type your own DoH server address in there. You can even uncheck the box, by default it is off but just in case it ever turns on for you, so that you can go back to whatever DNS resolution service you choose.
Re: (Score:2)
Does it get this information from a DHCP server? Just in my home I have over 30 devices that get Internet configuration from a DHCP server. This brain dead solution you offer is stupid at its best since on every network that you connect your laptop to, you will be forced to make the change to protect your privacy.
Have you even thought about what you are proposing? We are going backwards over 50 years.
The only reason this makes sense to anyone is so that the collection of data gets centralized. This needs a clas
Re: (Score:2)
Does it get this information from a DHCP server? Just in my home I have over 30 devices that get Internet configuration from a DHCP server. This brain dead solution you offer is stupid at its best since on every network that you connect your laptop to, you will be forced to make the change to protect your privacy.
Works at the application layer not the network layer. Maybe you've misunderstood this part. This part of your comment doesn't make any kind of sense.
Have you even thought about what you are proposing? We are going backwards over 50 years
No idea what this even means.
The only reason this makes sense to anyone is so that the collection of data gets centralized
DNS in and of itself is a centralized service. It is a centralized store of name resolution. If centralized data collection is what upsets you, well I hope you're typing IP addresses for all the sites you are going to.
A solution to unencrypted DNS already exists SDNS
That's not a thing. Maybe you mean DNS over TLS. Both ways add encryption to a request. They both do it a differe
Re: (Score:2)
Firefox does allow you to select "other" if you know of another DoH server, but then Cloudflare is the one that comes configured into the browser just to get you started.
It seems to me that the DoH servers should supply lists of other servers along with cross-signed certificates so that you can automatically find a secure server closer to home than the default one which is likely to get overloaded or be DOS'ed by some bad actors who are now pissed that their revenue stream from spying on your personal inte
Re: (Score:2)
Unless the browsers give you a choice (and I doubt they will)
Why doubt when you can check and save yourself a lot of pointless typing? Mozilla even includes it on the standard interface in the proxy dialogue and gives you the choice of the server as well as telling you what the default server would be. To trial it in Chrome you actually have to specify the server in flags.
Now say after me: It's Chrome. If Google wanted to capture your traffic, they sure as hell wouldn't have to create and implement some replacement to a core internet functionality to do so.
So, for the open source browsers, not a problem? (Score:2)
So for the open source browsers, we'll have altered versions that don't do this obnoxious stuff of letting someone do my DNS lookups for me?
If I wanted to, I could tunnel my DNS requests to some remote VM so the lookups don't come from my home. Or any of a few other things.
Enough already (Score:2)
Please keep the wall-to-wall DoH doublespeak propaganda campaign going.
Nobody is sick of hearing about how up is down and left is right. Everyone knows that centralizing DNS resolution is good for privacy and security of Internet users.
The more power is aggregated into the hands of the fewer bypassing existing infrastructure and filtering systems without asking the better off we all are.
Oh and as for all major browsers doing what Mozilla is doing. Google Chrome has a 3/4 market share and while there is ze
Pale moon doesn't (Score:2)
Overridable? (Score:2)
Re: (Score:2)
What about a corporate network you may have the same server name direct to a different ip depending on whether you are inside or outside the building?
Canary domain. Total bullshit work-around.
https://support.mozilla.org/en... [mozilla.org]
Re: (Score:2)
Verizon will still have all the DNS traffic through the IPs you access. DNSoH adds no additional privacy from your ISP. It opens the floodgates on invasion of privacy by centralizing it.
Not Safari (Score:2)
Lies, even the article says Apple haven't announced anything for DoH in Safari. It would be quite weird for them to implement it in the browser rather than the OS.
Firefox at it again (Score:1)
i do not know who to trust anymore (Score:2)
the web has become so complex so convoluted i have no idea who or what to trust
and now i do not know who to trust to even do my hostname resolve
fuck this shit, seriously, what the hell?
if i ask i will get reasonable-sounding (to me) arguments from either side
but i will have to trust someone in the end because there is no way in hell i could get all relevant information to make an informed decision... and decision on what? even if i tried to use "open hardware" everything in there is essentially a black box
Re: (Score:2)
The user is paying for the plan, data, speed, amount of data.
Why would any ISP care what a user is doing within the limits of their usage?
They could all get a complex VPN router one day too and the ISP would have to move that data for years..
What is it about reading from the DNS logs that is so interesting to an average ISP?
Re: (Score:2)
I won't be surprised if someone releases a lightweight server app you can run on your own computer (i.e. point your DNS to 127.0.0.1) that will resolve queries from the root DNS servers on down as required.
We're already there. Unbound.
https://nlnetlabs.nl/projects/... [nlnetlabs.nl]
Re: (Score:3)
Certainly nerds must realize that even if the browser resolves the IP address from some other source, the HTTP request will still contain (in plaintext) the 'host' header, which is easily read and cataloged by the ISP.
Using unbound (and optionally pi-hole along with it) allows avoidance of Google, Cloudflare, etc. by hitting the root se
Insert Homer Simpson video clip here: (Score:2)
On the fence (Score:2)
On the one hand, this will make it harder for ISPs to play dirty DNS tricks. On the other, it might make it harder for me to play dirty DNS tricks with the likes of Pihole, etc.
The browser is the wrong place for this, as others have said. This should be a function of the system resolver library, and you should be able to configure which HTTPS servers to use.
Idiots (Score:2)
But while users love DoH and have deemed it a privacy boon
Only idiots love DoH as implemented by Firefox, and it's anything BUT a privacy boon.
Excellent! (Score:2)
Pi-hole (Score:2)
Most decisions have multiple reasons: some good, some not good.
Presenting one: a Raspberry pi with a DNS-based adblock.
https://pi-hole.net/ [pi-hole.net]
If home routers follow its lead then Google and similar are out of money.
Can someone explain how this is supposed to do (Score:2)
How does hiding DNS requests from my ISP stop them from seeing what websites I'm visiting, when my HTML request has to go to that website to get the web page? I can see it working for aggregator services like CloudFlare and when websites for multiple domains are hosted by the same web server. But for the vast majority of sites, the ISP knows which site I'm visiting outside of DNS.