But what’s not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you’re trying to reach at that IP, before establishing the TLS connection, contains the domain you’d requested via DoH/DoT, in plaintext.
It seems many more browsers support it than last I’d looked. I’m curious to see how much of the general web has adopted support for it onnthe server side. I’ll have to look into that more, and see what it’ll take to setup for self-hosting.
But what’s not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you’re trying to reach at that IP, before establishing the TLS connection, contains the domain you’d requested via DoH/DoT, in plaintext.
https://www.cloudflare.com/learning/dns/dns-over-tls/
If I understand it correctly DoH (which I use with NextDNS) should prevent ISP from snooping.
encrypted SNI is a thing now.
True. Known as Encrypted Client Hello now, as part of TLS1.3.
It seems many more browsers support it than last I’d looked. I’m curious to see how much of the general web has adopted support for it onnthe server side. I’ll have to look into that more, and see what it’ll take to setup for self-hosting.