If I make an HTTP request to:
https://hello.domain.com
will the connection also encrypt the domain address (hello.domain.com)? So that sniffing the traffic still makes it impossible to guess what the requested DNS address is.
Note: I'm talking about the DNS address, not the resolved IP address.
No.
In order for the web browser to determine the IP address of some host, say example.com, it must look that up in the DNS, and that separate connection is not encrypted. SSL/TLS, therefore, does not completely protect against malicious ISPs. Such an attacker can still determine which site the web browser wants to access, even if he can't read the actual data.
In addition, current TLS implementations will always send the fully qualified domain name of the server in cleartext, to support Server Name Indication. Thus a malicious ISP doesn't even need to look at your DNS queries.
No, the IP address will not be encrypted.
I was going to write a simple example using the post office/envelope version but realised that just for DNS/HTTPS this becomes more confusing.
You can see http://www.tcpipguide.com/free/t_IPDatagramEncapsulation.htm to get an understanding of encapsulation.
In the image below, using your example, only the Upper Layer Message would be encrypted. All other layers are unencrypted.
SSL/TLS transmits the hostname (not the URL) unencrypted during the handshake. The URL (https://domainname.com/bla bla bla ...) is encrypted.
But a sniffer will always be able to get IP and port information, because without that your packet can't be delivered.
If you want full encryption, you should consider using a VPN tunnel with proper DNS settings. That will at least protect you from sniffers in your local network.
An HTTP request looks like this:
In order to send a request, the browser must first resolve a domain name (in this case it must get the IP address of www.domain.com), connect to the IP address and send the request. If you're using HTTPS then the content of the request will be encrypted and it can't be sniffed. The query to the DNS server, however, will not be encrypted, so it's possible to detect what sites you're browsing. If you're browsing HTTP sites using an HTTP proxy or a VPN, your browser will not send any DNS queries, so it won't be possible to say what sites you're browsing or sniff your traffic.