NOOBY Question about DNS security


not sure, if this questions fits perfectly in this category, please let me know if it doesn’t.

So DNS-SEC makes sure the answer of the DNS query is AUTHENTIC.

Some people think that it also PROTECTS against eavesdropping (by my ISP etc.)?! At the end when I got my authenticated DNSSEC answer, I still have to contact the IP (answer) … thus my ISP can still snoop and catalog my travels on the internet?!

So DNSSEC secures that the answer for a query is authenticated … but does little to hide my internet travels?!

Am I missing something?

Because of this, I do NOT use any of the fancy configurations to hide my DNS queries (e.g. DOT / DOH / splitt request etc.) … Just verify that the answer is authentic … at the end the ISP still sees where I surf.

Any thoughts?

Thanks in advance & have a great day,


Hi rnio,

Thanks for your message, and welcome to deSEC! :slight_smile:

Your assessment is correct. If you would like to hide your data transmissions more thoroughly, you need to use a different method which combines indirect routing of your packets with encryption. The most common approach is the Tor network, but it is quite slow.

DNSSEC protects against forged DNS responses, which increases security in various ways. For example, you can use it to make sure that when you think you’re talking to your bank, you’re really talking to your bank. However, people who can observe the connection can read things, and confidentiality of your traffic is only achieved by adding encryption (e.g. with TLS). You can use DNSSEC to pin a TLS key (using TLSA records), so that you don’t even have to trust a certificate authority. But it is correct that your ISP will still see, even with encryption, where your traffic is flowing.

Stay secure,