What is best for privacy, VPN or DNS-over-TLS?

From a privacy-minded perspective, what’s better, DNS-over-TLS or VPN? In both cases, consider total trust in the provider.

DNS over TLS provides some privacy, as your ISP can’t see what website you visit. It encrypts your web browsing, but at a higher level, the application level. Another downside is that it doesn’t change the IP address of your node. On the other hand, a VPN encrypts all your traffic at a lower level, the network level, and it changes your IP. So it provides more privacy than DNS over TLS. In other words, a VPN does more for your privacy than DNS over TLS, as long as you use a reputable VPN provider.

VPN, disable cookies, location, …

Aren’t they basically the same thing?

I think it’s misleading to say that DNS over TLS prevents your ISP from seeing what websites you visit. Suppose www.example.com resolves to the IP address 198.51.100.1. While your ISP doesn’t see your DNS traffic looking for www.example.com, your ISP can still see that you connect to 198.51.100.1, and infer that you’re visiting www.example.com.

Of course, I was thinking about a more mainstream use, using social media accounts and so on.

They aren’t. DNS over TLS encrypts your DNS requests, and hence your web browsing only. It does that using the TLS protocol. A VPN encrypts your web browsing plus any other type of network traffic that goes out of your device. A VPN also changes your IP address to that of the VPN server you’re connected to, which gives you an extra layer of protection. So to the outside world you don’t look like a normal home user who has a residential IP address and accesses the internet from home or public Wi-Fi.

As soon as you log in to any site you are surrendering privacy.

So how is DNS over TLS better than DNScrypt?

Even with SSL enabled, most sites rely on SNI these days, so you can use SSL with the same IP multiple times. With SNI being used, the ISP once again knows which site you are visiting, since it is part of the handshake.

Well, considering the developer of DNScrypt quit the other day, a main advantage of DNS over TLS is that it’s actually still being developed.

Until TLS 1.3, SNI is sent over the network in plain text. Once TLS 1.3 is broadly deployed, it won’t be possible for ISPs to do packet inspection to detect the server name you’re connecting to.

Yeah. You can see the website, but not the specific webpage.

DNScrypt is still alive. It’s just one guy who “gave up”; now he shills for the TentaVPN™ service. Not sure if he is getting paid to do it. But it looks like any other commercial VPN service to me.

Exactly the same information which you get when looking at the DNS queries.
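As an added illustration of the point made in the posts above about SNI and plain DNS queries (this is example code written for this page, not code from any of the posters or from the DNScrypt or DNS-over-TLS projects), the following Python builds a constructed plain DNS query and a constructed TLS 1.2 ClientHello for www.example.com and parses both the way a passive observer on the path, such as an ISP, would. The hostname, transaction ID and single cipher suite are made-up sample values, and the parser only handles the minimal message layout it builds itself; what it shows is that moving the DNS lookup inside TLS removes one copy of the hostname from the wire while the ClientHello still carries another.

```python
import struct

# Constructed sample traffic: what a passive on-path observer (an ISP, say)
# sees from a client that resolves www.example.com and then opens a TLS
# connection to it. Both artifacts carry the hostname in the clear.

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Plain UDP DNS A query (RFC 1035 wire format), constructed for the demo."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def extract_qname(packet: bytes):
    """Recover QNAME from a plain DNS query; this is the part DoT hides."""
    p, labels = 12, []                                # skip the 12-byte header
    while p < len(packet):
        n = packet[p]
        p += 1
        if n == 0:
            break
        labels.append(packet[p:p + n].decode("ascii", "replace"))
        p += n
    return ".".join(labels) or None

def build_client_hello(server_name=None) -> bytes:
    """Minimal TLS 1.2 ClientHello record (RFC 5246) with an optional
    server_name extension (RFC 6066); constructed for the demo."""
    body = (b"\x03\x03" + b"\x00" * 32                # client_version, random
            + b"\x00"                                 # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"      # one (sample) cipher suite
            + b"\x01\x00")                            # compression: null only
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry        # ServerNameList
        sni_ext = struct.pack("!HH", 0, len(name_list)) + name_list  # ext type 0
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the server_name an observer can read from a ClientHello, or None.
    Walks the fixed-layout fields, then the extension list, looking for type 0."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:                       # not a ClientHello
        return None
    p = 4 + 2 + 32                                    # hs header, version, random
    p += 1 + hs[p]                                    # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")       # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    if p + 2 > len(hs):
        return None                                   # no extensions block at all
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype != 0:
            continue
        q = 2                                         # skip ServerNameList length
        while q + 3 <= len(data):
            ntype, nlen = data[q], int.from_bytes(data[q + 1:q + 3], "big")
            if ntype == 0:
                return data[q + 3:q + 3 + nlen].decode("ascii", "replace")
            q += 3 + nlen
    return None

def observed_hostnames(dns_packets, tls_records):
    """What the observer learns: names from cleartext DNS plus names from SNI."""
    names = {extract_qname(p) for p in dns_packets} | {extract_sni(r) for r in tls_records}
    return sorted(n for n in names if n)

if __name__ == "__main__":
    # Without DoT: both the DNS query and the SNI reveal the name.
    print(observed_hostnames([build_dns_query("www.example.com")],
                             [build_client_hello("www.example.com")]))
    # With DoT the DNS packet is inside TLS and unreadable; the SNI still leaks it.
    print(observed_hostnames([], [build_client_hello("www.example.com")]))
    # Only a ClientHello that carries no plaintext server_name hides it.
    print(observed_hostnames([], [build_client_hello()]))
```

The third call models what the thread is waiting for: a handshake in which the server name is not readable on the wire. Plain TLS 1.3 still sends the SNI extension in the clear; hiding it needs the separate Encrypted ClientHello (formerly ESNI) mechanism, which is why a parser like this one keeps working against most TLS 1.3 traffic today.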