Does SSL also encrypt the DNS address?

Mark asked:

If I make an HTTP request to:

https://hello.domain.com

will the connection also encrypt the domain address (hello.domain.com)? So that sniffing the traffic still makes it impossible to guess what the requested DNS address is.

Note: I’m talking about the DNS address, not the resolved IP address.

My answer:
No.

In order for the web browser to determine the IP address of some host, say example.com, it must look that up in the DNS, and that separate connection is not encrypted.

SSL/TLS, therefore, does not completely protect against malicious ISPs. Such an attacker can still determine which site the web browser wants to access, even if he can’t read the actual data.

In addition, current TLS implementations will always send the fully qualified domain name of the server in cleartext, to support Server Name Indication. Thus a malicious ISP doesn’t even need to look at your DNS queries.


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.