Imagine this scenario: you are at a restaurant and need to make a private phone call, but your phone's battery is drained. To get around the problem you borrow a friend's phone, dial the number and, to protect your privacy, walk outside to talk.
The phone itself does not store the conversation you had, but it does keep a log of recently dialed numbers. If the friend who lent you the phone wanted to, they could easily see whom you actually called, even though they do not know what was said.
The present situation with HTTPS and DNS is much the same. The actual conversation is protected by TLS (HTTPS), but whom you are talking to is visible to the DNS server, and to anyone on the path between you and it, because classic DNS travels in cleartext over UDP/TCP port 53.
In practice this means that when you connect to a website over HTTPS, even though the conversation itself is encrypted, someone able to intercept your traffic can see which website you are looking up and (depending on how the site is secured, for example whether it uses HSTS and whether the client validates certificates) can even manipulate the DNS response to send you to a different server.
By switching your DNS resolver to Cloudflare's Resolver or Google Public DNS you get a fast resolver run by an operator that publicly commits not to sell your query data for ad targeting. Both Cloudflare and Google support DNS-over-HTTPS and DNS-over-TLS, but simply pointing at their IP addresses still sends plain port-53 queries; to make sure the connection between you and the resolver is actually encrypted, you need an additional step, such as enabling a DNS-over-HTTPS client or configuring your local resolver to forward over TLS. Two caveats: the encrypted hop hides your queries from your network and ISP, but not from the resolver operator itself; and the hostname is still exposed on the subsequent HTTPS connection through the TLS Server Name Indication, which is sent in the clear unless the server supports Encrypted Client Hello.
Put the following (example with Cloudflare, for unbound 1.7 or later) into your unbound.conf, and all of your outbound DNS queries will be sent to Cloudflare over TLS on port 853 (TLS 1.3 when both sides support it; unbound negotiates the version through OpenSSL). The `#cloudflare-dns.com` suffix makes unbound verify the upstream certificate against that name using the CA bundle given in `tls-cert-bundle` (the path shown is the Debian/Ubuntu location; adjust it for your distribution). Without the bundle and the auth name, the connection is encrypted but not authenticated, so an on-path attacker could still impersonate the resolver. `forward-ssl-upstream` is the older name of `forward-tls-upstream` and is still accepted.

    server:
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

Run `unbound-checkconf` before restarting, then confirm with `ss -tnp | grep :853` (or a packet capture on port 53 leaving the host) that queries really go out over TLS and nothing is still leaving on port 53.
Google has implemented a similar mechanism to protect users of Android 9 Pie handsets: the Private DNS setting, which sends the device's queries over DNS-over-TLS to a resolver you name. More information: https://www.androidpolice.com/