On Tue, 14 Apr, 2020 at 23:42:48 +0300, Reco wrote: [...]
> > 2. Having completed a DNS lookup unbeknownst to the ISP, we still have
> > to make a connection to the resulting IP address through the ISP's
> > gateway. The ISP can perform a reverse DNS lookup of the IP address if
> > they are determined to snoop.
> >
> > And that is why it's important to use DNS over TLS.
>
> Unless your ISP can magically decrypt TLS on the fly, the scenario
> you're describing is impossible.

I think you misunderstand me. I'm talking about making a connection to an IP address that you have already obtained by (encrypted) DNS. For example, your personal bind instance tells you that www.debian.org resolves to 130.89.148.77. Assuming you then connect to that IP address through your ISP, there's nothing to stop them performing a reverse DNS lookup on it.
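As an added illustration of the point made above (not code from anyone in the thread), a small Python script: it builds the reverse-lookup name that a PTR query for an address would use, then replays a constructed connection log against a constructed PTR table to show what an on-path observer such as the ISP gateway still learns once the DNS query itself is encrypted. The 130.89.148.77 / www.debian.org pairing is taken from the message; the other flows and PTR entries are made-up sample data.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the PTR query name for an IP address.

    IPv4: octets reversed under in-addr.arpa.
    IPv6: every hex nibble of the fully expanded address, reversed,
    under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed PTR answers standing in for what the observer's own
# resolver would return; the debian.org entry mirrors the message,
# the rest is sample data (192.0.2.0/24 is a documentation range).
PTR_TABLE = {
    "77.148.89.130.in-addr.arpa": "www.debian.org",
    "5.2.0.192.in-addr.arpa": "mail.example.net",
}

# Constructed connection log as seen from the gateway: (time, dst IP).
# The client's DNS lookups were encrypted, so only destinations remain.
SAMPLE_FLOWS = [
    ("23:40:01", "130.89.148.77"),
    ("23:40:09", "192.0.2.5"),
    ("23:41:30", "192.0.2.99"),
]


def observer_view(flows, ptr_table):
    """What an on-path observer can infer from destination IPs alone.

    DNS over TLS hides the *queries*; it does not hide where the client
    connects afterwards, and a PTR lookup maps many of those addresses
    back to a name.
    """
    return [(ts, dst, ptr_table.get(reverse_name(dst), "<no PTR>"))
            for ts, dst in flows]


if __name__ == "__main__":
    for ts, dst, host in observer_view(SAMPLE_FLOWS, PTR_TABLE):
        print(f"{ts}  {dst:<16} {host}")
```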