"Knowing the domain names of the websites you visit, or servers that apps access on your behalf, is valuable intelligence. DNS traffic is especially valuable because it reflects what users are doing in real time.

"The names you asked for, and when you ask for them, say an awful lot about you," Huston said in his presentation to the APNIC 52 conference on Wednesday."

This goes on the assumption that a DNS request and HTTP request are coupled in time. They can be decoupled.

I've been gathering DNS data in bulk for many years. This can be done, e.g., by making UDP/TCP DNS requests to the appropriate authoritative nameservers, making UDP/TCP requests to DNS caches run by third parties (this is what developers seem to prefer; it's an inefficient, inconsiderate and braindead method, IMO), extracting the data from public scan datasets available for download, extracting from passive DNS datasets, and most recently making pipelined HTTP requests to DoH servers over a single TCP connection. It's good to have multiple sources of DNS data so one can note any differences.

A surveillance capitalist acting as a passive DNS data or DoH provider could be observing this data gathering, but it would be difficult to connect any subsequent HTTP requests, separated in time, days, months or years later, with particular domain names. With the way CDNs are used today, a large percentage of these domain names can be requested from the same IP address. Obviously CDNs can have troves of data on users' browsing habits. Perhaps surveillance capitalists approach CDNs to get data about users.

What this article fails to mention is TLS 1.2 leaking domain names in certificates and SNI extensions, in plaintext. Using third party DNS like Google, or even "Oblivious DNS", won't stop ISPs and others on path from seeing every domain name for every site the customer visits. TLS 1.3 with ESNI will fix this but it's still experimental and Cloudflare is the only host I am aware of that supports it. Nevertheless I use it and it works well. For non-Cloudflare sites that require SNI (it's quite a small of the sites submitted to HN) I use archive.org. Of course, I am trusting that archive.org isn't engaged in "surveillance capitalism". :) Another trick for Cloudfront hosted sites is one can use the [hash].cloudfront.net domain name for SNI instead of the "real" domain name. If only a small number of customers are doing this, it makes more work for ISPs or marketers for very small reward, but it's a trivial amount of work. Archive.org is the best solution I have so far.

For recreational web use, I have stopped using DNS altogether. I let the forward proxy store the IP address info for each host in memory. It's very fast.