> If you do not like that your ISP or government spy on your DNS request, you could use DNS over HTTPS.

So you are worried that your ISP or government spies on your DNS requests, but at the same time you installed a websense proxy server that decrypts, scans and re-encrypts all https traffic as a man-in-the-middle?? Kind of hypocritical, I think.

> So you are worried that your ISP or government spies on your DNS requests, but at the same time you installed a websense proxy server that decrypts, scans and re-encrypts all https traffic as a man-in-the-middle?? Kind of hypocritical, I think.

What I do at work is their business and what I do at home is my business.

> Why would Mikrotik enable a feature that has almost ZERO client support in its current incarnation?

Because it is requested by Mikrotik users/buyers.
Also, let's cover some things here. If I want to go to secretsite.com and I'm using DNS over HTTPS, my PC or router will send the request to the DNS over HTTPS servers. They will make the DNS queries. Now keep in mind that the actual name servers holding the DNS zone record for secretsite.com are just regular ole DNS servers. Now while your DNS request is all HTTPS to CloudFlare, CloudFlare is all insecure to the nameservers for secretsite.com so they know where to get the IP(s). Sure they could cache results so they don't need to make root server queries all the time, but if secretsite.com's zone record is updated with new IPs then these HTTPS DNS servers could have wrong information cached until they clear it.

Now that I've done my DNS over HTTPS query I now have the IP for secretsite.com (let's say 126.96.36.199), so now I need to get to 188.8.131.52, which means I have to send it over my Internet route to my ISP. Now my ISP knows it's routing traffic for me to 184.108.40.206, which means my ISP now knows where I went. You might say "Yes but they don't know what SITE name" but that's not entirely true. 1) Most of these sites aren't sitting on shared hosting anymore, they are sitting on VMs with their own IPs. 2) SNI presents the actual FQDN requested because one site might have multiple domains or TLDs for it, and if they are all meant to be hit via HTTPS the TLS cert needs to know which FQDN is being used to compare against.

All that things like DNSCrypt or DNS over HTTPS do is make sure that the DNS query *itself* is secured and no MiTM can happen and spoof the DNS results. So it means when I query secretsite.com I can be assured that I'll always get back the proper IP. In no way do these methods stop your ISP from knowing where to *route* the traffic. Sure they may or may not have the FQDN, but they do have the IP.
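The SNI point in the post above can be checked on your own machine: even when the name lookup went over DoH, the FQDN is sent again in cleartext inside the TLS ClientHello, where anyone on the path (your ISP included) can read it. The Python below is an added example, not code from this thread or from MikroTik. It generates the ClientHello that CPython/OpenSSL would send for a hostname without opening any socket (a MemoryBIO handshake), then parses the server_name extension out of the raw record the same way a passive observer would. The hostname secretsite.com is constructed sample input, and build_client_hello() is a hand-built minimal ClientHello used only to exercise the no-SNI path (a client that connects by bare IP sends no SNI, so the parser must return None rather than crash).

```python
import ssl
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def extract_sni(record: bytes):
    """Return the host_name carried in a ClientHello's SNI extension,
    or None when the ClientHello carries no SNI at all."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                       # legacy_version + 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                 # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                  # cipher_suites
    comp_len = hello[pos]
    pos += 1 + comp_len                # legacy_compression_methods
    if pos + 2 > len(hello):
        return None                    # old-style ClientHello, no extensions
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_size]
        pos += ext_size
        if ext_type == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then entries of
            # 1-byte name_type (0 = host_name), 2-byte length, name bytes
            lpos = 2
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if name_type == 0:
                    return data[lpos:lpos + name_len].decode("ascii")
                lpos += name_len
    return None


def client_hello_for(hostname: str) -> bytes:
    """Bytes CPython/OpenSSL would put on the wire as its first TLS record
    for this hostname, produced offline via MemoryBIO (no network I/O)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; no server reply is ever fed in
    return outgoing.read()


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello (not captured traffic),
    with an SNI extension when a hostname is given and none otherwise."""
    hello = (b"\x03\x03" + bytes(32)     # legacy_version, zero random
             + b"\x00"                   # empty session id
             + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
             + b"\x01\x00")              # null compression only
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    wire = client_hello_for("secretsite.com")
    print("ClientHello bytes on the wire:", len(wire))
    print("hostname readable in cleartext:", extract_sni(wire))
    print("bare-IP style ClientHello, SNI:", extract_sni(build_client_hello()))
```

Running it prints the hostname recovered from the real ClientHello; that string is what a DPI box or an ISP sees regardless of how the address was resolved, which is the post's point that DoH only protects the lookup, not the connection that follows.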
> The additional security it brings is very nice.

Like all (encrypted) tunneling it just moves the security problem to a different place.