network – What does my ISP see if I change my DNS server?


So, I think that when I type a certain URL in my browser (for example https://google.com) I send a request through my ISP to the ISP’s DNS, and my provider gets a response (the IP of google.com), goes to this IP, sends a request to this server (google.com) and gets a response – the HTML page that will be sent to me by my provider. Is it so?

No, this does not work as you described.

When you use the ISP’s DNS server you get the IP address of the target server (google.com in your example) from the ISP. The ISP’s DNS server itself provides this IP address from a cache or resolves the DNS query for you – see DNS Lookups Explained for the finer details.

Then your browser uses this IP address to access the target site itself, i.e. the ISP does not retrieve the site for you. The ISP will forward the packets from your client to the target server though, but what’s inside the packets is usually irrelevant to the ISP.

There are some exceptions to this behavior though: in some cases there might be an explicit proxy at the ISP involved, where the client (i.e. your browser) asks the proxy and the proxy retrieves the data and sends it back to the client. The proxy might also cache data to serve the client faster and to save bandwidth. Such a setup was pretty common in the early days of the internet, when bandwidth was more scarce, but it is much less common today.

Some ISPs might also snoop on the traffic with Deep Packet Inspection (DPI) and might block or delay traffic based on this. Some might also enforce an implicit proxy to modify the traffic. This is especially true in countries where the ISP is ordered to block specific sites. It has also happened in the past that ISPs injected their own advertisements into the traffic, or mobile ISPs were found to “enrich” the traffic with information about the client (like the phone number) for the final server in order to provide more targeted advertisements. Traffic modification is mostly impossible when HTTPS is used though, but blocking traffic will work even with HTTPS.

Secondly, when I use another DNS: I think that when I type a certain URL in my browser (for example https://google.com) I send a request through my ISP to the other DNS, and my provider gets a response (the IP of google.com), goes to this IP, sends a request to this server (google.com) and gets a response – the HTML page that will be sent to me by my provider.

Again, the provider is (usually) only involved in forwarding the data between the client (your browser) and the server, not in requesting the data from the server itself. The main difference between using your ISP’s DNS and using a different DNS server is that another DNS server now resolves the query for you. This might be desired if one does not trust the ISP and fears blocking of sites or logging of which sites you access (i.e. privacy invasion). It might also be desired if the new DNS provider offers some interesting features, like blocking malicious domains.

It is still possible, and not uncommon, that your DNS query does not actually end at the DNS server you want to use but is still handled by the ISP’s DNS server. A simple redirection of packets for port 53 at the ISP will do this in most cases. Enforcing the use of the ISP’s DNS server is usually done if the ISP is ordered to block access to specific domains. And even without redirecting, the ISP might be able to see what domains you query by using DPI, since DNS is by default in the clear and not encrypted. When using DNS over HTTPS (DoH) or DNS over TLS (DoT) the ISP will no longer be able to intercept these DNS requests, nor will it be able to see the content of the DNS queries.

From this follows the third question: will I be connected to DNS if I type just the IP (not the domain name) of google.com in my URL bar?

If one explicitly uses the IP address, no DNS lookup is needed to access the server. Note though that most servers will not work if just accessed by IP address. It is pretty common that multiple domains are served on the same IP address. Thus the server also needs the domain name to find out which certificate to provide for HTTPS and which content to serve. If one just puts the IP address in the browser, the browser does not know which domain is meant and thus cannot provide this crucial information to the server.
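The point about plain DNS being readable (and redirectable) on port 53 is easy to see on the wire. The following is an added example, not code from the question or the answer above: it builds a DNS query in RFC 1035 wire format, builds a constructed reply of the kind a resolver (or an ISP that silently redirected the packet to its own resolver) would return, and then reads both packets the way a DPI box would, with no key or cooperation needed. The final function shows the same query as an RFC 8484 DoH GET request; that request text only ever travels inside TLS, so an on-path observer sees a TLS session to the resolver's IP and nothing about the name. The domain, transaction ID, resolver name `dns.example.test` and the address `203.0.113.10` are constructed for the example.

```python
"""Added example (not from the original answer): what an on-path ISP can read
when DNS runs in the clear over UDP/53, and what remains when the same
message is carried over DoH. Names, IDs and addresses are constructed."""
import base64
import struct


def encode_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (0xC0xx)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A query for an A record; flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query` with one A record, as a resolver (or an
    ISP that redirected the packet to its own resolver) would send it."""
    txid = query[:2]
    question = query[12:]                    # name + qtype + qclass, copied
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = (b"\xC0\x0C"                        # pointer to the name at offset 12
          + struct.pack("!HHIH", 1, 1, ttl, 4)
          + bytes(int(o) for o in ip.split(".")))
    return header + question + rr


def inspect_dns(msg: bytes) -> dict:
    """What a DPI box on port 53 recovers from one packet: every queried
    name and every A answer, in clear text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def doh_get_request(query: bytes, resolver_host: str) -> bytes:
    """The same message as an RFC 8484 GET (/dns-query is the usual path).
    This text is sent only inside TLS to the resolver, so the ISP sees a TLS
    connection to resolver_host's IP, not the queried name."""
    q = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return ("GET /dns-query?dns=%s HTTP/1.1\r\nHost: %s\r\n"
            "Accept: application/dns-message\r\n\r\n"
            % (q, resolver_host)).encode("ascii")


if __name__ == "__main__":
    q = build_query("google.com")
    r = build_response(q, "203.0.113.10")    # constructed address
    print("query seen by ISP:   ", inspect_dns(q))
    print("response seen by ISP:", inspect_dns(r))
    print(doh_get_request(q, "dns.example.test").decode())
```

Redirecting port 53 to the ISP's own resolver works precisely because nothing in the packet authenticates which server answered: `build_response` only needs the transaction ID and the copied question section, and a client will accept it from any source that spoofs the destination address. Sending `build_query` output to a resolver you do not control is how to check whether you are being redirected; the wire format is the same for both paths.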
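The last paragraph, that a bare IP address gives the server no way to pick the right site, can be shown with a small virtual-hosting server. This is an added example, not code from the answer: two hypothetical sites, `www.example.test` and `blog.example.test`, share one address (here 127.0.0.1), and the server chooses what to serve from the HTTP `Host` header, which a browser fills with whatever was typed in the URL bar. Connecting by IP with `Host: 127.0.0.1` reaches the same server but matches no site. For HTTPS the same selection happens one step earlier via TLS SNI, which is how the server knows which certificate to present; that part needs certificates and is left out of the example.

```python
"""Added example (not from the original answer): one IP address, two
hypothetical sites, and a server that decides which one to serve from the
HTTP Host header. Runs entirely on 127.0.0.1; host names are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table: both names would resolve to the same IP.
SITES = {
    "www.example.test": b"this is www.example.test\n",
    "blog.example.test": b"this is blog.example.test\n",
}


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Strip an optional :port. The browser sends the name it was given,
        # which is just the bare IP when the user typed an IP address.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host)
        status = 200 if body is not None else 404
        if body is None:
            body = ("no site configured for host %s\n" % host).encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def fetch(port: int, host_header: str):
    """Connect by IP and send the given Host header; return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def run_demo() -> dict:
    """Start the server on a free loopback port, query it three ways, stop it."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {h: fetch(port, h) for h in
                ("127.0.0.1", "www.example.test", "blog.example.test")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, (status, body) in run_demo().items():
        print("%-18s -> %d %s" % (host, status, body.decode().rstrip()))
```

The same server answers all three requests; only the `Host` value decides between a site and a 404. Real deployments often serve a default site for unknown hosts instead of a 404, which is why typing an IP sometimes shows an unrelated page or a hosting provider's placeholder rather than the site you meant.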