
Not all ISPs around the world have the resources to do that. It also doesn't have to be 100%, we just have to make it difficult (or more expensive) and that helps.



Good point. Sniffing traffic is orders of magnitude more expensive than simply logging DNS queries.


    tcpdump -i any -s 1500 '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)' -nnXSs0 -ttt
Is it, though? This one-liner works just fine for me on my gateway and is capturing quite a huge number of raw SNI names.

     0x0110:  c008 0016 0013 0010 000d c00d c003 000a  ................
     0x0120:  00ff 0100 0113 0000 001d 001b 0000 186c  ...............l
     0x0130:  6f67 7369 6e6b 2e64 6576 6963 6573 2e6e  ogsink.devices.n
     0x0140:  6573 742e 636f 6d00 0b00 0403 0001 0200  est.com.........


It's not complicated, but that's also going to take more time, CPU power, and memory bandwidth to do than just recording DNS packets. When you need to do that to millions or billions of connections per second the costs start to really add up.


It's just bitmasking and slicing, basically; that would work just fine even on hosts with obscene amounts of traffic.
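What the tcpdump filter above and the "bitmask and slicing" remark actually amount to, as an added Python example that is not code from any comment in this thread: the same two-byte check the filter does on the TCP payload, then the offset walk through the ClientHello needed to read the host name out of the SNI extension. The ClientHello it parses is constructed inline, and the function names are my own.

```python
import struct
from typing import Optional

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS ClientHello record with an SNI extension (sample, not a capture)."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_data = struct.pack("!H", len(entry)) + entry                  # server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data # ext type 0 = server_name
    body = (
        b"\x03\x03"                                   # legacy_version (TLS 1.3 uses it too)
        + bytes(32)                                   # random, zeroed for the sample
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x13\x01"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def is_client_hello(payload: bytes) -> bool:
    """Same test as the tcpdump filter: record type 0x16 at offset 0, handshake type 0x01 at 5."""
    return len(payload) > 5 and payload[0] == 0x16 and payload[5] == 0x01

def extract_sni(payload: bytes) -> Optional[str]:
    """Walk the ClientHello and return the host_name from the SNI extension, or None."""
    if not is_client_hello(payload):
        return None
    try:
        pos = 5 + 4 + 2 + 32                                   # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", payload, pos)[0]   # cipher_suites
        pos += 1 + payload[pos]                                # compression_methods
        if pos + 2 > len(payload):
            return None                                        # no extensions block at all
        ext_end = pos + 2 + struct.unpack_from("!H", payload, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", payload, pos)
            pos += 4
            if ext_type == 0x0000:
                p = pos + 2                                    # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = payload[p]
                    name_len = struct.unpack_from("!H", payload, p + 1)[0]
                    if name_type == 0:
                        return payload[p + 3:p + 3 + name_len].decode("ascii", "replace")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error):
        return None                                            # truncated or malformed record
    return None
```

Run on reassembled TCP payloads rather than single packets when the ClientHello spans segments; the one-packet assumption is the filter's main blind spot on real links.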


It gets more difficult when you deal with aggregated traffic in the 10s or 100s of Gbps.

But yes, it is possible.

One thing, though: TLS 1.3 is getting more popular and so is session resumption. So even now quite a bit of traffic cannot be identified and it will get harder and harder.

Encrypting DNS requests is one required piece of the puzzle.


Sure, that would work for a SOHO gateway, but at ISP scale that's a ton more traffic to be sniffing.



