Private dns is the tastiest part of (android) pie

Did u know that dns leaks a ton of information about your private tls (https) browsing? and that its widely used to do so? New dns protocols (DNS over HTTPS, DoH) and (DNS over TLS, DoT) can protect you from this. Earlier I showed how to do that here. Great. But what about my mobile? The one most likely to be snooped?

In Android Pie private dns is a feature, in automatic mode by default. This means the default mode of current android is to use encrypted dns to google. But, what if u want to use 1.1.1.1 from cloudflare? They don’t log or snoop your data.

well, here you go. That was easy. Your privacy and security just went way up. good job, take the rest of the morning off.

Note: since automatic is the default, a lot of things will change as this feature rolls out.


Posted

in

by

Tags:

Comments

3 Responses to “Private dns is the tastiest part of (android) pie”

  1. Chris Simcoe

    Don, you mention that “This means the default mode of current android is to use encrypted dns to google.” Does it actually come with Google DNS configured as default? or is it just DoT by default? which attempts TLS to whichever DNS service is network assigned and falls back to DNS without TLS if it.

    1. db

      I will check, great question.
      if you go to https://1.1.1.1/help, it shows whether you are using DoH, DoT, or plain old DNS. But it does not show which recursive resolver you used. I’ll do a quick capture.

    2. db

      https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

      has the docs on it.
      It overrides the DNS system resolver in android (so its global to all apps unless they write their own).
      It remains using the global DNS IP (e.g. as from DHCP).
      How does it get from IP to certificate name required to validate TLS?
      For 1.1.1.1 they did a ‘trick’, they managed to convince the cert-authority to register to an IP (as a string).
      For others, not so much.
      https://tools.ietf.org/html/rfc7858 is the standard. Section 3.2 suggests this is sort of unsolved. Either use a pinset or SPKI.

      The IP as a string in cert name works well for 1.1.1.1, but for v6-only (e.g. non-dual-stack networks), this is a problem. Cloudflare suggests 1dot1dot1dot1.cloudflare as a hostname for it, which is, certainly, not as nice as 1111 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *