

Earlier today, Google rejected a feature request asking for the option to use DNS-over-HTTPS servers other than Google’s and Cloudflare’s in Android: https://issuetracker.google.com/issues/331250145?pli=1#comment7

According to Google’s own testing, DoH is more private, secure, and performant than DoT on Android. There is no reason whatsoever to limit it to a handful of Google-approved servers.

Just like with Manifest V3 in Chrome, this arbitrary restriction on what DNS servers can use the most modern technologies in Android is a clear example of Google abusing their position to campaign against blocking invasive trackers. One of the clearest uses for custom DNS servers is the ability to block privacy-invasive services like Google’s at the DNS level.

Further details & discussion on our forum: https://discuss.privacyguides.net/t/google-rejects-feature-request-for-arbitrary-dns-over-https-server-support/24320

#android #google #privacy #dns
can the server be changed on an alternate version of Android like GrapheneOS?
Android's Private DNS feature already has a configurable server. It was initially an implementation of DNS-over-TLS because the protocol itself is simpler and was more efficient than DNS-over-HTTPS before DNS-over-HTTP/3 existed. They bolted on DNS-over-HTTPS support to it, but trying to automatically use it causes compatibility issues, so there's an allowlist of specific servers where it uses it. Worth noting you should avoid the Private DNS feature if you use a VPN in ANY profile.
This post was edited. (1 month ago)
The only reason Android's implementation of DoH is more secure than DoT is because it's newer so they wrote the whole thing in Rust. If they rewrote the DoT implementation in Rust, it would be more secure than DoT due to being a much simpler protocol than DoH.

Android's real issue tracking uses an internal issue tracker. Public issues being closed doesn't really mean anything. The issue was closed as being obsolete which means something else is happening which obsoletes it.
The people dealing with public issue triage are mostly not developers and largely don't understand the technical details. Bear in mind that it is largely there as a way for end users to submit complaints which then get filtered through multiple layers. The developers are working with an internal issue tracker. Android has far too many users who file issues there for it to be what the developers directly work with themselves, especially since most are using highly modified forks of it.
If you use Private DNS, you'll be sending your DNS requests to a different server instead of the network-provided DNS. The network can still see the IP addresses you're communicating with and nearly all the domain names for TLS connections due to SNI. Not much is actually hidden from the network via Private DNS.

A VPN takes care of this and a VPN works better if you use the VPN provided DNS. Servers can see which DNS resolvers you're using so you stand out from other users that way.
Private DNS is also currently a global rather than a per-profile setting, unlike VPN configuration. It also doesn't interact with secondary profiles with a VPN in a reasonable way. Many VPN providers including Mullvad are recommending that Android users disable Private DNS. See https://mullvad.net/en/help/dns-leaks for an example. This is also our recommendation: if you use a VPN in any profile, then don't use the Private DNS feature. Using a decent VPN will generally make more sense for privacy.
With an equally good implementation, DoH via HTTP/1.1 or HTTP/2 is less efficient than DoT. DoH via HTTP/3 can be faster than DoT but DNS-over-QUIC exists and it's a comparable situation where DoH is higher overhead and more complex since it's the same underlying protocol (QUIC) with HTTP/2 complexity on top instead of simply using concurrent DNS requests over an encrypted connection.

Google has chosen DoH over DoT/DoQ in general and Android will likely expand DoH compatibility.
There's already a feature flag for enabling asynchronous Private DNS server resolution which includes support for DNS-over-HTTPS server discovery. The feature flag is just not enabled by default because it's experimental. That's why the issue was marked obsolete, not won't implement. It's already implemented in a better way, it's just not considered ready for public usage in production yet. We could enable it early but that's probably not a good idea.
I'm also curious about this
Google hasn't said they won't be expanding DoH compatibility. It's a misinterpretation of communication there.

DoH was added more recently so it was written in Rust while DoT is older C++ code. DoT is simpler and would be more secure as new Rust code. DoH via HTTP/3 is inherently faster but lighter DNS-via-QUIC (DoQ) exists too.

Private DNS only encrypts DNS. It's not a substitute for a VPN and hurts VPN privacy when combined together.

See https://grapheneos.social/@GrapheneOS/113880991135335561 for more details.
This is really annoying as DNS-over-TLS is often blocked in uni/school networks and I have to either rely on VPN or RethinkDNS to have a proper secure connection.
I primarily use encrypted DNS for the content blocking. It acts as a basic first line of defense within my family from trackers, ads and malware (emphasis on basic).

If I have VPN on, I generally turn off encrypted DNS due to the reasons you already mentioned. I don't use VPNs as often due to the massive cost to convenience, and it's not like it's critical for me to have it always-on.

With that said, I'm glad DoH compat is being expanded. It'll make using encrypted DNS easier.
This post was edited. (1 month ago)