Google offers Android users an easy way to secure DNS – Android Police | Hot Mobile Press

If you were disappointed to hear that Android 13 doesn’t support DNS over HTTPS, I have good news. It turns out Google didn’t want to ship it as part of a major Android update since (as noted at the time) it could be implemented via a separate Android mainline/APEX module, which would bring the feature to even more Android hardware, and that’s exactly what happened. In the face of “fragmentation,” Google just brought DNS over HTTPS to all devices running Android 11 and later, and even to some Android 10 devices.


Google announced the feature today on its security blog, explaining the benefits (if you didn’t already know) and the mechanism for rolling out the change. In case you weren’t aware, DNS over HTTPS offers some great security benefits.

What is DNS over HTTPS?

While you may already be aware that things like HTTPS connections are a more secure way to browse the web (fortunately, that’s almost always the default experience now), there’s still a security gap that comes up when you actually navigate to a new site. See, when you visit a web address, you’re not really connecting to a bunch of words. That isn’t the real address, just an abstraction for the true location you need to connect to – the “domain name” is tied to an IP address.


Basically, when you type androidpolice.com into your address bar, you’re looking up that name in a sort of phone book – that’s the DNS system. And it turns out that DNS queries aren’t done using a secure method by default, exposing you to things like man-in-the-middle attacks, where someone can direct you to the wrong place when you ask for an address. There are ways to patch the vulnerabilities of even this relatively insecure query, but the system still has a “bootstrapping problem” where the chain of trust is difficult to establish in any order of operations.

Sending these queries unencrypted is also a privacy issue, as someone in the right position could see which websites you are visiting or possibly even interfere with access to certain websites. Remember when ISPs redirected domains that didn’t resolve to their own homepage or ads? Encrypted DNS should prevent that, and may also counter regulatory attempts to block traffic to specific sources, such as the UK government’s repeated attempts to block adult content.


Android already supported DNS over TLS as a way to fix this problem, allowing you to send an encrypted query to a DNS server – and that means you can trust the address returned for the request, provided you trust the server. This has some advantages and disadvantages. Some companies like Cloudflare have argued that DNS over TLS is a little less secure, as it can’t fully disguise DNS queries as regular HTTPS traffic. Additionally, DNS over HTTPS offers performance improvements and has already been adopted by many DNS operators (including Cloudflare and Google). According to Google’s John Wu (the developer originally behind the popular Magisk root solution), the implementation here is even written in Rust – something both security-conscious programmers and Rust enthusiasts will love.


Available now for Android 11 and later

As mentioned, the feature was implemented as part of Android’s DNS resolver module, and an update for it was rolled out as part of a recent Google Play system update. According to Google, compatible devices should already support it. While this module was optional in Android 10, according to Mishaal Rahman from Esper.io, it became mandatory in Android 11, so all Google-certified Android 11+ devices that receive Google Play system updates should be able to use it, and some Android 10 devices that implemented the module when it was optional may have it too. According to Rahman, it’s easy to test by running “cmd device_config get netd_native doh” in an adb shell (without the quotes). If it returns “1”, you have DNS over HTTPS.

If all of this is going over your head, the very short version is that Google has been able to give what is probably the vast majority of Android devices in the wild a feature that will allow them to use the internet in an even safer and more secure way. The feature might not offer many benefits if your DNS server isn’t compatible with DNS over HTTPS, but you can force your Android device to connect to one that is by enabling the Secure Private DNS feature (search for “Private DNS” in Settings), selecting “Private DNS Provider Name” and specifying either the Google or Cloudflare hostname:

  • Cloudflare: cloudflare-dns.com
  • Google: dns.google

(For some reason, trying a more specific hostname like 1dot1dot1dot1.cloudflare-dns.com doesn’t work.)

Ultimately, this updated system should just work without you having to worry about which DNS server you might be using. At this point the feature is finished; it is up to DNS providers to finalize support for DNS over HTTPS.
