It has been 8 years since Google launched its public DNS service. Google wanted to go one step further in the security and privacy of queries made through its DNS servers, and has therefore just announced support for DNS-over-TLS. Cloudflare, Quad9 and other companies have already been offering it for a few months. As of Android 9 (Pie) we can make use of this feature through the new "Private DNS" setting, and we can also use DNS over HTTPS (DoH) in the Mozilla Firefox browser.
Google has implemented DNS-over-TLS in its public DNS service.
From now on, connections to Google's DNS servers will be protected in the same way as a connection to a website over HTTPS. These servers follow the RFC 7766 recommendations to avoid overload and, in addition, support TLS 1.3, TCP Fast Open (TFO) to speed up requests, and the ability to make several resolutions in a single request.
This security and privacy measure depends entirely on Google, so we do not have to do anything to benefit from it. Moreover, its use is completely passive and invisible: we will not notice any change from the usual operation.
Google is the fifth organization to implement DNS-over-TLS on its public DNS servers; before it, the following had already done so:
Why use private DNS?
TLS is the protocol that encrypts your traffic over an untrusted communication channel, such as when you check your e-mail on a coffee shop's Wi-Fi network. Even when the websites you visit use TLS, there is still no way to know whether your connection to the DNS server has been hijacked or is being watched by a third party. This matters because a bad actor could set up an open Wi-Fi hotspot in a public place that answers DNS queries with forged records, hijacking connections to common e-mail providers and online banks. DNSSEC solves the authenticity problem by signing responses, so tampering becomes detectable, but it leaves the message body readable by anyone else on the wire.
DNS over HTTPS / TLS resolves this. These new protocols ensure that the communication between your device and the resolver is encrypted, as we expect of HTTPS traffic.
However, one unsafe step remains in this chain of events: the disclosure of the SNI (Server Name Indication) during the initial TLS negotiation between your device and a specific hostname on a server. The requested hostname is not encrypted, so third parties can still see which websites you visit. It makes sense that the final step in fully securing your browsing activity is SNI encryption, a standard still under development that several organizations have come together to define and promote.
DNS Over TLS on Android 9.0
Android 9, the new version of Google's mobile operating system, already supports this new security protocol thanks to the "Private DNS Mode" feature included in this update. Private DNS Mode lets us use DNS-over-TLS on our smartphone natively, without relying on a VPN or any configuration beyond entering the server's hostname.
To enable it, go to Settings > Network & Internet. Among the network options, in the Advanced section, there is an entry called Private DNS; this is the option we are interested in. To use Google's private DNS, the address to enter here is:
dns.google
To use Cloudflare's private DNS, the address to enter is:
1dot1dot1dot1.cloudflare-dns.com
The same steps, with Quad9 as the provider:
- Go to Settings -> Network & Internet -> Advanced -> Private DNS.
- Select the Private DNS provider hostname option.
- Enter dns.quad9.net and select Save.
A stub resolver (the DNS client on a device that talks to the recursive resolver) connects to the resolver over a TLS connection as follows:
- Before connecting, the DNS stub resolver has stored the base64-encoded SHA-256 hash of the SPKI (Subject Public Key Info) of cloudflare-dns.com's TLS certificate.
- The DNS stub resolver establishes a TCP connection to cloudflare-dns.com:853.
- The DNS stub resolver initiates a TLS handshake.
- In the TLS handshake, cloudflare-dns.com presents its TLS certificate, which the stub can check against the stored SPKI hash.
- Once the TLS connection is established, the DNS stub can resolve names over an encrypted connection, preventing eavesdropping and tampering.
- All DNS queries sent over the TLS connection must comply with the specification for sending DNS over TCP (RFC 7766).
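The sequence above, as an added example that is not code from this page or from Cloudflare or Google: a standard-library Python client that frames the query per RFC 7766 (2-byte length prefix), connects to port 853, lets the default TLS context verify the CA chain and hostname, and optionally checks the resolver's SPKI pin computed from the presented certificate. The pin value is not given on the page, so `pin` is an argument you supply; the DER walker assumes the usual X.509 certificate layout, and `build_query`, `spki_pin` and `resolve_over_tls` are names chosen here.

```python
import base64, hashlib, secrets, socket, ssl, struct
def build_query(name, qtype=1):  # minimal DNS query: random ID, RD=1, one IN question
    header = struct.pack(">HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def frame_tcp(msg):  # RFC 7766: DNS over TCP (hence over TLS) prefixes each message with its 2-byte length
    return struct.pack(">H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf
def read_message(sock):  # read one length-prefixed DNS message from a (TLS) socket
    return _recv_exact(sock, struct.unpack(">H", _recv_exact(sock, 2))[0])
def _tlv(buf, off):  # decode one DER tag-length-value -> (tag, content_start, content_end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def spki_pin(der_cert):  # base64(SHA-256(SubjectPublicKeyInfo DER)): the pin a stub stores before connecting
    _, off, _ = _tlv(der_cert, 0)        # Certificate SEQUENCE
    _, off, _ = _tlv(der_cert, off)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der_cert, off)
    if tag == 0xA0:                      # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                   # serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(der_cert, off)
    _, _, end = _tlv(der_cert, off)      # subjectPublicKeyInfo: the whole TLV is hashed
    return base64.b64encode(hashlib.sha256(der_cert[off:end]).digest()).decode()

def resolve_over_tls(name, host, pin=None, port=853):  # CA chain + hostname verified; SPKI pin if given
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        if pin and spki_pin(tls.getpeercert(binary_form=True)) != pin:
            raise ssl.SSLError("SPKI pin mismatch: not the resolver we expected")
        tls.sendall(frame_tcp(build_query(name)))
        return read_message(tls)
if __name__ == "__main__":  # live use (needs network); rcode 0 and answers > 0 mean success
    resp = resolve_over_tls("example.com", "1dot1dot1dot1.cloudflare-dns.com")
    print("rcode", resp[3] & 0x0F, "answers", struct.unpack(">H", resp[6:8])[0])
```

A pin mismatch is raised even when the certificate chains to a trusted CA, which is the point of pinning: a hijacked hotspot with a valid certificate for some other name is still rejected.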
Previous versions of Android
Devices running versions prior to Android 9 do not support DNS over TLS and cannot configure private DNS for all networks. You can configure DNS for each individual Wi-Fi network you use, but this requires entering all the network information manually and is only recommended for advanced users. However, there is a Cloudflare app that makes the task easier.
At the beginning of 2018, Cloudflare launched its own public DNS service, called "1.1.1.1". Cloudflare's resolver differs from your ISP's and from other alternatives such as Google Public DNS and Cisco OpenDNS in that it puts privacy and speed first. Your IP address is never logged or stored on Cloudflare's servers, and thanks to several optimizations, 1.1.1.1 is, according to Cloudflare, up to 28% faster than other DNS solutions. It also helps fight censorship: countries such as Turkey and Venezuela are known to censor and block media, social networks and adult websites, and an alternative resolver helps get around those restrictions. 1.1.1.1 can also be used on Android phones, but the process is not exactly simple on devices with Android Oreo or earlier. Fortunately, Cloudflare has released an application that makes it easier.
The process is simple: download the application, open it, tap the switch to use Cloudflare's 1.1.1.1 DNS, and browse with it. It is also quite light, at 7.8 MB. The best part? It does not require root or any other modification: just open it, tap and go. The only drawback? The application uses the Android VPN API to connect to the alternative resolver, which means that while you are using 1.1.1.1 you will not be able to use a real VPN provider at the same time.