At first glance, browsing the web looks like a fairly straightforward process for the average user: you type a URL in the address bar, hit Enter and the browser loads the corresponding website. What goes on behind the scenes is more involved. After you press Enter, your device sends a query to a Domain Name System (DNS) resolver to translate the hostname in the URL into a machine-readable IP address. Once your device receives that IP address, it connects to the server and loads the website. This exchange between your device and the resolver normally takes place in the clear over User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port 53, so anyone who can see your connection (the Wi-Fi operator, your ISP, anyone on the path) can read which sites you are looking up and can tamper with the answers. If you don’t want that data exposed, you should use a resolver that supports an encrypted DNS standard such as DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH). Bear in mind that this protects the query in transit; the resolver you choose still sees every name you look up.
Many popular public DNS resolvers, such as Google Public DNS, NextDNS, and Cloudflare, support both DoT and DoH. However, Android currently only natively supports DoT. Google added native DoT support, aptly named Private DNS, in Android 9 Pie; you can find it under the Advanced section of your phone’s Network & Internet settings, and you can configure it by following the steps in this guide. If you want the same setting to use DNS over HTTPS instead, you’ll have to wait until Google rolls out Android 13 “Tiramisu” next year.
A recently merged code change in the Android Open Source Project (AOSP) suggests that Google will add DoH support in Android 13. Its description reads: “Activate the DoH function by default in T.” Since Google internally refers to Android 13 as T or “Tiramisu,” we expect the company to add native DoH support to Android’s Private DNS menu next year.
DoT and DoH do essentially the same thing: both carry ordinary DNS messages inside an encrypted, authenticated TLS session to the resolver. DoT sends the DNS messages directly over TLS (the successor to SSL, and the same protocol HTTPS websites use to encrypt and authenticate their connections) on a dedicated TCP port, 853. DoH instead wraps each DNS message in an HTTP request and response (HTTP/2 in practice) carried over HTTPS, rather than sending the DNS messages directly over UDP or TCP. The difference in ports gives DoH a slight edge in terms of privacy.
As this Cloudflare post notes, DoT uses a dedicated port (TCP 853) for DNS traffic, so anyone with visibility into the network can tell that DNS lookups are happening and to which resolver, even though the requests and responses themselves are encrypted. DoH, by contrast, uses port 443, the same port all other HTTPS traffic uses, so DNS queries blend in with ordinary web traffic. That makes monitoring and blocking DoH requests considerably harder: a network administrator cannot single out DoH by port alone, and instead has to block the IP addresses or hostnames of known DoH resolvers, at the risk of breaking whatever else those hosts serve.
Google will likely add DoH support to the Private DNS option in Android’s Network & Internet settings. At the moment, we don’t have more details on the feature. We’ll update this article as soon as we know more.
Thanks to XDA Recognized Developer luca020400 for the tip!