Private DNS in Android settings

[Neil]

What is the "Private DNS" setting supposed to be used for in Android 12?

In my Android settings I noticed a "private dns" settings set to on.
Settings -> Connections -> More connection settings -> Private DNS

I never touched this as I don't know what it does.

My related Private DNS settings are "Private DNS = On" at the top level.
And then when I diver deeper still, I see that "Private DNS = Automatic."

The three choices are
"Off",
"Automatic" and
"Private DNS provider hostname" (which is blank on my phone).

What should a default "Private DNS" setting be on a typical Android phone?
And what is this "Private DNS" all about anyways?
--
regards,
Neil

[Jörg Lorenz]

Am 01.09.23 um 15:26 schrieb Neil:

> What is the "Private DNS" setting supposed to be used for in Android 12?

The option to use another DNS-server than your provider's DNS-resolver.
This has enormous privacy implications and helps to fight against any
sort of censorship.

--
Alea iacta est

[sitaramc]

Private DNS is Android's implementation of either DNS over TLS, or DNS
over HTTPS (probably the former).

Not sure where it goes if you set it to on but don't specify a provider;
probably some google provider. But if it doesn't work set it to
dns.quad9.net (easiest to remember; there are others I can't remember so
well).

[Jörg Lorenz]

Am 02.09.23 um 02:49 schrieb sitaramc:

> Private DNS is Android's implementation of either DNS over TLS, or DNS
> over HTTPS (probably the former).
>
> Not sure where it goes if you set it to on but don't specify a provider;
> probably some google provider. But if it doesn't work set it to
> dns.quad9.net (easiest to remember; there are others I can't remember so
> well).

Here it is DNS over HTTPS on my Pixel 7. The server I set manually is

dns.digitale-gesellschaft.ch

HTH, Jörg

--
Alea iacta est

[John Attrill III]

On Sat, 2 Sep 2023 06:19:15 +0530, sitaramc wrote:

>> What should a default "Private DNS" setting be on a typical Android phone?
>> And what is this "Private DNS" all about anyways?
>
> Private DNS is Android's implementation of either DNS over TLS, or DNS
> over HTTPS (probably the former).
>
> Not sure where it goes if you set it to on but don't specify a provider;
> probably some google provider. But if it doesn't work set it to
> dns.quad9.net (easiest to remember; there are others I can't remember so
> well).

I'm happy this topic came up as it's useful to improve Android DNS privacy.

I had never heard of Android Private DNS until this thread so I searched.
https://duckduckgo.com/?hps=1&q=android+private+dns

That search found this basic summary of how Android Private DNS works.
https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

HowToGeek summarized the problem set in essentially three sentences.
1. Android DNS domain-to-IP lookups were usually not encrypted
2. Android 9+ added DNS over TLS encryption for domain-to-IP lookups
3. Android Private DNS encrypts those lookups (but VPN loops around it)

That search found this test to check if Android private DNS is working.
https://tenta.com/test/

HowToGeek recommends choosing either a Google or Cloudflare Private DNS.
https://developers.google.com/speed/public-dns/docs/using#android
8.8.8.8 or 8.8.4.4
https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
1.1.1.1 or 1.0.0.1

But that search above also found this list of Private DNS resolvers.
https://dnsprivacy.org/public_resolvers/#dns-over-tls-dot
Quad9 'secure' 9.9.9.9 or Quad9 'insecure' 9.9.9.10
Cloudflare 1.1.1.1 or 1.0.0.1
Google 8.8.8.8 or 8.8.4.4
CleanBrowsing https://cleanbrowsing.org/help/docs/dnsovertls/
Security Filter 185.228.168.9:853 or 185.228.169.9:853
Family Filter 185.228.168.168:853 or 185.228.169.168:853
Adult Filter 85.228.168.10:853 or 185.228.169.11:853
Adguard https://adguard.com/en/blog/adguard-dns-announcement/
Default Filter 94.140.14.14 or 94.140.15.15
Family Filter 94.140.14.15 or 94.140.15.16
No Filter 94.140.14.140 or 94.140.14.141
Control D https://controld.com/free-dns
No Filter 76.76.2.0 or 76.76.10.0
Malware Filter 76.76.2.1 or 76.76.10.1
Ad/Tracking Filter 76.76.2.2 or 76.76.10.2
Malware/Ad/Social Filter 76.76.2.3 or 76.76.10.3
Adult/Drug Filter 76.76.2.4 or 76.76.10.4
Uncensored Domains Filter 76.76.2.5 or 76.76.10.5
[aljazeera.com]
[bbc.co.uk]
[bbc.com]
[bloomberg.com]
[cbc.ca]
[dailymail.co.uk]
[duckduckgo.com]
[dumskaya.net]
[dw.com]
[huffpost.com]
[kyky.org]
[mask-h2.icloud.com]
[mask.icloud.com]
[medium.com]
[meduza.io]
[nytimes.com]
[obozrevatel.com]
[pravda.com.ua]
[protonmail.com]
[radiosvoboda.org]
[reuters.com]
[sci-hub.se]
[spiegel.de]
[svoboda.org]
[theguardian.com]
[time.com]
[tutanota.com]
[ukr.net]
[use-application-dns.net]
[verify.controld.com]
[washingtonpost.com]
[wikimedia.org]
[wikipedia.org]
[ycombinator.com]

Note that HowToGeek recommended against choosing your ISP's DNS server.
https://www.howtogeek.com/664608/why-you-shouldnt-be-using-your-isps-default-dns-server/

[Frankie]

On 1/9/2023, Neil wrote:

> What should a default "Private DNS" setting be on a typical Android phone?

If you set it to Automatic, Android will automatically switch to Google's
Private DNS (if it's available).

Otherwise set your Android Private DNS to one of these private DNS domains.

Cloudflare Private DNS: 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one
Google Private DNS: dns.google
Quad9 Private DNS: dns.quad9.net
Cleanbrowsing Private DNS: security-filter-dns.cleanbrowsing.org
Open DNS Private DNS: 208.67.222.222 or dns.opendns.com
NextDNS Private DNS: 45.90.28.0 or dns.nextdns.io
Comodo Secure Private DNS: 8.26.56.26 (I can't find the private DNS domain)
OpenNIC Private DNS: 192.95.54.3 (I can't find the private DNS domain name)

https://www.zdnet.com/article/how-to-turn-on-private-dns-mode-on-android-and-why-you-should/

Keep in mind that Android 12 also added an Adaptive Connectivity feature.
https://nerdschalk.com/how-to-use-private-dns-and-adaptive-connectivity-on-android-12/

[Jörg Lorenz]

Am 02.09.23 um 15:49 schrieb John Attrill III:

> HowToGeek recommends choosing either a Google or Cloudflare Private DNS.
> https://developers.google.com/speed/public-dns/docs/using#android
> 8.8.8.8 or 8.8.4.4
> https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/ 1.1.1.1 or 1.0.0.1

Then you really do not need Private DNS. *LOL*

--
Alea iacta est

[Jörg Lorenz]

Am 02.09.23 um 15:49 schrieb John Attrill III:

Only independent European DNS-resovers are trustworthy.
This one is the most powerful and the most trustworthiest of them all:

https://unicast.uncensoreddns.org/dns-query

It is located in Denmark.

*Never ever trust anglosaxon servers* in the case privacy is a reaons to
use Private DNS!

BTW: I use this server also for Thunderbird and more importantly for
Firefox.

--
Alea iacta est

[Jörg Lorenz]

Am 02.09.23 um 16:10 schrieb Frankie:

> Cloudflare Private DNS: 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one
> Google Private DNS: dns.google
> Quad9 Private DNS: dns.quad9.net
> Cleanbrowsing Private DNS: security-filter-dns.cleanbrowsing.org
> Open DNS Private DNS: 208.67.222.222 or dns.opendns.com
> NextDNS Private DNS: 45.90.28.0 or dns.nextdns.io
> Comodo Secure Private DNS: 8.26.56.26 (I can't find the private DNS domain)
> OpenNIC Private DNS: 192.95.54.3 (I can't find the private DNS domain name)

Bullshit. They are not trustworty at all.
The worst is the censorship-server OpenDNS which is btw also very slow.

They all have a direct NSA-relay. *SCNR*

--
Alea iacta est