Having badgered website owners to implement HTTPS privacy, it looks as if Google now wants to do something similar for DNS (Domain Name System) queries.
The evidence is a small commit to the AOSP (Android Open Source Project) development site that mentions adding Android support for DNS-over-TLS, an emerging industry standard for encrypting DNS queries, originally submitted for Internet Engineering Task Force (IETF) discussion in 2015 and published as RFC 7858 in 2016.
DNS, of course, is the system through which an easily readable internet domain (such as example.org) is resolved to the underlying IP address that computers care about (93.184.216.34 in this case). It happens every time you email somebody or type a URL into a web browser, and it usually happens so swiftly nobody notices it.
Unfortunately, DNS queries are sent out onto the internet in the clear, which means that anyone on the network path can read and alter them (a Man-in-the-Middle, or MitM, attack), and that every website visit you make can be logged by your ISP or VPN provider and, through them, by advertisers and governments.
In the UK, ISPs are legally required to keep 12 months of records of which websites customers have visited under the Investigatory Powers Act (IPA), which came into force in November 2016 so this lack of privacy is more than theoretical.
Over the years, there has been no shortage of ideas about how DNS requests could be secured, including DNSCurve, Confidential DNS, DNS-over-DTLS (DNSoD), DNSCrypt and, more recently, DNS-over-TLS (none of which should be confused with DNSSEC, a separate DNS security initiative aimed at making sure you get a DNS response you can trust, not at hiding it).
The obvious problem with these is that there are too many of them, which is why the IETF decided to back DNS-over-TLS in order to get things moving.
The attraction of DNS-over-TLS is that it works very much like HTTPS, the secure web browsing protocol: it carries ordinary DNS messages inside a Transport Layer Security (TLS) session over TCP, the same protocol HTTPS uses, albeit on port 853 rather than 443. Like HTTPS, all that is needed to make it work is that both you and the DNS server you’re talking to support it.
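To make the "same messages, different transport" point concrete, here is an added example (not code from the article, from Google or from AOSP) that builds a standard DNS query, applies the two-byte length framing RFC 7858 borrows from DNS-over-TCP, and parses the A records out of a reply. The sample reply is constructed inline and points at a documentation address, and the resolver name passed to `resolve_over_tls` is the caller's choice; nothing below is a real server's response.

```python
import socket
import ssl
import struct
from typing import List, Tuple

DOT_PORT = 853  # RFC 7858 port; plain DNS uses 53


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Build a DNS query (QTYPE 1 = A, class IN) with the RD flag set.
    This is byte-for-byte the same message a plain UDP client would send;
    DNS-over-TLS changes only the transport around it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """RFC 7858 keeps the TCP framing of RFC 1035: a 2-byte big-endian
    length prefix in front of every message inside the TLS stream."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Return every A record in the answer section as a dotted quad."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server: str, port: int = DOT_PORT,
                     txid: int = 0x1234) -> List[str]:
    """Send one A query over TLS to server:853 and return the answers.
    `server` is any DNS-over-TLS resolver you trust (an assumption, not a
    recommendation); its certificate is checked against the system CA store.
    Needs network access, so the offline sample below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length), txid)


# Constructed sample reply (not captured from any real server): it answers
# the example.org query with 192.0.2.1, an RFC 5737 documentation address.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    + encode_name("example.org") + struct.pack("!HH", 1, 1)   # question section
    + b"\xc0\x0c"                                             # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)
```

Everything an ISP used to see (the question name, the answer) now sits inside the TLS record; the only plaintext left on the wire is the TCP/TLS connection to port 853 of whichever resolver you chose, which is exactly why the resolver operator still sees it all.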
Of course, it’s possible to defeat ISP surveillance by using a VPN (Virtual Private Network) to create an encrypted network “tunnel” that your ISP can’t peer into. These do offer a secure connection but with limitations. First, the VPN provider can still see the DNS queries (and may pass them on, if asked to) so you’re simply moving your trust from the ISP to the VPN provider and, second, DNS data can still “leak” for a variety of technical reasons.
Even if your DNS lookups are protected by DNS-over-TLS, the domains you’re connecting to can still leak thanks to Server Name Indication (SNI), a TLS extension the client uses to tell a server hosting multiple HTTPS websites which one it wants. The domain name travels in the ClientHello, the first message of the TLS ‘handshake’ that allows an HTTPS connection to be established, which is sent before any encryption is in place. Unless a VPN is being used, ISPs can see it.
The good news is that the IETF is working on a way of encrypting this too but the issue underlines how closing a door can open a smaller one that eventually needs closing too.
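The leak described above is easy to see for yourself. The following added example (not from the article, and not Google's or the IETF's code) uses Python's own TLS client to produce a genuine ClientHello in memory, with no network involved, and then parses the record the way a passive observer on the path would to pull the hostname out. The hostnames are arbitrary; a second context without a server name shows the parser returning nothing when the extension is absent.

```python
import ssl
import struct


def build_client_hello(hostname):
    """Return the bytes a Python TLS client sends first, without any I/O.
    hostname=None asks for no SNI, which requires disabling hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # nothing from the "server" yet; the ClientHello is in `outgoing`
    return outgoing.read()


def sni_from_client_hello(data: bytes):
    """Parse a TLS record carrying a ClientHello and return the SNI host name,
    or None when the server_name extension is absent. Anything that is not a
    ClientHello record raises ValueError."""
    if len(data) < 9 or data[0] != 0x16:                # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                # handshake type: ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    off = 2 + 32                                        # client_version + random
    off += 1 + hello[off]                               # session_id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]   # cipher_suites
    off += 1 + hello[off]                               # compression_methods
    if off + 2 > len(hello):
        return None                                     # no extensions at all
    ext_len = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[off:off + 4])
        off += 4
        if ext_type == 0x0000:                          # server_name (RFC 6066)
            list_end = off + 2 + struct.unpack("!H", hello[off:off + 2])[0]
            pos = off + 2
            while pos + 3 <= list_end:
                name_type = hello[pos]
                name_len = struct.unpack("!H", hello[pos + 1:pos + 3])[0]
                if name_type == 0:                      # host_name
                    return hello[pos + 3:pos + 3 + name_len].decode("ascii")
                pos += 3 + name_len
            return None
        off += length
    return None
```

Calling `sni_from_client_hello(build_client_hello("example.org"))` returns the hostname, and a plain substring search of the same bytes for `b"example.org"` also succeeds, which is the whole problem: no key has been agreed yet when this message is sent, so the name cannot be anything but plaintext.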
Right now, the only servers that support DNS-over-TLS are test systems – even Google’s DNS service doesn’t support it yet. Until support improves, full implementation in smartphones could be some way off.
But the mere fact it is in Android at all is a powerful signal to the industry that DNS privacy now has a powerful backer. The company’s stated ambition is an entirely-encrypted web and DNS has become a glaring hole in that coverage.
Tunnelling your DNS requests through DNS-over-TLS will hide your lookups from both your ISP and your VPN provider, but not your DNS provider.
One of the most popular third-party DNS providers is Google, via its public IPv4 servers at 8.8.8.8 and 8.8.4.4. If you connect to them using DNS-over-TLS you are sharing the information you’re keeping from your ISP with Google instead.
It took years for HTTPS to reach its current level of popularity, partly because companies moaned about the overhead it imposed (a myth that quickly exploded when companies knuckled down to doing it). For a while it looked as if DNS-over-TLS could turn into a similar slog but Google’s backing in Android has surely changed the calculation.
5 comments on “Android takes aim at ISP surveillance with DNS privacy”
More changes are absolutely needed on Android for privacy around DNS queries.
Fact is that on Android, connecting over Wi-Fi can be configured to use a specific DNS (client side) to override the server default config.
But while on mobile data, there are no options to change DNS and you have to stick with ISP/mobile carrier pushed configs.
And that config can’t be changed without root or a VPN.
Not to mention that many mobile carriers’ DNS aren’t RFC compliant and querying for a non-existent domain will send back an IP anyway, an IP to a server that tracks and sends out ads (usually).
Don’t know either if such behaviour is legal in Europe, but companies are doing it anyway.
It would seem to me that your ISP or VPN provider would still have some idea what you’re accessing based on the IP address your packets are going to. If your innocent but private site just happens to sit on the same server as the evil pirate spy terrorist site the government is keeping an eye on, well, without the DNS info, they’ll just assume you could be going to the bad one.
A single IP address can host thousands of websites.
THANK YOU, yes. Virtual hosts (Apache, not hypervisor) allow for different content based on FQDN alone. There’s a reason billions of humans can access trillions of sites on just under 4.3 Trillion IPs. IP address does NOT equal intent, content, nor guilt. It’s just an endpoint. Enough with the deep-state police state nonsense.
SNI hostnames are submitted in clear text in the SSL handshake.