Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit

Authored by xda-developers.com and submitted by MichaelRahmani


A DNS (Domain Name Server) is what translates the website address you enter into the IP address your computer actually connects to. For example, when you type “www.xda-developers.com” into your browser, your computer queries a DNS, which looks up the name and returns the IP address “209.58.128.90” to the client. This process is hidden from the user, but every website you visit (so long as it has a human-readable URL) goes through it. The problem for the security conscious is that these requests are sent in plain text over UDP or TCP, readable by anyone who can see your connection, including your ISP. This is where DNS over TLS comes in.

DNS over TLS is a protocol in which DNS queries are encrypted to the same level as HTTPS, using TLS (Transport Layer Security), so that a DNS can’t actually log or see the websites you visit. It does require the DNS you are using to support DNS over TLS, but it’s a start. Users can switch to Google’s DNS if they wish to benefit from DNS over TLS.
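To make the two paragraphs above concrete, here is an added example (not code from the article or from AOSP) that builds a DNS query in wire format, shows what a passive observer can read from the plaintext UDP payload, and shows the only on-the-wire difference DNS over TLS introduces: the message travels inside a TLS session to TCP port 853 with a 2-byte length prefix (RFC 7858). The query id, the hand-built response and the use of 8.8.8.8 / dns.google as the resolver are assumptions made for the example.

```python
import socket
import ssl
import struct

QUERY_ID = 0x1234  # constructed example id
DOT_PORT = 853     # RFC 7858: DNS over TLS uses TCP port 853


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Standard A-record query in DNS wire format (RFC 1035): header + question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name at offset; return (name, offset_after)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def queried_name(payload: bytes) -> str:
    """What an on-path observer reads from a plaintext DNS packet: the question name."""
    return decode_name(payload, 12)[0]


def parse_a_answers(msg: bytes):
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _qid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addresses = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def dot_frame(query: bytes) -> bytes:
    """DNS over TLS (like DNS over TCP) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(query)) + query


def resolve_over_tls(name: str, resolver: str = "8.8.8.8", server_name: str = "dns.google"):
    """Send the query inside a verified TLS session to port 853 and return the A records.
    Needs network access; the offline test below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(dot_frame(build_query(name)))
            length = struct.unpack("!H", tls.recv(2))[0]
            response = b""
            while len(response) < length:
                chunk = tls.recv(length - len(response))
                if not chunk:
                    break
                response += chunk
    return parse_a_answers(response)


def constructed_response(name: str, ip: str, qid: int = QUERY_ID) -> bytes:
    """Hand-built response for offline use (constructed, not a real capture)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # answer name is a compression pointer (0xC00C) to the question name at offset 12
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer
```

The bytes that `build_query` produces are identical whether they go out over UDP port 53 or inside the TLS session; `queried_name` is the whole reason the plaintext variant is a privacy problem, since anyone on the path can run it, while with DNS over TLS only the resolver at the other end of the session can.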

It appears that “DNS over TLS” support is being added to Android, according to several commits added to the Android Open Source Project (AOSP). The addition in the Android repository shows that a new setting will be added under Developer Options allowing users to turn on or off DNS over TLS. Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1.

About half of all website traffic is now encrypted, and adding DNS over TLS will further improve user privacy. Keep in mind that most DNS servers do not support this encryption, and changing the mobile DNS on your phone currently requires either root access or the use of a VPN app.

Addendum: Do note that DNS over TLS will not lead to full privacy with the flip of a toggle. If you decide to connect to a different DNS service provider that has enabled DNS over TLS, that provider gets your DNS traffic instead of your ISP. DNS requests will be encrypted, but the DNS over TLS server still gets to see your DNS traffic, though that alone might be a step above using your ISP’s servers without DNS over TLS. At least this way, your ISP won’t be able to attach your queries to the IP you’ve been assigned, and thus your name.

The TLS handshake that establishes a connection to each website carries the hostname in the Server Name Indication (SNI) extension, which your ISP can still see (and log under your name). In order to fully hide yourself, then, you will need a VPN to route the DNS queries, which can otherwise be seen by your ISP, to a DNS over TLS server. As long as you trust your VPN provider, you should now be more hidden than ever on Android. So while this feature doesn’t straightforwardly make you fully anonymous by virtue of a DNS over TLS toggle, it does let you hide DNS requests from ISPs, and hide requests and traffic if you are willing to put in some extra work.
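The SNI leak described in the addendum is easy to see for yourself. The following is an added example, not code from the article or from any client; it builds a minimal TLS 1.2 ClientHello record with an SNI extension (the random, cipher suite and session id are placeholders constructed for the example) and then parses it the way a passive observer would, before any encryption exists, to recover the hostname. The same parser returns `None` for a ClientHello that omits SNI, which shows what the extension is actually exposing.

```python
import os
import struct

HANDSHAKE_RECORD = 0x16  # TLS record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type
SNI_EXTENSION = 0x0000   # server_name extension id (RFC 6066)


def build_client_hello(server_name=None) -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed for this example, not a capture)."""
    body = b"\x03\x03" + os.urandom(32)            # client_version + random
    body += b"\x00"                                 # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite (placeholder)
    body += b"\x01\x00"                             # compression: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.
    Everything parsed here is sent in the clear, so an ISP on the path reads it too."""
    if len(record) < 5:
        return None
    rtype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if rtype != HANDSHAKE_RECORD or len(record) < 5 + rlen:
        return None
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                      # skip client_version and random
    off += 1 + body[off]              # skip session id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]  # skip cipher suites
    off += 1 + body[off]              # skip compression methods
    if off + 2 > len(body):
        return None                   # no extensions block at all
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + elen]
        off += elen
        if etype == SNI_EXTENSION:
            pos = 2                   # skip ServerNameList length
            while pos + 3 <= len(data):
                ntype = data[pos]
                nlen = struct.unpack("!H", data[pos + 1:pos + 3])[0]
                pos += 3
                if ntype == 0:
                    return data[pos:pos + nlen].decode("ascii")
                pos += nlen
    return None
```

Note that the connection to the DNS over TLS resolver itself also starts with a ClientHello, so the ISP can see that you are talking to, say, a resolver hostname even though it can no longer see which names you ask it about; that is why the article recommends a VPN for anyone who wants to hide the whole picture.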

Breve_Pup on October 22nd, 2017 at 20:00 UTC »

Except this pushes people to use Google's DNS over TLS servers so instead of your ISP tracking you now Google can instead. And as mentioned, your ISP can still see the IP address of servers you communicate with which are a reverse DNS lookup away from still being trackable. So you basically are still trackable by your ISP but now you're also giving your information to Google too.

TheyreNotRobotsRick on October 22nd, 2017 at 19:48 UTC »

I'm more interested in it being able to prevent the ISPs from hijacking DNS queries and returning bogus or redirected results.

Edit: No, switching to 3rd party DNS doesn't necessarily prevent this. You should anyway, though.

swissguy79 on October 22nd, 2017 at 19:32 UTC »

ELI5, won't ISPs still see which IP address you're sending messages to?