2019-07-11-android-private-dns-in-practice: small fixes

Aminda Suomalainen 2019-07-11 15:05:21 +03:00
parent ba5d2a56ac
commit edb781d189
No known key found for this signature in database
GPG Key ID: 0C207F07B2F32B67
1 changed files with 22 additions and 13 deletions


@ -14,11 +14,12 @@ tags: [english, Android, DNS-over-TLS, DNS, security, privacy]
Notes/disclaimers: Notes/disclaimers:
* Phone: Nokia 1 (TA-1047) running Android 9 (Go Edition) * Phone: Nokia 1 (TA-1047) running Android 9 (Go Edition)
* I think I got the update on 9th of July * I think I got the update on 9th of July
* Language: Finnish (and as I am typing in English * Language: Finnish (and as I am typing in English I may accidentally
invent my own words)
* In all tests mobile data was disabled to not cause confusing results. * In all tests mobile data was disabled to not cause confusing results.
* As Private DNS is technically DNS over TLS I am calling it as DoT. * As Private DNS is technically DNS over TLS, I am calling it as DoT.
* Enabled from Settings, Network & Internet, Advanced settings, Private DNS * In Android 9 it's enabled from Settings, Network & Internet, Advanced settings, Private DNS
* I am using [dns.quad9.net](https://quad9.net/) as hostname. * I am using [dns.quad9.net](https://quad9.net/) as hostname.
* Automatic mode connects to the DNS server port 853 without validating * Automatic mode connects to the DNS server port 853 without validating
certificate, "Hostname of private DNS provider" (which I call as the certificate, "Hostname of private DNS provider" (which I call as the
manual mode) also validates the certificate and disallows downgrading. manual mode) also validates the certificate and disallows downgrading.
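Review bot: the automatic-mode bullet (lines 23-25) should state the security consequence of what it already says: a mode that skips certificate validation and allows downgrade gives no protection against an on-path attacker, who can present any certificate on port 853 or simply block the port and get plaintext DNS; only the hostname ("manual") mode authenticates the resolver and refuses to fall back. Suggest saying so and splitting the comma-spliced sentence: `Automatic mode connects to port 853 without validating the certificate, so it can be downgraded to plaintext. "Hostname of private DNS provider" (which I call manual mode) validates the certificate and refuses to downgrade.` Minor grammar in the same hunk: `I am calling it as DoT` -> `I am calling it DoT`, and `which I call as the manual mode` -> `which I call the manual mode`.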
@ -34,18 +35,18 @@ Notes/disclaimers:
* * * * * * * * * *
Test: automatic mode without DoT capable server from DHCP; the setting Test: *automatic mode without DoT capable server from DHCP*; the setting
says "automatic". says "automatic".
* * * * * * * * * *
Test: DoT with port 853 blocked; Android reports that the WLAN network has Test: *DoT with port 853 blocked*; Android reports that the WLAN network has
no internet connectivity until I disable private DNS and toggle WLAN. I no internet connectivity until I disable private DNS and toggle WLAN. I
tested this in Helsinki metro. tested this in Helsinki metro.
* * * * * * * * * *
Test: automatic mode with DoT capable server from DHCP; Android says that Test: *automatic mode with DoT capable server from DHCP*; Android says that
DoT is "enabled". For this test I configured a WLAN AP to use [Quad9](https://quad9.net/) DoT is "enabled". For this test I configured a WLAN AP to use [Quad9](https://quad9.net/)
DNS servers `149.112.112.112` and `9.9.9.9`. DNS servers `149.112.112.112` and `9.9.9.9`.
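Review bot: the `DoT with port 853 blocked` test (lines 31-33) does not say which Private DNS mode was active, yet the disclaimer above says automatic mode downgrades to plaintext while hostname mode refuses to; the "no internet connectivity" outcome only fits the hostname mode, so the label should say so, e.g. `Test: *manual mode with port 853 blocked*`. For the two automatic-mode tests, "DoT capable" should be hyphenated as "DoT-capable", and since automatic mode does not validate the certificate, the "enabled" status Android shows in the third test only means port 853 answered, not that the Quad9 resolver was authenticated; worth a sentence so readers do not over-read "enabled".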
@ -69,7 +70,7 @@ my index:
* * * * * * * * * *
Bonus test: DoT + DoH via the [Intra app](https://getintra.org/#!/) Bonus test: *DoT + DoH via the [Intra app](https://getintra.org/)*
configured to use server `https://149.112.112.112/dns-query` in Helsinki configured to use server `https://149.112.112.112/dns-query` in Helsinki
metro; Android claims that the network has no connectivity and shows the x metro; Android claims that the network has no connectivity and shows the x
on the WLAN symbol in the statusbar, but everything works regardless. on the WLAN symbol in the statusbar, but everything works regardless.
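Review bot: the label `DoT + DoH via the Intra app` reads as if both transports were carrying queries, but the surrounding text (the hunk context at line 80, "due to DoT being blocked") says DoT was blocked in the metro and Intra's DoH did the resolving, with the Private DNS setting merely left on. Suggest `Bonus test: *DoH via the Intra app with DoT blocked*` or an explicit sentence that Private DNS stayed enabled but could not connect, which also explains the "x" on the WLAN symbol described on lines 42-43.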
@ -79,7 +80,7 @@ would have been unable to resolve that name due to DoT being blocked.
* * * * * * * * * *
Test: DoT + Captive Portal; I get the captive portal prompt asking me to Test: *DoT + Captive Portal*; I get the captive portal prompt asking me to
login to the network as usual, so I guess Android handles captive portal login to the network as usual, so I guess Android handles captive portal
separately from DoT which is a good thing in my opinion as otherwise that separately from DoT which is a good thing in my opinion as otherwise that
feature would likely be too confusing or difficult for many people to use. feature would likely be too confusing or difficult for many people to use.
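Review bot: lines 47-49 are one run-on sentence; suggest `...as usual. So I guess Android handles captive portals separately from DoT, which is good: otherwise the feature would be too confusing or difficult for many people to use.` The test also does not say which Private DNS mode was on; given the port-853-blocked test above, that is worth stating, because a portal that blocks everything until login is exactly the situation where automatic mode (downgrade) and hostname mode (refuse) behave differently.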
@ -114,10 +115,13 @@ The options [judging by DNSPrivacy.org](https://dnsprivacy.org/wiki/display/DP/D
to Cisco/OpenDNS without realizing that the DoT requirement dropped them out to Cisco/OpenDNS without realizing that the DoT requirement dropped them out
already) that I haven't yet encountered already) that I haven't yet encountered
* [FAQ](https://quad9.net/faq/) * [FAQ](https://quad9.net/faq/)
* supports DNS over HTTPS (for Firefox which at the time of typing requires * supports DNS over HTTPS (I need it for Firefox which at the time of typing requires
DoH for ESNI support) DoH for ESNI support)
* has a node in Finland * has a node in Finland (see TREX under regional providers)
* I have heard that they plan a network map (Adguard on the bottom has it) * I have heard that they plan a network map (Adguard on the bottom has it)
and I hope to see it soon, because I would have no idea they have a node
in Finland without knowing about TREX and having performed DNS leak test
(see TREX under regional providers for more details on both).
* Cloudflare * Cloudflare
* for-profit company * for-profit company
* too big for my taste and possibly getting even bigger if Firefox starts * too big for my taste and possibly getting even bigger if Firefox starts
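Review bot: the cross-reference `see TREX under regional providers` now appears twice in adjacent Quad9 bullets (line 56 and line 60); keep one, probably the fuller one on line 60, and drop the parenthetical on line 56. Minor wording: `having performed DNS leak test` -> `having performed a DNS leak test`, and `Adguard on the bottom has it` -> `AdGuard, further down the list, has one`. The ESNI remark on lines 54-55 is already hedged with `at the time of typing`; adding the date or a link to the Firefox ESNI/DoH requirement would keep it verifiable later.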
@ -159,10 +163,15 @@ Then there are regional providers like:
my circles my circles
* [CZ.NIC Otevřené DNSSEC Validující Resolvery](https://www.nic.cz/odvr/) for Czech users * [CZ.NIC Otevřené DNSSEC Validující Resolvery](https://www.nic.cz/odvr/) for Czech users
* has DNSSEC, DoT & DoH * has DNSSEC, DoT & DoH
* probably wouldn't make much sense to use from Finland * probably wouldn't make much sense to use from Finland (or anywhere
else far from Czech Republic, I imagine all the neighbouring countries would also have their
own equivalent regardless of CZ.NIC being so big name (you have heard of e.g. [Turris Omnia](https://en.wikipedia.org/wiki/Turris_Omnia)?))
* (thus I promote centralization, but) a regional not-anycasted DNS server * (thus I promote centralization, but) a regional not-anycasted DNS server
may be impractical while traveling as your DNS would always go through may be impractical while traveling as your DNS would always go through
home and possibly be slower than it could be home and possibly be slower than it could be. As a counter argument it
wouldn't hurt that much or be difficult to change, but would you
remember to do it while traveling (I guess I would) and would your
family members remember that?
And the golden option of hosting your own DNS. (It's actually easy with And the golden option of hosting your own DNS. (It's actually easy with
Unbound, I haven't tried DoH/DoT hosting though!) Unbound, I haven't tried DoH/DoT hosting though!)
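Review bot: lines 68-70 nest a parenthetical inside a parenthetical and splice two sentences with a comma; suggest pulling it apart: `probably wouldn't make much sense to use from Finland or anywhere else far from the Czech Republic. I imagine the neighbouring countries have their own equivalents, even though CZ.NIC is a big name (you have heard of e.g. [Turris Omnia](https://en.wikipedia.org/wiki/Turris_Omnia)?).` In lines 71-76: `not-anycasted` -> `non-anycast`, `counter argument` -> `counterargument`, and `go through home` would be clearer as `go through your home country`, since the point is the round trip to a regional resolver while travelling.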