Does Windows have a native private DNS setting like Android does?
Does Windows have a native private DNS setting like Android does?
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are still using plain DNS requests that anyone can intercept. Windows can support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit
In order, I have the following DNS servers defined for IPv4:
- 1.1.1.1 (Cloudflare)
- 208.67.222.222 (OpenDNS)
- 8.8.8.8 (Google)
- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
On 3/3/2024 6:08 AM, VanguardLH wrote:
In order, I have the following DNS servers defined for IPv4:
- 1.1.1.1 (Cloudflare)
- 208.67.222.222 (OpenDNS)
- 8.8.8.8 (Google)
- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
Can someone explain why the Private DNS is set to a fqdn in Android
but it's apparently set as an IP address on Windows in the registry?
On Sun, 3 Mar 2024 13:59:24 -0500, Larry Wolff wrote:
On 3/3/2024 6:08 AM, VanguardLH wrote:
In order, I have the following DNS servers defined for IPv4:
- 1.1.1.1 (Cloudflare)
- 208.67.222.222 (OpenDNS)
- 8.8.8.8 (Google)
- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
Can someone explain why the Private DNS is set to a fqdn in Android
but it's apparently set as an IP address on Windows in the registry?
I had never heard of Private DNS until recently so all below can be wrong.
Here's what I think I know (which isn't much, I admit).
1. You set the Android Private DNS to p2.freedns.controld.com
2. Somehow Android inherently knows what IP address that is
tracert p2.freedns.controld.com
Tracing route to p2.freedns.controld.com [76.76.2.11]
3. Somehow Android inherently knows the port & protocol (DNS over TLS)
telnet p2.freedns.controld.com 53
4. Somehow Android sets up an encrypted DoT connection over that port
5. And then when an Android app asks to connect to a fqdn,
that DoT encrypted connection returns the IP address to that app
(unless that PrivateDNS fqdn decides to filter out the IP as an ad)
Here's what I'm going to guess happens when an app inside
of Android makes a query to an advertisement web site.
1. The app makes the call to the advertisement site fqdn.
2. The DNS query on port 53 goes through the Private DNS fqdn.
3. That goes to p2.freedns.controld.com 76.76.2.11:53
4. Which, since it's an advertisement, returns null (I guess).
Is that guess as to how it works even close to how it works?
Andy Burns wrote:
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are >>> still using plain DNS requests that anyone can intercept. Windows can
support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
Andy Burns wrote:
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are >>> still using plain DNS requests that anyone can intercept. Windows can
support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
"Jonathan N. Little" <lws4art@gmail.com> wrote:
Andy Burns wrote:
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings >>>> mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are >>>> still using plain DNS requests that anyone can intercept. Windows can >>>> support DoH, but it is not enabled by default. You have to enable DoH >>>> using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the
Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
That is for defining which DNS servers to use, not to enable/disable DoH
(DNS over HTTPS) when connecting to those servers (so you also have to
pick DNS servers that support DoH).
In Win10, and rather than edit the registry, and because DoH only
matters to me when using a web browser on my desktop PC, I only bother
with using DoH in Firefox which supports it whether the OS does or not.
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are
still using plain DNS requests that anyone can intercept. Windows can
support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
<http://andyburns.uk/misc/Win11-DNSoverHTTPS1.png> <http://andyburns.uk/misc/Win11-DNSoverHTTPS2.png>
VanguardLH <V@nguard.LH> wrote:
"Jonathan N. Little" <lws4art@gmail.com> wrote:
Andy Burns wrote:
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings >>>>> mentioned above, and your choice might even include DNS servers that >>>>> filter out phish and malware sites, and block spam sources, but they are >>>>> still using plain DNS requests that anyone can intercept. Windows can >>>>> support DoH, but it is not enabled by default. You have to enable DoH >>>>> using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the >>> Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
That is for defining which DNS servers to use, not to enable/disable DoH
(DNS over HTTPS) when connecting to those servers (so you also have to
pick DNS servers that support DoH).
In Win10, and rather than edit the registry, and because DoH only
matters to me when using a web browser on my desktop PC, I only bother
with using DoH in Firefox which supports it whether the OS does or not.
In addition, per:
https://blog.netwrix.com/2022/10/11/dns-over-https/
The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
not show the DoH enable option. The article mentions the registry edit
which is what gets altered by the other method. The other method
mentioned is to use Settings -> Network & Internet -> Status -> click Properties on a NIC, and supposedly there is a "Preferred DNS
encryption" option where you can pick "Encrypted only (DNS over HTTPS)".
Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the author neglected to mention he is using the Pro edition instead of the
the Home edition of Windows 10, or conflated Win11 settings with Win10 settings. For my Windows 10 Home, it's a registry edit to enable DoH.
The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
not show the DoH enable option. The article mentions the registry edit
which is what gets altered by the other method. The other method
mentioned is to use Settings -> Network & Internet -> Status -> click Properties on a NIC, and supposedly there is a "Preferred DNS
encryption" option where you can pick "Encrypted only (DNS over HTTPS)".
Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the author neglected to mention he is using the Pro edition instead of the
the Home edition of Windows 10, or conflated Win11 settings with Win10 settings. For my Windows 10 Home, it's a registry edit to enable DoH.
In addition, per:
https://blog.netwrix.com/2022/10/11/dns-over-https/
Andy Burns wrote:
<http://andyburns.uk/misc/Win11-DNSoverHTTPS1.png>
<http://andyburns.uk/misc/Win11-DNSoverHTTPS2.png>
Is the GUI setting for DoH exposed in Win11 Home, or only in Win11 Pro?
Andy Burns wrote:
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
Patrick wrote:
[snip]
So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
As you suggested, the IP address may change, so the FQDN allows for
this, at the cost of the time delay for an additional DNS lookup.
On Sun, 3 Mar 2024 22:02:03 -0600, VanguardLH wrote:
VanguardLH <V@nguard.LH> wrote:
"Jonathan N. Little" <lws4art@gmail.com> wrote:
Andy Burns wrote:
VanguardLH wrote:
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings >>>>>> mentioned above, and your choice might even include DNS servers that >>>>>> filter out phish and malware sites, and block spam sources, but they are >>>>>> still using plain DNS requests that anyone can intercept. Windows can >>>>>> support DoH, but it is not enabled by default. You have to enable DoH >>>>>> using a policy, or a registry edit
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the >>>> Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
That is for defining which DNS servers to use, not to enable/disable DoH >>> (DNS over HTTPS) when connecting to those servers (so you also have to
pick DNS servers that support DoH).
In Win10, and rather than edit the registry, and because DoH only
matters to me when using a web browser on my desktop PC, I only bother
with using DoH in Firefox which supports it whether the OS does or not.
In addition, per:
https://blog.netwrix.com/2022/10/11/dns-over-https/
The traditional Control Panel applet (ncpa.cpl) you and I mentioned does
not show the DoH enable option. The article mentions the registry edit
which is what gets altered by the other method. The other method
mentioned is to use Settings -> Network & Internet -> Status -> click
Properties on a NIC, and supposedly there is a "Preferred DNS
encryption" option where you can pick "Encrypted only (DNS over HTTPS)".
Not there in my Windows 10 Home x64 22H2 build 19045.4123. Perhaps the
author neglected to mention he is using the Pro edition instead of the
the Home edition of Windows 10, or conflated Win11 settings with Win10
settings. For my Windows 10 Home, it's a registry edit to enable DoH.
That's what I was trying to tell them when I had asked
"But how do you tell Windows 10 to use DNS over TLS on port 853?"
Everybody thinks DNS over HTTP (or DNS over TLS) is the same as DNS.
It's not.
Jonathan N. Little wrote:
Andy Burns wrote:
Win10 requires a registry setting, Win11 doesn't
No it doesn't, it is just Windows 10 still uses legacy interface via the
Control Panel:
Control Panel > Network and Internet > Network Connections
Right-click on connection > select Properties
Select Internet Protocol Version 4 and|or Version 6
Right-click > select Properties
Select option Use the following DNS server addresses:
Fill in the IPs of the servers
I don't have a Win10 installation to check, but isn't that simply
setting a *different* DNS server to your LAN's default? Where are you telling it to use *encrypted* DNS?
VanguardLH wrote:
In addition, per:
https://blog.netwrix.com/2022/10/11/dns-over-https/
How To Enable DNS over HTTPS in Windows 10
a. First, it says DoH is using port 443 (not port 53 which DNS uses).
b. Then it says you need Build 19628 or higher (mine is 19045.4046).
But this still doesn't solve the problem even if it does work.
I want to set the Windows the same way as Android.
To make it more confusing, Android uses DNS over TLS, not DNS over
HTTP.
So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
Anyone here know if specifying a DoT server works with Windows DoH?
As you recall, I figured an IP address was needed to find a DNS server. Apparently Google did some magic in the Android OS, and probably
untoward magic, like they still use the default DNS server to submit a
host to it to get back an IP address to then find the DoT server. Could
also be they use a hosts file to do a local lookup from hostname to IP address, and might be why there is a specific list of DoT servers.
Also, it could be a matter of providing auto-private DNS selection.
That means the OS can still use regular DNS should DoT not work.
To make it more confusing, Android uses DNS over TLS, not DNS over HTTP.
So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
As you suggested, the IP address may change, so the FQDN allows for
this, at the cost of the time delay for an additional DNS lookup.
It may allow the DNS over HTTP provider to direct you to a
geographically close server ... anycast is used to do the same thing for access to root DNS servers over UDP
How To Enable DNS over HTTPS in Windows 10
a. First, it says DoH is using port 443 (not port 53 which DNS uses).
Not when HTTPS is used. The port is for the transport, not the traffic within. HTTP uses port 80. HTTPS uses port 443. DNS *without* an encryption transport uses port 53.
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
b. Then it says you need Build 19628 or higher (mine is 19045.4046).
Mine is 19045.4123. That's for Win 10 22H2. Build 19628 was an Insider
fast ring build for 20H2; see:
https://blogs.windows.com/windows-insider/2020/05/13/announcing-windows-10-insider-preview-build-19628/
https://betawiki.net/wiki/Windows_10_build_19628
So, the author is mentioning non-released versions of Win10. Often the Insider builds have features that are not present in the released
versions. The 2nd article (betawiki) also mentions the same registry
key to edit, so even in the author's Insider build there was no exposed config settings, and users had to do a registry edit. That's why I
suspect the author is conflating settings available in Server or Win11 builds.
But this still doesn't solve the problem even if it does work.
I want to set the Windows the same way as Android.
Please be careful when burying humor in staid construction. Some folks
may think you really expect Windows and Android to be that similar.
To make it more confusing, Android uses DNS over TLS, not DNS over
HTTP.
DNS over TLS is easier to setup than DNS over HTTPS, but DNS over HTTPS
is more secure. DoT uses port 853, so anyone interrogating your network traffic will know you are issuing DoT lookups. The payload is
encrypted, not the target IP address, so anyone doing packet inspection
can see you have DoT on port 853, and to which DNS server. They just
cannot see what was the hostname the client sent the DNS server, and
what IP address the DNS server sent back to the client.
With DoH, that's the same port 443 that HTTPS uses for, say, your web browser. Someone seeing traffic on port 443 doesn't know it's being
uses also for DNS traffic. However, again, they can use packet
inspection to see to where you send your HTTPS traffic, so they can see
to which hosts you connnect whether a web server or DNS server. The
source and destination are not encrypted, just the payload.
So it's not that simple to answer the questions asked, which are now:
Anyone here know why Android uses a FQDN while Windows uses an IP?
Anyone here know if specifying a DoT server works with Windows DoH?
As you recall, I figured an IP address was needed to find a DNS server. Apparently Google did some magic in the Android OS, and probably
untoward magic, like they still use the default DNS server to submit a
host to it to get back an IP address to then find the DoT server. Could
also be they use a hosts file to do a local lookup from hostname to IP address, and might be why there is a specific list of DoT servers.
Also, it could be a matter of providing auto-private DNS selection.
That means the OS can still use regular DNS should DoT not work. In
Windows, using group policy (all policies are registry entries), you can elect one of the following for DoH:
Prohibit DoH: No DoH name resolution will be performed.
Allow DoH: Perform DoH queries if the configured DNS servers support
it. If they don't support it, try classic name
resolution.
Require DoH: Allow only DoH name resolution. If there are no DoH
capable DNS servers configured, name resolution will fail.
In the registry edit, you set the value to 2, so maybe that matches on
the 2nd policy setting above (Allow DoH). That provides a fallback to non-encrypted DNS traffic.
Google loves to track, so they might still use regular DNS to resolve a hostname for another DNS server, or Google doesn't really get that a DNS server, encrypted or not, should be found using only an IP address.
Then I rebooted. And then I looked for the special GUI to show up.
It never showed up.
I'm on a normal Windows 10 release. Unfortunately, even after making the registry change and rebooting, nothing changed (AFAICT) in the Windows GUI.
I guess that means I need to put the IP address of the encrypted DNS server into the forms in they same place we used to put the non-encrypted servers.
This brings back the issue that I want to use the same encrypted DNS
servers on Windows that I use on Android but the input format is different.
Of course I can run a ping/tracert to find out the current IP address
of the DoT/DoH FQDN, but is that really the way that it's supposed to
be done for Windows?
I ran a tracert so I know what the IP address is of the FQDN.adblock.doh.mullvad.net. 1270 IN CNAME adblock.dns.mullvad.net. adblock.dns.mullvad.net. 1270 IN A 194.242.2.3
But that IP address can change over time and I'm just guessing.
Some Android examples that I'd like to replicate on Windows are
easy to figure out since you can guess at what their IP address is.
one.one.one.one
1dot1dot1dot1.cloudflare-dns.com
dns.google
But many (most actually) of the ad blocking DNS servers aren't
in the articles for Windows so you have to guess at the IP address.
adblock.doh.mullvad.net
dns.adguard.con(typo fixed)
p2.freedns.controld.comp2.freedns.controld.com. 300 IN A 76.76.2.11
dns.Cleanbrowsing.comAddress: 143.244.220.150 <--nslookup example
dns.quad9.netdns.quad9.net. 807 IN A 9.9.9.9
doh.mullvad.netdoh.mullvad.net. 3600 IN CNAME dns.mullvad.net. dns.mullvad.net. 3600 IN A 194.242.2.2
adblock.doh.mullvad.netadblock.doh.mullvad.net. 1270 IN CNAME adblock.dns.mullvad.net. adblock.dns.mullvad.net. 1270 IN A 194.242.2.3
dns.adguard.comdns.adguard.com. 3600 IN A 94.140.15.15
dns.adguard.com. 3600 IN A 94.140.14.14
p2.freedns.controld.comp2.freedns.controld.com. 300 IN A 76.76.2.11
dns.Cleanbrowsing.comAddress: 143.244.220.150 <--nslookup example
dns.quad9.netdns.quad9.net. 807 IN A 9.9.9.9
dns.quad9.net. 807 IN A 149.112.112.112
doh.mullvad.netdoh.mullvad.net. 3600 IN CNAME dns.mullvad.net. dns.mullvad.net. 3600 IN A 194.242.2.2
You never have to guess when you can just do a quick lookup. I use dig on Windows/Linux, but nslookup also works in a pinch. The dig utility shows cnames
and multiple A records, while nslookup has a cleaner/simpler output.
If your network toolbox gets rusted shut and you find that you only have access
to ping or traceroute, I guess they can also do the job, sort of.
Then I rebooted. And then I looked for the special GUI to show up.
It never showed up.
I don't remember anything saying after there registry edit and reboot
that you would get a new config wizard, or the old ones got modified.
You do the reg hack, reboot, and then config the DNS settings to point
at DoH-capable DNS servers; else, you'll still be using unencrypted DNS.
I'm on a normal Windows 10 release. Unfortunately, even after making the
registry change and rebooting, nothing changed (AFAICT) in the Windows GUI.
Many, if not most, reg hacks have no effect on config or wizard screens. Nothing changes except underlying behavior.
I guess that means I need to put the IP address of the encrypted DNS server >> into the forms in they same place we used to put the non-encrypted servers.
Yep.
This brings back the issue that I want to use the same encrypted DNS
servers on Windows that I use on Android but the input format is different.
Yep. Different operating systems, different management for each. That Google requires a hostname (maybe since an article I cited showed an
Android setup that entered IP addresses, so it could rely on which brand
and model of smartphone you have) makes me suspicious that Google's DNS
is still involved, like to get the IP addresses for the hostnames
specified for private DNS. The only way to be sure is to monitor
network traffic from your phone to a wi-fi capable router that has some enterprise-level logging of network traffic for you to analyze to where
the phone is connecting.
Of course I can run a ping/tracert to find out the current IP address
of the DoT/DoH FQDN, but is that really the way that it's supposed to
be done for Windows?
That's one way, but you'd still have to know to which DNS servers you
want to connect. I usually search online for free/public DNS servers,
find the features of each, and then go to the DNS providers to get
*their* details on where to connect.
Yep. Different operating systems, different management for each. That Google requires a hostname (maybe since an article I cited showed an
Android setup that entered IP addresses, so it could rely on which brand
and model of smartphone you have) makes me suspicious that Google's DNS
is still involved, like to get the IP addresses for the hostnames
specified for private DNS. The only way to be sure is to monitor
network traffic from your phone to a wi-fi capable router that has some enterprise-level logging of network traffic for you to analyze to where
the phone is connecting.
The strange and confusing thing is all the web sites show us a menu for the encrypted DNS that simply does not exist in my Windows no matter how I try. https://winaero.com/how-to-enable-dns-over-https-in-windows-10/
VanguardLH <V@nguard.lh> wrote:
[...]
Yep. Different operating systems, different management for each. That
Google requires a hostname (maybe since an article I cited showed an
Android setup that entered IP addresses, so it could rely on which brand
and model of smartphone you have) makes me suspicious that Google's DNS
is still involved, like to get the IP addresses for the hostnames
specified for private DNS. The only way to be sure is to monitor
network traffic from your phone to a wi-fi capable router that has some
enterprise-level logging of network traffic for you to analyze to where
the phone is connecting.
As I wrote earlier [1] and gave the reason why, but you did not
respond to:
There's nothing to be "suspicious" about and it's not "Google's DNS is still involved", but *your* (defined) DNS server.
[...]
[1] Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>
Frank Slootweg <this@ddress.is.invalid> wrote:
VanguardLH <V@nguard.lh> wrote:
[...]
Yep. Different operating systems, different management for each. That
Google requires a hostname (maybe since an article I cited showed an
Android setup that entered IP addresses, so it could rely on which brand >> and model of smartphone you have) makes me suspicious that Google's DNS
is still involved, like to get the IP addresses for the hostnames
specified for private DNS. The only way to be sure is to monitor
network traffic from your phone to a wi-fi capable router that has some
enterprise-level logging of network traffic for you to analyze to where
the phone is connecting.
As I wrote earlier [1] and gave the reason why, but you did not
respond to:
There's nothing to be "suspicious" about and it's not "Google's DNS is still involved", but *your* (defined) DNS server.
[...]
[1] Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>
Connection is by IP address. Humans like names. Computers demand
numbers. Somehow those hostnames specified for DoH servers have to get converted to IP addresses to then have your client connect to the DoH
server. The purpose of DNS has not changed. You don't use hostnames to connect to hosts. So, somehow the Android phone does convert the
hostnames you enter for private DNS servers to IP addresses. No matter
what you say, I will NEVER believe that DNS servers have become defunct, because now hosts can connect to each other using just hostnames.
On an Android phone, what are the default DNS servers? Are they
assigned by the cellular carrier's DHCP server, or are they preset to
point at Google's DNS servers?
VanguardLH <V@nguard.lh> wrote:
Connection is by IP address. Humans like names. Computers demand
numbers. Somehow those hostnames specified for DoH servers have to get
converted to IP addresses to then have your client connect to the DoH
server. The purpose of DNS has not changed. You don't use hostnames to
connect to hosts. So, somehow the Android phone does convert the
hostnames you enter for private DNS servers to IP addresses. No matter
what you say, I will NEVER believe that DNS servers have become defunct,
because now hosts can connect to each other using just hostnames.
Sigh! :-(
Please spare me/us pompous lectures and insinuations like this! If you
had bothered to read - and understand - my earlier post, it would be blatantly clear that your lecture/insinuation is uncalled for.
On an Android phone, what are the default DNS servers? Are they
assigned by the cellular carrier's DHCP server, or are they preset to
point at Google's DNS servers?
If on mobille data, your cellular carrier's DNS server will be used
(unless you/they changed it for some reason). If on Wi-Fi, your ISP's
DNS server will be used (unless you/they changed it for some reason).
There's no reason for Google's DNS servers to get involved.
Patrick <patrick@oleary.com> wrote:
Does Windows have a native private DNS setting like Android does?
Run ncpa.cpl.
Right-click on your network connection, and select Properties.
Select "Internet Protocol Version 4", and click Properties.
In the General tab, you can define 2 DNS servers (primary & secondary).
Click on Advanced, DNS tab, and you can define several for fallback.
In order, I have the following DNS servers defined for IPv4:
- 1.1.1.1 (Cloudflare)
- 208.67.222.222 (OpenDNS)
- 8.8.8.8 (Google)
- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)
My router gets its WAN-side IP address from my ISP's DHCP server which
also tells my router my ISP's DNS server, so pointing to my router
merely has, if used, my ISP's DNS server get used. However, there is
some caching in my router, so DNS lookups are a bit quicker on cached >entries.
Back in the Ethernet Properties dialog, select "Internet Protocol
Version 6", and click Properties.
In order, I have the following DNS servers defined for IPv6: >2606:4700:4700::1111 (Cloudflare)
2620:119:35::35 (OpenDNS)
2001:4860:4860:8888 (Google)
My router doesn't support IPv6 for its internal pass-through DNS server.
In most setups, the router and intranet hosts are configured for
automatic DNS config which means they get the DNS server from the
upstream DHCP server. For the intranet hosts, that's your router's DNS >server. For the router, that's your ISP's DNS server. You can choose
to use other DNS servers. While better in the past few years, my ISP
had the nasty habit of DNS failures about twice per year on average
which would last 1 to 3 days. That was unacceptable, and when I looked
into me deciding which DNS servers to use.
Windows had has the ability to let users select which DNS server(s) they
want to use since Windows 3.1 (c.1992).
Without rooting, Android allowed users to specify their choice of DNS
server since Android 9 (c.2018).
I don't know why the Chromium folks or Google thought "private" was a
proper name for a setting to let users define which DNS server to use.
DNS requests are hardly private. They are sent unencrypted. Anyone, >including your ISP or cell carrier can see for what domains the DNS
lookup was requested. Firefox added DoH (DNS Over HTTPS) to encrypt the
DNS requests to prevent spying on where you wanted to go (except, of
course, by the DNS provider themself).
https://en.wikipedia.org/wiki/DNS_over_HTTPS
So does Microsoft Edge-C (I don't know about the old Edge, and
definitely not Internet Explorer). Instead of DoH, Microsoft hides it
under the name "Secure DNS", because that is also the same setting name
used by Google in Chrome.
You can specify your choice of DNS server(s) in the IPv4/IPv6 settings >mentioned above, and your choice might even include DNS servers that
filter out phish and malware sites, and block spam sources, but they are >still using plain DNS requests that anyone can intercept. Windows can >support DoH, but it is not enabled by default. You have to enable DoH
using a policy, or a registry edit (since all policies are registry
entries). See:
https://blog.netwrix.com/2022/10/11/dns-over-https/
Frank Slootweg <this@ddress.is.invalid> wrote:
VanguardLH <V@nguard.lh> wrote:
Connection is by IP address. Humans like names. Computers demand
numbers. Somehow those hostnames specified for DoH servers have to get
converted to IP addresses to then have your client connect to the DoH
server. The purpose of DNS has not changed. You don't use hostnames to >> connect to hosts. So, somehow the Android phone does convert the
hostnames you enter for private DNS servers to IP addresses. No matter
what you say, I will NEVER believe that DNS servers have become defunct, >> because now hosts can connect to each other using just hostnames.
Sigh! :-(
Please spare me/us pompous lectures and insinuations like this! If you
had bothered to read - and understand - my earlier post, it would be blatantly clear that your lecture/insinuation is uncalled for.
I ask for clarification, and you resort to reciting your "I think the
default DNS server is still known/configured, because ..." response.
"I think" is not "I know". I can make guesses, too. So, neither of us
know for sure. Spare us the "I think" response as a definitive answer.
It's stupid that Android has to fallback to the default server (obtained
by the upstream DHCP server) to get the IP addresses for the DoH servers specified in the private DNS setting. Yeah, use a DNS server to lookup
a DNS server.
Windows has you specify the IP address of whatever DNS
server you want to us. Isn't Linux the same way? Even Apple has you
specify an IP address for the DNS server. But, noooo, Google has to do
it differently.
Can I see what my phone is using for a DNS server? I've dug through the Android settings, but haven't found where the DNS server it was assigned
is specified. Some online articles mention long-tapping the current
wi-fi connection to choose Modify network which lets you change the DNS servers. That's for wi-fi connections, not for cellular data
connections. DNS settings are missing for me, so must be for Android versions later than 8 on my phone, or for customized Android versions on phones other than my old LG V20. Could be my Android version is too
old, or LG dumbed down its feature set. Guess I need a DNS app to show
me my phone's current DNS setup.
VanguardLH <V@nguard.lh> wrote:
"I think" is not "I know". I can make guesses, too. So, neither of us
know for sure. Spare us the "I think" response as a definitive answer.
I see you 'conveniently snipped the part after "because". Why? Because
you couldn't fault my explanation?
Windows has you specify the IP address of whatever DNS server you
want to us. Isn't Linux the same way? Even Apple has you specify
an IP address for the DNS server. But, noooo, Google has to do it
differently.
Oh sorry, I forgot it was Bash Google For Any Odd Reason week.
You recently told 'someone that different OSs work differently, but
now you expect Android an Windows to work the same!?
Anyway, it has been noted, why a FQDN for the Private DNS provider is
more flexible (and more user-friendly).
Yes [to see DNS the phone is currently using] , you probably need a
app to see which DNS server is used/ configured. I have a 'Phone Information' app which gives more network details, but for this it
only gives the Gateway, not the DNS server(s).
it has been noted, why a FQDN for the Private DNS provider is
more flexible (and more user-friendly).
On 5 Mar 2024 20:06:59 GMT, Frank Slootweg wrote:
it has been noted, why a FQDN for the Private DNS provider is
more flexible (and more user-friendly).
I agree a FQDN is definitely more user friendly so that makes sense.
How Android gets the IP address is unknown to me, but what is known to me makes it seem probable that Android gets the IP address for the Private DNS FQDN the same way it gets the IP address when you're not using Private DNS.
On Android, when I long press on the settings for any given Wi-Fi
connection, it tells me what DNS server is being normally queried.
<https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>
Of course, if Private DNS is set, I suspect those two Wi-Fi DNS servers are ignored, which I guess we could test if I knew how to use these two sites.
https://1.1.1.1/help
http://test.nextdns.io/
While it's obvious what DNS server is normally used (if Private DNS isn't set) for Wi-Fi, I don't know where the DNS server is set for cellular data.
Frank Slootweg <this@ddress.is.invalid> wrote:
VanguardLH <V@nguard.lh> wrote:
"I think" is not "I know". I can make guesses, too. So, neither of us
know for sure. Spare us the "I think" response as a definitive answer.
I see you 'conveniently snipped the part after "because". Why? Because you couldn't fault my explanation?
The "because" is based on the presumption both you and I made and agreed upon. Since the default DNS is obtained by the upstream DHCP server, it doesn't have to be remembered. The client gets the DNS server from the
DHCP server again.
I understand the Auto mode: if DoH server cannot be found or reached, fallback to default DNS server (which is got from the DHCP server). The
DHCP server doesn't just assign your device an IP address. It also
specifies a DNS server.
https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3942_l3-ip-svcs_cg/content/483572290.htm[Repeat deleted.]
Windows has you specify the IP address of whatever DNS server you
want to us. Isn't Linux the same way? Even Apple has you specify
an IP address for the DNS server. But, noooo, Google has to do it
differently.
Oh sorry, I forgot it was Bash Google For Any Odd Reason week.
You recently told 'someone that different OSs work differently, but
now you expect Android an Windows to work the same!?
Not what *I* said.
Patrick: This brings back the issue that I want to use the same
encrypted DNS servers on Windows that I use on Android but the
input format is different.
Me: Yep. Different operating systems, different management for
each.
Anyway, it has been noted, why a FQDN for the Private DNS provider is
more flexible (and more user-friendly).
Only because humans like names while computers want numbers. I don't
see entering a FQDN for a DNS server to be more flexible. It mandates another DNS server must be employed to get the IP address of the
specified DNS server.
Yes [to see DNS the phone is currently using] , you probably need a
app to see which DNS server is used/ configured. I have a 'Phone Information' app which gives more network details, but for this it
only gives the Gateway, not the DNS server(s).
An app is also how I figured was needed to see the current network
config on the phone. I'll have to dig about the Play Store to see which
apps report the network config, and avoid those that try to change it,
like the DNS Changer apps.
VanguardLH <V@nguard.lh> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote:
VanguardLH <V@nguard.lh> wrote:
"I think" is not "I know". I can make guesses, too. So, neither of us >> know for sure. Spare us the "I think" response as a definitive answer.
I see you 'conveniently snipped the part after "because". Why? Because you couldn't fault my explanation?
The "because" is based on the presumption both you and I made and agreed upon. Since the default DNS is obtained by the upstream DHCP server, it doesn't have to be remembered. The client gets the DNS server from the DHCP server again.
I understand the Auto mode: if DoH server cannot be found or reached, fallback to default DNS server (which is got from the DHCP server). The DHCP server doesn't just assign your device an IP address. It also specifies a DNS server.
That assumes that DHCP is used, which is indeed (very) common, but not neccessarily the case, as one can configure 'Static' in Android's IP settings.
In the Static case Android has to know/remember the DNS server
address.
[Newsflash:]
'Patrick' has posted a screenshot of his Wi-Fi connection, which shows
'DNS 2' set to 8.8.4.4, which is dns.google
So it seems that you were right that Android uses Google's DNS
servers, albeit for DNS 2, not DNS 1 (which in Patrick's case is set to 192.168.1.1 (which is also his Gateway), i.e. his ISP's DNS server).
That assumes that DHCP is used, which is indeed (very) common, but not neccessarily the case, as one can configure 'Static' in Android's IP settings.
In the Static case Android has to know/remember the DNS server
address.
But nevermind, it's not important (except for the gratuitous Google bashing).
On Android, when I long press on the settings for any given Wi-Fi
connection, it tells me what DNS server is being normally queried.
<https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>
Sadly that long press does not work on my (Samsung A51 Android 13)
phone. Do you long press the connection which is actually connected at
the moment or or of the other 'Available networks'?
Anyway, unless you or something have changed something, it seems
VanguardLH is right, because your screenshot shows 'DNS 2' as 8.8.4.4,
which is indeed dns.google.
Different operating systems, different management
Interesting would be to see how many freeloaders would pay for Google
Maps, Google Voice, Gmail, Google Drive, Google Chrome, and all the
other free services Google provides. Google is a business, not your
parents to leech off. They need to make money, too
While fiddling with my phone, I happened to see that if you set 'IP settings' to 'Static' (instead of 'DHCP'), it *does* show the DNS
settings and DNS 1 defaults to 8.8.8.8 and DNS 2 defaults to 8.8.4.4,
i.e. both dns.google.
On 6 Mar 2024 13:03:33 GMT, Frank Slootweg wrote:
On Android, when I long press on the settings for any given Wi-Fi
connection, it tells me what DNS server is being normally queried.
<https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>
Sadly that long press does not work on my (Samsung A51 Android 13)
phone. Do you long press the connection which is actually connected at
the moment or or of the other 'Available networks'?
Anyway, unless you or something have changed something, it seems VanguardLH is right, because your screenshot shows 'DNS 2' as 8.8.4.4, which is indeed dns.google.
Actually, the 8.8.4.4 is grayed out.
As far as I can tell, it's not being used.
I think it's a suggestion that the Android 13 operating system gives you.
But maybe not. I don't know. I changed 8.8.8.8 to 192.168.1.1 long ago.
I have a static connection set up for each Android phone in the house.
When you set up a static connection, 8.8.8.8 & 8.8.4.4 are suggested.
I replaced the 8.8.8.8 with 192.168.1.1 but I didn't bother changing that second slot because if the router isn't working, neither will the Wi-Fi.
The presumption is that is the DNS server which is looking up the Private
DNS hostname to get the IP address when you're on a Wi-Fi connection.
I have to assume when we're on cellular data, that the DNS lookup is
whatever the carrier has it set to. I don't know how to find that data.
Frank Slootweg <this@ddress.is.invalid> wrote:
That assumes that DHCP is used, which is indeed (very) common, but not neccessarily the case, as one can configure 'Static' in Android's IP settings.
In the Static case Android has to know/remember the DNS server
address.
Interesting. I didn't know you could modify the base network settings without rooting the phone. When the private DNS setting showed up,
users could change which DNS server they used. Before that setting
appeared, there was yet another setting that let users specify a DNS
server other than the one assigned by DHCP?
VanguardLH <V@nguard.lh> wrote:
Interesting. I didn't know you could modify the base network settings
without rooting the phone. When the private DNS setting showed up,
users could change which DNS server they used. Before that setting
appeared, there was yet another setting that let users specify a DNS
server other than the one assigned by DHCP?
Yes, the latter is a per connection setting, i.e. one for each of the 'networks' you have configured, the 'Private DNS' setting is a
system-wide setting.
BUT, (sofar) we can only set the DNS servers for a connection if that connection has its 'IP settings' set to 'Static'. If it's set to 'DHCP'
I/we have not yet found a method to set the DNS servers. (I thought
that Patrick had found a way on his phone, but it turned out that his screenshot was also for 'Static', not for 'DHCP'.)
Frank Slootweg <this@ddress.is.invalid> wrote:
VanguardLH <V@nguard.lh> wrote:
Interesting. I didn't know you could modify the base network settings
without rooting the phone. When the private DNS setting showed up,
users could change which DNS server they used. Before that setting
appeared, there was yet another setting that let users specify a DNS
server other than the one assigned by DHCP?
Yes, the latter is a per connection setting, i.e. one for each of the 'networks' you have configured, the 'Private DNS' setting is a
system-wide setting.
BUT, (sofar) we can only set the DNS servers for a connection if that connection has its 'IP settings' set to 'Static'. If it's set to 'DHCP' I/we have not yet found a method to set the DNS servers. (I thought
that Patrick had found a way on his phone, but it turned out that his screenshot was also for 'Static', not for 'DHCP'.)
Without the upstream DHCP to get your IP address, you would need a
static IP address. I know some users can get a static IP address from
static IP address. I know some users can get a static IP address from
their ISP. Some get it free, some have to pay for it. With my ISP, I
have to pay more for a business-class account to get a static IP
address. However, I never looked into getting a static IP address from
my carrier for cellular data (unless we're talking about static IP on
the phone to your own wifi access point, like at home).
I getting jealous of you guys, and phone envy, too. I'm still back on
my c.2016 LG V20 phone with Android 8.0 the latest I can get on it. I
won't play around with rooting it until I get another phone that has all those features I keep hearing about, like DNS settings and private DNS.
'We' didn't spell this out, but both Patrick and I are indeed talking
about Wi-Fi connections to our *router*. In the router, you can
specify a static *local* IP address, i.e. 192.168.X.Y or some such.
I getting jealous of you guys, and phone envy, too. I'm still back on
my c.2016 LG V20 phone with Android 8.0 the latest I can get on it. I
won't play around with rooting it until I get another phone that has all
those features I keep hearing about, like DNS settings and private DNS.
Well, my phones were Android 4.1.1 and 5.1.1. Only when the last one
became too slow (for (changing) car navigation), I bought a new one,
which came with Android 10 and is now on Android 13. I'll probably not
buy another/newer one unless I have too.
So like you, I'm not part of the "Let's buy another phone every other
year or so!" crowd.
IIRC, you drive an old car. So do I, well over 20 years old.
Frank Slootweg <this@ddress.is.invalid> wrote:
'We' didn't spell this out, but both Patrick and I are indeed talking
about Wi-Fi connections to our *router*. In the router, you can
specify a static *local* IP address, i.e. 192.168.X.Y or some such.
Ah, I get it. Yep, you can have your router's DHCP server assign
dynamic IP address to your intranet hosts, or assign a static IP
(reserved) address to a host usually based on the host's MAC address.
I replaced the 8.8.8.8 with 192.168.1.1 but I didn't bother changing that
second slot because if the router isn't working, neither will the Wi-Fi.
But theoretically it could be that you ISP's DNS servers aren't
working, but Google's are, so leaving 'DNS 2' point to a Google DNS
server is better than also setting it to one of your ISP's DNS servers.
about Wi-Fi connections to our *router*. In the router, you can
specify a static *local* IP address, i.e. 192.168.X.Y or some such.
Ah, I get it. Yep, you can have your router's DHCP server assign
dynamic IP address to your intranet hosts, or assign a static IP
(reserved) address to a host usually based on the host's MAC address.
Keep an eye out for Android's Random MAC Address feature. You might wonder why
your DHCP address reservation is being ignored. It's not being ignored by the router, it's just that phone never presents the same MAC address when requesting
an IP.
Frank Slootweg <this@ddress.is.invalid> wrote:
That assumes that DHCP is used, which is indeed (very) common, but not
neccessarily the case, as one can configure 'Static' in Android's IP
settings.
In the Static case Android has to know/remember the DNS server
address.
Interesting. I didn't know you could modify the base network settings without rooting the phone. When the private DNS setting showed up,
users could change which DNS server they used. Before that setting
appeared, there was yet another setting that let users specify a DNS
server other than the one assigned by DHCP?
But nevermind, it's not important (except for the gratuitous Google
bashing).
I've never felt the need for uber-privacy,
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 297 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 08:38:53 |
| Calls: | 6,666 |
| Files: | 12,213 |
| Messages: | 5,336,200 |
