Forum: >>> Magnum BBS <<<

Private DNS in Android settings

From Neil@21:1/5 to All on Fri Sep 1 09:26:32 2023

What is the "Private DNS" setting supposed to be used for in Android 12?

In my Android settings I noticed a "private dns" settings set to on.
Settings -> Connections -> More connection settings -> Private DNS

I never touched this as I don't know what it does.

My related Private DNS settings are "Private DNS = On" at the top level.
And then when I diver deeper still, I see that "Private DNS = Automatic."

The three choices are
"Off",
"Automatic" and
"Private DNS provider hostname" (which is blank on my phone).

What should a default "Private DNS" setting be on a typical Android phone?
And what is this "Private DNS" all about anyways?
--
regards,
Neil

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?J=c3=b6rg_Lorenz?=@21:1/5 to All on Fri Sep 1 19:13:17 2023

Am 01.09.23 um 15:26 schrieb Neil:

What is the "Private DNS" setting supposed to be used for in Android 12?

The option to use another DNS-server than your provider's DNS-resolver.
This has enormous privacy implications and helps to fight against any
sort of censorship.

--
Alea iacta est

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From sitaramc@21:1/5 to Neil on Sat Sep 2 06:19:15 2023

On 01/09/23 18:56, Neil wrote:

What is the "Private DNS" setting supposed to be used for in Android 12?

In my Android settings I noticed a "private dns" settings set to on.
Settings -> Connections -> More connection settings -> Private DNS

I never touched this as I don't know what it does.

My related Private DNS settings are "Private DNS = On" at the top level.
And then when I diver deeper still, I see that "Private DNS = Automatic."

The three choices are "Off", "Automatic" and "Private DNS provider
hostname" (which is blank on my phone).

What should a default "Private DNS" setting be on a typical Android phone? And what is this "Private DNS" all about anyways?

Private DNS is Android's implementation of either DNS over TLS, or DNS
over HTTPS (probably the former).

Not sure where it goes if you set it to on but don't specify a provider; probably some google provider. But if it doesn't work set it to
dns.quad9.net (easiest to remember; there are others I can't remember so
well).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?J=c3=b6rg_Lorenz?=@21:1/5 to All on Sat Sep 2 05:39:44 2023

Am 02.09.23 um 02:49 schrieb sitaramc:

Private DNS is Android's implementation of either DNS over TLS, or DNS
over HTTPS (probably the former).

Not sure where it goes if you set it to on but don't specify a provider; probably some google provider. But if it doesn't work set it to dns.quad9.net (easiest to remember; there are others I can't remember so well).

Here it is DNS over HTTPS on my Pixel 7. The server I set manually is

dns.digitale-gesellschaft.ch

HTH, Jörg

--
Alea iacta est

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From John Attrill III@21:1/5 to sitaramc on Sat Sep 2 15:49:11 2023

On Sat, 2 Sep 2023 06:19:15 +0530, sitaramc wrote:

What should a default "Private DNS" setting be on a typical Android phone? >> And what is this "Private DNS" all about anyways?

Private DNS is Android's implementation of either DNS over TLS, or DNS
over HTTPS (probably the former).

Not sure where it goes if you set it to on but don't specify a provider; probably some google provider. But if it doesn't work set it to dns.quad9.net (easiest to remember; there are others I can't remember so well).

I'm happy this topic came up as it's useful to improve Android DNS privacy.

I had never heard of Android Private DNS until this thread so I searched. https://duckduckgo.com/?hps=1&q=android+private+dns

That search found this basic summary of how Android Private DNS works. https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

HowToGeek summarized the problem set in essentially three sentences.
1. Android DNS domain-to-IP lookups were usually not encrypted
2. Android 9+ added DNS over TLS encryption for domain-to-IP lookups
3. Android Private DNS encrypts those lookups (but VPN loops around it)

That search found this test to check if Android private DNS is working. https://tenta.com/test/

HowToGeek recommends choosing either a Google or Cloudflare Private DNS. https://developers.google.com/speed/public-dns/docs/using#android
8.8.8.8 or 8.8.4.4 https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
1.1.1.1 or 1.0.0.1

But that search above also found this list of Private DNS resolvers. https://dnsprivacy.org/public_resolvers/#dns-over-tls-dot
Quad9 'secure' 9.9.9.9 or Quad9 'insecure' 9.9.9.10
Cloudflare 1.1.1.1 or 1.0.0.1
Google 8.8.8.8 or 8.8.4.4
CleanBrowsing https://cleanbrowsing.org/help/docs/dnsovertls/
Security Filter 185.228.168.9:853 or 185.228.169.9:853
Family Filter 185.228.168.168:853 or 185.228.169.168:853
Adult Filter 85.228.168.10:853 or 185.228.169.11:853
Adguard https://adguard.com/en/blog/adguard-dns-announcement/
Default Filter 94.140.14.14 or 94.140.15.15
Family Filter 94.140.14.15 or 94.140.15.16
No Filter 94.140.14.140 or 94.140.14.141
Control D https://controld.com/free-dns
No Filter 76.76.2.0 or 76.76.10.0
Malware Filter 76.76.2.1 or 76.76.10.1
Ad/Tracking Filter 76.76.2.2 or 76.76.10.2
Malware/Ad/Social Filter 76.76.2.3 or 76.76.10.3
Adult/Drug Filter 76.76.2.4 or 76.76.10.4
Uncensored Domains Filter 76.76.2.5 or 76.76.10.5
[aljazeera.com]
[bbc.co.uk]
[bbc.com]
[bloomberg.com]
[cbc.ca]
[dailymail.co.uk]
[duckduckgo.com]
[dumskaya.net]
[dw.com]
[huffpost.com]
[kyky.org]
[mask-h2.icloud.com]
[mask.icloud.com]
[medium.com]
[meduza.io]
[nytimes.com]
[obozrevatel.com]
[pravda.com.ua]
[protonmail.com]
[radiosvoboda.org]
[reuters.com]
[sci-hub.se]
[spiegel.de]
[svoboda.org]
[theguardian.com]
[time.com]
[tutanota.com]
[ukr.net]
[use-application-dns.net]
[verify.controld.com]
[washingtonpost.com]
[wikimedia.org]
[wikipedia.org]
[ycombinator.com]

Note that HowToGeek recommended against choosing your ISP's DNS server. https://www.howtogeek.com/664608/why-you-shouldnt-be-using-your-isps-default-dns-server/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Frankie@21:1/5 to Neil on Sat Sep 2 17:10:32 2023

On 1/9/2023, Neil wrote:

What should a default "Private DNS" setting be on a typical Android phone?

If you set it to Automatic, Android will automatically switch to Google's Private DNS (if it's available).

Otherwise set your Android Private DNS to one of these private DNS domains.

Cloudflare Private DNS: 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one Google Private DNS: dns.google
Quad9 Private DNS: dns.quad9.net
Cleanbrowsing Private DNS: security-filter-dns.cleanbrowsing.org
Open DNS Private DNS: 208.67.222.222 or dns.opendns.com
NextDNS Private DNS: 45.90.28.0 or dns.nextdns.io
Comodo Secure Private DNS: 8.26.56.26 (I can't find the private DNS domain) OpenNIC Private DNS: 192.95.54.3 (I can't find the private DNS domain name)

https://www.zdnet.com/article/how-to-turn-on-private-dns-mode-on-android-and-why-you-should/

Keep in mind that Android 12 also added an Adaptive Connectivity feature. https://nerdschalk.com/how-to-use-private-dns-and-adaptive-connectivity-on-android-12/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?J=C3=B6rg_Lorenz?=@21:1/5 to All on Sat Sep 2 16:20:02 2023

Am 02.09.23 um 15:49 schrieb John Attrill III:

HowToGeek recommends choosing either a Google or Cloudflare Private DNS. https://developers.google.com/speed/public-dns/docs/using#android
8.8.8.8 or 8.8.4.4 https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/ 1.1.1.1 or 1.0.0.1

Then you really do not need Private DNS. *LOL*

--
Alea iacta est

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?J=C3=B6rg_Lorenz?=@21:1/5 to All on Sat Sep 2 16:29:21 2023

Am 02.09.23 um 15:49 schrieb John Attrill III:

I'm happy this topic came up as it's useful to improve Android DNS privacy.

I had never heard of Android Private DNS until this thread so I searched. https://duckduckgo.com/?hps=1&q=android+private+dns

That search found this basic summary of how Android Private DNS works. https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

HowToGeek summarized the problem set in essentially three sentences.
1. Android DNS domain-to-IP lookups were usually not encrypted
2. Android 9+ added DNS over TLS encryption for domain-to-IP lookups
3. Android Private DNS encrypts those lookups (but VPN loops around it)

That search found this test to check if Android private DNS is working. https://tenta.com/test/

HowToGeek recommends choosing either a Google or Cloudflare Private DNS. https://developers.google.com/speed/public-dns/docs/using#android
8.8.8.8 or 8.8.4.4 https://blog.cloudflare.com/enable-private-dns-with-1-1-1-1-on-android-9-pie/
1.1.1.1 or 1.0.0.1

But that search above also found this list of Private DNS resolvers. https://dnsprivacy.org/public_resolvers/#dns-over-tls-dot
Quad9 'secure' 9.9.9.9 or Quad9 'insecure' 9.9.9.10
Cloudflare 1.1.1.1 or 1.0.0.1
Google 8.8.8.8 or 8.8.4.4
CleanBrowsing https://cleanbrowsing.org/help/docs/dnsovertls/
Security Filter 185.228.168.9:853 or 185.228.169.9:853
Family Filter 185.228.168.168:853 or 185.228.169.168:853
Adult Filter 85.228.168.10:853 or 185.228.169.11:853
Adguard https://adguard.com/en/blog/adguard-dns-announcement/
Default Filter 94.140.14.14 or 94.140.15.15
Family Filter 94.140.14.15 or 94.140.15.16
No Filter 94.140.14.140 or 94.140.14.141
Control D https://controld.com/free-dns
No Filter 76.76.2.0 or 76.76.10.0
Malware Filter 76.76.2.1 or 76.76.10.1
Ad/Tracking Filter 76.76.2.2 or 76.76.10.2
Malware/Ad/Social Filter 76.76.2.3 or 76.76.10.3
Adult/Drug Filter 76.76.2.4 or 76.76.10.4
Uncensored Domains Filter 76.76.2.5 or 76.76.10.5
[aljazeera.com]
[bbc.co.uk]
[bbc.com]
[bloomberg.com]
[cbc.ca]
[dailymail.co.uk]
[duckduckgo.com]
[dumskaya.net]
[dw.com]
[huffpost.com]
[kyky.org]
[mask-h2.icloud.com]
[mask.icloud.com]
[medium.com]
[meduza.io]
[nytimes.com]
[obozrevatel.com]
[pravda.com.ua]
[protonmail.com]
[radiosvoboda.org]
[reuters.com]
[sci-hub.se]
[spiegel.de]
[svoboda.org]
[theguardian.com]
[time.com]
[tutanota.com]
[ukr.net]
[use-application-dns.net]
[verify.controld.com]
[washingtonpost.com]
[wikimedia.org]
[wikipedia.org]
[ycombinator.com]

Note that HowToGeek recommended against choosing your ISP's DNS server. https://www.howtogeek.com/664608/why-you-shouldnt-be-using-your-isps-default-dns-server/

Only independent European DNS-resovers are trustworthy.
This one is the most powerful and the most trustworthiest of them all:

https://unicast.uncensoreddns.org/dns-query

It is located in Denmark.

*Never ever trust anglosaxon servers* in the case privacy is a reaons to
use Private DNS!

BTW: I use this server also for Thunderbird and more importantly for
Firefox.

--
Alea iacta est

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From =?UTF-8?Q?J=c3=b6rg_Lorenz?=@21:1/5 to All on Sat Sep 2 23:24:01 2023

Am 02.09.23 um 16:10 schrieb Frankie:

Cloudflare Private DNS: 1dot1dot1dot1.cloudflare-dns.com or one.one.one.one Google Private DNS: dns.google
Quad9 Private DNS: dns.quad9.net
Cleanbrowsing Private DNS: security-filter-dns.cleanbrowsing.org
Open DNS Private DNS: 208.67.222.222 or dns.opendns.com
NextDNS Private DNS: 45.90.28.0 or dns.nextdns.io
Comodo Secure Private DNS: 8.26.56.26 (I can't find the private DNS domain) OpenNIC Private DNS: 192.95.54.3 (I can't find the private DNS domain name)

Bullshit. They are not trustworty at all.
The worst is the censorship-server OpenDNS which is btw also very slow.

They all have a direct NSA-relay. *SCNR*

--
Alea iacta est

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	297
Nodes:	16 (2 / 14)
Uptime:	03:39:53
Calls:	6,666
Files:	12,213
Messages:	5,335,790

Private DNS in Android settings

Who's Online

System Info