julian-klode / dns66

DNS-based Host Blocker (and lightweight ad blocker) for Android
https://jak-linux.org/projects/dns66/
GNU General Public License v3.0
2.11k stars, 200 forks

Encrypted DNS Connection? #11

Open ghost opened 7 years ago

ghost commented 7 years ago

Since this app uses a VPN connection does this mean the DNS requests are encrypted?

julian-klode commented 7 years ago

No, unfortunately not. The VPN encryption is just used on the local device so we can intercept the DNS traffic and hijack queries for blocked hosts (the VPN layer responds directly with "No such domain" for blocked hosts).

For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point. I'm not sure if there's any usable java library, though.
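To make the interception mechanism described above concrete, here is an added example (not dns66's own code) that parses the question section of a UDP DNS query, answers blocked names with an NXDOMAIN ("No such domain") reply and leaves everything else to be forwarded upstream. The blocklist and the query builder are constructed for the example; dns66 itself matches against downloaded hosts files.

```python
import struct

# Constructed blocklist for the example; dns66 loads hosts-style lists instead.
BLOCKED = {"ads.example", "tracker.example"}


def parse_question(pkt: bytes):
    """Return (txid, qname, qtype, qclass, end_offset) of the first question."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12                      # question starts after the 12-byte header
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                          # pointers never appear in a plain query name
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, qclass, off + 4


def nxdomain_for(pkt: bytes) -> bytes:
    """Build the 'No such domain' reply: QR=1, RD copied from the query, RCODE=3, question echoed.

    A real resolver would add an SOA record in the authority section; a bare NXDOMAIN
    with an empty answer is enough for a local blocker."""
    txid, _, _, _, qend = parse_question(pkt)
    rd = struct.unpack("!H", pkt[2:4])[0] & 0x0100
    flags = 0x8000 | rd | 0x0003              # QR | RD | RCODE=NXDOMAIN
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + pkt[12:qend]


def handle_query(pkt: bytes):
    """Return ('block', nxdomain_reply) for a listed name, else ('forward', pkt) for the upstream resolver."""
    _, qname, _, _, _ = parse_question(pkt)
    if qname in BLOCKED:                      # exact hosts-file style match, as in dns66
        return "block", nxdomain_for(pkt)
    return "forward", pkt


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed helper: encode a standard recursive query (default type A) for testing."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + b"\x00" + struct.pack("!HH", qtype, 1)
```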

pizzadude commented 7 years ago

> For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point.

I use this for DNSCrypt on my android devices, though it requires root. I did not make the app.

https://play.google.com/store/apps/details?id=com.okirat.dnsmanager

licaon-kter commented 7 years ago

Regarding DNSCrypt-proxy you could have a subprocess that runs the daemon and you just route all DNS queries of UDP 53 to it :)

Here is an implementation that piggybacks on Unbound (to manage cache and DNSSEC): https://github.com/smarek/android-unbound-dns/issues/18

In the APK there's a package.zip with plain bash scripts, you can get an idea of how this can be done.

PS: Yes, I'll hurry up and set up a repo with my fork of Unbound to make things open and clear :)

LivInTheLookingGlass commented 7 years ago

I would be very interested in this.

zero77 commented 6 years ago

Adguard for Android seems to have implemented DNSCrypt

github.com/AdguardTeam/AdguardForAndroid/issues/1134
github.com/AdguardTeam/AdguardForAndroid/issues/1053

julian-klode commented 6 years ago

Note that I'd rather go with DNS over TLS now. It's an easy protocol, but it needs quite a lot of reworking in DNS66.

julian-klode commented 6 years ago

JFTR: #102 mentioned these dnscrypt resolvers https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

westurner commented 5 years ago

Android 9 has native DNS over TLS support.

For Android 4.0+, there's DNS over HTTPS support in Intra (Apache 2.0 License) https://github.com/Jigsaw-Code/Intra

https://github.com/Jigsaw-Code/Intra/tree/master/Android/app/src/main/java/app/intra

https://github.com/Jigsaw-Code/Intra/blob/master/Android/app/src/main/java/app/intra/DnsResolverUdpToHttps.java

julian-klode commented 5 years ago

FWIW, DNS over TLS is basically a no-go in practice, at least on Cloudflare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane amount of roundtrips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.

alexrashed commented 4 years ago

I would love to see this feature. With Cloudflare and Google (both the DNS and Chrome) jumping on the encrypted DNS train, in my opinion it won't take long for most of the DNS traffic to be encrypted (finally, as it's also pretty sensitive). I also think the performance isn't that much of a problem anymore. E.g. I am using the DoH of the Foundation for Applied Privacy regularly (as a daily driver on some devices; with Android 9 there's even native support). Firefox is thinking about switching to DoH for millions of people.

alexanderadam commented 4 years ago

Maybe things like DoTClient, jDnsProxy, Turbodns, Intra-DNS or DNS Proxy could serve as an inspiration (or even be used).

Or maybe at least the changes in other blockers (1, 2).

There's also the MIT licensed DnsLibs, that the Adguard folks are using (it's sadly not Java, though).

githubashutoshsoni commented 4 years ago

So, DOH is also implemented in this app?

julian-klode commented 4 years ago

No, there is neither DoH nor DNS-over-TLS.

kcris commented 3 years ago

> FWIW, DNS over TLS is basically a no-go in practice, at least on Cloudflare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane amount of roundtrips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.

hi, doh/dot is slower, yes, (imperceptible, to be honest)

but dns privacy is a main concern, possibly even more important than ad-blocking itself and even more so since some dot/doh public dns resolvers also offer... ad-blocking

e.g. https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md

we can pair one of those with Android 9+'s Private DNS option and we get the best of both worlds: adblocking and encrypted transport (to our dns provider)

so, in my opinion, the client-side-ad-blocking that is offered by dns66 only makes sense when such dot/doh privacy/encryption is not lost

alexanderadam commented 3 years ago

Also on that:

> it takes about 4 times the time of a normal DNS request.

But this isn't the main speed factor on web requests, is it? Even if a page calls ten different domains, a single image (or JS, XHR or whatever) of this page will most likely take longer to load than those DNS roundtrips. Especially since the roundtrips are only relevant as long as the domains aren't in the cache yet. Or am I missing something here? :thinking:

geekley commented 1 year ago

This would be a great feature for older Android devices that don't natively support either DoH or DoT (even if one doesn't want ad-blocking, or is already using DNS ad-blocking like adguard-dns, but also wants DNS privacy).