Open ghost opened 7 years ago
No, unfortunately not. The VPN encryption is just used on the local device so we can intercept the DNS traffic and hijack queries for blocked hosts (the VPN layer responds directly with "No such domain" for blocked hosts).
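The interception described above, as an added example that is not DNS66's own code: a query is parsed off the tunnel, the name is checked against a blocklist, and blocked names get a locally built NXDOMAIN reply (RCODE 3) while everything else is passed through for forwarding. The blocklist, the host names and the sample query are constructed here for the example; DNS66 itself loads hosts files and does this in Java on the VPN file descriptor.

```python
"""Added example (not DNS66 code): answer NXDOMAIN locally for blocked hosts
and pass all other queries through, as the VPN layer in the thread does.
The blocklist and the sample queries are constructed for the example."""
import struct

# Constructed blocklist for the example; DNS66 loads hosts files instead.
BLOCKED_HOSTS = {"ads.example.com", "tracker.example.net"}

RCODE_NXDOMAIN = 3


def parse_qname(msg: bytes, offset: int):
    """Read an uncompressed DNS name starting at offset.
    Returns (lower-cased dotted name, offset just after the name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (QTYPE 1 = A); used to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def nxdomain_response(query: bytes) -> bytes:
    """Answer with NXDOMAIN: same ID and question, QR=1, RD copied, RA=1, RCODE=3.
    No SOA is added to the authority section, so clients cannot negatively cache it."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, end = parse_qname(query, 12)
    end += 4  # skip QTYPE and QCLASS
    rd = flags & 0x0100
    resp_flags = 0x8000 | rd | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0)
    return header + query[12:end]


def is_blocked(name: str) -> bool:
    """Block exact matches and any subdomain of a blocked host."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKED_HOSTS for i in range(len(parts)))


def handle_query(query: bytes):
    """Return ("blocked", nxdomain_bytes) or ("forward", query), as the VPN layer decides."""
    name, _ = parse_qname(query, 12)
    if is_blocked(name):
        return "blocked", nxdomain_response(query)
    return "forward", query


def rcode(msg: bytes) -> int:
    """Low 4 bits of the flags word."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


if __name__ == "__main__":
    for host in ("ads.example.com", "sub.tracker.example.net", "example.org"):
        kind, msg = handle_query(build_query(host))
        print(host, kind, "rcode", rcode(msg) if kind == "blocked" else "-")
```

The reply only copies the question section and sets RCODE 3, which is what the thread describes; a resolver would also put the zone's SOA in the authority section so the client can cache the negative answer (RFC 2308). The subdomain matching is an assumption for the example, not a description of how DNS66 matches hosts-file entries.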
For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point. I'm not sure if there's any usable Java library, though.
> For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point.
I use this for DNSCrypt on my Android devices, though it requires root. I did not make the app.
https://play.google.com/store/apps/details?id=com.okirat.dnsmanager
Regarding DNSCrypt-proxy, you could have a subprocess that runs the daemon and just route all DNS queries on UDP 53 to it :)
Here is an implementation that piggybacks on Unbound (to manage cache and DNSSEC): https://github.com/smarek/android-unbound-dns/issues/18
In the APK there's a package.zip with plain bash scripts; you can get an idea of how this can be done.
PS: Yes, I'll hurry up and set up a repo with my fork of Unbound to make things open and clear :)
I would be very interested in this.
Adguard for Android seems to have implemented DNSCrypt
github.com/AdguardTeam/AdguardForAndroid/issues/1134 github.com/AdguardTeam/AdguardForAndroid/issues/1053
Note that I'd rather go with DNS over TLS now. It's an easy protocol, but it needs quite a lot of reworking in DNS66.
JFTR: #102 mentioned these dnscrypt resolvers https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
Android 9 has native DNS over TLS support.
For Android 4.0+, there's DNS over HTTPS support in Intra (Apache 2.0 License) https://github.com/Jigsaw-Code/Intra
https://github.com/Jigsaw-Code/Intra/tree/master/Android/app/src/main/java/app/intra
FWIW, DNS over TLS is basically a no-go in practice, at least on Cloudflare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane number of round trips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.
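The framing that DoT and DoH put around a normal DNS message, as an added example (not DNS66 or Intra code): RFC 7858 sends each message on the TLS connection with the same 2-byte length prefix DNS uses over TCP, and RFC 8484 carries it in an HTTPS request, in the GET form as base64url without padding. Several queries can be written on one connection and the replies matched by message ID, which is the reuse the comment above says the public resolvers cut short by closing the connection. The sample query bytes and the `https://dns.example/dns-query` endpoint are constructed for the example; nothing here touches the network.

```python
"""Added example (not DNS66 or Intra code): DNS over TLS (RFC 7858) and
DNS over HTTPS (RFC 8484) wire framing around an ordinary DNS message.
The sample query and the DoH endpoint below are constructed for the example."""
import base64
import struct

# Constructed query: ID 0xbeef, flags 0x0100 (RD=1), one question, A record for example.com
SAMPLE_QUERY = (bytes.fromhex("beef01000001000000000000")
                + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")


def dot_frame(message: bytes) -> bytes:
    """RFC 7858 reuses RFC 1035 TCP framing: a 2-byte big-endian length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP/TLS framing")
    return struct.pack("!H", len(message)) + message


def dot_unframe(stream: bytes):
    """Split bytes read from one TLS connection into complete DNS messages.
    Returns (messages, leftover); a partially received message stays in leftover."""
    messages = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def pipeline(queries) -> bytes:
    """Frame several queries for a single write on one connection (RFC 7766 pipelining)."""
    return b"".join(dot_frame(q) for q in queries)


def message_id(message: bytes) -> int:
    return struct.unpack("!H", message[:2])[0]


def match_responses(queries, responses):
    """Map each query's ID to its response; a server may answer out of order."""
    by_id = {message_id(r): r for r in responses}
    return {message_id(q): by_id.get(message_id(q)) for q in queries}


# Hypothetical endpoint for the example; real DoH servers publish their own URL template.
DOH_ENDPOINT = "https://dns.example/dns-query"


def doh_get_url(message: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the message as base64url in the dns= parameter, padding removed."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_decode(url: str) -> bytes:
    """Inverse of doh_get_url: restore base64 padding and decode the dns= parameter."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    second = b"\xca\xfe" + SAMPLE_QUERY[2:]
    stream = pipeline([SAMPLE_QUERY, second])
    print("framed bytes on the wire:", len(stream))
    print("messages recovered:", len(dot_unframe(stream)[0]))
    print("DoH GET:", doh_get_url(SAMPLE_QUERY))
```

Two practical points follow from the framing: a DoT client must keep reading until the length prefix is satisfied, since one TLS record can carry part of a message or several messages, and when it pipelines it must match on the ID rather than assume ordering. RFC 8484 also recommends sending ID 0 over DoH so identical queries produce cacheable URLs; the example leaves the ID untouched so the query round-trips unchanged.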
I would love to see this feature. With Cloudflare and Google (both the DNS and Chrome) jumping on the encrypted DNS train, in my opinion it won't take long for most of the DNS traffic to be encrypted (finally, as it's also pretty sensitive). I also think the performance isn't that much of a problem anymore. E.g. I am using the DoH of the Foundation for Applied Privacy regularly (as a daily driver on some devices; with Android 9 there's even native support). Firefox is thinking about switching to DoH for millions of people.
So, DOH is also implemented in this app?
No, there is neither DoH nor DNS-over-TLS.
> FWIW, DNS over TLS is basically a no-go in practice, at least on Cloudflare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane number of round trips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.
Hi, DoH/DoT is slower, yes (imperceptibly, to be honest),
but DNS privacy is a main concern, possibly even more important than ad-blocking itself, and even more so since some DoT/DoH public DNS resolvers also offer... ad-blocking,
e.g. https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
We can pair one of those with Android 9+'s Private DNS option and we get the best of both worlds: ad-blocking and encrypted transport (to our DNS provider).
So, in my opinion, the client-side ad-blocking that is offered by DNS66 only makes sense when such DoT/DoH privacy/encryption is not lost.
Also on that:
> it takes about 4 times the time of a normal DNS request.
But this isn't the main speed factor on web requests, is it? Even if a page calls ten different domains, a single image (or JS, XHR or whatever) of this page will most likely take longer to load than those DNS round trips. Especially since the round trips are only relevant as long as the domains aren't in the cache yet. Or am I missing something here? :thinking:
This would be a great feature for older Android devices that don't natively support either DoH or DoT (even if one doesn't want ad-blocking, or is already using DNS ad-blocking like adguard-dns, but also wants DNS privacy).
Since this app uses a VPN connection, does this mean the DNS requests are encrypted?