
Encrypted DNS Connection?

Open ghost opened this issue 9 years ago • 16 comments

Since this app uses a VPN connection does this mean the DNS requests are encrypted?

ghost avatar Oct 22 '16 12:10 ghost

No, unfortunately not. The VPN encryption is just used on the local device so we can intercept the DNS traffic and hijack queries for blocked hosts (the VPN layer responds directly with "No such domain" for blocked hosts).

For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point. I'm not sure if there's any usable java library, though.

julian-klode avatar Oct 22 '16 12:10 julian-klode
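To make the mechanism described above concrete (intercepting a plain UDP/53 query and answering blocked names with "No such domain" locally, while everything else is forwarded unchanged), here is an added stand-alone Python illustration. It is not DNS66's code: the blocklist entry and the `build_query` helper are constructed for the example, and the name parser assumes the question section uses no label compression.

```python
import struct

BLOCKED = {"ads.example.test"}  # constructed blocklist entry, not a real host


def parse_qname(msg, offset):
    """Decode one uncompressed DNS name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qid=0x1234):
    """Construct a standard A/IN query so the example runs offline (test helper)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def handle_query(msg):
    """Return an NXDOMAIN response if the name is blocked, else None (forward upstream)."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:  # not a query, or unusual question count
        return None
    qname, end = parse_qname(msg, 12)
    question = msg[12:end + 4]  # name + QTYPE + QCLASS, echoed back verbatim
    if qname.lower() not in BLOCKED:
        return None
    # QR=1, RA=1, copy the client's RD bit, RCODE=3 (NXDOMAIN); no answer records
    resp_flags = 0x8080 | (flags & 0x0100) | 0x0003
    header = struct.pack("!HHHHHH", qid, resp_flags, 1, 0, 0, 0)
    return header + question


def rcode_of(response):
    """Extract the RCODE from a DNS message header."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F
```

Wire this into a VPN-style UDP interceptor by calling `handle_query` on each datagram: a non-None result is written straight back to the client, a None result is sent to the configured upstream resolver.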

For encrypted DNS services there is a protocol called DNSCrypt, it would be a lovely feature to have at some point.

I use this for DNSCrypt on my android devices, though it requires root. I did not make the app.

https://play.google.com/store/apps/details?id=com.okirat.dnsmanager

pizzadude avatar Oct 25 '16 18:10 pizzadude

Regarding DNSCrypt-proxy you could have a subprocess that runs the daemon and you just route all DNS queries of UDP 53 to it :)

Here is an implementation that piggybacks on Unbound (to manage cache and DNSSEC): https://github.com/smarek/android-unbound-dns/issues/18

In the APK there's a package.zip with plain bash scripts, you can get an idea of how this can be done.

/PS: Yes, I'll hurry up and set a repo with my fork of Unbound to make things open and clear :)

licaon-kter avatar Mar 07 '17 18:03 licaon-kter

I would be very interested in this.

LivInTheLookingGlass avatar Apr 03 '17 20:04 LivInTheLookingGlass

Adguard For Android seems to have implemented DNSCrypt

github.com/AdguardTeam/AdguardForAndroid/issues/1134
github.com/AdguardTeam/AdguardForAndroid/issues/1053

zero77 avatar Nov 01 '17 13:11 zero77

Note that I'd rather go with DNS over TLS now. It's an easy protocol, but it needs quite a lot of reworking in DNS66.

julian-klode avatar May 11 '18 21:05 julian-klode

JFTR: #102 mentioned these dnscrypt resolvers https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

julian-klode avatar May 11 '18 21:05 julian-klode

Android 9 has native DNS over TLS support.

For Android 4.0+, there's DNS over HTTPS support in Intra (Apache 2.0 License) https://github.com/Jigsaw-Code/Intra

https://github.com/Jigsaw-Code/Intra/tree/master/Android/app/src/main/java/app/intra

https://github.com/Jigsaw-Code/Intra/blob/master/Android/app/src/main/java/app/intra/DnsResolverUdpToHttps.java

westurner avatar Oct 06 '18 03:10 westurner

FWIW, DNS over TLS is a nogo in practice basically, at least on CloudFlare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane amount of roundtrips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.

julian-klode avatar Jan 10 '19 07:01 julian-klode

I would love to see this feature. With Cloudflare and Google (both the DNS and Chrome) jumping on the encrypted DNS train, in my opinion it won't take long for most of the DNS traffic to be encrypted (finally, as it's also pretty sensitive). I also think the performance isn't that much of a problem anymore. F.e. I am using the DoH of the Foundation for Applied Privacy regularly (as a daily driver on some devices - with Android 9 there's even native support). Firefox is thinking about switching to DoH for millions of people.

alexrashed avatar Nov 21 '19 21:11 alexrashed

Maybe things like DoTClient, jDnsProxy, Turbodns, Intra-DNS or DNS Proxy could serve as an inspiration (or even be used).

Or maybe at least the changes in other blockers (1, 2).

There's also the MIT licensed DnsLibs, that the Adguard folks are using (it's sadly not Java, though).

alexanderadam avatar Jul 07 '20 13:07 alexanderadam

So, DOH is also implemented in this app?

githubashutoshsoni avatar Jul 27 '20 16:07 githubashutoshsoni

No, there is neither DoH nor DNS-over-TLS.

julian-klode avatar Jul 27 '20 17:07 julian-klode

FWIW, DNS over TLS is a nogo in practice basically, at least on CloudFlare and 9.9.9.9, as both close connections very shortly after your query, thus forcing an insane amount of roundtrips to open another connection for your next request, meaning it takes about 4 times the time of a normal DNS request.

hi, doh/dot is slower, yes, (imperceptible, to be honest)

but dns privacy is a main concern, possibly even more important than ad-blocking itself and even more so since some dot/doh public dns resolvers also offer... ad-blocking

e.g. https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md

we can pair one of those with Android 9+'s Private DNS option and we get the best of both worlds: adblocking and encrypted transport (to our dns provider)

so, in my opinion, the client-side-ad-blocking that is offered by dns66 only makes sense when such dot/doh privacy/encryption is not lost

kcris avatar Dec 30 '20 02:12 kcris

Also on that:

it takes about 4 times the time of a normal DNS request.

But this isn't the main speed factor on web requests, is it? Even if a page calls ten different domains, a single image (or JS, XHR or whatever) of this page will most likely take longer to load than those DNS roundtrips. Especially since the roundtrips are only relevant as long as the domains aren't in the cache yet. Or am I missing something here? :thinking:

alexanderadam avatar Dec 30 '20 08:12 alexanderadam

This would be a great feature for older Android devices that don't natively support either DoH or DoT (even if one doesn't want ad-blocking, or is already using DNS ad-blocking like adguard-dns, but also wants DNS privacy).

geekley avatar Sep 11 '23 04:09 geekley