Hello there! This is my first ever question on the Cloudflare community section, and I hope to find my answer here.
I bought a new device built on Android 10 and there is an option “Private DNS”. I changed my private DNS to Cloudflare which is “1dot1dot1dot1.cloudflare-dns.com”.
So my question is:
Does it stop my ISP from tracking what I am searching/browsing on my device? Does it completely hide my browsing information? Is it safe for me to search anything and open blocked websites on my device?
Private DNS is encrypted so they cannot see which domains we've requested. But they will know the IP it resolves to. Anything else relies on the pages you're visiting and if they use 'state of the art' encryption.
TL;DR: If you want to do something illegal, Private DNS will not protect you.
DNS over HTTP (DOH) and DNS over TLS (DOT) prevent your ISP from seeing your DNS requests, and from being able to alter the responses. That is it. It does not stop them knowing what servers you subsequently connect to, and a sufficiently resourced and determined ISP will know what you are doing. (So will the NSA, GCHQ, etc.)
For example: when you visited this community, your device used Private DNS to convert “community.cloudflare.com” into 104.17.64.4 and 104.17.65.4. Your ISP did not know that happened. Without Private DNS they would be able to see that you looked up community.cloudflare.com and they could see and alter the result. With Private DNS they cannot see or alter the result.
They will be able to see that your device made a connection to a server at 104.17.65.4 on port 443. They will be able to know or infer what website is hosted at that address through two means. The most basic is to look at the HTTPS request. The hostname is not yet encrypted, so they can easily extract it. If Encrypted SNI is widely adopted, then that avenue for surveillance will be closed, but we are not there yet. They may also know what website is actually hosted at a particular IP address by using things like reverse lookup.
They will not be able to see what was in the address bar, but depending on what you are doing there are ways to fingerprint a particular page on a particular website. Various people have published papers on fingerprinting what people are watching on Netflix using traffic analysis, even though the payload is encrypted. The same applies to effectively every website you visit. The payload size, what other resources you loaded immediately after the first request, etc. all add up to help identify what you are doing. So is it safe to search anything? The best answer is maybe. Will you be able to access blocked sites? Again, it is a maybe.
Remember that Pervasive Monitoring Is an Attack, and the technologies of the web are coming together to make such surveillance more and more difficult, and to afford all of us more and more privacy on the Internet.
(But please try and use these technologies for good, and not for hiding anything illegal. That just makes it more and more likely that people have an argument to ban privacy enhancing technologies.)
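To make the "hostname is not yet encrypted" point in the answer above concrete, here is an added example (not from the thread or from Cloudflare) that builds a constructed TLS ClientHello with a server_name (SNI) extension and then parses the hostname back out the way any passive on-path observer can, which is exactly the gap that Encrypted SNI / ECH is meant to close. The sample record, its zeroed random field and single cipher suite are constructed for illustration.

```python
import struct

# Added example, not from the original thread: constructed ClientHello plus a passive SNI reader.

def build_client_hello(hostname: str) -> bytes:
    """Return a minimal TLS record holding a ClientHello whose only extension is SNI."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (
        b"\x03\x03"              # legacy_version TLS 1.2
        + b"\x00" * 32           # random: zeroed in this constructed sample
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"            # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Read the cleartext SNI hostname out of a ClientHello record; None if absent or malformed."""
    try:
        if record[0] != 0x16:                                       # not a handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                                           # not a ClientHello
            return None
        pos = 4 + 2 + 32                                            # handshake header, version, random
        pos += 1 + hs[pos]                                          # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]          # cipher_suites
        pos += 1 + hs[pos]                                          # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                                  # server_name: hostname in the clear
                data = hs[pos:pos + ext_len]
                name_len = struct.unpack("!H", data[3:5])[0]        # skip list length (2) + name_type (1)
                return data[5:5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

# Constructed sample: the hostname from the answer above, as a browser's ClientHello would carry it.
SAMPLE_HELLO = build_client_hello("community.cloudflare.com")
```

Running `extract_sni(SAMPLE_HELLO)` returns the hostname with no decryption at all, which is why encrypted DNS alone does not hide which site you visit; the same parser returns None once the name sits inside an ECH extension instead.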