In a recent blog post, Google have said that Android devices from Android 11 onwards now support DNS-over-HTTP/3 (DNS-over-QUIC).
Previously, Android (Android 9 onwards) only supported DNS-over-TLS, and not DNS-over-HTTPS.
Will Android use DNS-over-HTTP/3 (DNS-over-QUIC) if the Android “Private DNS” setting is still set to these DoT settings:
DOT (Block malware)
DOT (Block malware and adult content)
Or does the Android “Private DNS” setting need to be set to these DoH settings in order to use DNS-over-HTTP/3 (DNS-over-QUIC)?
DOH (Block malware)
DOH (Block malware and adult content)
OK, this is what I found.
You have to use the DNS-over-TLS address for the Android “Private DNS” address. If you try to use the DNS-over-HTTPS address, it won’t accept it as the ‘Save’ button is greyed out.
However, I don’t know whether the Android DNS resolver is using DNS-over-HTTP/3 (DNS-over-QUIC), or just using plain DNS-over-TLS.
Cloudflare have a test page where it’s possible to check whether DNS-over-HTTP/3 (DNS-over-QUIC) is being used (after refreshing). However, this is just testing the web browser, rather than the DNS resolver.
Android so far has only supported DNS over TLS, so HTTPS endpoints will not work.
My Google Play system update is still on 1 June, so I can’t test it, and Cloudflare, Google and Quad9 don’t have DNS over QUIC endpoints. If you have already received this update, you can test it by using AdGuard’s DNS over QUIC endpoint: quic://dns.adguard.com
Apparently two DNS providers (Google and Cloudflare) are hard-coded to use DNS-over-HTTPS. Entering Google or Cloudflare’s servers as the Private DNS provider hostname will make Android automatically add the https:// and /dns-query parts to the URL.
This is unfortunate because it means other servers like the malware-blocking version of Cloudflare’s DNS will continue to use DNS-over-TLS.
The malware-blocking version of Cloudflare’s DNS service is the one all my devices are set to, so it sounds like they will remain using DNS-over-TLS for now.
Are you sure about this? AFAIK, Android only supports DoT. iOS supports both using
I received the 1 July Android system update today and tried quic://dns.adguard.com, but it won’t let me use this as a URL.
It’ll only accept dns.adguard.com, and that just ends up using DoT rather than DoQ.
This still doesn’t seem to be HTTP/3; look at this.
(Actually, I’m not sure anymore; there might be a reason for it to return that Google’s DNS is supported but Cloudflare’s is not. Look under the replies.)
I’m not sure anyone has confirmed that these connections are HTTP/3 at all. It would be nice to know.
DNS over HTTP/3 is not DNS over QUIC.
DNS over HTTP/3 is based on DNS over HTTPS (DoH), but supports the HTTP/3 protocol (I’m actually curious if common DNS resolvers can recognise and use HTTP/3 properly).
DNS over QUIC (DoQ) is based directly on the QUIC protocol and uses the same port 853 as DNS over TLS (DoT) by default, but with UDP.
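To make the distinction in the post above concrete, here is an added example (not code from anyone in this thread) that builds one wire-format DNS query and shows how the same message is carried on each transport: DoT and DoQ both frame it with a 2-byte length prefix on port 853 (TCP vs. UDP/QUIC), while DoH and DoH/3 put it in an HTTPS request on port 443, here in the RFC 8484 GET form under the /dns-query path that Android appends for its hard-coded providers. The host dns.google is only an example value.

```python
import base64
import struct

# Transport summary as stated in the thread: DoT/DoQ share port 853, DoH/DoH3 use 443.
TRANSPORTS = {
    "DoT":   {"port": 853, "layer": "TCP + TLS"},
    "DoQ":   {"port": 853, "layer": "UDP + QUIC (RFC 9250)"},
    "DoH":   {"port": 443, "layer": "TCP + TLS, HTTP/1.1 or HTTP/2 (RFC 8484)"},
    "DoH/3": {"port": 443, "layer": "UDP + QUIC, HTTP/3 (same DoH message format)"},
}


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 query: header with RD set and one question (class IN).
    ID 0 is the default because DoQ requires it and DoH recommends it for cacheable GETs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_stream(msg: bytes) -> bytes:
    """DoT (RFC 7858) and DoQ (RFC 9250) both send each message as 2-byte length + message."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(host: str, msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET form: the raw message base64url-encoded without padding in the `dns` parameter.
    HTTP/3 changes only the HTTP layer underneath; the URL and body format are identical."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={param}"


def doh_param_to_query(url: str) -> bytes:
    """Reverse of doh_get_url: recover the wire-format message from the `dns` parameter."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("example.com")  # constructed sample query for an A record
    print("DoT/DoQ stream bytes:", frame_stream(q).hex())
    print("DoH/DoH3 GET URL:   ", doh_get_url("dns.google", q))
    for name, t in TRANSPORTS.items():
        print(f"{name:5} -> port {t['port']}, {t['layer']}")
```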