DNS Settings for DNS-over-HTTP/3 (DNS-over-QUIC) on Android

In a recent blog post, Google have said that Android devices from Android 11 onwards now support DNS-over-HTTP/3 (DNS-over-QUIC).

Previously, Android (Android 9 onwards) only supported DNS-over-TLS, and not DNS-over HTTPS.

Will Android use DNS-over-HTTP/3 (DNS-over-QUIC) if the Android “Private DNS” setting is still set to these DoT settings:

DOT (Normal)
1dot1dot1dot1.cloudflare-dns.com

DOT (Block malware)
security.cloudflare-dns.com

DOT (Block malware and adult content)
family.cloudflare-dns.com

Or does the Android “Private DNS” setting need to be set to these DoH settings in order to use DNS-over-HTTP/3 (DNS-over-QUIC)?

DOH (Normal)
https://cloudflare-dns.com/dns-query

DOH (Block malware)
https://security.cloudflare-dns.com/dns-query

DOH (Block malware and adult content)
https://family.cloudflare-dns.com/dns-query
2 Likes

OK, this is what I found.

You have to use the DNS-over-TLS address for the Android “Private DNS” address. If you try to use the DNS-over-HTTPS address, it won’t accept it as the ‘Save’ button is greyed out.

However, I don’t know whether the Android DNS resolver is using DNS-over-HTTP/3 (DNS-over-QUIC), or just using plain DNS-over-TLS.

Cloudflare have a test page where it’s possible to check whether DNS-over-HTTP/3 (DNS-over-QUIC) is being used (after refreshing). However, this is just testing the web browser, rather than the DNS resolver.

2 Likes

Android so far has only supported DNS over TLS so HTTPS endpoints will not work.

My google play system update is still on 1 June so I can’t test it and Cloudflare, google, quad9 don’t have DNS over QUIC endpoints. If you have already received this update, You can test it by using adguard’s DNS over QUIC endpoints. quic://dns.adguard.com

Apparently two DNS providers (Google and Cloudflare) are hard-coded to use DNS-over-HTTPS. Entering Google or Cloudflare’s servers as the Private DNS provider hostname will make Android automatically add the https:// and /dns-query parts to the URL.
This is unfortunate because it means other servers like the malware-blocking version of Cloudflare’s DNS will continue to use DNS-over-TLS.

OK, thanks.

The malware-blocking version of Cloudflare’s DNS service is the one all my devices are set to, so it sounds like they will remain using DNS-over-TLS for now.

Are you sure about this? AFAIK, Android only supports DoT. iOS supports both using .mobileprovision profiles.

I received 1 July android system update today and tried quic://dns.adguard.com but it won’t let me use this as a URL. :expressionless:

It’ll only accept dns.adguard.com and that just ends up using DoT rather than DoQ. :pensive:

Correction, https://mobile.twitter.com/MishaalRahman/status/1549488111045967872

DNS over HTTP/3 is not DNS over QUIC.

DNS over HTTP/3 is based on DNS over HTTPS (DoH), but supports the HTTP/3 protocol (I’m actually curious if common DNS resolvers can recognise and use HTTP/3 properly).

DNS over QUIC (DoQ) is based directly on the QUIC protocol and uses the same port 853 as DNS over TLS (DoT) by default, but with UDP.

2 Likes

on a free cloudflare accout is it possible DNS over QUIC (DoQ)

Does anyone have a pcap with keylog for DoH3 traffic ?