DNS Settings for DNS-over-HTTP/3 (DNS-over-QUIC) on Android

Amarosa · July 21, 2022, 1:51am

In a recent blog post, Google have said that Android devices from Android 11 onwards now support DNS-over-HTTP/3 (DNS-over-QUIC).

Previously, Android (Android 9 onwards) only supported DNS-over-TLS, and not DNS-over HTTPS.

Will Android use DNS-over-HTTP/3 (DNS-over-QUIC) if the Android “Private DNS” setting is still set to these DoT settings:

DOT (Normal)
1dot1dot1dot1.cloudflare-dns.com

DOT (Block malware)
security.cloudflare-dns.com

DOT (Block malware and adult content)
family.cloudflare-dns.com

Or does the Android “Private DNS” setting need to be set to these DoH settings in order to use DNS-over-HTTP/3 (DNS-over-QUIC)?

DOH (Normal)
https://cloudflare-dns.com/dns-query

DOH (Block malware)
https://security.cloudflare-dns.com/dns-query

DOH (Block malware and adult content)
https://family.cloudflare-dns.com/dns-query

Amarosa · July 21, 2022, 11:26am

OK, this is what I found.

You have to use the DNS-over-TLS address for the Android “Private DNS” address. If you try to use the DNS-over-HTTPS address, it won’t accept it as the ‘Save’ button is greyed out.

However, I don’t know whether the Android DNS resolver is using DNS-over-HTTP/3 (DNS-over-QUIC), or just using plain DNS-over-TLS.

Cloudflare have a test page where it’s possible to check whether DNS-over-HTTP/3 (DNS-over-QUIC) is being used (after refreshing). However, this is just testing the web browser, rather than the DNS resolver.

ishanjain28 · July 21, 2022, 6:09pm

Android so far has only supported DNS over TLS so HTTPS endpoints will not work.

My google play system update is still on 1 June so I can’t test it and Cloudflare, google, quad9 don’t have DNS over QUIC endpoints. If you have already received this update, You can test it by using adguard’s DNS over QUIC endpoints. quic://dns.adguard.com

Tarball · July 21, 2022, 8:42pm

Apparently two DNS providers (Google and Cloudflare) are hard-coded to use DNS-over-HTTPS. Entering Google or Cloudflare’s servers as the Private DNS provider hostname will make Android automatically add the https:// and /dns-query parts to the URL.
This is unfortunate because it means other servers like the malware-blocking version of Cloudflare’s DNS will continue to use DNS-over-TLS.

Amarosa · July 21, 2022, 10:46pm

OK, thanks.

The malware-blocking version of Cloudflare’s DNS service is the one all my devices are set to, so it sounds like they will remain using DNS-over-TLS for now.

ishanjain28 · August 11, 2022, 10:53am

Are you sure about this? AFAIK, Android only supports DoT. iOS supports both using .mobileprovision profiles.

I received 1 July android system update today and tried quic://dns.adguard.com but it won’t let me use this as a URL.

It’ll only accept dns.adguard.com and that just ends up using DoT rather than DoQ.

ishanjain28 · August 11, 2022, 12:29pm

Correction, https://mobile.twitter.com/MishaalRahman/status/1549488111045967872

LucasMZ · October 23, 2022, 5:18am

This doesn’t seem to be HTTP/3 still, look at this.

(actually not sure anymore there might be a reason for it to return that google’s dns is supported but Cloudflare is not look under replies)

I’m not sure anyone has confirmed that these connections are HTTP/3 at all. It would be nice to know.

wordlesswind · December 6, 2022, 11:34am

DNS over HTTP/3 is not DNS over QUIC.

DNS over HTTP/3 is based on DNS over HTTPS (DoH), but supports the HTTP/3 protocol (I’m actually curious if common DNS resolvers can recognise and use HTTP/3 properly).

DNS over QUIC (DoQ) is based directly on the QUIC protocol and uses the same port 853 as DNS over TLS (DoT) by default, but with UDP.