Solved: DoH & DoT not working with Private DNS on Android

Many refer to this situation as an Android bug, but it is not; indeed, it is expected behavior, as it allows operating systems that no longer receive updates, but still have applications that do, to keep up with security.
Everything changed once Chrome version 85 started supporting DoH.

I figured out where the problem is and also how to fix it.
I leave below a short non-technical explanation so that it is understandable to everyone.

In Android, going to “System settings → Connections → Other connection settings → Secure DNS” (may differ depending on the model),
we have the ability to tell the system to override any DNS setting above it by redirecting it to the server described in the Secure DNS field.

Having said that, it is clear that the DNS acquired by the phone through your access point's DHCP will be bypassed by the Android system itself.

The same thing, that is exactly the same behavior, happens with some applications such as browsers (and maybe some other apps too, but with browsers for sure).

Let's see an example with Chrome for Android:
If we open Chrome on Android and go to “Settings → Privacy and Security → Use Secure DNS”,
we will notice the same setting as in the system, and it allows us to do the same thing as the previous one: it gives the browser the possibility to bypass any DNS setting above it by redirecting it to the server described in the Secure DNS field.

The only difference between the OS and browser Secure DNS settings is that the system supports DoT, while the browser currently only supports DoH.

In fact, if you do some tests you will get the following results;
tests 3, 4 and 5 give evidence for my theory.

Test 1: All Secure DNS settings off → resolution goes through the main connection's DNS.

System Secure DNS: OFF → no hostname was set
Chrome Secure DNS: OFF → no DNS IP was set
Result:
https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkNERyIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkZyZWUgU0FTIiwiaXNwQXNuIjoiMjk0NDcifQ==

Test 2: Only the system Secure DNS enabled → resolution goes through the one.one.one.one DNS, which supports DoT.

System Secure DNS: ON → one.one.one.one was set
Chrome Secure DNS: OFF → no DNS IP was set
Result:
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Test 3: Only Chrome's Secure DNS active → resolution goes through 1.1.1.1 (one.one.one.one cannot be set in the browser settings).

System Secure DNS: OFF → no hostname was set
Chrome Secure DNS: ON → 1.1.1.1 was set
Result:
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Test 4: Both Secure DNS options active → in this case Chrome uses its own Secure DNS instead of the system one.

System Secure DNS: ON → one.one.one.one was set
Chrome Secure DNS: ON → Cloudflare (1.1.1.1) was set
Result:
https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Test 5: Both Secure DNS options active → here too we clearly see that Chrome dominates the system settings.

System Secure DNS: ON → one.one.one.one was set
Chrome Secure DNS: ON → Google (Public DNS) was set
Result:
https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkNERyIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6Ikdvb2dsZSIsImlzcEFzbiI6IjE1MTY5In0=

Sorry for the somewhat long explanation, but I have tried to keep the language as high-level as possible.
And if you have to do something, do it well! :wink:

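As an added example (not part of the original post), here is a small Python script that decodes the five https://1.1.1.1/help result links quoted above. The text after `#` in each link is base64-encoded JSON produced by Cloudflare's help page; the field names used below (`isCf`, `isDot`, `isDoh`, `ispName`, `ispAsn`, `datacenterLocation`, `resolverIp-…`) are taken from those links. `winning_layer` encodes the post's own reasoning (Android Private DNS speaks DoT, Chrome Secure DNS speaks DoH, so the observed transport tells you which setting served the query); the reading that `isDot`/`isDoh` describe only the hop into Cloudflare's resolver, and are therefore "No" in Test 5 because the resolver Cloudflare saw was Google's, is my assumption, not something the post states.

```python
"""Decode the https://1.1.1.1/help result links quoted in the post.

The fragment after '#' is base64-encoded JSON emitted by Cloudflare's
help page.  The five links below are copied verbatim from the post
(Tests 1-5), so the script runs offline with no network access.
"""
import base64
import json
from urllib.parse import urlsplit

RESULT_LINKS = {
    1: "https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkNERyIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkZyZWUgU0FTIiwiaXNwQXNuIjoiMjk0NDcifQ==",
    2: "https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=",
    3: "https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=",
    4: "https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiQ0RHIiwiaXNXYXJwIjoiTm8iLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=",
    5: "https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkNERyIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6Ikdvb2dsZSIsImlzcEFzbiI6IjE1MTY5In0=",
}


def decode_help_fragment(url: str) -> dict:
    """Return the JSON object carried in the '#' fragment of a 1.1.1.1/help link."""
    frag = urlsplit(url).fragment
    # Tolerate URL-safe base64 and stripped '=' padding when pasted from elsewhere.
    frag = frag.replace("-", "+").replace("_", "/")
    frag += "=" * (-len(frag) % 4)
    return json.loads(base64.b64decode(frag))


def transport_seen(result: dict) -> str:
    """Transport Cloudflare observed on the hop into its own resolver.

    Assumption (mine, not the post's): isDot/isDoh only describe that hop, so
    when the resolver that reached Cloudflare is not Cloudflare's (isCf == "No",
    e.g. Google in Test 5) both are "No" whatever the phone used to reach it.
    """
    if result.get("isDoh") == "Yes":
        return "DoH"
    if result.get("isDot") == "Yes":
        return "DoT"
    return "none"


def winning_layer(result: dict) -> str:
    """Apply the post's model: Android Private DNS = DoT, Chrome Secure DNS = DoH."""
    transport = transport_seen(result)
    if transport == "DoH":
        return "chrome secure dns"
    if transport == "DoT":
        return "system private dns"
    return "no cloudflare encrypted transport seen"


def summarize(url: str) -> dict:
    """Condense one result link into the fields that matter for the tests above."""
    r = decode_help_fragment(url)
    return {
        "via_cloudflare": r.get("isCf") == "Yes",
        "transport": transport_seen(r),
        "layer": winning_layer(r),
        "resolver": f'{r.get("ispName")} (AS{r.get("ispAsn")})',
        "pop": r.get("datacenterLocation"),
    }


if __name__ == "__main__":
    for n, link in RESULT_LINKS.items():
        print(f"Test {n}: {summarize(link)}")
```

Running it prints one summary line per test: Test 2 shows DoT (the system's Private DNS served the query), Tests 3 and 4 show DoH (Chrome's Secure DNS won even with Private DNS set), and Test 5 shows no Cloudflare transport at all because the resolver Cloudflare saw was Google's AS15169. The same decoder works on any 1.1.1.1/help link you collect during your own tests.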