Question DNS over HTTPS - Google Pixel 7 Pro

Hi,
I've read on multiple pages that A13 supposedly supports DNS over HTTPS but there's no such option under the private DNS settings. It keeps using DNS over TLS.
Anyone know how to properly enable it so self-originating traffic uses DoH?

Not trying to advertise anything specific, but this:
DoH with Quad9 DNS Servers | Quad9
DoH is a secure DNS protocol that is getting a lot of traction lately. Mozilla announced support for it in their Firefox browser and Google recently announced support for developers and Alphabet through Jigsaw released the Intra app for Android.
www.quad9.net
has a link to this:
A safer route to a more open internet
Intra is an Android app that gives you safer, more open Internet access. Intra protects you from DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.
getintra.org
Maybe one or both could get you what you're looking for. I don't particularly know if there is a native way since the first article is from 2018.

roirraW edor ehT said:
Not trying to advertise anything specific, but this:
DoH with Quad9 DNS Servers | Quad9
DoH is a secure DNS protocol that is getting a lot of traction lately. Mozilla announced support for it in their Firefox browser and Google recently announced support for developers and Alphabet through Jigsaw released the Intra app for Android.
www.quad9.net
has a link to this:
A safer route to a more open internet
Intra is an Android app that gives you safer, more open Internet access. Intra protects you from DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.
getintra.org
Maybe one or both could get you what you're looking for. I don't particularly know if there is a native way since the first article is from 2018.
Thanks but I'm looking for a native way and it keeps sticking to DoT.

Dracozirion said:
Hi,
I've read on multiple pages that A13 supposedly supports DNS over HTTPS but there's no such option under the private DNS settings. It keeps using DNS over TLS.
Anyone know how to properly enable it so self-originating traffic uses DoH?
From what I remember reading you have to use either dns.google or cloudflare-dns.com to get the advantage of DoH. Google hasn't opened it to other sources like adguard.net or nextdns iirc

Mrcactuseater said:
From what I remember reading you have to use either dns.google or cloudflare-dns.com to get the advantage of DoH. Google hasn't opened it to other sources like adguard.net or nextdns iirc
That seems to have done it for some reason. Netdaemon uses HTTP3 (QUIC) now, didn't seem to work with 1dot1dot1dot1.cloudflare-dns.com.
Gonna monitor this, thanks!
Edit: there's still an active session for DoT (TCP port 853) but the TX/RX counters increase only for the QUIC session. Probably fallback or so.

I have a question about all these new DNS protocols: how does the phone initially resolve the FQDN 1dot1dot1dot1.cloudflare-dns.com or DNS.google? I guess connectivity to a classical DNS server is required for that first query, or are they hardcoded in the hosts file?

@Dracozirion for what it's worth if you're rooted, Magisk has a setting for "DNS over HTTPS", but I assume you're not rooted since you're looking for a native function - but also informational in case another user visits this thread for the similar purpose of achieving it any way they can.
I haven't used this setting.

Mrcactuseater said:
From what I remember reading you have to use either dns.google or cloudflare-dns.com to get the advantage of DoH. Google hasn't opened it to other sources like adguard.net or nextdns iirc
Thanks. Now I have DoH via Cloudflare.

roirraW edor ehT said:
@Dracozirion for what it's worth if you're rooted, Magisk has a setting for "DNS over HTTPS", but I assume you're not rooted since you're looking for a native function - but also informational in case another user visits this thread for the similar purpose of achieving it any way they can.
I haven't used this setting.
I did root but that's only for DNS requests coming from the Magisk app itself.

Dracozirion said:
I did root but that's only for DNS requests coming from the Magisk app itself.
Ah, I see. Thanks!

Related

Making the Mobile Web Safer with HTTPS Everywhere

EFF is bringing the security and privacy of HTTPS Everywhere to an important new frontier: your Android phone. As of today, you can install HTTPS Everywhere on Firefox for Android (until now, it could only protect desktop browsers). With HTTPS Everywhere installed, Firefox for Android encrypts thousands of connections from your browser that would otherwise be insecure. This gives Firefox a huge security advantage over every other mobile browser available today.
This is exciting news, because HTTPS encryption allows smartphone users to safely download apps, browse the web, exchange emails and instant messages, sync data between devices, and countless other everyday tasks. As we carry around our phones and tablets, we often connect to unfamiliar WiFi networks, putting our personal data at risk of being monitored, collected, and tampered with by anyone else on the same network, as well as Internet Service Providers, network operators, and government agencies. In fact, we discovered last week that NSA and GCHQ have been invisibly tracking and profiling users based on data leakage from smartphone apps.
HTTPS Everywhere guards against these attacks in your browser by switching insecure HTTP connections to secure HTTPS connections whenever possible using thousands of URL rewrite rules. Whereas data sent to a server over HTTP can easily be read and modified by third parties, HTTPS uses strong encryption to guarantee data confidentiality and integrity.
https://www.eff.org/deeplinks/2014/01/making-the-mobile-web-safer-with-https-everywhere
Figured I'd share this with you guys. HTTPS Everywhere has been a great desktop Firefox addon, I'm really happy to see them finally get a mobile Firefox version out. Probably the best way this would protect people are when using public wifi, but of course the site you visit would have to offer some form of HTTPS/SSL for the addon to work. It basically just helps you get the most out of sites that do offer it (some sites, like Youtube for instance default to HTTP).
Hmmm.. interesting.... But does Https Everywhere still have the problem that because of it, pages in general load a lot slower?
I haven't noticed any slowdown personally. All this does really is help sites that support HTTPS/SSL to some extent, but for whatever reason do not default to it when a user visits the page. And obviously they make sure the site doesn't get broken before adding it to their extension's site list.
There's a whole FAQ here too that might explain it better than I ever could. All I know is if Tor browsers use it along with Noscript, it's a good security add on. Way better than nothing.
https://www.eff.org/https-everywhere/faq
But the add on should also make use of their SSL Observatory, which is a measure in place to protect users:
The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure.
https://www.eff.org/observatory

[APP][2.3.3+][PROXY][NO ROOT] Orxy -- Android Tor Proxy

Lots of people are having trouble getting Orbot working on newer devices. To solve this I made Orxy: a compatible alternative free anonymous Tor proxy.
Orxy is an Orbot alternative that supports devices running the latest Android. Orxy protects network traffic using The Onion Router (Tor) network. Tor encrypts the data and sends it through random points across the world to hide where the connection started. For example, while using Orxy, a website you visit might think you're looking at it from another country. Use it the same way as Orbot: configure your apps to use the local proxy server settings. Instruction details on the play store page.
It has optional add-ons to get full Tor proxying without root, and to hide the Tor traffic in another layer of encryption. Neither is required to use the app.
If Orbot is not working, I hope it helps get people their Tor back.
Available on Google Play
Legalese: It is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else. Do not use without knowing the inherent risks and limitations of Tor. Use at your own risk.
Thanks....
It's Cool
Glad you like it, thanks for the support.
Promo for XDA readers:
https://rideem.io/from/orxify/for/xda gives out a code per day to get the orxify add-on free.

Phone privacy and security, is it possible to be completely private and secure?

I have always known that companies like Google and Facebook, for example, collect our data, web searches etc. and sell this information for profit. Today, this has become an even bigger issue with what we see in the media with the NSA and other government organizations tapping into our devices and monitoring our usage. At the end of the day, most of us, myself included, really don't have anything to hide, so it may not be a real issue. I have often thought that if anyone poked around in my PC or phone they would simply get bored as they are just full of geeky engineering files lol. The real thing for me is simply that it's an invasion of privacy and just not right. With that said, I find myself wanting to go the extra mile to make my PC and my phone completely private from outside sources taking my information, watching my web searches and seeing my data. My question is, is it possible to be 100% secure and private, and if not, how close can we get, and how? I have heard that VPNs can achieve this. Is this true? And if so, are there any free secure VPNs for our Android devices and/or PCs that are really good? Do VPNs slow down our devices? Also, is there a way, when we delete Android files, to permanently delete them? I noticed when I flashed my ROM, after doing the complete wipe, that it still contains files from before the wipe.
(I know this isn't a pc forum, I only included the pc because it's relevant.)
Thank you all in advance.
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Hoxic said:
There are no data retention laws in the United States. Meaning, if a data center does not want to hold any logs to their users' activity, they're not required by law to do so. Multiple countries are similar, which is why I recommend using Private Internet Access for your VPN. They have a client for PC and Android and they're really great. I've been using them for many years and have had no issues. And, if you're really wanting to remain "anonymous", you can pay for your VPN subscription using gift cards from popular outlets like Walmart, Starbucks, etc. And for search engines, I'd recommend DuckDuckGo, which doesn't log anything you search. For PC, I'd recommend disabling your IPv6 protocol in your router settings and getting uBlock Origin, HTTPS Everywhere, and PrivacyBadger. They're wonderful add-ons for Firefox or Chrome. uBlock Origin and PrivacyBadger can block WebRTC leaks which would leak your IP address and can be used to identify you. If you want more information, feel free to reply to my post and I'll help you out as much as I can.
Hoxic,
Thank you for all of the information. With the Private Internet Access VPN on my PC and Android, will that slow down anything like web surfing, uploads or downloads? I am limited to using Verizon's high speed DSL connection, as they refer to it (I refer to it as the slowest speed connection lol), in my neighborhood and this is the only provider for me, so it's already pretty slow compared to FiOS and other broadband connections. I would hate to slow it down any more.
You mention paying for these services using gift cards and such. Well, as I mentioned, I do not have anything that I am actually worried about anyone seeing; this is simply my way of trying to protect my privacy, so I wouldn't go that far, but I am curious about that statement. Do you mean that using a VPN truly isn't private, or is this just to remove any paper trail linking me to the use of a VPN provider? I have been using DuckDuckGo for several years already just to stop Google from taking and selling my info. Whether it truly works or not I don't know, but it's a great search engine anyway so I figured why not use it.
Your advice to disable the IPv6 protocol in my router settings: I do not see anywhere in my router settings to do this, so I googled it, and it looks like there's a way to do this in Windows. Is that different from what you're advising? Also, I read a Windows blog on this and Windows 10 says IPv6 is a mandatory part of Windows that they do not advise disabling. Can you give me some more detail on this, and how to disable it, assuming the Windows warning is bull?
Thanks for all of your help.

Private DNS for Android (and other systems)

Private DNS has been around for a little bit on newer devices. However, finding a service that provides both the Private DNS side (TLS) and ad-blocking, filtration of bad domains, etc., has been another whole mess.
I've launched a donation-backed Private DNS service which provides an internet-side option. Think pi-hole style blocking without needing a VPN or only working from your LAN.
What's this entail?
1. Running Android Pie (or anything with the feature ported to it)
2. Using a custom Private DNS Server address that I will provide.
What happens?
1. Your DNS requests are routed via DNS-over-TLS to my CDN virtual machines.
2. Your DNS requests are then locally processed through several internal systems including the infamous Pi-Hole.
3. Final data requests from the local resolver are forwarded via DNS-over-HTTPS to root DNS servers such as 1.1.1.1 and others that are found to support HTTPS protocol.
4. No personal data is stored. Only data with respect to filtration is stored such as blocked versus permitted domains, hit/misses, and caching statistics to continue to develop a more fluid system.
What do I do?
Put "DNS.DEREKGORDON.COM" in your Private DNS settings for Android.
Use IP address 35.243.170.151 for other applications to include your home network router, ChromeOS, etc.
Like it? CONSIDER DONATING. This system is kicking out almost one million responses a day for users.
More information is at http://www.derekgordon.com/dns/.
Always provide THANKS no matter what folks. It's the nice thing to do....
So we are looking at an encrypted DNS with ad blocking? I would be into trying that.
I'm using dns.agduard.com at the moment on my Huawei P20 pro running Android pie.
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
crypted said:
Have a number of people using it without issue now....
Check it out here:
https://www.derekgordon.com/dns
I'm gonna check it out
Cool. Give it a go. My only concern now rests with the attack prevention stuff I've added. It rate limits and bans those who are hitting the server or servers if expanded quite hard. Basically it's to ward off attackers. Anyway no bad reports from it but it's the only factor I'm not totally sure of.
Gonna give it a shot and give you my results in 24hrs.
Cool. I have zero issues on our family's Pixel 2s and 3s. No one said much bad except someone who had login issues on an Xbox when they used the system for their network's DNS. I solved that for them.
Note I'm not filtering Google ads domain as a few people complained since they click the first couple links on Google. I haven't felt intruded upon by ads with this change since making it a couple weeks back.
Hi,
Sometimes I can use this DNS, sometimes I cannot.
My Mi 8 running the Baskalos ROM says it couldn't connect.
Is it because of my ISP?
Very strange. No one has reported that issue. Is it the same result on WiFi vs mobile data? Want to give me your IP to search logs?
I've used the server in four countries on various WiFi and mobile networks without issue on a Pixel 3.
How did you get the Private DNS in android Pie to recognize your dns server? I've got my own pi-hole server, yet when I put in my FQDN, I lose internet access on my phone.
First, I don't use Pi-Hole only. I made a custom Debian image and deployed it into the world of CDN. Pi-Hole's opensource software was incorporated as one of my mechanisms for blacklists.
To your point on connection, you need two things: 1) a TLS server to establish the connection and 2) signed certificates for the domain you are using installed on your server. Android will connect via TLS and will verify that your certificate is valid against its root certificates on the device.
Happy note - my server is providing over 250,000 queries daily now and over 90% connect via TLS so that indicates lots of happy Android users.
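To make the two requirements stated in this thread concrete, the dns.google / cloudflare-dns.com point earlier in the thread and the "TLS server plus a valid certificate for the hostname" point just above, here is an added example of a minimal DNS-over-TLS and DNS-over-HTTPS client. It is not code from any poster or from the service discussed; it is written for this page and assumes Python 3 with only the standard library. `ssl.create_default_context()` verifies the chain against the system trust store and checks that the certificate matches the hostname, which is the same check Android performs in strict Private DNS mode, so a self-hosted server that fails this script will also fail on the phone. The resolver's own hostname is looked up with the ordinary system resolver before the TLS session is opened, which is how the bootstrap question earlier in the thread is answered in practice. The hostnames dns.google and cloudflare-dns.com come from the thread; the `sample_response()` bytes and the address 192.0.2.10 (an RFC 5737 documentation address) are constructed so the parser can be exercised offline.

```python
import socket
import ssl
import struct
import urllib.request
from typing import List, Tuple


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS wire-format query: one question, RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name at `off`; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Return the IPv4 addresses in the answer section after checking txid and RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_host: str, name: str, port: int = 853, timeout: float = 5.0) -> List[str]:
    """Resolve `name` over DNS-over-TLS (RFC 7858) with full certificate and hostname verification."""
    ctx = ssl.create_default_context()
    # Bootstrap: the resolver's own hostname is looked up with the ordinary system resolver.
    ip = socket.getaddrinfo(server_host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    txid = 0x4242
    q = build_query(name, txid=txid)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_host) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)  # DoT prefixes each message with a 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
    return parse_a_records(resp, txid)


def doh_query(server_host: str, name: str, timeout: float = 5.0) -> List[str]:
    """Resolve `name` over DNS-over-HTTPS (RFC 8484) by POSTing the same wire-format query."""
    txid = 0x4242
    q = build_query(name, txid=txid)
    req = urllib.request.Request(
        "https://%s/dns-query" % server_host, data=q, method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # certificate verified by default
        return parse_a_records(resp.read(), txid)


def sample_response(rcode: int = 0) -> bytes:
    """Constructed reply to build_query('example.com', txid=0x4242): one A record, compressed name."""
    header = struct.pack("!HHHHHH", 0x4242, 0x8180 | rcode, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    print("DoT via dns.google:", dot_query("dns.google", "example.com"))
    print("DoH via cloudflare-dns.com:", doh_query("cloudflare-dns.com", "example.com"))
```

Pointing `dot_query` at a self-hosted resolver's hostname is a quick way to confirm the certificate chain is what the phone will accept: an `ssl.SSLCertVerificationError` here means Android's Private DNS setting will report "couldn't connect" as well.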
I'll check yours out and see how well it compares to the VPN connection I currently use to my pihole.
Been loving your Private DNS so far. Great job on it. Question though, do you have a form or something for people to submit domains that are blocked and shouldn't be?
Hey. Feel free to tell me these domains. There is such high usage and hardly any feedback so I haven't even thought about it. I could make a Google Form later.
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
crypted said:
Actually, I had a spare moment at lunch. Try this: https://forms.gle/oGtAFKAc7yJPmmEZ6
Was gonna request https://go.redirectingat.com be unblocked since many many sites use it to link to products on sites like Walmart and Amazon. Can't use that form though since you require a screenshot URL, and I can't screenshot a redirection site.
You figured out a good workaround to make your request. Processing now, give it a minute and should be good.
All of your requests are cleared if you didn't notice yet. Happy browsing.
Not really sure how to publicize this and it probably isn't worth trying to do... But for those who do use this, and there are plenty of folks, I have been working on some changes.
1. These will not work with Android as I don't have the extra cash to blow on more SSL certificates. But, they will work for home networking purposes:
US.EAST.DNS.DEREKGORDON.COM
US.WEST.DNS.DEREKGORDON.COM
DE.FRUNKFURT.DNS.DEREKGORDON.COM
BR.SAO.DNS.DEREKGORDON.COM
2. DNS.DEREK.GORDON.COM is now a pool of a number of VM instances that are connected to Google's CDN. It will grow as necessary. This helps spread out some of the intensity that has been hitting the TLS daemon.
3. Servers will automatically reboot between once a week to every other week depending on load and latency. Sometimes the intense flood of queries really makes things sluggish. Reboot takes just a few seconds and I'm working for it to time it during off-peak hours so hardly anyone will notice.
Hi, I have my own pihole installed on an AWS server. Could you please share a tutorial on how I could make it work with Private DNS in Android Pie? Thanks.

Manage Ads without Root Access

A great option for taming the massive onslaught of advertisements constantly invading your phone has been an app available on XDA called AdAway.
Unfortunately, it requires root access, which is not yet available on the Galaxy A71 5G (SM-A716U with Snapdragon 765G).
However, the next best option for managing ads at the device level is using a feature built into Android 9 and up which allows you to set a custom DNS server. And this does not require root access or otherwise hacking your phone. You are just changing a setting.
Many private DNS services exist which provide a variety of additional benefits. Some not only block Ad sites, but also block known malicious sites, and block sites that are not appropriate for children.
This page lists several options for DNS services depending on what you want to block.
https://cyanish.com/how-to-block-ads-and-malicious-domains-in-android-easily/
I find that AdGuard and Nixnet seem to be the most effective at blocking ad sites. OpenDNS and Quad9 are better at blocking malicious or inappropriate sites. I set my home router to use OpenDNS for this reason.
Note that some DNS services may be based in other countries. You may want to do some additional research to help decide which one is most appropriate for you.
Once you have decided which DNS service to try, on your Android phone, go to:
Settings > Connections > More Connections Settings > Private DNS
And enter the host name of the DNS service you want to try.
You may need to reboot your device to see the full change. If you don't get results you are happy with, try a different service and reboot. You can change back to the standard DNS settings at any time.
I use DNS66 and it seems to work well but I haven't tried the others listed above. How do they compare?
I use OpenDNS on my home router since they allow you more control over the types of sites they block.
I tried Quad9. I did not see much ad blocking when using it. But that's not surprising since it is a consortium of companies like IBM, etc. It probably does a nice job blocking malicious sites.
AdGuard worked great at blocking ads. It is a Russian site, and that isn't necessarily a bad thing. But it helps make the point to do your research because whatever service you choose will know the sites you visit (unless you are using the encrypted DNS services specifically for that reason).
Some of the others are probably a better choice if you live in Europe, but in North America there are probably sites that perform better.
I went with Nixnet and have been happy with it so far.
I've done well without root using the paid AdGuard version. It worked well on my Huawei Mate 10 Pro, and I am now using it on the A71 5G AT&T variant.
There is a new version of AdAway on F-Droid.
