Android 13 “Tiramisu” is adding native support for another private DNS standard
On the surface, browsing the web looks like quite a simple process to the average user; you just type a URL in the address bar, hit enter, and the browser loads the corresponding website. However, what happens behind-the-scenes is obviously more involved. After you press enter, your device sends a query to a Domain Name Server (DNS) to translate the URL to a machine-readable IP address. Once your device receives the corresponding IP address, it opens the website. This communication between your computer and the DNS is done in plaintext through User Data Protocol (UDP) or Transmission Control Protocol (TCP), and it is visible to anyone that can see your connection. If you don’t want anyone to have access to this data, you need to use a DNS that supports a private DNS standard like DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).
Many popular DNS servers, like Google Public DNS, NextDNS, and Cloudflare, support both DoT and DoH standards. However, Android currently only natively supports DoT. Google added native support for DoT, aptly named Private DNS, in Android 9 Pie, and you can find it in the Advanced section of your phone’s Network & Internet settings. You can configure it by following the steps outlined in this guide. But if you want to configure these settings to use DNS over HTTPS, you’ll have to wait till Google rolls out Android 13 “Tiramisu” next year.
A recently merged code change in the Android Open Source Project (AOSP) suggests that Google will add DoH support in Android 13. Its description states: “Default enable DoH feature in T.” Since Google internally refers to Android 13 as T or “Tiramisu,” we expect the company to add native DoH support in the “Private DNS” menu in Android next year.
While DoT and DoH essentially do the same thing, DoT uses TLS (also known as SSL) to encrypt DNS traffic, which is the same protocol that HTTPS websites use to encrypt and authenticate communications. DoH, on the other hand, uses HTTP or HTTP/2 protocols to send queries and responses instead of directly over UDP. Both standards also use different ports, which gives DoH a slight advantage from a privacy perspective.
As this Cloudflare post notes, DoT uses a dedicated port for DNS traffic, and anyone with network visibility can see the traffic, even though the requests and responses themselves are encrypted. DoH, however, uses port 443 — the same port that all other HTTP traffic uses. That means all DNS traffic blends in with other HTTPS traffic. This makes monitoring and blocking DoH queries a whole lot more complex, and network administrators can’t block DoH traffic without blocking other HTTPS traffic as well.
Google will likely add DoH support to the Private DNS option in Android’s Network & Internet settings. At the moment, we don’t have any further details about the feature. We’ll update this post as soon as we learn more.
Thanks to XDA Recognized Developer luca020400 for the tip!