DNS over HTTPS (DoH) or DNS over TLS (DoT) support

asked 2019-03-24 23:19:58 +0300

Mikaela

My Jolla 1 running SailfishOS is my only actively connected device which doesn't encrypt DNS in any way, and I hope it can start doing that too as there are so many options for that on other platforms.

On desktop there are dnscrypt-proxy and stubby, Android 9 supports DNS over TLS natively as Private DNS, I don't know about native support on iOS, but there is Cloudflare's app for it and, like on Android, I imagine providers will only keep making their own apps (Quad9 has a beta program). Older Androids also have the Intra app (which could be said to be by Google).

Firefox also supports DoH (on desktop and Android at least) while requiring the user to enable Trusted Recursive Recursor in about:config.

Some lists on providers:

RFCs:

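As an added illustration of what the requested feature carries on the wire (this is example code, not from the original question or from SailfishOS): a normal DNS message, prefixed with its 16-bit length per RFC 7858 and sent over a certificate-verified TLS session to port 853; DoH sends the same bytes as an HTTP body. The Quad9 endpoint is a public DoT resolver used only as the default here, and the sample response is constructed, so the parser can be exercised offline.

```python
import socket
import ssl
import struct
def build_query(name, qtype=1, txid=0x1234):
    """Standard DNS query in wire format (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_dot(msg):
    """RFC 7858 framing: 16-bit length prefix, then the message (DoH sends the same bytes as an HTTP body)."""
    return struct.pack("!H", len(msg)) + msg

def parse_a_records(resp):
    """Return the IPv4 addresses found in a response's answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):  # skip each question: labels, then type/class
        while resp[pos]:
            pos += resp[pos] + 1
        pos += 5
    addrs = []
    for _ in range(an):
        if resp[pos] & 0xC0 == 0xC0:  # owner name is a 2-byte compression pointer
            pos += 2
        else:
            while resp[pos]:
                pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def dot_query(name, resolver="9.9.9.9", server_name="dns.quad9.net"):
    """Query a DoT resolver on TCP/853; the default SSL context verifies chain and hostname."""
    with socket.create_connection((resolver, 853), timeout=5) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_dot(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            data = b""
            while len(data) < length:
                data += tls.recv(length - len(data))
    return parse_a_records(data)

# Constructed sample response (not captured from any resolver): one A record for example.com, owner name pointing to offset 12.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
```

`parse_a_records(SAMPLE_RESPONSE)` runs without a network; `dot_query("example.com")` needs one and will raise on a certificate or hostname mismatch, which is the property plain port-53 DNS lacks.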

Comments

3

Don't get me wrong, encryption for DNS is a nice feature, but if you are using something like Cloudflare, Quad9 or Google you could have just continued to use unencrypted DNS and your data is probably safer. Anyways, you get my thumb up for the request.

inta ( 2019-03-25 00:24:59 +0300 )

@inta do you think Cloudflare is collecting IP addresses? Their privacy policy states they do not collect sensitive data (IPs).

magullo ( 2019-03-25 09:33:33 +0300 )

Don't know if this is an answer, but I use Keweon - https://forum.xda-developers.com/android/software-hacking/keweon-privacy-online-security-t3681139 On Sailfish, you need to remove the resolv.conf symlink from /etc, make a real resolv.conf file with Keweon DNS nameservers, change attr to +i to prevent connman from overwriting it, and put the Keweon pem cert in /etc/pki/... and run 'update ca-cert'. Works great. I have a pem if you want

Levone1 ( 2019-03-25 11:57:02 +0300 )
1

I do not trust any company's free offering. If you do not pay money you probably pay with your data. The DNS provider can see every name you resolve.

inta ( 2019-03-25 18:23:11 +0300 )

@inta, I guess you don't mean that unencrypted DNS is safer (because it isn't, no authentication etc.), but rather that you may consider it more anonymous/private if you trust your ISP.

bomo ( 2019-03-25 20:59:21 +0300 )