Is DNS-over-HTTPS/3 system/OS-wide implementation coming?

Google has stated that Android began supporting DNS-over-HTTPS/3 through a Google Play system update about 8 months ago (https://security.googleblog.com/2022/07/dns-over-http3-in-android.html). That article wasn't very specific, but I hoped we could select DNS-over-HTTPS/3 instead of DNS-over-TLS in Network Settings by now.

I know DNS-over-HTTPS/2 can be enabled in Vanadium, but that is not system-wide and is only HTTPS/2, not HTTPS/3, which is UDP-based and is much quicker for switching between WiFi and Mobile Data, especially when WireGuard VPN (or other UDP-based VPN protocol) is utilized. Google and YouTube now extensively utilize QUIC and HTTPS/3 protocol.

I forgot to mention that all major DNS players, such as Google, Cloudflare, NextDNS, and AdGuard, fully support DNS-over-HTTPS/3.

For that matter, DNS-over-QUIC (DoQ) is a new standard protocol that looks to be even faster and more reliable than DoH. Currently I think only AdGuard utilizes it, but it might be good to look into as well.

DNS-over-QUIC is a short-lived initiative by AdGuard and NextDNS. It works, but DNS-over-HTTPS/3 is going to be the new popular standard. It is already supported by AdGuard Home (local DNS server/forwarder) via h3 links "h3://1.1.1.1/dns-query".

I don't quite understand why DNS-over-HTTPS/3 is the preferred standard and not DNS-over-QUIC, which has lower overhead and carries less metadata than DNS-over-HTTPS/3. I understood that DNS-over-HTTPS/2 was preferred because it used TCP port 443 and blended in with the rest of HTTPS/2 traffic, making it difficult to block, unlike DNS-over-TLS, which could be easily blocked by blocking TCP port 853.

Just like DNS-over-TLS, DNS-over-QUIC stands out by using UDP port 853, unlike DNS-over-HTTPS/3, which blends in with HTTPS/3 traffic because both DNS-over-HTTPS/3 and HTTPS/3 use UDP port 443; but HTTPS/2 still dominates the web. That means neither DNS-over-HTTPS/3 nor DNS-over-QUIC blends in with most traffic on the web, and both can be easily blocked by blocking UDP port 443 and UDP port 853. If you consider all that, DNS-over-QUIC makes more sense because of overhead and metadata, and yet DNS-over-HTTPS/3 is the one gaining attention and being supported by all 4 major providers (Google, Cloudflare, AdGuard, NextDNS).

AdGuard developers stated that DNS-over-HTTPS/3 added no value compared to DNS-over-QUIC, but Google has already decided to support DNS-over-HTTPS/3 and not DNS-over-QUIC on Android devices natively (without any apps).

a month later

Android already supports DoT and DoH via Private DNS. Private DNS enables DoT for most providers but has a list of providers known to support DoH where it will use that instead. The list can be extended but we don't plan to add our own auto-detection for DoH. They'll likely add that in some form eventually.

    3 months later

    +1

    Would appreciate a mechanism to use the system-wide DoH or at least add custom entries to the list.

    6 months later

    GrapheneOS How can I add a DoH provider? Every address I enter into the Private DNS server box isn't accepted and won't let me click through.

      8 months later

      GrapheneOS Is there any way to add to this list without a custom build of GOS? I use a malware-blocking DNS which I know supports DNS over HTTPS/3, but I have no way of making Private DNS utilize it, so I am stuck with the much worse latency of DNS over TLS.

      Cedaronbelay You need to enter the hostname, not an IP address. It verifies the certificate via WebPKI so they didn't support IPs even though in rare cases they may have a valid certificate such as 1.1.1.1. It uses DoT unless the server is on the DoH whitelist due to compatibility concerns. We don't currently plan to change this, but we could whitelist more known good DoH servers. It's a very low priority since DoT works fine.