DNS over TLS coming to Android for some level of privacy

By JC Torres/Oct. 24, 2017 5:31 am EST

Apple has gotten into hot water because of its stance on privacy and encryption and while Google is, on paper, on the same boat, Android hasn't exactly been widely regarded as a very privacy-focused OS. Especially with Google behind it. A new feature coming to a future version of Android could give users a new tool to keep some prying eyes away, specifically those of ISPs. Called "DNS over TLS", it's really a very simple layer of encryption that masks what websites you go to.

At the heart of this future is DNS or Domain Name Server. This often overlooked part of the Internet chain is the one that saves us from having to type seemingly random numbers like "108.177.97.106" instead of "www.google.com". These serves basically translate human readable URLs or web addresses into the actual numeral address on the Web before the actual browsing takes place.

The problem with DNS is that all this data travels over the Internet in plain, readable text. That means that anyone who can see your connection can see the lookups you make with a DNS. And by "anyone", we really mean ISPs. And while everyone naturally connects to the Internet via ISPs, barely anyone actually trusts them to have their privacy in mind.

The solution comes via the second part of that phrase, "over TLS" or Transport Layer Security. That's the same level of encryption used by HTTPS, which is the recommended, encrypted way to browse web pages. This way, the queries you make with name servers are hidden even from even ISPs. This feature was recently just added to Android source code, hinting it could be released soon, probably with Android 8.1.

There is, however, a catch. Actually two. The first is that, in order for DNS over TLS to work, the DNS provider should support DNS over TLS in the first place. Some do, but not all. Google is one of those that do. The second catch is that while the query is encrypted from ISPs and other onlookers, the DNS over TLS server will still be able to read those, making it really a question of whether you trust the DNS provider more than your ISP.

VIA: XDA