Google rejects feature request for arbitrary DNS-over-HTTPS server support

https://issuetracker.google.com/issues/331250145?pli=1#comment7


Some background, since 2022 Android has used DNS-over-HTTP/3 instead of DNS-over-TLS for its Private DNS setting, but only for two predefined servers (Google and Cloudflare). Any other server you add to the Private DNS setting will still use DNS-over-TLS for… some reason.

DoH is more private, secure, and performant than DoT. Most other major operating systems and browsers support DoH without any sort of restrictions like this.

Alongside Manifest V3, this is just more evidence that Google is willing to abuse their monopoly position in open-source projects like Chromium and Android to protect their advertising business. The primary use-case for many alternative DNS users is to block invasive tracking content on a DNS level with tools like AdGuard, so of course Google would want to restrict that usage, apparently by whatever means necessary.

12 Likes

Can you expand on this? I always thought they were relatively similar in terms of their benefits.

1 Like

DNS-over-HTTPS is more censorship resistant because it is harder to identify as DNS traffic, whereas DoT operates on a unique port (853) that can be trivially blocked by firewalls.

As far as security and performance on Android, Google addresses these points clearly in the blog post I linked above.

3 Likes

DoT is blocked in a lot of public Wifis. DoH can’t be blocked like that. So if you’re a person who uses public Wifis a lot, Adguard or Mullvad as your Private DNS will quickly get annoying because you need to disable it in these networks.

edit: from the issue tracker

I mean yeah this expected, Google is very clearly upset and insecure about people using ad blocking software. They killed off adblockers in Chrome and now they’re killing the workarounds; removing useful user features in the name of profits is nothing new for Google, they are not a company that you should trust whatsoever, as they will never act in good faith.

I think it summarises the whole story quite well.

3 Likes

@jonah @Regime6045 thanks for the info!

GrapheneOS also had some thoughts about the issue but they seem to think the only reason DoH is preferred is due to the port.

DoT/DoQ are just losing to DoH due to the port.

1 Like

DoH can be just as easily blocked. The packet sizes are nowhere near a typical HTTP request. Some apps do “pad” DoH requests to make them look bigger, but that increases bandwidth way too much.

The firewall implementers are lousy. They won’t stay lousy for long, as DoH gains traction.

2 Likes

Agreed with the points you mentioned.

As a regular user, whenever I check the netstat tool on my router, I can see the DNS domains/hostnames and IP addresses of the AdGuard and ControlD providers. I guess the DoT and DoH domain names/URLs that we set on our devices must first be resolved through the DNS servers set by the ISP or network administrator; please correct me if I am wrong.

Android still supports DoT, which can be used for content filtering.

All VPN recommendations on PG provide their own DNS servers with content filtering. Using a different DNS provider would make one stand out from other VPN users and also add an additional party to trust.

Chromium-based Android browsers still support DoH.

Apps like RethinkDNS, AdGuard, etc. can be used to enable DoH or any other protocol system-wide.

Also, one can use DoH on their router to have content filtering on the entire network.


I don’t see a reason for Google to do this for the sake of their ad business because DNS-based content filtering is trivial to bypass by either one of these methods:

  1. By hosting advertising and trackers on the apex domain.
  2. An application using its own DNS resolution instead of relying on the one provided by the system.
  3. Connecting to the IP addresses directly.

As for MV3, it was a first step towards securing extensions. Instead of conspiracies, let’s just wait and see if Google will fix the security issues with the extensions or if they just did it to kill adblocking extensions.

1 Like

You’re right. Note though, some DNS stub resolvers may bootstrap IPs via other mechanisms, to avoid doing that lookup on the underlying ISP/network’s DNS resolver. And indeed, some of the mainstream DoH providers can talk HTTPS over IPs, too; ex: Cloudflare (https://1.1.1.1/) & Google (https://8.8.8.8).

The issue was cloned (and is open): Google Issue Tracker

1 Like
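The two points above (a stub resolver that reaches its DoH server by a bootstrap IP instead of asking the network's DNS, and the earlier claim that DoH packets are small enough to fingerprint unless padded) can be shown offline with the RFC 8484 wire format. The following is an added example written for this thread, not code from Android, AdGuard, Cloudflare or Google: it builds a DNS query, optionally pads it to a 128-byte multiple with the EDNS(0) padding option (RFC 7830, block size per RFC 8467), derives the GET URL a DoH client would send to a bootstrap IP, and parses a constructed reply. The `/dns-query` path and the resolver IPs are taken as assumptions for illustration; the response bytes are hand-built, not captured from any server.

```python
"""Offline DoH (RFC 8484) request builder and response parser (added example)."""
import base64
import struct
from typing import List, Optional, Tuple

# Bootstrap IPs from the thread: a stub that knows these never has to resolve the
# resolver's hostname through the ISP's DNS (assumed values for this example).
BOOTSTRAP = {"cloudflare": "1.1.1.1", "google": "8.8.8.8"}

TYPE_A = 1
TYPE_OPT = 41
EDNS_PADDING = 12  # EDNS(0) option code for padding (RFC 7830)


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, pad_to: Optional[int] = 128) -> bytes:
    """Wire-format query with ID 0 (RFC 8484 suggests it so responses cache well).

    With pad_to set, an OPT RR carrying an EDNS padding option brings the whole
    message to a multiple of pad_to bytes; RFC 8467 recommends 128 for queries.
    """
    arcount = 1 if pad_to else 0
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if pad_to is None:
        return msg
    # OPT RR fixed part: root name (1) + type (2) + UDP size (2) + ttl/flags (4) + rdlen (2) = 11
    # padding option header: code (2) + length (2) = 4
    fixed = len(msg) + 11 + 4
    pad_len = (-fixed) % pad_to
    option = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(option)) + option
    return msg + opt_rr


def doh_get_url(resolver_ip: str, query: bytes, path: str = "/dns-query") -> str:
    """GET form of RFC 8484: base64url-encoded message with '=' padding removed."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver_ip}{path}?dns={token}"


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_answers(msg: bytes) -> List[Tuple[str, int, int, str]]:
    """Return (name, type, ttl, rdata) per answer record; A rdata as a dotted quad."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        text = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, text))
    return answers


def constructed_response() -> bytes:
    """Hand-built reply to build_query("example.com"): constructed sample, not captured."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; RCODE 0
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    padded = build_query("example.com")
    print(len(build_query("example.com", pad_to=None)), "bytes unpadded,", len(padded), "bytes padded")
    print(doh_get_url(BOOTSTRAP["cloudflare"], padded))
    print(parse_answers(constructed_response()))
```

The unpadded query for `example.com` is 29 bytes, which is the size signature the "DoH is fingerprintable" comment refers to; padding to 128-byte blocks hides the name length at the cost of a few dozen extra bytes per query, and a real client would send the resulting URL (or the raw message in a POST with `Content-Type: application/dns-message`) over ordinary TLS on port 443.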

Original issue has been reopened! Please hit the “I’m affected” +1 button and comment your thoughts so Google finally implements this

Share this with others and specialized media if possible!