Is it possible to use Private DNS on my laptop that is connected to WiFi shared by my Android Pie smartphone with configured Private DNS?
I tried visiting https://1.1.1.1/help from my phone and it says DNS over TLS is used, but when I visit from my laptop it tells me that it uses plain unsecure DNS.
Answer
DNS has traditionally been part of libc
. Android's Bionic libc
depends on netd
for traditional DNS as well as Private DNS (DoT
) implementation. See this answer for more details.
Since every app runs in its own stance of Virtual Machine (ART) forked by zygote
, so when an app creates a new connection to a remote hostname, DNS queries are made by the VM on behalf of the app, which makes use of DNS resolution in native code. So the whole thing is handled by Java runtime.
When using tethering, a DNS server needs to be run on Android device which listens to DNS queries received from connected hosts. These queries are then resolved as per configuration of DNS server. dnsmasq
is current implementation of DHCP
/DNS
server on Android up to Pie. It's a native daemon, which receives nameservers
from TetherController
(a part of netd
) or /etc/resolv.conf
(if no-resolv
argument is not passed) or /etc/dnsmasq.conf
(using server=
option).
So dnsmasq
works independently and doesn't depend on libc
or netd
for DNS resolution. In other case if the tethered device is using some other public nameserver and not dnsmasq
, the DNS queries are forwarded to internet as per routing policy and NAT rules. In each case the queries don't pass through Private DNS.
That said, you can use third party solution for encrypted DNS. Go for a robust solution: dnscrypt-proxy on rooted device. See this answer for an advanced setup.
Or use some VPN app like this. But VPN doesn't redirect hotspot traffic through VPN network as far as I have tested on Pie ROM. You have to modify routing table and forwarding rules. This works for me:
~# iptables -t mangle -I PREROUTING -i wlan0 -p udp --dport 53 -j MARK --set-mark 2
~# ip rule add fwmark 2 lookup 5000
~# ip route add default dev tun0 table 5000
~# iptables -I FORWARD -o wlan0 -i tun0 -j ACCEPT
~# iptables -I FORWARD -i wlan0 -o tun0 -j ACCEPT
Additionally NAT
ing might also be needed for some situations. So it seems there isn't a non-root solution.
PS:
Most probably Android Q will have DoT
on tethering too because dnsmasq
is being replaced with a DHCP service inside Java runtime.
RELATED: How to share VPN connection with devices on hotspot?
No comments:
Post a Comment