Friday, September 6, 2019

9.0 pie - How to use Private DNS on Android Pie for tethering?



Is it possible to use Private DNS on my laptop that is connected to WiFi shared by my Android Pie smartphone with configured Private DNS?


I tried visiting https://1.1.1.1/help from my phone and it says DNS over TLS is used, but when I visit from my laptop it tells me that it uses plain insecure DNS.



Answer



DNS has traditionally been part of libc. Android's Bionic libc depends on netd for traditional DNS as well as the Private DNS (DoT) implementation. See this answer for more details.
Since every app runs in its own instance of the Virtual Machine (ART) forked by zygote, when an app creates a new connection to a remote hostname, the DNS queries are made by the VM on behalf of the app, which makes use of DNS resolution in native code. So the whole thing is handled by the Java runtime.


When using tethering, a DNS server needs to run on the Android device, which listens for DNS queries received from connected hosts. These queries are then resolved as per the configuration of that DNS server. dnsmasq is the current implementation of the DHCP/DNS server on Android up to Pie. It's a native daemon, which receives nameservers from TetherController (a part of netd), or from /etc/resolv.conf (if the no-resolv argument is not passed), or from /etc/dnsmasq.conf (using the server= option).


So dnsmasq works independently and doesn't depend on libc or netd for DNS resolution. In the other case, if the tethered device is using some other public nameserver and not dnsmasq, the DNS queries are forwarded to the internet as per routing policy and NAT rules. In either case the queries don't pass through Private DNS.


That said, you can use a third-party solution for encrypted DNS. Go for a robust solution: dnscrypt-proxy on a rooted device. See this answer for an advanced setup.
Or use some VPN app like this. But a VPN doesn't redirect hotspot traffic through the VPN network, as far as I have tested on a Pie ROM. You have to modify the routing table and forwarding rules. This works for me:


# Mark UDP DNS queries arriving from hotspot clients on wlan0 (TCP/53 is not marked by this rule)
iptables -t mangle -I PREROUTING -i wlan0 -p udp --dport 53 -j MARK --set-mark 2
# Send marked packets to a dedicated routing table whose default route is the VPN tunnel
ip rule add fwmark 2 lookup 5000
ip route add default dev tun0 table 5000
# Allow forwarding in both directions between the hotspot interface and the tunnel
iptables -I FORWARD -o wlan0 -i tun0 -j ACCEPT
iptables -I FORWARD -i wlan0 -o tun0 -j ACCEPT

Additionally, NAT might also be needed in some situations. So it seems there isn't a non-root solution.


PS:
Most probably Android Q will have DoT on tethering too, because dnsmasq is being replaced with a DHCP service inside the Java runtime.


RELATED: How to share VPN connection with devices on hotspot?
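The answer above explains why a hotspot client's queries never pass through Private DNS: they reach dnsmasq (or a public resolver) as ordinary port-53 traffic on wlan0. The following is an added example, not code from the answerer, that shows how to confirm such a leak offline: it builds a small constructed wlan0 capture and flags every plain DNS query from a hotspot client, while leaving a client's own DoT session (TCP/853) alone. The hotspot subnet 192.168.43.0/24, the client addresses and the queried names are assumptions; on a real device the same classifier would be fed packets read from a capture taken on wlan0.

```python
import struct

PLAIN_DNS_PORT, DOT_PORT = 53, 853  # classic DNS vs. DNS over TLS (Android "Private DNS")

def ipv4(src, dst, proto, l4):
    """Constructed IPv4 header (checksum left 0: sample data, not live traffic)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst)) + l4

def udp_dns_query(src, dst, name):
    """A client's plain UDP/53 query (what dnsmasq receives on wlan0 and forwards upstream)."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags RD, 1 question
    dns += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns += struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return ipv4(src, dst, 17, struct.pack("!HHHH", 40000, PLAIN_DNS_PORT, 8 + len(dns), 0) + dns)

def tcp_syn(src, dst, dport):
    """A TCP SYN, e.g. a client speaking DoT itself (853) or plain HTTPS (443)."""
    return ipv4(src, dst, 6, struct.pack("!HHIIBBHHH", 40001, dport, 1, 0, 5 << 4, 2, 65535, 0, 0))

def qname(dns):
    labels, i = [], 12  # question section starts after the 12-byte DNS header
    while dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode())
        i += dns[i] + 1
    return ".".join(labels)

def classify(pkt):
    """(src, dst, 'plaintext'|'dot', detail) for DNS-looking packets, else None."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    l4 = pkt[ihl:]
    src, dst = (".".join(str(b) for b in pkt[o:o + 4]) for o in (12, 16))
    dport = struct.unpack("!H", l4[2:4])[0]  # same offset in UDP and TCP headers
    if proto == 6 and dport == DOT_PORT:
        return (src, dst, "dot", "tls")
    if proto in (6, 17) and dport == PLAIN_DNS_PORT:
        return (src, dst, "plaintext", qname(l4[8:]) if proto == 17 else "tcp/53")
    return None

def leaking_clients(packets, hotspot_net="192.168.43."):  # assumed hotspot subnet
    """Hotspot clients whose DNS left wlan0 in the clear, i.e. outside Private DNS."""
    hits = [classify(p) for p in packets]
    return [(c[0], c[1], c[3]) for c in hits if c and c[2] == "plaintext" and c[0].startswith(hotspot_net)]

SAMPLE = [  # constructed wlan0 capture: laptop -> dnsmasq, laptop -> public resolver, a DoT client, HTTPS
    udp_dns_query("192.168.43.57", "192.168.43.1", "example.com"),
    udp_dns_query("192.168.43.57", "8.8.8.8", "one.one.one.one"),
    tcp_syn("192.168.43.99", "1.1.1.1", DOT_PORT),
    tcp_syn("192.168.43.57", "192.0.2.10", 443),
]
```

Both queries from 192.168.43.57 are reported, whether they go to the phone's dnsmasq or straight to a public resolver, which is exactly the traffic the fwmark rules above have to catch; a client that already speaks DoT to port 853 is not reported.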

