Does Android P private DNS really contribute to privacy? Or to Enterprise control?

Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.

Read more here (Android Police).

Screenshot_20180422-175014.png
Private DNS configuration (c) Android Police

This looks like privacy, but isn’t necessarily so…

1. If you are without VPN – the hotspot provider or carrier will harvest the hostnames from DNS packets anyway.
2. If they really want to spoof DNS (censure, diverting ad traffic) – they will intercept and overwrite the DNS packets.
3. If your VPN client leaks DNS – same story.

In oder to make it fully private, your DNS queries must be encrypted, and the authenticity of your DNS server much be validated. Which means DNSSEC or DNS over TLS. The latter being also introduced in P.

However, not many DNS services support it. So people will end up putting 8.8.8.8 or 1.1.1.1 there to allow their browsing habits to be harvested by Google, CloudFlare etc.

I guess this is called “out of the frying pan into the fire” in English 🙂

I can also imagine the next step: unhappy free hotspot providers (NSTAAFL) beginning to block said popular DNS IPs, explicitly requiring you to submit your data for harvesting.

NSTAALF
Yep, No such thing as a free Wi-Fi

Moral: use VPN.
#SecurityTheatre

Now, to where can actually be useful?

My guess – enterprise-managed devices.Forcing this setting to corporate DNS equipped with TLS, DNS filtering, site reputation service or another security/enforcement mechanism ensures that the devices are safe and sound, the forbidden sites are blocked, and ad-serving sites are resolved to 127.0.0.1 (one can only dream…)

Of course, provided user can’t change it. We’ll have to live and see if this setting ends up upon many new Android Enterprise features in P or not.

Nevertheless, for absolute privacy this should be combined with a corporate VPN.

What do you think?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

<span>%d</span> bloggers like this: