Private DNS is a new feature in Android P, which allows you to globally override the DNS settings (received from your carrier, hotspot provider etc.). This means that the said carrier’s or provider’s DNS servers will not be able to log your browsing habits.
This looks like privacy, but isn’t necessarily so…
1. If you are without a VPN – the hotspot provider or carrier will harvest the hostnames from DNS packets anyway.
2. If they really want to spoof DNS (censorship, diverting ad traffic) – they will intercept and overwrite the DNS packets.
3. If your VPN client leaks DNS – same story.
In order to make it fully private, your DNS queries must be encrypted, and the authenticity of your DNS server must be validated. That means DNSSEC or DNS over TLS, the latter also being introduced in P.
However, not many DNS services support it. So people will end up putting 126.96.36.199 or 188.8.131.52 there to allow their browsing habits to be harvested by Google, CloudFlare etc.
I guess this is called “out of the frying pan into the fire” in English 🙂
I can also imagine the next step: unhappy free hotspot providers (NSTAAFL) beginning to block said popular DNS IPs, explicitly requiring you to submit your data for harvesting.
Moral: use VPN.
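What "encrypted, with the server's authenticity validated" means on the wire for DNS over TLS, as an added example that is not part of the original post: a minimal Python client that frames a query per RFC 7858 and refuses any resolver whose certificate does not verify for its hostname. The resolver name `dns.example.internal` and all function names are illustrative assumptions.

```python
import socket, ssl, struct

DOT_PORT = 853  # RFC 7858: DNS over TLS runs on TCP port 853

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(l) <= 63 for l in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def frame(message: bytes) -> bytes:
    """DNS over TCP/TLS prefixes every message with a 2-byte length."""
    return struct.pack("!H", len(message)) + message

def strict_context() -> ssl.SSLContext:
    """TLS context that rejects unverified or wrongly named resolvers."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def dot_query(resolver_host: str, name: str, timeout: float = 5.0) -> bytes:
    """Send one query over TLS. Raises ssl.SSLCertVerificationError when the
    certificate does not match resolver_host (spoofing or interception)."""
    query = build_query(name)
    with socket.create_connection((resolver_host, DOT_PORT), timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            reply = recv_exact(tls, length)
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch")
    return reply

if __name__ == "__main__":
    # dns.example.internal is a placeholder resolver name (assumption)
    reply = dot_query("dns.example.internal", "example.com")
    print("rcode:", reply[3] & 0x0F, "answers:", struct.unpack("!H", reply[6:8])[0])
```

Because the hostname is checked against the certificate, an on-path device that intercepts port 853 causes a hard failure instead of a silently spoofed answer.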
Now, where can this actually be useful?
My guess – enterprise-managed devices. Forcing this setting to a corporate DNS equipped with TLS, DNS filtering, a site reputation service or another security/enforcement mechanism ensures that the devices are safe and sound, the forbidden sites are blocked, and ad-serving sites are resolved to 127.0.0.1 (one can only dream…)
Of course, provided the user can’t change it. We’ll have to wait and see whether this setting ends up among the many new Android Enterprise features in P or not.
Nevertheless, for absolute privacy this should be combined with a corporate VPN.
What do you think?