Re: Private DNS

<us57q3$3n27p$1@novabbs.org>

From: patrick@oleary.com (Patrick)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Mon, 4 Mar 2024 13:35:31 -0600
 by: Patrick - Mon, 4 Mar 2024 19:35 UTC

On Mon, 4 Mar 2024 03:59:11 -0600, VanguardLH wrote:
>> How To Enable DNS over HTTPS in Windows 10
>> a. First, it says DoH is using port 443 (not port 53 which DNS uses).
>
> Not when HTTPS is used. The port is for the transport, not the traffic
> within. HTTP uses port 80. HTTPS uses port 443. DNS *without* an
> encryption transport uses port 53.
>
> https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

That was a good explanation. Thanks.

>> b. Then it says you need Build 19628 or higher (mine is 19045.4046).
>
> Mine is 19045.4123. That's for Win 10 22H2. Build 19628 was an Insider
> fast ring build for 20H2; see:
>
> https://blogs.windows.com/windows-insider/2020/05/13/announcing-windows-10-insider-preview-build-19628/
> https://betawiki.net/wiki/Windows_10_build_19628
>
> So, the author is mentioning non-released versions of Win10. Often the
> Insider builds have features that are not present in the released
> versions. The 2nd article (betawiki) also mentions the same registry
> key to edit, so even in the author's Insider build there was no exposed
> config settings, and users had to do a registry edit. That's why I
> suspect the author is conflating settings available in Server or Win11
> builds.

Even though I'm on a normal release of Windows 10, I still made the
requested registry addition explained in that article titled
How To Enable DNS over HTTPS in Windows 10

HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
New > 32-bit DWord > EnableAutoDoh set to hex 2

Then I rebooted. And then I looked for the special GUI to show up.
It never showed up.

>> But this still doesn't solve the problem even if it does work.
>> I want to set the Windows the same way as Android.
>
> Please be careful when burying humor in staid construction. Some folks
> may think you really expect Windows and Android to be that similar.

Actually, if it was funny, that's my fault as I had only meant that I want
to use the same FQDN in Windows that I use in Android for Private DNS.

>> To make it more confusing, Android uses DNS over TLS, not DNS over
>> HTTP.
>
> DNS over TLS is easier to set up than DNS over HTTPS, but DNS over HTTPS
> is more secure. DoT uses port 853, so anyone interrogating your network
> traffic will know you are issuing DoT lookups. The payload is
> encrypted, not the target IP address, so anyone doing packet inspection
> can see you have DoT on port 853, and to which DNS server. They just
> cannot see what was the hostname the client sent the DNS server, and
> what IP address the DNS server sent back to the client.
>
> With DoH, that's the same port 443 that HTTPS uses for, say, your web
> browser. Someone seeing traffic on port 443 doesn't know it's being
> used also for DNS traffic. However, again, they can use packet
> inspection to see to where you send your HTTPS traffic, so they can see
> to which hosts you connect whether a web server or DNS server. The
> source and destination are not encrypted, just the payload.

That was a good explanation. Thanks for taking the effort to explain.

>> So it's not that simple to answer the questions asked, which are now:
>> Anyone here know why Android uses a FQDN while Windows uses an IP?
>> Anyone here know if specifying a DoT server works with Windows DoH?
>
> As you recall, I figured an IP address was needed to find a DNS server.
> Apparently Google did some magic in the Android OS, and probably
> untoward magic, like they still use the default DNS server to submit a
> host to it to get back an IP address to then find the DoT server. Could
> also be they use a hosts file to do a local lookup from hostname to IP
> address, and might be why there is a specific list of DoT servers.
>
> Also, it could be a matter of providing auto-private DNS selection.
> That means the OS can still use regular DNS should DoT not work. In
> Windows, using group policy (all policies are registry entries), you can
> elect one of the following for DoH:
>
> Prohibit DoH: No DoH name resolution will be performed.
>
> Allow DoH: Perform DoH queries if the configured DNS servers support
> it. If they don't support it, try classic name
> resolution.
>
> Require DoH: Allow only DoH name resolution. If there are no DoH
> capable DNS servers configured, name resolution will fail.
>
> In the registry edit, you set the value to 2, so maybe that matches on
> the 2nd policy setting above (Allow DoH). That provides a fallback to
> non-encrypted DNS traffic.
>
> Google loves to track, so they might still use regular DNS to resolve a
> hostname for another DNS server, or Google doesn't really get that a DNS
> server, encrypted or not, should be found using only an IP address.

I'm on a normal Windows 10 release. Unfortunately, even after making the
registry change and rebooting, nothing changed (AFAICT) in the Windows GUI.

I guess that means I need to put the IP address of the encrypted DNS server
into the forms in the same place we used to put the non-encrypted servers.

This brings back the issue that I want to use the same encrypted DNS
servers on Windows that I use on Android but the input format is different.

Windows wants an IP address for the encrypted DNS server.
Android wants a FQDN for the encrypted DNS server.

Of course I can run a ping/tracert to find out the current IP address of
the DoT/DoH FQDN, but is that really the way that it's supposed to be done
for Windows?

Re: Private DNS

<m6xyeusjpvto$.dlg@v.nguard.lh>

 by: VanguardLH - Mon, 4 Mar 2024 23:40 UTC

Patrick <patrick@oleary.com> wrote:

> Then I rebooted. And then I looked for the special GUI to show up.
> It never showed up.

I don't remember anything saying after the registry edit and reboot
that you would get a new config wizard, or the old ones got modified.
You do the reg hack, reboot, and then config the DNS settings to point
at DoH-capable DNS servers; else, you'll still be using unencrypted DNS.

> I'm on a normal Windows 10 release. Unfortunately, even after making the
> registry change and rebooting, nothing changed (AFAICT) in the Windows GUI.

Many, if not most, reg hacks have no effect on config or wizard screens.
Nothing changes except underlying behavior.

> I guess that means I need to put the IP address of the encrypted DNS server
> into the forms in the same place we used to put the non-encrypted servers.

Yep.

> This brings back the issue that I want to use the same encrypted DNS
> servers on Windows that I use on Android but the input format is different.

Yep. Different operating systems, different management for each. That
Google requires a hostname (maybe since an article I cited showed an
Android setup that entered IP addresses, so it could rely on which brand
and model of smartphone you have) makes me suspicious that Google's DNS
is still involved, like to get the IP addresses for the hostnames
specified for private DNS. The only way to be sure is to monitor
network traffic from your phone to a wi-fi capable router that has some
enterprise-level logging of network traffic for you to analyze to where
the phone is connecting.

> Of course I can run a ping/tracert to find out the current IP address
> of the DoT/DoH FQDN, but is that really the way that it's supposed to
> be done for Windows?

That's one way, but you'd still have to know to which DNS servers you
want to connect. I usually search online for free/public DNS servers,
find the features of each, and then go to the DNS providers to get
*their* details on where to connect.

Re: Private DNS

<16bdui1uf2rdkeqgtclebtnr0v0pl84d3b@4ax.com>

 by: Char Jackson - Tue, 5 Mar 2024 05:36 UTC

On Mon, 4 Mar 2024 01:04:13 -0600, Patrick <patrick@oleary.com> wrote:

>I ran a tracert so I know what the IP address is of the FQDN.
>But that IP address can change over time and I'm just guessing.
>
>Some Android examples that I'd like to replicate on Windows are
>easy to figure out since you can guess at what their IP address is.
> one.one.one.one
> 1dot1dot1dot1.cloudflare-dns.com
> dns.google
>
>But many (most actually) of the ad blocking DNS servers aren't
>in the articles for Windows so you have to guess at the IP address.

> adblock.doh.mullvad.net
adblock.doh.mullvad.net. 1270 IN CNAME adblock.dns.mullvad.net.
adblock.dns.mullvad.net. 1270 IN A 194.242.2.3

> dns.adguard.con
(typo fixed)
dns.adguard.com. 3600 IN A 94.140.15.15
dns.adguard.com. 3600 IN A 94.140.14.14

> p2.freedns.controld.com
p2.freedns.controld.com. 300 IN A 76.76.2.11

> dns.Cleanbrowsing.com
Address: 143.244.220.150 <--nslookup example

> dns.quad9.net
dns.quad9.net. 807 IN A 9.9.9.9
dns.quad9.net. 807 IN A 149.112.112.112

> doh.mullvad.net
doh.mullvad.net. 3600 IN CNAME dns.mullvad.net.
dns.mullvad.net. 3600 IN A 194.242.2.2

You never have to guess when you can just do a quick lookup. I use dig on
Windows/Linux, but nslookup also works in a pinch. The dig utility shows cnames
and multiple A records, while nslookup has a cleaner/simpler output.

If your network toolbox gets rusted shut and you find that you only have access
to ping or traceroute, I guess they can also do the job, sort of.
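
Added example (not part of any post in this thread): the same DNS query message wrapped for plain DNS on port 53, DoT on port 853 and DoH on port 443, as described in the quoted explanation of transports, plus a decoder for the kind of CNAME + A answer that dig prints above. Assumptions: the function names are made up for this sketch, the /dns-query path is the one used in RFC 8484's own examples, and the response bytes are constructed here from the adblock.doh.mullvad.net records posted above rather than captured from a server.

```python
import base64
import ipaddress
import struct

TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}

def encode_name(name):
    """Hostname -> DNS labels (length byte + label), ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """RFC 1035 query; ID 0 as RFC 8484 suggests for DoH, RD flag set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def frame_for_transport(query, transport):
    """Same DNS message, three wrappers: returns (port, framed payload)."""
    if transport == "udp":    # plain DNS: the question is readable on the wire
        return 53, query
    if transport == "dot":    # RFC 7858: sent inside TLS with a 2-byte length prefix
        return 853, struct.pack("!H", len(query)) + query
    if transport == "doh":    # RFC 8484 GET: unpadded base64url, sent inside HTTPS
        b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
        return 443, "/dns-query?dns=" + b64
    raise ValueError("unknown transport: %r" % transport)

def read_name(msg, pos):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_answers(msg):
    """Return [(owner, ttl, type, value)] for the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qd):                        # skip the echoed question(s)
        pos = read_name(msg, pos)[1] + 4
    records = []
    for _ in range(an):
        owner, pos = read_name(msg, pos)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype in (1, 28):
            value = str(ipaddress.ip_address(msg[pos:pos + rdlen]))
        elif rtype == 5:
            value = read_name(msg, pos)[0]
        else:
            value = msg[pos:pos + rdlen].hex()
        records.append((owner, ttl, TYPES.get(rtype, str(rtype)), value))
        pos += rdlen
    return records

def addresses_for(name, records):
    """Follow CNAMEs from name; return (addresses, lowest TTL on the chain)."""
    name, ttls = name.rstrip(".").lower() + ".", []
    for _ in range(8):                         # bound the CNAME chain
        hits = [r for r in records if r[0].lower() == name]
        ttls += [r[1] for r in hits]
        cnames = [r[3] for r in hits if r[2] == "CNAME"]
        if not cnames:
            addrs = [r[3] for r in hits if r[2] in ("A", "AAAA")]
            return addrs, min(ttls, default=None)
        name = cnames[0].lower()
    raise ValueError("CNAME chain too long")

def constructed_response():
    """Constructed reply: the CNAME + A records posted above, with compression."""
    question = build_query("adblock.doh.mullvad.net")[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    suffix = 0xC000 | (12 + len(encode_name("adblock.doh")) - 1)  # -> mullvad.net
    cname = encode_name("adblock.dns")[:-1] + struct.pack("!H", suffix)
    rr1 = struct.pack("!HHHIH", 0xC00C, 5, 1, 1270, len(cname)) + cname
    target = 0xC000 | (12 + len(question) + 12)    # pointer to rr1's rdata
    rr2 = struct.pack("!HHHIH4s", target, 1, 1, 1270, 4, bytes([194, 242, 2, 3]))
    return header + question + rr1 + rr2

if __name__ == "__main__":
    print(frame_for_transport(build_query("dns.quad9.net"), "doh"))
    print(addresses_for("adblock.doh.mullvad.net", parse_answers(constructed_response())))
```

The lowest TTL on the chain is how long the looked-up address is stated to be valid, which is when an IP typed into the Windows DNS fields would be due for a re-check against the FQDN.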

Re: Private DNS

<us6uhu$3q8do$1@novabbs.org>

 by: Patrick - Tue, 5 Mar 2024 11:09 UTC

On Mon, 04 Mar 2024 23:36:50 -0600, Char Jackson wrote:
>> adblock.doh.mullvad.net
> adblock.doh.mullvad.net. 1270 IN CNAME adblock.dns.mullvad.net.
> adblock.dns.mullvad.net. 1270 IN A 194.242.2.3
>
>> dns.adguard.com
> dns.adguard.com. 3600 IN A 94.140.15.15
> dns.adguard.com. 3600 IN A 94.140.14.14
>
>> p2.freedns.controld.com
> p2.freedns.controld.com. 300 IN A 76.76.2.11
>
>> dns.Cleanbrowsing.com
> Address: 143.244.220.150 <--nslookup example
>
>> dns.quad9.net
> dns.quad9.net. 807 IN A 9.9.9.9
> dns.quad9.net. 807 IN A 149.112.112.112
>
>> doh.mullvad.net
> doh.mullvad.net. 3600 IN CNAME dns.mullvad.net.
> dns.mullvad.net. 3600 IN A 194.242.2.2
>
> You never have to guess when you can just do a quick lookup. I use dig on
> Windows/Linux, but nslookup also works in a pinch. The dig utility shows cnames
> and multiple A records, while nslookup has a cleaner/simpler output.
>
> If your network toolbox gets rusted shut and you find that you only have access
> to ping or traceroute, I guess they can also do the job, sort of.

Thanks for those dig and nslookup results. When I tried to reproduce them,
I found that nslookup but not dig was on my Windows 10 by default.

Looking up how to add dig to Windows showed there are two ways.
1. With the Chocolatey package manager (which installs the bind tool package)
2. By downloading & installing the bind tool package separately manually

Chocolatey + Bind
1. Win+R cmd [control+shift+enter]
2. powershell
3. Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
4. choco install -y bind-toolsonly

Bind
1. https://www.isc.org/download/
2. https://downloads.isc.org/isc/bind9/9.18.24/bind-9.18.24.tar.xz

Then I could run the nslookup & dig you suggested, for example.
C:\Windows\system32> nslookup adblock.doh.mullvad.net
C:\Windows\system32> dig A +short adblock.doh.mullvad.net
C:\Windows\system32> dig AAAA +short adblock.doh.mullvad.net
C:\Windows\system32> dig adblock.doh.mullvad.net A
C:\Windows\system32> dig A adblock.doh.mullvad.net @8.8.8.8
C:\Windows\system32> dig mx adblock.dns.mullvad.net
C:\Windows\system32> dig -x 194.242.2.3

I noticed, as you did, that dig completely failed on
dig dns.cleanbrowsing.com A
So, like you, I used nslookup instead but it also failed.
nslookup dns.cleanbrowsing.com 8.8.8.8
nslookup -debug -type=A+AAAA -nosearch -recurse dns.cleanbrowsing.com 8.8.8.8
So I'm not sure how you obtained that dns.cleanbrowsing.com IP address.
dig -x 143.244.220.150

Googling, I found these addresses from https://cleanbrowsing.org/filters
dns.cleanbrowsing.org. 684 IN A 185.228.168.168
dns.cleanbrowsing.org. 684 IN A 185.228.168.10
family-filter-dns.cleanbrowsing.org. 3348 IN A 185.228.168.168
adult-filter-dns.cleanbrowsing.org. 3017 IN A 185.228.168.10
security-filter-dns.cleanbrowsing.org. 3572 IN A 185.228.168.9

Here are some results which can be added into Windows & Android.
(Windows uses the IP address while Android uses the FQDN.)

dns.google. 618 IN A 8.8.4.4
dns.google. 618 IN A 8.8.8.8
dns.google. 67 IN AAAA 2001:4860:4860::8888
dns.google. 67 IN AAAA 2001:4860:4860::8844

1dot1dot1dot1.cloudflare-dns.com. 51 IN A 1.0.0.1
1dot1dot1dot1.cloudflare-dns.com. 51 IN A 1.1.1.1
1dot1dot1dot1.cloudflare-dns.com. 217 IN AAAA 2606:4700:4700::1111
1dot1dot1dot1.cloudflare-dns.com. 217 IN AAAA 2606:4700:4700::1001

adblock.doh.mullvad.net
adblock.doh.mullvad.net. 3057 IN CNAME adblock.dns.mullvad.net.
adblock.dns.mullvad.net. 42 IN A 194.242.2.3
adblock.dns.mullvad.net. 3057 IN AAAA 2a07:e340::3

dns.adguard.com. 3295 IN A 94.140.14.14
dns.adguard.com. 3295 IN A 94.140.15.15
dns.adguard.com. 1890 IN AAAA 2a10:50c0::ad1:ff
dns.adguard.com. 1890 IN AAAA 2a10:50c0::ad2:ff

dns.quad9.net. 143 IN A 149.112.112.112
dns.quad9.net. 143 IN A 9.9.9.9
dns.quad9.net. 197 IN AAAA 2620:fe::fe
dns.quad9.net. 197 IN AAAA 2620:fe::9

doh.mullvad.net. 398 IN CNAME dns.mullvad.net.
dns.mullvad.net. 398 IN A 194.242.2.2
doh.mullvad.net. 429 IN CNAME dns.mullvad.net.
dns.mullvad.net. 429 IN AAAA 2a07:e340::2

one.one.one.one. 241 IN A 1.1.1.1
one.one.one.one. 241 IN A 1.0.0.1
one.one.one.one. 41 IN AAAA 2606:4700:4700::1111
one.one.one.one. 41 IN AAAA 2606:4700:4700::1001

p2.freedns.controld.com. 300 IN A 76.76.2.11
p2.freedns.controld.com. 300 IN AAAA 2606:1a40::11

In looking up the cleanbrowsing issues, I found this debugger.
https://1.1.1.1/help
Interestingly I got a different answer on Firefox than on Chrome,
so I'll have to debug later how that can possibly be the case.

Re: Private DNS

<us71d6$3qdq1$1@novabbs.org>

 by: Patrick - Tue, 5 Mar 2024 11:58 UTC

On Mon, 4 Mar 2024 17:40:25 -0600, VanguardLH wrote:
>> Then I rebooted. And then I looked for the special GUI to show up.
>> It never showed up.
>
> I don't remember anything saying after the registry edit and reboot
> that you would get a new config wizard, or the old ones got modified.
> You do the reg hack, reboot, and then config the DNS settings to point
> at DoH-capable DNS servers; else, you'll still be using unencrypted DNS.

Thanks for explaining what happened, as I had wrongly assumed the registry
addition of adding a new 32-bit DWord of EnableAutoDoh set to 2 hex in
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
would have added the menus I can see in all the descriptions, but which
don't exist on my Windows 10 Pro [Version 10.0.19045.4046].

>> I'm on a normal Windows 10 release. Unfortunately, even after making the
>> registry change and rebooting, nothing changed (AFAICT) in the Windows GUI.
>
> Many, if not most, reg hacks have no effect on config or wizard screens.
> Nothing changes except underlying behavior.

The strange and confusing thing is all the web sites show us a menu for the
encrypted DNS that simply does not exist in my Windows no matter how I try.
https://winaero.com/how-to-enable-dns-over-https-in-windows-10/

1. Open the Settings app using Win + I
2. Navigate to Network & Internet > Status
3. Choose your network adapter & click on Properties
4. On the next page, click on the Edit button under DNS settings
5. Select Manual
6. Specify DNS servers that support DoH
7. Select Encrypted only (DNS over HTTPS) from the
Preferred DNS encryption drop-down menu for each of the servers
8. If you are using IPv6 DNS, repeat the previous step for them
9. Finally, click on the Save button
https://winaero.com/blog/wp-content/uploads/2021/06/Enable-DNS-over-HTTPS-in-Windows-10.png
10. To find that DoH actually works, scroll down the contents of
the network settings page. You should see "Encrypted" next
to the DNS address value on the Properties page.
https://winaero.com/blog/wp-content/uploads/2021/06/Verify-DNS-over-HTTPS-is-enabled-on-Windows-10.png

The problem is these are phantom menus that don't show up for me.
Do they show up for you?

>> I guess that means I need to put the IP address of the encrypted DNS server
>> into the forms in the same place we used to put the non-encrypted servers.
>
> Yep.

OK. That's what I'll do.

It's strange that there are four different ways to set up private DNS.
1. Android system (uses FQDN)
2. Windows system (uses IP address)
3. Android Firefox/Chrome (apparently uses IP address only?)
4. Windows Firefox/Chrome (apparently uses domain name only?)

Examples
Firefox/Chrome = Cloudflare
Windows = 1.1.1.1 or 1.0.0.1
Android = one.one.one.on

Firefox/Chrome = Quad9
Windows = 9.9.9.9 or 149.112.112.112
Android = one.one.one.on

Firefox/Chrome = Google
Windows = 8.8.8.8 or 8.8.4.4
Android = dns.google

Some of that could be wrong. But none of this is intuitive.
You can't guess either. It's strange stuff. It's not consistent.
Because if you think you know DNS, private DNS works differently.
And if you think you know one system, you don't know the other system.
Worse, the browsers (Chrome/Firefox) do it differently than the OS does.

>> This brings back the issue that I want to use the same encrypted DNS
>> servers on Windows that I use on Android but the input format is different.
>
> Yep. Different operating systems, different management for each. That
> Google requires a hostname (maybe since an article I cited showed an
> Android setup that entered IP addresses, so it could rely on which brand
> and model of smartphone you have) makes me suspicious that Google's DNS
> is still involved, like to get the IP addresses for the hostnames
> specified for private DNS. The only way to be sure is to monitor
> network traffic from your phone to a wi-fi capable router that has some
> enterprise-level logging of network traffic for you to analyze to where
> the phone is connecting.

I found a neat web site that tests results on any platform or browser.
https://1.1.1.1/help

And the winaero.com link above showed another way to test on Windows.
1. Open a command prompt as Administrator
2. Reset the network traffic filter: pktmon filter remove
3. Add a traffic filter for port 53: pktmon filter add -p 53
4. Start a real-time logging of traffic: pktmon start --etw -m real-time
5. All port 53 packets will be printed to the command line
6. If DoH works, you should not see traffic there
https://winaero.com/blog/wp-content/uploads/2021/06/DNS-over-HTTPS-Verify-Settings-3.png

>> Of course I can run a ping/tracert to find out the current IP address
>> of the DoT/DoH FQDN, but is that really the way that it's supposed to
>> be done for Windows?
>
> That's one way, but you'd still have to know to which DNS servers you
> want to connect. I usually search online for free/public DNS servers,
> find the features of each, and then go to the DNS providers to get
> *their* details on where to connect.

Here's the list I've been able to compile from exactly those sources.
(But any of this can be wrong as I'm just starting to learn about it.)

Firefox/Chrome name = Google
dns.google 8.8.4.4
dns.google 8.8.8.8
dns.google 2001:4860:4860::8888
dns.google 2001:4860:4860::8844

Firefox/Chrome name = Cloudflare
one.one.one.one 1.1.1.1
one.one.one.one 1.0.0.1
one.one.one.one 2606:4700:4700::1111
one.one.one.one 2606:4700:4700::1001

Firefox/Chrome name = Cloudflare
1dot1dot1dot1.cloudflare-dns.com 1.0.0.1
1dot1dot1dot1.cloudflare-dns.com 1.1.1.1
1dot1dot1dot1.cloudflare-dns.com 2606:4700:4700::1111
1dot1dot1dot1.cloudflare-dns.com 2606:4700:4700::1001

Firefox/Chrome name = Mullvad
adblock.dns.mullvad.net 194.242.2.3
adblock.dns.mullvad.net 2a07:e340::3
dns.mullvad.net 194.242.2.2
dns.mullvad.net 2a07:e340::2

Firefox/Chrome name = Adguard
dns.adguard.com 94.140.14.14
dns.adguard.com 94.140.15.15
dns.adguard.com 2a10:50c0::ad1:ff
dns.adguard.com 2a10:50c0::ad2:ff

Firefox/Chrome name = Quad9
dns.quad9.net 149.112.112.112
dns.quad9.net 9.9.9.9
dns.quad9.net 2620:fe::fe
dns.quad9.net 2620:fe::9

Firefox/Chrome name = Controld
p2.freedns.controld.com 76.76.2.11
p2.freedns.controld.com 2606:1a40::11

Firefox/Chrome name = Cleanbrowsing
dns.cleanbrowsing.org 185.228.168.168
dns.cleanbrowsing.org 185.228.168.10
family-filter-dns.cleanbrowsing.org 185.228.168.168
adult-filter-dns.cleanbrowsing.org 185.228.168.10
security-filter-dns.cleanbrowsing.org 185.228.168.9

Re: Private DNS

<us7b8g.lqo.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Tue, 5 Mar 2024 13:46 UTC

VanguardLH <V@nguard.lh> wrote:
[...]

> Yep. Different operating systems, different management for each. That
> Google requires a hostname (maybe since an article I cited showed an
> Android setup that entered IP addresses, so it could rely on which brand
> and model of smartphone you have) makes me suspicious that Google's DNS
> is still involved, like to get the IP addresses for the hostnames
> specified for private DNS. The only way to be sure is to monitor
> network traffic from your phone to a wi-fi capable router that has some
> enterprise-level logging of network traffic for you to analyze to where
> the phone is connecting.

As I wrote earlier [1] and gave the reason why, but you did not
respond to:

There's nothing to be "suspicious" about and it's not "Google's DNS is
still involved", but *your* (defined) DNS server.

[...]

[1] Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>

Re: Private DNS

<ejktu9w0bvwy$.dlg@v.nguard.lh>

 by: VanguardLH - Tue, 5 Mar 2024 14:09 UTC

Patrick <patrick@oleary.com> wrote:

> The strange and confusing thing is all the web sites show us a menu for the
> encrypted DNS that simply does not exist in my Windows no matter how I try.
> https://winaero.com/how-to-enable-dns-over-https-in-windows-10/

"Windows 10 Build 19628 was the first build to include the DoH support."

Although I just did a Windows Update a few days ago, and except for the
update to WinRE failing (because the Recovery partition isn't big enough
for the fatter WinRE image), I'm still on 19045.4123. According to:

https://learn.microsoft.com/en-us/windows/release-health/release-information

19045 belongs to 22H2, and, yep, that's where I am. According to:

https://betawiki.net/wiki/Windows_10_build_19628

that is an Insider fast-ring build available back in May 2020. I
mentioned another cited article was also showing an Insider build for
the encrypted DNS settings. Not everything that shows up in Insider
builds makes it to Released builds. So, at this point, I'm not sure the
registry hack is going to work on my *released* version of 22H2.

I don't need nor want DoH on anything other than my web traffic, and
Firefox has its own DoH setting (no matter what you configure in the OS,
Firefox will use the DoH server for which it is configured). Edge-C and
Chrome have encrypted DNS settings, too.

On Windows and Android, I don't keep any apps that puke ads in my face.
If they're ad-ridden, they're removed. I've had some Android apps that
shove out fullscreen ads that render the phone unusable until the ad is
closed. I consider those apps as malicious. In fact, because the app
authors deny responsibility for the fullscreen ads by claiming their app
uses Google's code (gee, it's not my code, so it's not my fault, uh
huh), they can't regulate what type of ad gets displayed. I disagree.
They can always fence content within an element in their app or within a
window. They're lazy, and they want their click-through revenue. Hell,
some apps you can't even get an ad-free version, because it is easier
for the author to get their ad revenue than bother with payments from
users. Same on Windows: ad-ridden apps get uninstalled, and then I do
the necessary remnant registry and file cleanup since most uninstalls
are dirty. I have yet to find an app so critical that I have to suffer
its ads.

Firefox, both desktop and mobile versions, let me install add-ons.
Chrome does not, so guess which web browser I use on my desktop and
Android phone? Yup, Firefox. I install the uBlock Origin add-on, tweak
it to my likes, and no more ads and other untoward crap.

Re: Private DNS

<j5ceijsdk73n.dlg@v.nguard.lh>

 by: VanguardLH - Tue, 5 Mar 2024 14:13 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
> [...]
>
>> Yep. Different operating systems, different management for each. That
>> Google requires a hostname (maybe since an article I cited showed an
>> Android setup that entered IP addresses, so it could rely on which brand
>> and model of smartphone you have) makes me suspicious that Google's DNS
>> is still involved, like to get the IP addresses for the hostnames
>> specified for private DNS. The only way to be sure is to monitor
>> network traffic from your phone to a wi-fi capable router that has some
>> enterprise-level logging of network traffic for you to analyze to where
>> the phone is connecting.
>
> As I wrote earlier [1] and gave the reason why, but you did not
> respond to:
>
> There's nothing to be "suspicious" about and it's not "Google's DNS is
> still involved", but *your* (defined) DNS server.
>
> [...]
>
> [1] Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>

Connection is by IP address. Humans like names. Computers demand
numbers. Somehow those hostnames specified for DoH servers have to get
converted to IP addresses to then have your client connect to the DoH
server. The purpose of DNS has not changed. You don't use hostnames to
connect to hosts. So, somehow the Android phone does convert the
hostnames you enter for private DNS servers to IP addresses. No matter
what you say, I will NEVER believe that DNS servers have become defunct,
because now hosts can connect to each other using just hostnames.

On an Android phone, what are the default DNS servers? Are they
assigned by the cellular carrier's DHCP server, or are they preset to
point at Google's DNS servers?

Re: Private DNS

<us7jbm.cc8.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Tue, 5 Mar 2024 16:05 UTC

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > VanguardLH <V@nguard.lh> wrote:
> > [...]
> >
> >> Yep. Different operating systems, different management for each. That
> >> Google requires a hostname (maybe since an article I cited showed an
> >> Android setup that entered IP addresses, so it could rely on which brand
> >> and model of smartphone you have) makes me suspicious that Google's DNS
> >> is still involved, like to get the IP addresses for the hostnames
> >> specified for private DNS. The only way to be sure is to monitor
> >> network traffic from your phone to a wi-fi capable router that has some
> >> enterprise-level logging of network traffic for you to analyze to where
> >> the phone is connecting.
> >
> > As I wrote earlier [1] and gave the reason why, but you did not
> > respond to:
> >
> > There's nothing to be "suspicious" about and it's not "Google's DNS is
> > still involved", but *your* (defined) DNS server.
> >
> > [...]
> >
> > [1] Message-ID: <us4t09.e4k.1@ID-201911.user.individual.net>
>
> Connection is by IP address. Humans like names. Computers demand
> numbers. Somehow those hostnames specified for DoH servers have to get
> converted to IP addresses to then have your client connect to the DoH
> server. The purpose of DNS has not changed. You don't use hostnames to
> connect to hosts. So, somehow the Android phone does convert the
> hostnames you enter for private DNS servers to IP addresses. No matter
> what you say, I will NEVER believe that DNS servers have become defunct,
> because now hosts can connect to each other using just hostnames.

Sigh! :-(

Please spare me/us pompous lectures and insinuations like this! If you
had bothered to read - and understand - my earlier post, it would be
blatantly clear that your lecture/insinuation is uncalled for.

> On an Android phone, what are the default DNS servers? Are they
> assigned by the cellular carrier's DHCP server, or are they preset to
> point at Google's DNS servers?

If on mobile data, your cellular carrier's DNS server will be used
(unless you/they changed it for some reason). If on Wi-Fi, your ISP's
DNS server will be used (unless you/they changed it for some reason).
There's no reason for Google's DNS servers to get involved.

See my earlier post about the switch from 'Private DNS provider
hostname' back to Automatic or Off.

Re: Private DNS

<1et9hz8smmzej.dlg@v.nguard.lh>

 by: VanguardLH - Tue, 5 Mar 2024 17:22 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
>> Connection is by IP address. Humans like names. Computers demand
>> numbers. Somehow those hostnames specified for DoH servers have to get
>> converted to IP addresses to then have your client connect to the DoH
>> server. The purpose of DNS has not changed. You don't use hostnames to
>> connect to hosts. So, somehow the Android phone does convert the
>> hostnames you enter for private DNS servers to IP addresses. No matter
>> what you say, I will NEVER believe that DNS servers have become defunct,
>> because now hosts can connect to each other using just hostnames.
>
> Sigh! :-(
>
> Please spare me/us pompous lectures and insinuations like this! If you
> had bothered to read - and understand - my earlier post, it would be
> blatantly clear that your lecture/insinuation is uncalled for.

I ask for clarification, and you resort to reciting your "I think the
default DNS server is still known/configured, because ..." response.

"I think" is not "I know". I can make guesses, too. So, neither of us
know for sure. Spare us the "I think" response as a definitive answer.

You agreed with my *guess* the default DNS server still gets used to get
the IP address of the DoH server, but my proposal was just a guess. I
was hoping for better proof my guess was correct. Then you say that a
preset Google DNS server is not used for fallback or the default, "but
*your* (defined) DNS server." Well, I never configured a DNS server in
Android. I don't know for sure the default DNS server would be assigned
from whomever's upstream DHCP server figuring there was a possibility
the default DNS server could be preset in an OS by Google, so I asked
the following.

>> On an Android phone, what are the default DNS servers? Are they
>> assigned by the cellular carrier's DHCP server, or are they preset to
>> point at Google's DNS servers?
>
> If on mobile data, your cellular carrier's DNS server will be used
> (unless you/they changed it for some reason). If on Wi-Fi, your ISP's
> DNS server will be used (unless you/they changed it for some reason).
> There's no reason for Google's DNS servers to get involved.

According to you, my guess (on a prior guess) was wrong of what a Google
OS on my phone uses for the default DNS server. Instead of a preset
default DNS server (Google), I get whatever my cellular carrier's DHCP
server gives to my phone as the DNS server, or to whoever my wi-fi
router (*) points which was assigned by its upstream (my ISP) DHCP
server.

(*) Its pass-through service pushes DNS requests to the upstream DNS
server. In an old cable modem, I could configure WAN-side settings,
like DNS server. In the new cable modem, its config has been dumbed
down, so no way to specify a DNS override. My router gets the DNS
server from my ISP's DHCP server, and no option to specify
otherwise. I'm stuck with my ISP's DNS server as assigned to my
router (which my router's DHCP server passes to the workstation
clients that don't specify an override DNS server).

It's stupid that Android has to fall back to the default server (obtained
by the upstream DHCP server) to get the IP addresses for the DoH servers
specified in the private DNS setting. Yeah, use a DNS server to look up
a DNS server. Windows has you specify the IP address of whatever DNS
server you want to use. Isn't Linux the same way? Even Apple has you
specify an IP address for the DNS server. But, noooo, Google has to do
it differently.

Can I see what my phone is using for a DNS server? I've dug through the
Android settings, but haven't found where the DNS server it was assigned
is specified. Some online articles mention long-tapping the current
wi-fi connection to choose Modify network which lets you change the DNS
servers. That's for wi-fi connections, not for cellular data
connections. DNS settings are missing for me, so must be for Android
versions later than 8 on my phone, or for customized Android versions on
phones other than my old LG V20. Could be my Android version is too
old, or LG dumbed down its feature set. Guess I need a DNS app to show
me my phone's current DNS setup.

Ping Vanguard Re: Private DNS

<q5reuidkjsj85ad4l848hff3jagevp5ikf@4ax.com>

 by: jetjock - Tue, 5 Mar 2024 19:18 UTC

On Sun, 3 Mar 2024 05:08:29 -0600, VanguardLH <V@nguard.LH> wrote:

>Patrick <patrick@oleary.com> wrote:
>
>> Does Windows have a native private DNS setting like Android does?
>
>Run ncpa.cpl.
>Right-click on your network connection, and select Properties.
>Select "Internet Protocol Version 4", and click Properties.
>In the General tab, you can define 2 DNS servers (primary & secondary).
>Click on Advanced, DNS tab, and you can define several for fallback.
>
>In order, I have the following DNS servers defined for IPv4:
>- 1.1.1.1 (Cloudflare)
>- 208.67.222.222 (OpenDNS)
>- 8.8.8.8 (Google)
>- 10.0.0.1 (my router's DNS which merely passes to the upstream DNS)

First of all let me start by saying I am using Win 7 Ultimate, not Win
10 and that may be the problem, but I doubt it.

I followed the steps above and changed my DNS to the Cloudflare and
OpenDNS settings. I put them in the "Advanced, DNS" tab that has
"Append primary and connection specific DNS suffixes, with a check
mark in Append parent suffixes of the primary DNS suffix". After doing
so, I started getting many, many ads in my Facebook Feeds page that I
never saw before. When I switched back to Obtain DNS Automatically,
all the ads disappear. I thought the above DNS settings were supposed
to block ads, not encourage them! Did I do something wrong?

I only set the IPv4 properties as it doesn't appear my router uses
IPv6.
>
>My router gets its WAN-side IP address from my ISP's DHCP server which
>also tells my router my ISP's DNS server, so pointing to my router
>merely has, if used, my ISP's DNS server get used. However, there is
>some caching in my router, so DNS lookups are a bit quicker on cached
>entries.
>
>Back in the Ethernet Properties dialog, select "Internet Protocol
>Version 6", and click Properties.
>
>In order, I have the following DNS servers defined for IPv6:
>2606:4700:4700::1111 (Cloudflare)
>2620:119:35::35 (OpenDNS)
>2001:4860:4860:8888 (Google)
>
>My router doesn't support IPv6 for its internal pass-through DNS server.
>
>In most setups, the router and intranet hosts are configured for
>automatic DNS config which means they get the DNS server from the
>upstream DHCP server. For the intranet hosts, that's your router's DNS
>server. For the router, that's your ISP's DNS server. You can choose
>to use other DNS servers. While better in the past few years, my ISP
>had the nasty habit of DNS failures about twice per year on average
>which would last 1 to 3 days. That was unacceptable, and when I looked
>into me deciding which DNS servers to use.
>
>Windows has had the ability to let users select which DNS server(s) they
>want to use since Windows 3.1 (c.1992).
>
>Without rooting, Android allowed users to specify their choice of DNS
>server since Android 9 (c.2018).
>
>I don't know why the Chromium folks or Google thought "private" was a
>proper name for a setting to let users define which DNS server to use.
>DNS requests are hardly private. They are sent unencrypted. Anyone,
>including your ISP or cell carrier can see for what domains the DNS
>lookup was requested. Firefox added DoH (DNS Over HTTPS) to encrypt the
>DNS requests to prevent spying on where you wanted to go (except, of
>course, by the DNS provider themself).
>
>https://en.wikipedia.org/wiki/DNS_over_HTTPS
>
>So does Microsoft Edge-C (I don't know about the old Edge, and
>definitely not Internet Explorer). Instead of DoH, Microsoft hides it
>under the name "Secure DNS", because that is also the same setting name
>used by Google in Chrome.
>
>You can specify your choice of DNS server(s) in the IPv4/IPv6 settings
>mentioned above, and your choice might even include DNS servers that
>filter out phish and malware sites, and block spam sources, but they are
>still using plain DNS requests that anyone can intercept. Windows can
>support DoH, but it is not enabled by default. You have to enable DoH
>using a policy, or a registry edit (since all policies are registry
>entries). See:
>
>https://blog.netwrix.com/2022/10/11/dns-over-https/

>>>>>>>>>>jetjock<<<<<<<<<<

Re: Private DNS

<us81hg.ges.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Tue, 5 Mar 2024 20:06 UTC

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > VanguardLH <V@nguard.lh> wrote:
> >
> >> Connection is by IP address. Humans like names. Computers demand
> >> numbers. Somehow those hostnames specified for DoH servers have to get
> >> converted to IP addresses to then have your client connect to the DoH
> >> server. The purpose of DNS has not changed. You don't use hostnames to
> >> connect to hosts. So, somehow the Android phone does convert the
> >> hostnames you enter for private DNS servers to IP addresses. No matter
> >> what you say, I will NEVER believe that DNS servers have become defunct,
> >> because now hosts can connect to each other using just hostnames.
> >
> > Sigh! :-(
> >
> > Please spare me/us pompous lectures and insinuations like this! If you
> > had bothered to read - and understand - my earlier post, it would be
> > blatantly clear that your lecture/insinuation is uncalled for.
>
> I ask for clarification, and you resort to reciting your "I think the
> default DNS server is still known/configured, because ..." response.

Nope, you don't "ask for clarification", you give an unneeded lecture
on (the need for) DNS in *general* (i.e. *not* about Android's Private
DNS).

> "I think" is not "I know". I can make guesses, too. So, neither of us
> know for sure. Spare us the "I think" response as a definitive answer.

I see you 'conveniently' snipped the part after "because". Why? Because
you couldn't fault my explanation?

[...]

> It's stupid that Android has to fall back to the default server (obtained
> by the upstream DHCP server) to get the IP addresses for the DoH servers
> specified in the private DNS setting. Yeah, use a DNS server to look up
> a DNS server.

How else could it find the IP address for the specified FQDN of the
Private DNS provider? *You* gave a lecture about computers needing
numbers, not names, and now Android is stupid?

> Windows has you specify the IP address of whatever DNS
> server you want to use. Isn't Linux the same way? Even Apple has you
> specify an IP address for the DNS server. But, noooo, Google has to do
> it differently.

Oh sorry, I forgot it was Bash Google For Any Odd Reason week.

You recently told 'someone' that different OSs work differently, but
now you expect Android and Windows to work the same!?

Anyway, it has been noted, why a FQDN for the Private DNS provider is
more flexible (and more user-friendly).

> Can I see what my phone is using for a DNS server? I've dug through the
> Android settings, but haven't found where the DNS server it was assigned
> is specified. Some online articles mention long-tapping the current
> wi-fi connection to choose Modify network which lets you change the DNS
> servers. That's for wi-fi connections, not for cellular data
> connections. DNS settings are missing for me, so must be for Android
> versions later than 8 on my phone, or for customized Android versions on
> phones other than my old LG V20. Could be my Android version is too
> old, or LG dumbed down its feature set. Guess I need a DNS app to show
> me my phone's current DNS setup.

Yes, you probably need an app to see which DNS server is used/
configured. I have a 'Phone Information' app which gives more network
details, but for this it only gives the Gateway, not the DNS server(s).

Re: Private DNS

<1r0ld6clnjy9t.dlg@v.nguard.lh>

 by: VanguardLH - Tue, 5 Mar 2024 21:02 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
>> "I think" is not "I know". I can make guesses, too. So, neither of us
>> know for sure. Spare us the "I think" response as a definitive answer.
>
> I see you 'conveniently' snipped the part after "because". Why? Because
> you couldn't fault my explanation?

The "because" is based on the presumption both you and I made and agreed
upon. Since the default DNS is obtained by the upstream DHCP server, it
doesn't have to be remembered. The client gets the DNS server from the
DHCP server again.

I understand the Auto mode: if DoH server cannot be found or reached,
fall back to default DNS server (which is got from the DHCP server). The
DHCP server doesn't just assign your device an IP address. It also
specifies a DNS server.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-top#:~:text=Dynamic%20Host%20Configuration%20Protocol%20(DHCP)%20is%20a%20client%2Fserver,subnet%20mask%20and%20default%20gateway.

A DHCP-enabled client, upon accepting a lease offer, receives:

- A valid IP address for the subnet to which it is connecting.

- Requested DHCP options, which are additional parameters that a DHCP
server is configured to assign to clients. Some examples of DHCP
options are Router (default gateway), DNS Servers, and DNS Domain
Name.

I learned a long time ago when working with my ISP's 3rd-tier support on
configuring the WAN-side settings of the cable modem that it got its DNS
server (to which the modem's own DNS server merely passes upstream the
DNS requests to the ISP's DNS server) from my ISP's DHCP server. Your
workstation gets its IP address and DNS server from the DHCP server in
the cable modem/router (unless you don't use dynamic DHCP configuration
and instead specify static settings).

No need to remember what DNS server a DHCP server told you to use
before, in order to revert back to it. Just ask the upstream DHCP
server what DNS server to use now (option 6 in the following article).
What you had before, if kept recorded for reuse, might not be usable or
reachable now.

https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3942_l3-ip-svcs_cg/content/483572290.htm

>> Windows has you specify the IP address of whatever DNS server you
>> want to use. Isn't Linux the same way? Even Apple has you specify
>> an IP address for the DNS server. But, noooo, Google has to do it
>> differently.
>
> Oh sorry, I forgot it was Bash Google For Any Odd Reason week.

No, it's your guess was the same as mine, and then you professed an
operation on that guess. My bet is on querying the upstream DHCP server
to find out what DNS server to use when not specifying an override.

If Android is remembering the old DNS server setting when reverting from
the private DNS server, it would be using a staid DNS setting. The old
DNS server might be temporarily remembered for auto-DNS switching to
work, but Android should not be relying indefinitely on the old setting.

> You recently told 'someone' that different OSs work differently, but
> now you expect Android and Windows to work the same!?

Not what *I* said.

Patrick: This brings back the issue that I want to use the same
encrypted DNS servers on Windows that I use on Android but the
input format is different.

Me: Yep. Different operating systems, different management for
each.

> Anyway, it has been noted, why a FQDN for the Private DNS provider is
> more flexible (and more user-friendly).

Only because humans like names while computers want numbers. I don't
see entering a FQDN for a DNS server to be more flexible. It mandates
another DNS server must be employed to get the IP address of the
specified DNS server.

> Yes [to see DNS the phone is currently using], you probably need an
> app to see which DNS server is used/ configured. I have a 'Phone
> Information' app which gives more network details, but for this it
> only gives the Gateway, not the DNS server(s).

An app is also how I figured was needed to see the current network
config on the phone. I'll have to dig about the Play Store to see which
apps report the network config, and avoid those that try to change it,
like the DNS Changer apps.
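
The DHCP behaviour discussed in the post above (a lease carries the router, the DNS servers and the domain name, with the DNS server list in option 6), as an added example that is not part of the thread: a parser for a DHCP reply, run on a constructed DHCPACK. The addresses, the `home.example` domain, the `dns_via_router` field and all function names are made up for illustration.

```python
"""Parse a DHCP reply and list the network settings it hands to the client
(packet layout per RFC 2131, option codes per RFC 2132).
Option 52 (options overloaded into the sname/file fields) is not handled."""
import ipaddress
import struct

FIXED_HEADER_LEN = 236                      # op .. file, before the options
MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 0, 3, 6, 15
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 51, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def iter_options(data):
    """Yield (code, value) per option; Pad has no length byte, End stops."""
    i = 0
    while i < len(data):
        code = data[i]
        i += 1
        if code == OPT_PAD:
            continue
        if code == OPT_END:
            return
        if i >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i]
        i += 1
        if i + length > len(data):
            raise ValueError(f"option {code}: value runs past end of packet")
        yield code, data[i:i + length]
        i += length


def ipv4_list(code, value):
    """Decode an option whose value is one or more 4-byte IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError(f"option {code}: bad address list length {len(value)}")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]


def parse_dhcp_reply(packet):
    """Return the address, routers, DNS servers and domain a reply assigns."""
    if len(packet) < FIXED_HEADER_LEN + len(MAGIC_COOKIE):
        raise ValueError("packet is shorter than a DHCP header")
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("DHCP magic cookie not found")
    info = {"your_ip": str(ipaddress.IPv4Address(packet[16:20])),  # yiaddr
            "message_type": None, "lease_seconds": None,
            "routers": [], "dns_servers": [], "domain_name": None}
    for code, value in iter_options(packet[FIXED_HEADER_LEN + 4:]):
        if code == OPT_MSG_TYPE and len(value) == 1:
            info["message_type"] = MSG_TYPES.get(value[0], f"type {value[0]}")
        elif code == OPT_LEASE_TIME and len(value) == 4:
            info["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code == OPT_ROUTER:
            info["routers"] = ipv4_list(code, value)
        elif code == OPT_DNS:            # option 6: the resolver list
            info["dns_servers"] = ipv4_list(code, value)
        elif code == OPT_DOMAIN:
            info["domain_name"] = value.rstrip(b"\x00").decode("ascii", "replace")
    # True when the lease points clients at the router itself for DNS,
    # i.e. the router forwards queries to whatever it was given upstream.
    info["dns_via_router"] = any(d in info["routers"] for d in info["dns_servers"])
    return info


def build_reply(options, your_ip="192.168.1.23"):
    """Wrap raw option bytes in a constructed BOOTREPLY header (test data)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                    # op, htype, hlen, hops
        0x1234ABCD, 0, 0,                              # xid, secs, flags
        bytes(4),                                      # ciaddr
        ipaddress.IPv4Address(your_ip).packed,         # yiaddr
        ipaddress.IPv4Address("192.168.1.1").packed,   # siaddr
        bytes(4),                                      # giaddr
        bytes.fromhex("020000000001"), b"", b"")       # chaddr, sname, file
    return header + MAGIC_COOKIE + options


def sample_ack_options():
    """Constructed DHCPACK options: router also listed as first DNS server."""
    router = ipaddress.IPv4Address("192.168.1.1").packed
    upstream = ipaddress.IPv4Address("203.0.113.53").packed
    domain = b"home.example"
    return (bytes([OPT_MSG_TYPE, 1, 5])
            + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", 86400)
            + bytes([OPT_ROUTER, 4]) + router
            + bytes([OPT_DNS, 8]) + router + upstream
            + bytes([OPT_DOMAIN, len(domain)]) + domain
            + bytes([OPT_PAD, OPT_END]))


if __name__ == "__main__":
    for key, val in parse_dhcp_reply(build_reply(sample_ack_options())).items():
        print(f"{key:15} {val}")
```
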

Re: Private DNS

<us8quq$3tm3d$1@novabbs.org>

 by: Patrick - Wed, 6 Mar 2024 04:20 UTC

On 5 Mar 2024 20:06:59 GMT, Frank Slootweg wrote:
> it has been noted, why a FQDN for the Private DNS provider is
> more flexible (and more user-friendly).

I agree a FQDN is definitely more user friendly so that makes sense.

How Android gets the IP address is unknown to me, but what is known to me
makes it seem probable that Android gets the IP address for the Private DNS
FQDN the same way it gets the IP address when you're not using Private DNS.

On Android, when I long press on the settings for any given Wi-Fi
connection, it tells me what DNS server is being normally queried.
<https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>

Of course, if Private DNS is set, I suspect those two Wi-Fi DNS servers are
ignored, which I guess we could test if I knew how to use these two sites.
https://1.1.1.1/help
http://test.nextdns.io/

While it's obvious what DNS server is normally used (if Private DNS isn't
set) for Wi-Fi, I don't know where the DNS server is set for cellular data.
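An added example, not part of the post above and not Android's own code: a small DNS-over-TLS (RFC 7858) client in Python. It shows the sequence the thread is guessing at: the provider's hostname is first looked up with the ordinary resolver, then a TLS session to port 853 is validated against that hostname before any query is sent. That Android follows these same steps is an assumption; all function names and the sample response are constructed for illustration.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS (RFC 7858)


def build_query(name, txid, qtype=1):
    """One-question query (A by default) with the 2-byte length prefix
    that DoT inherits from DNS over TCP."""
    labels = name.rstrip(".").split(".")
    if any(not 0 < len(label) < 64 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg, txid):
    """IPv4 addresses from a response whose length prefix is already removed."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def sample_response(txid):
    """CONSTRUCTED reply to a 'dns.google' A query; not captured traffic."""
    question = build_query("dns.google", txid)[14:]  # drop prefix + header
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ("8.8.8.8", "8.8.4.4"))
    return header + question + answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_lookup(provider, name, timeout=5.0):
    """Return (bootstrap_ip, answers) for `name` asked over DoT at `provider`."""
    # Step 1: the provider's own hostname goes through this machine's ordinary
    # resolver, the role the thread assigns to the DHCP or static DNS 1/DNS 2.
    ip = socket.getaddrinfo(provider, DOT_PORT, type=socket.SOCK_STREAM)[0][4][0]
    # Step 2: TLS to that IP, with the certificate checked against the HOSTNAME.
    # A forged bootstrap answer ends in a handshake error unless the impostor
    # holds a valid certificate for that name.
    ctx = ssl.create_default_context()
    txid = secrets.randbits(16)
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=provider) as tls:
            tls.sendall(build_query(name, txid))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return ip, parse_a_records(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    import sys
    print(parse_a_records(sample_response(0x1234), 0x1234))  # offline, constructed
    if len(sys.argv) == 3:  # live: python dot.py <provider-hostname> <name>
        print(dot_lookup(sys.argv[1], sys.argv[2]))
```

Run with two arguments (provider hostname, name to look up) it performs a live query; the first element of the result is the address the plain-DNS bootstrap step returned for the provider.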

Re: Private DNS

<us9t3d.10ls.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Wed, 6 Mar 2024 13:03 UTC

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > VanguardLH <V@nguard.lh> wrote:
> >
> >> "I think" is not "I know". I can make guesses, too. So, neither of us
> >> know for sure. Spare us the "I think" response as a definitive answer.
> >
> > I see you conveniently snipped the part after "because". Why? Because
> > you couldn't fault my explanation?
>
> The "because" is based on the presumption both you and I made and agreed
> upon. Since the default DNS is obtained by the upstream DHCP server, it
> doesn't have to be remembered. The client gets the DNS server from the
> DHCP server again.
>
> I understand the Auto mode: if DoH server cannot be found or reached,
> fallback to default DNS server (which is got from the DHCP server). The
> DHCP server doesn't just assign your device an IP address. It also
> specifies a DNS server.

That assumes that DHCP is used, which is indeed (very) common, but not
necessarily the case, as one can configure 'Static' in Android's IP
settings.

In the Static case Android has to know/remember the DNS server
address.

[Much more of the same deleted.]

> https://techhub.hpe.com/eginfolib/networking/docs/switches/5130ei/5200-3942_l3-ip-svcs_cg/content/483572290.htm
>
> >> Windows has you specify the IP address of whatever DNS server you
> >> want to use. Isn't Linux the same way? Even Apple has you specify
> >> an IP address for the DNS server. But, noooo, Google has to do it
> >> differently.
> >
> > Oh sorry, I forgot it was Bash Google For Any Odd Reason week.
[Repeat deleted.]
> > You recently told someone that different OSs work differently, but
> > now you expect Android and Windows to work the same!?
>
> Not what *I* said.
>
> Patrick: This brings back the issue that I want to use the same
> encrypted DNS servers on Windows that I use on Android but the
> input format is different.
>
> Me: Yep. Different operating systems, different management for
> each.

Yes, that's what I mean(t). 'Patrick' expects Windows and Android to
work (in this case in configuring) the same, but you countered that. But
now you complain "But, noooo, Google has to do it differently."

But nevermind, it's not important (except for the gratuitous Google
bashing).

> > Anyway, it has been noted, why a FQDN for the Private DNS provider is
> > more flexible (and more user-friendly).
>
> Only because humans like names while computers want numbers. I don't
> see entering a FQDN for a DNS server to be more flexible. It mandates
> another DNS server must be employed to get the IP address of the
> specified DNS server.

No, someone else mentioned the flexibility of falling back to other
servers, different IPs, etc. It's somewhere in this thread or in the
'sister' thread in comp.mobile.android.

> > Yes [to see DNS the phone is currently using], you probably need an
> > app to see which DNS server is used/configured. I have a 'Phone
> > Information' app which gives more network details, but for this it
> > only gives the Gateway, not the DNS server(s).
>
> An app is also how I figured was needed to see the current network
> config on the phone. I'll have to dig about the Play Store to see which
> apps report the network config, and avoid those that try to change it,
> like the DNS Changer apps.

Yes, that would give more clarity on what is happening. I.e. proof
instead of - well-reasoned - theory.

[Newsflash:]

'Patrick' has posted a screenshot of his Wi-Fi connection, which shows
'DNS 2' set to 8.8.4.4, which is dns.google

So it seems that you were right that Android uses Google's DNS
servers, albeit for DNS 2, not DNS 1 (which in Patrick's case is set to
192.168.1.1 (which is also his Gateway), i.e. his ISP's DNS server).

Re: Private DNS

<us9sef.10ls.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Wed, 6 Mar 2024 13:03 UTC

Patrick <patrick@oleary.com> wrote:
> On 5 Mar 2024 20:06:59 GMT, Frank Slootweg wrote:
> > it has been noted, why a FQDN for the Private DNS provider is
> > more flexible (and more user-friendly).
>
> I agree a FQDN is definitely more user friendly so that makes sense.
>
> How Android gets the IP address is unknown to me, but what is known to me
> makes it seem probable that Android gets the IP address for the Private DNS
> FQDN the same way it gets the IP address when you're not using Private DNS.
>
> On Android, when I long press on the settings for any given Wi-Fi
> connection, it tells me what DNS server is being normally queried.
> <https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>

Sadly that long press does not work on my (Samsung A51 Android 13)
phone. Do you long press the connection which is actually connected at
the moment or one of the other 'Available networks'?

Anyway, unless you or something have changed something, it seems
VanguardLH is right, because your screenshot shows 'DNS 2' as 8.8.4.4,
which is indeed dns.google.

> Of course, if Private DNS is set, I suspect those two Wi-Fi DNS servers are
> ignored, which I guess we could test if I knew how to use these two sites.
> https://1.1.1.1/help
> http://test.nextdns.io/
>
> While it's obvious what DNS server is normally used (if Private DNS isn't
> set) for Wi-Fi, I don't know where the DNS server is set for cellular data.

Re: Private DNS

<usagn2.bok.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Wed, 6 Mar 2024 18:39 UTC

Earlier today, I wrote:
> VanguardLH <V@nguard.lh> wrote:
> > Frank Slootweg <this@ddress.is.invalid> wrote:
> >
> > > VanguardLH <V@nguard.lh> wrote:
> > >
> > >> "I think" is not "I know". I can make guesses, too. So, neither of us
> > >> know for sure. Spare us the "I think" response as a definitive answer.
> > >
> > > I see you conveniently snipped the part after "because". Why? Because
> > > you couldn't fault my explanation?
> >
> > The "because" is based on the presumption both you and I made and agreed
> > upon. Since the default DNS is obtained by the upstream DHCP server, it
> > doesn't have to be remembered. The client gets the DNS server from the
> > DHCP server again.
> >
> > I understand the Auto mode: if DoH server cannot be found or reached,
> > fallback to default DNS server (which is got from the DHCP server). The
> > DHCP server doesn't just assign your device an IP address. It also
> > specifies a DNS server.
>
> That assumes that DHCP is used, which is indeed (very) common, but not
> necessarily the case, as one can configure 'Static' in Android's IP
> settings.
>
> In the Static case Android has to know/remember the DNS server
> address.

[Fast forward:]

> [Newsflash:]
>
> 'Patrick' has posted a screenshot of his Wi-Fi connection, which shows
> 'DNS 2' set to 8.8.4.4, which is dns.google
>
> So it seems that you were right that Android uses Google's DNS
> servers, albeit for DNS 2, not DNS 1 (which in Patrick's case is set to
> 192.168.1.1 (which is also his Gateway), i.e. his ISP's DNS server).

While fiddling with my phone, I happened to see that if you set 'IP
settings' to 'Static' (instead of 'DHCP'), it *does* show the DNS
settings and DNS 1 defaults to 8.8.8.8 and DNS 2 defaults to 8.8.4.4,
i.e. both dns.google.

So the behaviour is different for Windows, which uses my ISP's DNS
servers, and Android, which defaults to Google DNS servers.

Of course you can change the Android IP addresses for DNS 1 and DNS 2,
but if you switch back from Static to DHCP and then again to Static, DNS
1 and DNS 2 are back to the Google IPs, so the manual change is
forgotten.

Conclusion: So Android indeed seems to prefer Google's DNS servers,
but for a normal DHCP connection only as DNS 2, *not* DNS 1.

HTH (us all).

Re: Private DNS

<1kp6c6gmakl0$.dlg@v.nguard.lh>

 by: VanguardLH - Wed, 6 Mar 2024 22:31 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> That assumes that DHCP is used, which is indeed (very) common, but not
> necessarily the case, as one can configure 'Static' in Android's IP
> settings.
>
> In the Static case Android has to know/remember the DNS server
> address.

Interesting. I didn't know you could modify the base network settings
without rooting the phone. When the private DNS setting showed up,
users could change which DNS server they used. Before that setting
appeared, there was yet another setting that let users specify a DNS
server other than the one assigned by DHCP?

> But nevermind, it's not important (except for the gratuitous Google
> bashing).

I've never felt the need for uber-privacy, but I do dislike additional
load times for web pages to retrieve ads and other content from 3rd
party sources. For example, Microsoft Outlook.com webmail client has
become excruciatingly slow due to a ton of retrieves from
cdn.microsoft.com for CSS, scripts, and whatnot. Takes about 1.5
minutes before the gear icon gets painted and I can click on it, since I
don't use their webmail client other than to define server-side rules.
If you use the web cache in your web browser, their webclient will paint
much more quickly on a revisit. However, I configure Firefox to purge
all locally cached data, so every visit to outlook.com is a first one.

In exchange for tracking, logistics, and marketing data, Google provides
a hell of a lot of services for free. Then the freeloaders whine when
they realize that they are being used to sell the collected data. For
those that are paranoid about Google, Microsoft, and every other
marketing company collecting statistics on users, they should not read:

"How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin"
https://www.wired.com/story/how-pentagon-learned-targeted-ads-to-find-targets-and-vladimir-putin/

Interesting would be to see how many freeloaders would pay for Google
Maps, Google Voice, Gmail, Google Drive, Google Chrome, and all the
other free services Google provides. Google is a business, not your
parents to leech off. They need to make money, too, to stay in
business. Freeloaders, after using free services for a long time, get
way to acting entitled.

Re: Private DNS

<usbm1k$4abr$1@novabbs.org>

 by: Patrick - Thu, 7 Mar 2024 06:15 UTC

On 6 Mar 2024 13:03:33 GMT, Frank Slootweg wrote:
>> On Android, when I long press on the settings for any given Wi-Fi
>> connection, it tells me what DNS server is being normally queried.
>> <https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>
>
> Sadly that long press does not work on my (Samsung A51 Android 13)
> phone. Do you long press the connection which is actually connected at
> the moment or one of the other 'Available networks'?
> Anyway, unless you or something have changed something, it seems
> VanguardLH is right, because your screenshot shows 'DNS 2' as 8.8.4.4,
> which is indeed dns.google.

Actually, the 8.8.4.4 is grayed out.
As far as I can tell, it's not being used.
I think it's a suggestion that the Android 13 operating system gives you.
But maybe not. I don't know. I changed 8.8.8.8 to 192.168.1.1 long ago.

I have a static connection set up for each Android phone in the house.
When you set up a static connection, 8.8.8.8 & 8.8.4.4 are suggested.

I replaced the 8.8.8.8 with 192.168.1.1 but I didn't bother changing that
second slot because if the router isn't working, neither will the Wi-Fi.

The presumption is that is the DNS server which is looking up the Private
DNS hostname to get the IP address when you're on a Wi-Fi connection.

I have to assume when we're on cellular data, that the DNS lookup is
whatever the carrier has it set to. I don't know how to find that data.

Re: Private DNS

<usbmg7$kee$1@neodome.net>

 by: Charlie - Thu, 7 Mar 2024 06:23 UTC

On this Wed, 6 Mar 2024 16:31:11 -0600, VanguardLH wrote:

> Interesting would be to see how many freeloaders would pay for Google
> Maps, Google Voice, Gmail, Google Drive, Google Chrome, and all the
> other free services Google provides. Google is a business, not your
> parents to leech off. They need to make money, too

I think there are the vast majority of people who never heard of all these
ad blocking methods (netguard, adaway, privatedns, etc) who will always
take the easiest way out which is the way that Google sets it up for them.

It's probably why Google will default to DNS1 and DNS2 being dns.google
domain name servers, which most people who set up a static IP might take.

It's only one out of a few thousand people who knows enough to do the
settings modifications discussed here.

If that's true, then Google won't even notice the impact on their bottom
line from the few who are discussing it here blocking advertisements.

Re: Private DNS

<usbpf3$23tle$1@paganini.bofh.team>

 by: Indira - Thu, 7 Mar 2024 07:13 UTC

VanguardLH wrote:

> Different operating systems, different management

Google publishes these instructions with a section for every OS.
https://developers.google.com/speed/public-dns/docs/using

That link refers to this blog about Android DNS over TLS encryption.
https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

That blog provides this list of compatible DoT (& DoH) test servers.
https://dnsprivacy.org/test_servers/

It refers to something called "stubby" which I haven't heard of before.
https://raw.githubusercontent.com/getdnsapi/stubby/develop/stubby.yml.example


And they list these with less information.

Re: Private DNS

<usbsob$1pt$1@rasp.pasdenom.info>

 by: Gelato - Thu, 7 Mar 2024 08:09 UTC

On 6 Mar 2024 18:39:14 GMT, Frank Slootweg wrote:

> While fiddling with my phone, I happened to see that if you set 'IP
> settings' to 'Static' (instead of 'DHCP'), it *does* show the DNS
> settings and DNS 1 defaults to 8.8.8.8 and DNS 2 defaults to 8.8.4.4,
> i.e. both dns.google.

This shows how to do what you just did.
https://www.easytechguides.com/android-dns/#wi-fi-settings

What's interesting is setting the DNS to one of the adguard DNS addresses
might do the same thing that an encrypted private dns does (but I'm not
sure but they explain that you can set an adguard dns IP address there).

This also shows the same method of setting the DNS server for Wi-Fi APs.
https://tunecomp.net/google-dns-8-8-8-8/#Android

That article goes further to explain how to set the cellular data DNS.
https://tunecomp.net/wp-content/uploads/2016/01/apps-for-using-8.8.8.8-on-mobile-data.jpg

They work as a vpn app in ways that I don't understand as they're not vpns.

Re: Private DNS

<uscsjb.1po.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Thu, 7 Mar 2024 16:13 UTC

Patrick <patrick@oleary.com> wrote:
> On 6 Mar 2024 13:03:33 GMT, Frank Slootweg wrote:
> >> On Android, when I long press on the settings for any given Wi-Fi
> >> connection, it tells me what DNS server is being normally queried.
> >> <https://i.postimg.cc/NGrqHTpC/wi-fi-dns.jpg>
> >
> > Sadly that long press does not work on my (Samsung A51 Android 13)
> > phone. Do you long press the connection which is actually connected at
> > the moment or one of the other 'Available networks'?
> >
> > Anyway, unless you or something have changed something, it seems
> > VanguardLH is right, because your screenshot shows 'DNS 2' as 8.8.4.4,
> > which is indeed dns.google.
>
> Actually, the 8.8.4.4 is grayed out.
> As far as I can tell, it's not being used.

I think it will be used when the 'DNS 1' server fails, does not
respond, etc. No idea why it's greyed out, because it *can* be
changed/set.

> I think it's a suggestion that the Android 13 operating system gives you.
> But maybe not. I don't know. I changed 8.8.8.8 to 192.168.1.1 long ago.
>
> I have a static connection set up for each Android phone in the house.

Ah, I hadn't noticed the 'Static' bit on your screenshot. So we still
do not know what DNS servers are used, when the 'IP settings' are set to
'DHCP'.

> When you set up a static connection, 8.8.8.8 & 8.8.4.4 are suggested.
>
> I replaced the 8.8.8.8 with 192.168.1.1 but I didn't bother changing that
> second slot because if the router isn't working, neither will the Wi-Fi.

But theoretically it could be that your ISP's DNS servers aren't
working, but Google's are, so leaving 'DNS 2' pointing to a Google DNS
server is better than also setting it to one of your ISP's DNS servers.

> The presumption is that is the DNS server which is looking up the Private
> DNS hostname to get the IP address when you're on a Wi-Fi connection.
>
> I have to assume when we're on cellular data, that the DNS lookup is
> whatever the carrier has it set to. I don't know how to find that data.

Re: Private DNS

<usct5g.1po.1@ID-201911.user.individual.net>

 by: Frank Slootweg - Thu, 7 Mar 2024 16:23 UTC

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > That assumes that DHCP is used, which is indeed (very) common, but not
> > necessarily the case, as one can configure 'Static' in Android's IP
> > settings.
> >
> > In the Static case Android has to know/remember the DNS server
> > address.
>
> Interesting. I didn't know you could modify the base network settings
> without rooting the phone. When the private DNS setting showed up,
> users could change which DNS server they used. Before that setting
> appeared, there was yet another setting that let users specify a DNS
> server other than the one assigned by DHCP?

Yes, the latter is a per-connection setting, i.e. one for each of the
'networks' you have configured; the 'Private DNS' setting is a
system-wide setting.

BUT, (so far) we can only set the DNS servers for a connection if that
connection has its 'IP settings' set to 'Static'. If it's set to 'DHCP'
I/we have not yet found a method to set the DNS servers. (I thought
that Patrick had found a way on his phone, but it turned out that his
screenshot was also for 'Static', not for 'DHCP'.)

[...]

Re: Private DNS

<e0utf35ut09m$.dlg@v.nguard.lh>

https://news.novabbs.org/computers/article-flat.php?id=78856&group=alt.comp.os.windows-10#78856

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Private DNS
Date: Thu, 7 Mar 2024 12:14:46 -0600
Organization: Usenet Elder
Lines: 32
Sender: V@nguard.LH
Message-ID: <e0utf35ut09m$.dlg@v.nguard.lh>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Thu, 7 Mar 2024 18:14 UTC

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
>> Interesting. I didn't know you could modify the base network settings
>> without rooting the phone. When the private DNS setting showed up,
>> users could change which DNS server they used. Before that setting
>> appeared, there was yet another setting that let users specify a DNS
>> server other than the one assigned by DHCP?
>
> Yes, the latter is a per-connection setting, i.e. one for each of the
> 'networks' you have configured; the 'Private DNS' setting is a
> system-wide setting.
>
> BUT, (so far) we can only set the DNS servers for a connection if that
> connection has its 'IP settings' set to 'Static'. If it's set to 'DHCP'
> I/we have not yet found a method to set the DNS servers. (I thought
> that Patrick had found a way on his phone, but it turned out that his
> screenshot was also for 'Static', not for 'DHCP'.)

Without the upstream DHCP to get your IP address, you would need a
static IP address. I know some users can get a static IP address from
their ISP. Some get it free, some have to pay for it. With my ISP, I
have to pay more for a business-class account to get a static IP
address. However, I never looked into getting a static IP address from
my carrier for cellular data (unless we're talking about static IP on
the phone to your own wifi access point, like at home).

I'm getting jealous of you guys, and phone envy, too. I'm still back on
my c.2016 LG V20 phone with Android 8.0 the latest I can get on it. I
won't play around with rooting it until I get another phone that has all
those features I keep hearing about, like DNS settings and private DNS.

