DNS over HTTPS (DoH) support coming to Android Chrome (by default)
DNS over HTTPS has been an option in Chrome since at least May, and I evidently turned it on in Android sometime around then and forgot to write how to do it, but now it’s coming by default to Chrome for Android, that is if your DNS provider has it enabled.
Secure DNS allows you to browse the web on a public WiFi and not have information about which sites you’re going to easily sniffable by anyone within WiFi earshot. While most of the web is encrypted these days, random people knowing that you’re paying bills and what different sites you go to can have some consequences.
As your current ISP and that public WiFi probably do not pass off secure DNS servers to you, Chrome will be allowing for a manual list of secure DNS providers as a fallback.
This is a feature that will be rolling out, so as with all things Google, you’ll get it when you get it. If you want to enable it now, go into Android settings, look up Private DNS (settings, connections, More connection settings, Private DNS) and put in a known DoH server (I suggest one.one.one.one for this.)
Open up your Chrome browser on Android, type CHROME://FLAGS in the address bar and fine Secure DNS Lookups. Enable that, restart the browser, then head over to Cloudflare’s DoH test page. You should now pass 3 out of 4 of the tests.
There are still ways to phish what you’re going to, but it offers a little more security and can’t easily be tracked by a compromised router.
Should be noted, since using the single one.one.one.one Private DNS I’ve had two issues directly related to that, so you might want to wait until there’s a fallback list of DNS servers in Chrome rather than Android’s very limited Private DNS Server option.
List of private DoH servers I can find:
- 126.96.36.199 (one.one.one.one) – Cloudflare DNS
- adult-filter-dns.cleanbrowsing.org (blocks porn 188.8.131.52 & 169.11)
- Cleanbrowsing Family Filter (porn, sets bing/google/YT to safe mode) 184.108.40.206 / 169.168
- dns.quad9.net (malicious domain blocker)