Google has added support for the DNS-over-HTTP/3 (DoH3) protocol on Android 11 and later to increase the privacy of DNS queries while providing better performance.
HTTP/3 is the third major version of the Hypertext Transfer Protocol, which relies on QUIC, a multiplexed transport protocol built on UDP, rather than TCP like previous versions.
The new protocol fixes the problem of “head-of-line blocking,” which slows down internet data transactions when a packet is lost or reordered, something quite common when moving around on mobile and switching connections frequently.
Android previously supported DNS-over-TLS (DoT) for version 9 and later to bolster DNS query privacy, but this system inevitably slowed down DNS requests due to the encryption overhead.
Moreover, DoT requires a complete renegotiation of the new connection when changing networks. In contrast, QUIC can resume a suspended connection in a single RTT (time needed for a signal to reach the destination).
With DoH3, many of DoT’s performance burdens are lifted, and according to Google’s measurements, achieves a 24% increase in performance for median query times. In some cases, Google has seen performance increases up to 44%.
Additionally, DoH3 may help with unreliable networks, even outperforming traditional DNS thanks to the proactive flow control mechanisms that immediately generate package delivery fail alerts instead of waiting for timeouts to elapse.
DNS-over-HTTPS is already widely supported by many DNS providers to provide increased privacy when performing DNS requests.
With Google supporting DNS-over-HTTP/3 Android and DNS-over-QUIC now a proposed standard, we will likely see increased adoption by DNS providers shortly.
However, as part of this feature’s launch, Android devices will use Cloudflare DNS and Google Public DNS, which already support DNS-over-QUIC.
In the future, Google plans on adding support for other DoH3 providers through the use of Discovery of Designated Resolvers (DDR), which automatically selects the best provider for your specific configuration.
Secure and lean implementation
Another point of superiority of DoH3 is the use of Rust in its implementation, which resulted in a lean system comprising 1,640 lines of code that use a single runtime thread instead of DoT’s four.
“We built the query engine using the Tokio async framework to simultaneously handle new requests, incoming packet events, control signals, and timers. In C++, this would likely have required multiple threads or a carefully crafted event loop.” – Google.
The result is a performant low-level system with a few dependencies, is light, and uses a memory-safe language that reduces the number of bugs attackers can leverage to abuse it.
Roll-out
At the time of reading this, all Android devices running Android 11 and later should use DoH3 for Google DNS and Cloudflare DNS (more to be added soon).
In addition, a subset of Android 10 devices whose vendors adopted Google Play system updates early will also receive this new feature.
The end-users don’t have to take any action to enable the new feature, as Android will handle this part automatically.
Source: www.bleepingcomputer.com