Android now supports DNS-over-HTTP/3 with Google Play system update

source link: https://toptech.news/android-now-supports-dns-over-http-3-with-google-play-system-update/

July 20, 2022

Android 9.0 Pie in 2018 introduced DNS-over-TLS (DoT) and the mobile OS now supports DNS-over-HTTP/3 (DoH) thanks to a Google Play system update (Mainline).

Meant to be the latest method for keeping DNS queries private, DNS-over-HTTP/3 features a “number of improvements over DNS-over-TLS” spanning performance and memory safety (with the Mainline Module written in Rust).

It’s “rapidly gaining traction” and already deployed by Google Public DNS and Cloudflare Resolver. Chrome for Android added support for Secure DNS in 2020.

Field measurements during the initial limited rollout of this feature show that DoH3 significantly improves on DoT’s performance. For successful queries, our studies showed that replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%. 

DoH is now supported on Android 11+ and will be used in preference to DoT for the two aforementioned DNS servers. It was rolled out through an unspecified Play system update, and the addition appears to have gone unmentioned in the changelog.

Which DNS service you are using is unaffected by this change; only the transport will be upgraded. In the future, we aim to support DDR which will allow us to dynamically select the correct configuration for any server. This feature should decrease the performance impact of encrypted DNS.

Google says some Android 10 devices might support it as well.

Most network connections begin with a DNS lookup. While transport security may be applied to the connection itself, that DNS lookup has traditionally not been private by default: the base DNS protocol is raw UDP with no encryption. While the internet has migrated to TLS over time, DNS has a bootstrapping problem. Certificate verification relies on the domain of the other party, which requires either DNS itself, or moves the problem to DHCP (which may be maliciously controlled). This issue is mitigated by central resolvers like Google, Cloudflare, OpenDNS and Quad9, which allow devices to configure a single DNS resolver locally for every network, overriding what is offered through DHCP.
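The point that "only the transport will be upgraded" is easy to see at the wire level: the DNS message itself is unchanged, and DoH (RFC 8484) simply carries it inside an HTTP request. The following is an added example, not code from the article or from Android; it builds a wire-format query, wraps it in the RFC 8484 GET form, and parses a constructed response. The resolver URL is an assumed example endpoint.

```python
import base64
import struct

# Constructed example: the DNS message is the same bytes over plain UDP,
# DoT, DoH or DoH3; the secure transports only wrap it.

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035): 12-byte header + one question.
    RFC 8484 recommends txid 0 for DoH so the GET URL is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url-encoded query with '=' padding removed."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={dns}"

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name; return next offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            return pos + 2
        pos += 1 + length

def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses in a DNS response's answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4       # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

# Constructed response: the question echoed back plus one A record (TTL 60)
# whose owner name is a compression pointer to offset 12 (the question name).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)
```

The query bytes handed to `doh_get_url` are exactly the bytes a UDP resolver would receive, which is why switching from DoT to DoH3 changes nothing about which resolver answers or what it is asked.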

Author: Abner Li
Source: 9TO5Google
