Android has the option for using private DNS, but it requires a hostname, not an IP of the DNS server. Isn't entering the domain name of a DNS server a chance for MITM attacks and DNS poisoning?
How is using a hostname secure?
Asking about using a hostname instead of an IP address is essentially asking if some kind of DNS spoofing would be possible, where the attacker answers a DNS query with an attacker controlled IP address.
But, since private DNS uses DoT (DNS over TLS) or DoH (DNS over HTTPS), it makes use of certificate validation, which also covers the hostname. Thus DNS spoofing will not be possible. For a deeper explanation of this see "Why doesn't DNS spoofing work against HTTPS sites?" or "Can a HTTPS connection be compromised because of a rogue DNS server". While these focus on HTTPS, the arguments are the same for DNS over TLS.
In addition to being equally secure compared to an IP address, the use of a hostname can even make additional security features easier or more reliable. For example, some DNS providers like nextdns.io give their customers hostnames specific to their user profile. Even if all these hostnames resolve to the same IP address, they get reflected in the SNI extension of the TLS handshake. This makes it possible to apply client-specific security settings without giving each client a different IP address (which does not scale).
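The two points in the answer above (the certificate must match the configured hostname, and that same hostname travels in the SNI extension) can be seen in a minimal DNS-over-TLS client. The following is an added example, not code from the question or the answer: it builds an RFC 1035 query, frames it per RFC 7858, and opens a TLS session whose `server_hostname` both sets SNI and is the name the resolver's certificate is checked against. The resolver hostname `example-profile.dns.example`, the address `192.0.2.53`, and the sample response are constructed placeholders.

```python
import socket
import ssl
import struct

# Constructed placeholders: a profile-specific resolver hostname (as a provider
# such as nextdns.io would hand out) and the address it is assumed to resolve to.
DOT_HOSTNAME = "example-profile.dns.example"
DOT_RESOLVER_IP = "192.0.2.53"
DOT_PORT = 853  # DNS over TLS (RFC 7858)


def build_query(qname, txid=0x1234):
    """Encode a minimal A-record query in DNS wire format (RFC 1035)."""
    # Flags 0x0100: standard query with recursion desired; one question.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def frame_for_dot(msg):
    """RFC 7858 framing: a two-byte big-endian length prefix before each message."""
    return struct.pack("!H", len(msg)) + msg


def make_dot_context():
    """TLS context that requires a trusted chain AND a name match on the SNI hostname."""
    ctx = ssl.create_default_context()  # loads system CAs, sensible defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate SAN must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED  # no certificate, no connection
    return ctx


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def resolve_over_dot(qname, resolver_ip=DOT_RESOLVER_IP, resolver_hostname=DOT_HOSTNAME):
    """Resolve qname over DoT. Needs network access to a real resolver."""
    ctx = make_dot_context()
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        # server_hostname is sent as SNI (so a per-profile hostname reaches the
        # provider even when many profiles share one IP) and is the name the
        # certificate is validated against. If the A record for resolver_hostname
        # had been spoofed, resolver_ip would be the attacker's machine, and this
        # call raises ssl.SSLCertVerificationError rather than sending any query.
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame_for_dot(build_query(qname)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, length))


# Constructed response to the query above: example.com A 192.0.2.1 (TTL 300),
# with the answer name given as a compression pointer back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print("query bytes:", frame_for_dot(build_query("example.com")).hex())
    print("parsed sample answer:", parse_a_records(SAMPLE_RESPONSE))
    # Live use (network required): resolve_over_dot("example.com")
```

The parsing helpers run offline against the constructed response; `resolve_over_dot` is the part that exercises the point of the answer, and swapping `resolver_ip` for an address whose certificate is not valid for `resolver_hostname` ends in `ssl.SSLCertVerificationError` before a single DNS byte is sent.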