Encrypt your DNS queries on /e/OS system-wide

Mission:

Learn to encrypt your DNS queries using the DNS-over-TLS client implementation known as Private DNS on your smartphone running the latest /e/OS.

Prerequisites:

  • A smartphone with /e/OS based on Android 9 or newer.
  • Patience to fiddle around with /e/OS Settings

Let’s roll.

Why should you Encrypt your DNS?
For the same reason we use HTTPS to access our favorite websites, including this very forum or wiki: to seek privacy, security and integrity of data communication.

1. Go to /e/OS Settings and open Network & Internet settings therein.


2. In Network & Internet settings, navigate to ‘Advanced’ settings therein

Tap PrivateDNS to continue.

Input a DNS hostname of your choice from various options available across the globe.

Popular public domain name resolving services offering DoT or Private DNS support:

Name | Hostname
Nic.cz | odvr.nic.cz (used in this guide)
Quad9 | dns.quad9.net
Cloudflare | 1dot1dot1dot1.cloudflare-dns.com

Enter DNS hostname of your choice and tap ‘Save’ to continue.

Private DNS attempts to connect; once connected, you see the hostname in settings, as seen in the image below.

3. Check DNS settings or leaks in /e/OS’s browser

Open https://dnsleaktest.com in /e/OS’s browser and tap Extended test to continue.

Once the test is complete you should exclusively see the DNS servers that you have set in Private DNS settings of your /e/OS, as seen in the image below.


Troubleshooting


If you see the error as seen in the image above, it means you have entered the wrong DNS hostname or the service you are using is broken. Try another one to check. It should fix the issue.

Thanks for reading!

6 Likes

with this, you will kill trackerControl / Netguard and Co, because they can’t read the network address anymore

Also if you force DNS servers in Settings->Network & internet->DNS, like 9.9.9.9, you can set private DNS to automatic and it should use DNS over TLS using this server.

Note that with Quad9, DNS servers tested with dnsleaktest will show up as Woodynet (they have a partnership)

1 Like

Which trackerBlocker do you use ??

I have had some users who were wondering why TrackerControl doesn’t ‘see’ any tracker. After disabling the DNS encryption, TrackerControl works fine

»Now all DNS requests sent by my system are transmitted and answered via TLS encrypted connection to the selected DNS server

1 Like

Just gotten the confirmation from the Dev of TrackerControl. TrackerControl can’t handle private DNS nor encrypted DNS requests.

TC is mostly like Netguard, so I think (but don’t know for sure) that NG will also fail with this setup. So everyone has to decide: Blocking trackers or using private DNS encryption

It’s good you’re dealing with it, @harvey186 This information is valuable.

I appreciate the “Select private DNS mode” feature in /e/ OS 9-Pie and use it because with FOSS apps à la Simple Mobile Tools (/from F-Droid Store) and don’t need apps like the very attractive TrackerControl (TC).

That’s the best way, but for all other users who are using non-FOSS apps it is needed information that TC isn’t failing with private DNS, and I have just read (in German) that Netguard does have the same issue. Blokada seems also, only AFW+ with root not. But root is not the best for a device

I totally agree with you. As I wrote above: »This information is valuable.«

Please don’t recommend it, it has been shut down since 30.04.2020.

Where did you get this information?

On the website of dismail de are valid as of today:

fdns2.dismail.com | fdns1.dismail.com



@gael Once more my question: what tracker blocker do you use ?? Or do you really only use FOSS apps ??

I quoted https://securedns.eu/ It has apparently shut down as per the notice on the homepage itself.

Aha, I’ve assumed that dismail.de | Host: fdns1.dismail.de | Server location: Germany and the accompanying picture.


Please note: TLS Hostname: dot.securedns.eu

SecureDNS has been shutdown since the 30th of April 2020. Please do not use SecureDNS anymore.

@harvey186 , please remember: 93 Smartphones are supported by /e/. Only 20 of them run with /e/ OS 9-Pie and the DNS over TLS (DoT) feature.

20 devices with /e/ OS 9-Pie

|Essential |Essential PH-1 |mata |pie|
|Fairphone |FP2 |FP2 |pie|
|Fairphone |FP3 |FP3 |pie|
|Google |Pixel |sailfish |pie|
|Google |Pixel XL |marlin |pie|
|OnePlus |6 |enchilada |pie|
|OnePlus |OnePlus 7 (beta) |guacamoleb |pie|
|OnePlus |6T |fajita |pie|
|OnePlus |7 Pro |guacamole |pie|
|Samsung |Galaxy A5 (2017) |a5y17lte |pie|
|Samsung |Galaxy A5 (2016) |a5xelte |pie|
|Samsung |Galaxy S8 (beta) |dreamlte |pie|
|Samsung |Galaxy S5 LTE International |klte |Pie|
|Samsung |Galaxy A7 (2017) |a7y17lte |pie|
|Xiaomi |Mi 8 |dipper |pie|
|Xiaomi |Mi 5s |capricorn |pie|
|Xiaomi |Poco F1 |beryllium |pie|
|Xiaomi |Mi A1 |tissot |pie|
|Xiaomi |Redmi Note 7 Pro |violet |pie|
|Xiaomi |Mi MIX 2 |chiron |pie|

Tracker Control & Co. are and remain extremely useful tools.

But still wait for an answer from GAEL. He is promoting apps with trackers via apps store. So he should also be showing a way to block them

Did you check the homepage of https://securedns.eu yet?

I don’t understand your question!

The quote with link here and here indicates that dot.securedns.eu should no longer be used.

I am only trying to tell, stop recommending SecureDNS any more. It is shut down officially even if it still works.

And I quote securedns.eu in two postings (here and here) saying “Please do not use SecureDNS anymore.” So that should take care of that point. Or what do you think is necessary in order to be able to consider the subject as clarified?