Android now supports DNS-over-HTTP/3 for enhanced security
Google has improved Android security by adding DNS-over-HTTP/3 (DoH3), which offers a number of improvements over DNS-over-TLS (DoT) and sits alongside the existing DoT support.
The support for DoH3 was released as part of a Google Play system update, so by the time you're reading this, Android devices from Android 11 onwards will use DoH3 instead of DNS-over-TLS (DoT) for well-known DNS servers which support it, the Android team wrote in a blog post earlier this week.
"Which DNS service you are using is unaffected by this change; only the transport will be upgraded. In the future, we aim to support DDR which will allow us to dynamically select the correct configuration for any server. This feature should decrease the performance impact of encrypted DNS," reads the post.
According to the Android team, DoH3 avoids several problems that can occur with DoT's operation. While DoT operates on a single stream of requests and responses, DoH3 runs each request over a separate logical stream, which means implementations will resolve requests out of order by default.
Secondly, Android phones change networks frequently as the user moves around. With DoT, these events require a full renegotiation of the connection, but QUIC, the transport HTTP/3 is built on, can resume a suspended connection in a single RTT. In unreliable networks, DoH3 may even outperform traditional DNS.
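To make concrete the point that only the transport changes, here is an added Python example (not code from the Android post) that encodes one DNS query and shows the framing DoT (RFC 7858, length-prefixed over TCP) and DoH (RFC 8484, which DoH3 carries over HTTP/3) wrap around the same wire-format message; the resolver hostname dns.example is a placeholder.

```python
import base64
import struct
from urllib.parse import urlparse, parse_qs


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query: one question, RD bit set.
    RFC 8484 recommends a DNS ID of 0 for DoH so identical queries cache well."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS IN
    return header + question


def frame_for_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length prefix.
    Every query shares one TLS/TCP byte stream, which is where head-of-line blocking comes from."""
    return struct.pack(">H", len(msg)) + msg


def doh_get_url(msg: bytes, base: str) -> str:
    """DoH (RFC 8484) GET form: the raw message, base64url-encoded without padding,
    in the 'dns' query parameter. Each HTTP request can ride its own HTTP/3 stream."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


def doh_post_request(msg: bytes) -> dict:
    """DoH (RFC 8484) POST form: the same message as the body, typed application/dns-message."""
    return {
        "method": "POST",
        "headers": {"content-type": "application/dns-message",
                    "accept": "application/dns-message"},
        "body": msg,
    }


def parse_doh_get(url: str) -> bytes:
    """Server side of the GET form: re-pad and decode the 'dns' parameter back to wire format."""
    b64 = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_dns_query("example.com")  # constructed sample query, A record
    print("DoT bytes:", frame_for_dot(q).hex())
    print("DoH GET :", doh_get_url(q, "https://dns.example/dns-query"))  # placeholder host
```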
DoH3 significantly improves on DoT's performance, with Google studies showing that replacing DoT with DoH3 reduces the median query time by 24%, and 95th percentile query time by 44%.
Lastly, the addition of Rust support to the Android platform helps reduce the risk of security vulnerabilities.
"With the introduction of Rust, we are able to improve both security and the performance at the same time. Likewise, QUIC allows us to improve network performance and privacy simultaneously," the Android team said.