Behaviour of Android 9 Private DNS with restricted networks and a quick comparsion of DNS over TLS providers (or why I use Quad9)

I got Android 9 (Go Edition) three days ago and as right now I am still unable to find results on how its Private DNS (DNS over TLS) behaves when port 853 is blocked I typed my own post.

Test: automatic mode without DoT capable server from DHCP ; the setting says “automatic”.

Test: DoT with port 853 blocked ; Android reports that the WLAN network has no internet connectivity…

Test: automatic mode with DoT capable server from DHCP ; Android says that DoT is “enabled”

Test: DoT + Captive Portal ; I get the captive portal prompt asking me to login to the network as usual…

For more details and the reason why I use Quad9 you have to read the post or forum threads where I have discussed my DNS choices.


Hmph, it looks like Google has informed of it in their development blog and I have either missed it or read some other post about it.

Users can enter a hostname if they want to use a private DNS provider. Android then sends all DNS queries over a secure channel to this server or marks the network as “No internet access” if it can’t reach the server. (For testing purposes, see this community-maintained list of compatible servers.)

Empasis mine.

Have you tried Quad9’s DoT Android app? I’m wondering if it’s more reliable than Android’s native DoT configured with it?

I like Quad9 and Cleanbrowsing (Quad9 vs Cleanbrowsing
Both OpenDNS and Neustar redirect NXDomain to their own blocking site… I don’t like it. though Cleanbrowsing returned NXDOMAIN, lack of QNAME support.

If you have a spare device, welcome to give a try :slightly_smiling_face:
Switzerland🇨🇭 : (IPv6 ONLY)
Finland​:finland: will consider in the year 2020 :smiley:

1 Like

I haven’t tried it on Android 9, but on Android 7.x my experience is that it sometimes loses connectivity by itself especially in always on VPN mode and it breaks captive portal detection even more.

OpenDNS hasn’t done NXDOMAIN hijacking in years, but AFAIK they still don’t support DNSSEC or stably IPv6.

1 Like

2 posts were merged into an existing topic: Discussion: OpenNIC