Opened 22 months ago

Last modified 22 months ago

#28955 new defect

should Orbot include DNS forwarder backed by DNS-over-TLS

Reported by: eighthave Owned by: n8fr8
Priority: Medium Milestone:
Component: Applications/Orbot Version:
Severity: Normal Keywords:
Cc: n8fr8 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


DNS-over-TLS (DoT) is now available on many nameservers, and at least three, large public ones,, and DoT plugs a significant metadata leak: the domain in plain text. Starting in Android 9, Android itself supports DoT. Should Orbot itself include a DNS server that uses only DoT?

If yes, then here is some related example code:

Child Tickets

Change History (4)

comment:1 Changed 22 months ago by eighthave

I should add that in the past, I thought this wasn't worth the complexity. But now with DNS-over-TLS, I think its worth considering.

comment:2 Changed 22 months ago by pege

This is probably something that should be supported by Tor itself rather than Orbot since it affects anything using Tor, not just Orbot and applications that use it to connect to the Tor network.

I'm generally in favor but there a few things to consider:

  • This is going to increase latency. Tor supports specifying a DNS as target in SOCKS5 in which case the exit node does a DNS lookup (lower latency). Also, it allows sending data before the DNS name is resolved, decreasing latency again, but only if DNS resolution is made remotely. If DNS over TLS is used, this won't be possible without another request to the DNS server first. Exits doing a lookup, without them learning the DNS name is probably not possible.
  • Tor Browser and all other application using TLS still leak that information without ESNI being enabled browser and server-side (not in Firefox stable AFAIK).
  • There need to be enough independent services offering DNS-over-TLS to make sure blocking of Tor exit nodes by a single or a few provider won't break Tor.

comment:3 Changed 22 months ago by eighthave

One way to start with this would be just to make the DNS server available in Orbot, but not force anything to use it. We're working on a NetCipher library that enables ESNI in any Android app. That library could then be configured to always use the Orbot DNS server.

comment:4 Changed 22 months ago by n8fr8

I think the DNS port is already available for any app. It should be by default at 5400.

Note: See TracTickets for help on using tickets.