Google slides DNS privacy into 'Droid developer stream
Encrypting domain queries with TLS
Android users might get better protection for their browsing records, if a Google experiment takes off.
XDA-developers.com spotted the entry in the Android Open Source Project, which adds DNS over TLS, along with an option to turn it off.
The idea of sending DNS queries over TLS is simple: it's in line with the IETF's (and the Internet Architecture Board's) belief that standards need to protect users from snooping by default.
DNS-over-TLS is described in RFC 7858. It proposed using TCP port 853, an implementation would establish a TLS tunnel, and send the DNS query over that encrypted tunnel (with fallback mechanisms if client or server can't support it).
That would protect DNS queries from snooping by prying spies.
Such efforts are important because if your ISP doesn't offer TLS protection, your DNS queries are visible to it – but if you're calling on an upstream resolver which does encrypt, then the ISP will only see you querying (for example) 18.104.22.168.
Unlike the developer-grade Stubby, for example, baking the standard into Android would mean users don't need to bone up on IETF documents to protect themselves.
The XDA-Developers post speculates that with the feature now offered to developers, Google could have it in mind for a future version of Android. ®